S1172: OilBooster
OilBooster is a downloader written in Microsoft Visual C/C++ that has been used by OilRig since at least 2022, including against organizations in Israel, to download and execute files and to exfiltrate data.[1]
Analyst context for executives and security teams
OilBooster matters because ATT&CK describes it as a Windows downloader used by OilRig to download and execute files and support exfiltration. For leaders, the practical risk is not just the malware name; it is the chain of behaviors around reliable command-and-control, cloud or web-based communications, local staging, and data theft. If a Windows endpoint can quietly fetch tools, run command-shell activity, stage files, and send data out through normal-looking web or cloud traffic, incident responders may have limited time to distinguish compromise from routine business traffic.
Executive priority
Treat this as a validation case for Windows endpoint visibility, outbound web/cloud governance, and exfiltration readiness. Priority questions: can the SOC see suspicious downloader behavior and command-shell execution on Windows; can network and proxy controls distinguish approved cloud use from unusual external transfer; and can incident response quickly identify staged data and follow-on tool downloads? For sectors named in the related OilRig context, including energy, chemical, government, financial, telecommunications, and supply-chain-connected organizations, this also supports resilience and audit discussions around trusted relationships and external data movement.
Technical view
ATT&CK provides no official detection text for OilBooster, so defenders should validate coverage through the related techniques. Focus on Windows hosts showing downloader patterns, command execution via Windows Command Shell, native API or inter-process communication activity, hidden-window execution, local data staging, deobfuscation or decoding behavior, ingress tool transfer, and outbound command-and-control or exfiltration over web/cloud channels. The relationship set includes fallback channels, bidirectional web-service communication, web protocols, asymmetric cryptography, exfiltration over C2, and exfiltration to cloud storage; detection should therefore combine endpoint process/file telemetry with proxy, DNS, TLS, firewall, and cloud access evidence rather than relying on a single IOC or malware signature.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe or child processes associated with download, execution, discovery, staging, or decoding activity
- EDR events for native API use (for example `ShowWindow` and `CreateProcessW`), anonymous-pipe IPC used to capture command output, hidden-window execution, or unusual parent-child process relationships where available
- File creation, modification, rename, and archive/staging activity on local Windows systems
- Network proxy, firewall, DNS, TLS, and web request logs for outbound HTTP/S and alternate or fallback external channels
- Cloud access or CASB-style logs for uploads, downloads, and unusual use of external cloud storage services
Detection direction
- Build detections around behavior clusters: downloader activity followed by command-shell execution, local staging, and outbound web or cloud transfer is higher value than any single event alone.
- Validate whether normal business cloud services create false positives; tune by user role, host role, destination reputation, transfer volume, and whether the endpoint normally uses that service.
- Hunt for Windows hosts performing system owner/user discovery or system information discovery shortly before external communication or file transfer activity.
- Review coverage for encrypted or web-service-based C2 assumptions; asymmetric cryptography and bidirectional web-service communication can reduce the value of payload inspection, increasing reliance on metadata, endpoint context, and sequence analytics.
- Confirm incident responders can pivot from a suspected downloader process to downloaded files, command history, staged directories, outbound destinations, and potential exfiltration paths.
Mitigation priorities
- Harden Windows endpoint controls first: restrict unnecessary command-shell use, monitor script and binary execution, and enforce least privilege for users and processes.
- Control outbound traffic: require proxying or egress filtering where practical, review allowed cloud storage services, and alert on unusual external web or cloud destinations.
- Improve data protection around staging and exfiltration: classify sensitive data, monitor bulk local staging, and apply DLP or egress controls for high-risk repositories.
- Strengthen incident readiness: preserve endpoint, proxy, DNS, and cloud logs long enough to reconstruct downloader-to-exfiltration timelines.
- For organizations with supply-chain exposure or OT-adjacent environments, validate segmentation and trust-boundary monitoring so compromised Windows enterprise systems cannot easily become a bridge to more sensitive environments.
Analyst notes and limits
This take is based on ATT&CK S1172 OilBooster, its official description, the cited ESET reference, and the supplied relationship context showing OilRig use and associated ATT&CK techniques. The key defensive value is mapping the malware entry to observable behaviors across execution, discovery, command-and-control, collection, stealth, ingress transfer, and exfiltration.
ATT&CK does not provide official detection text, aliases, labels, or object-level tactics for OilBooster in the supplied fields. The object platform is Windows; several related techniques list broader platforms, but this summary does not extend OilBooster beyond Windows. Local telemetry, approved cloud-service use, endpoint configurations, and business context are required to determine actual exposure and detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1041 | Exfiltration Over C2 Channel | OilBooster can use an actor-controlled OneDrive account for C2 communication and exfiltration.[1] |
| Enterprise | T1082 | System Information Discovery | OilBooster can identify the compromised system's hostname, which is used to create a unique identifier.[1] |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage | OilBooster can exfiltrate files to an actor-controlled OneDrive account via the Microsoft Graph API.[1] |
| Enterprise | T1564.003 | Hidden Window | OilBooster can hide its console window upon execution through the `ShowWindow` API.[1] |
| Enterprise | T1059.003 | Windows Command Shell | OilBooster has the ability to execute shell commands and exfiltrate the results.[1] |
| Enterprise | T1102.002 | Bidirectional Communication | OilBooster uses the Microsoft Graph API to connect to an actor-controlled OneDrive account to download and execute files and shell commands, and to create directories to share exfiltrated data.[1] |
| Enterprise | T1559 | Inter-Process Communication | OilBooster can read the results of command line execution via an unnamed pipe connected to the process.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | OilBooster can download and execute files from an actor-controlled OneDrive account.[1] |
| Enterprise | T1071.001 | Web Protocols | OilBooster can send HTTP `GET`, `POST`, `PUT`, and `DELETE` requests to the Microsoft Graph API over port 443 for C2 communication.[1] |
| Enterprise | T1033 | System Owner/User Discovery | OilBooster can identify the compromised system's username, which is then used as part of a unique identifier.[1] |
| Enterprise | T1074.001 | Local Data Staging | OilBooster can stage files in the `tempFiles` directory for exfiltration.[1] |
| Enterprise | T1008 | Fallback Channels | OilBooster can use a backup channel to request a new refresh token from its C2 server after 10 consecutive unsuccessful connections to the primary OneDrive C2 server.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | OilBooster can use the OpenSSL library to encrypt C2 communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | OilBooster can Base64-decode and XOR-decrypt C2 commands taken from JSON files.[1] |
| Enterprise | T1106 | Native API | OilBooster has used the `ShowWindow` and `CreateProcessW` APIs.[1] |
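The T1140 row above says only that commands arrive in JSON, Base64-encoded and XOR-encrypted. The following is an added example of the decoder an analyst would write for that pattern; it is not OilBooster code, and the JSON layout (a `tasks` list with `id` and `cmd` fields), the repeating key `k3y!`, and the known command prefix `cmd /c ` are all assumptions made for the example. It goes one step beyond the row by recovering the XOR key from a known plaintext prefix, which is the usual route when the key is not yet known from the binary.

```python
import base64
import json
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_field(value: str, key: bytes) -> str:
    """Base64-decode a JSON string field, then XOR-decrypt it (the order given in the T1140 row)."""
    return xor_bytes(base64.b64decode(value), key).decode("utf-8", errors="replace")


def recover_key(blobs, known_prefix: str, max_len: int = 16):
    """Recover a repeating XOR key from Base64-decoded blobs using a known plaintext prefix.

    Tries key lengths 1..max_len (bounded by the prefix length) and returns the shortest key
    under which every blob decodes to printable text starting with the prefix, else None.
    """
    if not known_prefix:
        return None
    kp = known_prefix.encode()
    sample = next((b for b in blobs if len(b) >= len(kp)), None)
    if sample is None:
        return None
    for n in range(1, min(max_len, len(kp)) + 1):
        key = xor_bytes(sample[:n], kp[:n])           # prefix XOR ciphertext gives the key bytes
        decoded = [xor_bytes(b, key) for b in blobs]
        if all(d.startswith(kp) and all(c in PRINTABLE for c in d) for d in decoded):
            return key
    return None


def extract_commands(json_text: str, key: bytes = None, known_prefix: str = None):
    """Parse a C2 task document and return [(task_id, plaintext_command)], recovering the key if needed."""
    tasks = json.loads(json_text)["tasks"]
    if key is None:
        key = recover_key([base64.b64decode(t["cmd"]) for t in tasks], known_prefix)
        if key is None:
            raise ValueError("could not recover XOR key from the known prefix")
    return [(t["id"], decode_field(t["cmd"], key)) for t in tasks]


# ---- constructed sample: assumed layout and key, not the real OilBooster task format ----
SAMPLE_KEY = b"k3y!"                                   # hypothetical repeating key


def _encode(cmd: str) -> str:                          # reverse of decode_field; builds the sample only
    return base64.b64encode(xor_bytes(cmd.encode(), SAMPLE_KEY)).decode()


SAMPLE_JSON = json.dumps({"tasks": [
    {"id": "1", "cmd": _encode("cmd /c whoami")},
    {"id": "2", "cmd": _encode("cmd /c hostname")},
    {"id": "3", "cmd": _encode("cmd /c dir C:\\Users\\Public\\tempFiles")},
]})

if __name__ == "__main__":
    for task_id, cmd in extract_commands(SAMPLE_JSON, known_prefix="cmd /c "):
        print(task_id, cmd)
```

The printable-text check is what rejects shorter candidate keys: a one- to three-byte guess reproduces the prefix only for the first few characters and then diverges, so the decoded task fails the `startswith` test. With a real sample, swap in the prefix and JSON field names observed in the binary or in captured traffic.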
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 47e296c22354… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. ESET (cited in the table above as "ESET OilRig Downloaders DEC 2023"). Retrieved November 26, 2024.
[2] MITRE ATT&CK. S1172: OilBooster.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.