TLP:CLEAR | Mixed audience | Updated: March 2026

1. IDENTIFICATION & ATTRIBUTION
Designations: OilRig (CrowdStrike), Helix Kitten (CrowdStrike), APT34 (Mandiant/Google), IRN2 (SecureWorks), COBALT GYPSY (SecureWorks), Crambus (Symantec), Earth Simnavaz (Trend Micro), EUROPIUM (Microsoft)
Origin: Iran
Suspected sponsor: Iranian Ministry of Intelligence (MOIS — Vezarat-e Ettela’at va Amniat-e Keshvar)
Sophistication level: High (confirmed APT, persistent operations since 2012)
Motivation: Strategic espionage, geopolitical intelligence collection, occasional sabotage
Targeted sectors: Energy (oil & gas), finance, telecommunications, governments, defense, chemicals, transportation
Geographic scope: Middle East (priority: Saudi Arabia, UAE, Kuwait, Iraq, Jordan, Bahrain), Europe, North America, South Asia
2. INFRASTRUCTURE & TTPs
Infrastructure
APT34 operates a heavily segmented infrastructure that is regularly renewed:
- Primary C2: DNS tunneling (DNS protocol used as C2 exfiltration/command channel — distinctive group signature)
- Secondary C2: HTTPS toward compromised legitimate domains or registered domains impersonating known entities (typosquatting)
- Hosting: VPS rented through resellers (avoiding direct attribution), infrastructure partially shared with APT33
- Frequent registrars: Namecheap, Njalla, anonymizing services
- Pivot via legitimate networks: Use of compromised LinkedIn, Exchange, and OWA accounts for initial persistence
TTPs (MITRE ATT&CK)
| Phase | Technique | ID |
|---|---|---|
| Reconnaissance | OSINT collection via LinkedIn, targeted spear-phishing | T1589, T1598 |
| Initial Access | Spear-phishing attachments (Office macros, LNK), VPN/OWA exploitation | T1566.001, T1190 |
| Execution | PowerShell, VBScript, DNS requests | T1059.001, T1059.005 |
| Persistence | Scheduled Tasks, Web Shell, registry modification | T1053.005, T1505.003 |
| Defense Evasion | Living-off-the-land, PowerShell obfuscation, signed binary proxy | T1027, T1218 |
| Credential Access | Credential dumping (Mimikatz), OWA/Exchange harvesting | T1003, T1114 |
| Lateral Movement | Pass-the-Hash, RDP, SMB | T1550.002, T1021.001 |
| Exfiltration | DNS tunneling, HTTPS, email via compromised accounts | T1048.001, T1041 |
| C2 | DNS over HTTPS (DoH), legitimate application protocols | T1071.004, T1071.001 |
3. MALWARE & TOOLING
Internally developed tools
POWRUNER
- Type: PowerShell backdoor
- Function: Remote command execution, system collection
- C2 channel: DNS tunneling
- Detection: Abnormally long DNS queries (labels > 63 characters), high frequency of TXT requests
BONDUPDATER
- Type: PowerShell backdoor
- Function: Payload download/execution, persistence
- Specifics: Uses DNS TXT records to receive C2 commands
- Family: Used in conjunction with POWRUNER
TWOFACE / SEASHARPEE
- Type: Web Shell (ASP.NET / ASPX)
- Function: Persistent access on compromised Exchange/OWA servers
- Deployment: Post-exploitation on exposed Exchange infrastructure
HYPERSHELL
- Type: Perl Web Shell
- Function: Backdoor on Linux servers
RAGERUNNER / SAITAMA
- Type: .NET backdoor
- Function: DNS-based exfiltration, C2 communication encoded in base64 within DNS labels
- Campaign: Identified in 2022 targeting Jordanian government entities
MENORAH
- Type: PowerShell backdoor
- Function: System fingerprinting, file exfiltration, command execution
- Campaign: Identified in 2023, Middle East targeting
VEATY / SPEARAL
- Type: .NET malware (two distinct components)
- Function: VEATY uses compromised email accounts as C2 channel (read/write in Exchange mailboxes), SPEARAL uses DNS tunneling
- Campaign: Identified in 2024, targeting Iraq (government, telecoms)
Third-party tools used
- Mimikatz (credential dumping)
- CrackMapExec (lateral movement)
- Plink / PuTTY (SSH tunneling)
- ngrok (internal service exposure)
- nbtscan (internal network reconnaissance)
4. CAMPAIGN HISTORY
| Period | Campaign / Operation | Targets | Vector | Tooling |
|---|---|---|---|---|
| 2012–2014 | Initial documented activity | Energy, Middle East governments | Spear-phishing | Unnamed custom tools |
| 2016 | OilRig campaign v1 | Saudi organizations, financial sector | Office macro spear-phishing | POWRUNER, BONDUPDATER |
| 2017–2018 | Extended OilRig campaigns | Telecoms, Gulf States governments | OWA compromise, spear-phishing | TWOFACE, SEASHARPEE, POWRUNER |
| 2019 | Lab Dookhtegan tool leak | — | — | Source code of JASON, HYPERSHELL, GLIMPSE published on Telegram |
| 2019–2020 | Exchange/OWA campaign | Banks, Middle East governments | OWA exploitation | TWOFACE, credential harvesting |
| 2021–2022 | Jordan campaign | Government entities | Spear-phishing | SAITAMA |
| 2022–2023 | Extended Middle East campaign | Governments, energy | Spear-phishing, VPN exploitation | MENORAH |
| 2024 | Iraq campaign | Government, telecoms, NGOs | Spear-phishing, web shell | VEATY, SPEARAL |
| 2024–2025 | Earth Simnavaz (Trend Micro) | UAE, Gulf States | Exchange exploitation, CVE-2024-30088 (Windows Kernel EoP) | .NET backdoor, ASPX web shell |
Note: In 2019, the hacktivist group Lab Dookhtegan (likely backed by a rival state) published the source code of several APT34 tools and infrastructure data on Telegram, forcing the group to partially renew its arsenal.
5. INDICATORS OF COMPROMISE (IOCs)
The following IOCs are sourced from public reports. Operational relevance must be assessed against publication date — APT34 regularly rotates its infrastructure.
Characteristic DNS patterns
- DNS queries with base64-encoded labels (abnormal length)
- High-frequency DNS TXT queries toward unresolved domains
- Subdomain pattern:
[base64_data].[domain].com
Historical domains (public reports)
b.tzuri.me
dns.changeip.com
windowsupdater.com
microsoftapps.net
svnwork.com
Public malware hashes (SAITAMA)
SHA256: 687c5ce1fe1f8fb8ab1e1fb1b3e2d8c5b2eaf2d2e5e6c7a3b4f5e6d7c8b9a0f1
(symbolic hash — refer to Malwarebytes/ESET reports for verified hashes)
Abnormal User-Agents observed
python-requests/2.x
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Recommended real-time IOC sources
- MISP (APT34 community feeds)
- OpenCTI (public feeds)
- AlienVault OTX: https://otx.alienvault.com (search “OilRig” / “APT34”)
- MITRE ATT&CK G0049: https://attack.mitre.org/groups/G0049/
6. DETECTION & COUNTERMEASURES (MITRE ATT&CK)
Priority detection rules
DNS Tunneling (T1048.001 / T1071.004)
Detect:
- DNS queries with high label entropy (Shannon entropy > 3.5)
- Abnormally high DNS TXT query volume per endpoint
- DNS labels > 50 characters
- DNS TXT responses containing base64-encoded content
Tools: Zeek (dns.log), Suricata (DNS rules), Elastic SIEM
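Added example (not from the profile or any vendor tooling): the label-length, label-entropy and per-endpoint TXT-volume rules above applied to constructed records shaped like four Zeek dns.log fields. The 3.5-bit and 50-character thresholds are the ones stated above; the TXT-volume figure and the sample hosts are assumptions for the demo.

```python
import base64
import math
from collections import Counter

# Thresholds taken from the detection rule above; the per-endpoint TXT volume
# figure is an assumed tuning value for this sample, not from the profile.
ENTROPY_THRESHOLD = 3.5
LABEL_LEN_THRESHOLD = 50
TXT_VOLUME_THRESHOLD = 3

def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def _chunk_label(data):
    """Base64 a chunk without padding, as a tunneling client would for a label."""
    return base64.b64encode(data).decode().rstrip("=")

# Constructed sample with four Zeek dns.log fields
# (ts, id.orig_h, query, qtype_name); not real telemetry.
SAMPLE_DNS_LOG = "\n".join(
    ["1700000000.1\t10.0.0.5\twww.example.com\tA",
     "1700000000.2\t10.0.0.5\tmail.example.com\tMX"]
    + [f"170000000{i}.0\t10.0.0.9\t"
       f"{_chunk_label(b'host=WS01;user=admin;domain=CORP;seq=%d;file=pw' % i)}"
       ".c2.example.net\tTXT" for i in range(1, 4)]
)

def parse_records(text):
    """Parse the tab-separated sample into dicts; skips Zeek '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, query, qtype = line.split("\t")
        records.append({"ts": float(ts), "src": src, "query": query, "qtype": qtype})
    return records

def analyze(records):
    """Apply the two per-query rules and the per-endpoint TXT volume rule."""
    alerts, txt_per_src = [], Counter()
    for r in records:
        label = r["query"].split(".")[0]  # leftmost label carries the tunneled data
        if len(label) > LABEL_LEN_THRESHOLD:
            alerts.append({"src": r["src"], "rule": "long_label", "query": r["query"]})
        if shannon_entropy(label) > ENTROPY_THRESHOLD:
            alerts.append({"src": r["src"], "rule": "high_entropy", "query": r["query"]})
        if r["qtype"] == "TXT":
            txt_per_src[r["src"]] += 1
    for src, n in txt_per_src.items():
        if n >= TXT_VOLUME_THRESHOLD:
            alerts.append({"src": src, "rule": "txt_volume", "query": f"{n} TXT queries"})
    return alerts
```

On real dns.log output, feed the `query` and `qtype_name` columns and bucket the TXT count per source over a time window rather than over the whole file.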
Web Shell (T1505.003)
Detect:
- Creation of .aspx/.php files in Exchange/OWA web directories
- w3wp.exe or httpd spawning cmd.exe / powershell.exe
- HTTP access to .aspx files not referenced in the application
Tools: Sysmon (Event ID 1, 11), EDR process tree analysis
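Added example (not from the profile or from Sysmon itself): the two Sysmon-based rules above, a web server process spawning a shell (Event ID 1) and a server-side script dropped into an Exchange web directory (Event ID 11), run over constructed event records. The watched directories are assumed Exchange and IIS paths; adjust them to the install path in use.

```python
import ntpath

WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "httpd.exe"}
SHELL_PROCS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_SHELL_EXTS = {".aspx", ".asp", ".ashx", ".php"}
# Assumed web roots to watch (lower-cased); adjust to the Exchange install path.
WATCHED_DIRS = (
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth",
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy\ecp\auth",
    r"c:\inetpub\wwwroot\aspnet_client",
)

def _basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()

def check_event(ev):
    """Return a finding dict for one Sysmon event, or None if it is benign."""
    if ev["EventID"] == 1:  # process creation: look at the parent/child pair
        if (_basename(ev["ParentImage"]) in WEB_SERVER_PROCS
                and _basename(ev["Image"]) in SHELL_PROCS):
            return {"rule": "webserver_spawned_shell", "detail": ev["CommandLine"]}
    elif ev["EventID"] == 11:  # file creation: script extension under a web root
        target = ev["TargetFilename"].lower()
        if (ntpath.splitext(target)[1] in WEB_SHELL_EXTS
                and any(target.startswith(d + "\\") for d in WATCHED_DIRS)):
            return {"rule": "webshell_file_dropped", "detail": ev["TargetFilename"]}
    return None

def scan(events):
    """Run check_event over a batch and keep only the findings."""
    return [f for f in (check_event(e) for e in events) if f]

# Constructed Sysmon records (only the Event ID 1 / 11 fields used here); not real telemetry.
SAMPLE_SYSMON = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "whoami /all"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\healthcheck.aspx"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\Temp\install.log"},
]
```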
Exchange Credential Harvesting (T1114)
Detect:
- OWA access from unusual IPs/ASNs
- Mailbox export via EWS (Exchange Web Services) outside legitimate processes
- Creation of mail forwarding rules to external addresses
Obfuscated PowerShell (T1059.001 / T1027)
Detect:
- PowerShell with -EncodedCommand encoding
- Invocation of [System.Reflection.Assembly]::Load
- Abnormal escape characters in scripts
Sigma rule: https://github.com/SigmaHQ/sigma (search OilRig)
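Added example (not from the profile or from SigmaHQ): the three PowerShell indicators above applied to a process command line. It decodes the UTF-16LE base64 payload behind -EncodedCommand and its short forms, then checks the decoded script for the reflective Assembly::Load call and for backtick escapes inside tokens. The sample command lines are constructed, and the backtick count threshold is an assumed value.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the usual ones.
ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
ASSEMBLY_LOAD = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I)
BACKTICK_IN_TOKEN = re.compile(r"\w`(?=\w)")  # I`E`X-style escapes splitting a token
BACKTICK_THRESHOLD = 2                        # assumed tuning value, not from the profile

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_cmdline(cmdline):
    """Apply the profile's three indicators; returns (findings, script that was inspected)."""
    findings = []
    script = decode_encoded_command(cmdline)
    if script is not None:
        findings.append("encoded_command")
    else:
        script = cmdline  # no encoding: inspect the plain command line
    if ASSEMBLY_LOAD.search(script):
        findings.append("assembly_load")
    if len(BACKTICK_IN_TOKEN.findall(script)) >= BACKTICK_THRESHOLD:
        findings.append("backtick_escapes")
    return findings, script

# Constructed samples (not real APT34 artefacts): an encoded one-liner that
# references Assembly::Load and hides IEX behind backticks, and a benign script run.
_SCRIPT = "[System.Reflection.Assembly]::Load($b);I`E`X $x"
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -enc "
                  + base64.b64encode(_SCRIPT.encode("utf-16-le")).decode())
BENIGN_CMDLINE = r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Get-Inventory.ps1"
```

Sysmon Event ID 1 and Windows 4688 both carry the full command line; ScriptBlock Logging (Event ID 4104) gives the same decoded content without the base64 step.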
Recommended countermeasures
- DNS filtering: Deploy an inspection-capable DNS resolver (enterprise Pi-hole, Infoblox, Cisco Umbrella) — top priority against DNS tunneling
- Exchange / OWA: Restrict EWS access to legitimate clients only, enable advanced Exchange audit logging
- MFA: Enforce MFA on all exposed OWA/Exchange access (absolute priority)
- Segmentation: Isolate Exchange servers from the rest of the network, restrict outbound DNS flows to authorized resolvers only
- EDR: Enable PowerShell telemetry (ScriptBlock Logging, Module Logging, Transcription)
- Threat Hunting: Proactive hunting on DNS tunneling patterns and unreferenced ASPX web shells
SOURCES
- Mandiant / Google — APT34 threat actor profile: https://www.mandiant.com/resources/insights/apt-groups
- MITRE ATT&CK — G0049 OilRig: https://attack.mitre.org/groups/G0049/
- CrowdStrike — Helix Kitten adversary profile: https://www.crowdstrike.com/adversaries/helix-kitten/
- Palo Alto Unit42 — OilRig campaign analysis: https://unit42.paloaltonetworks.com/tag/oilrig/
- ESET Research — OilRig tooling analysis: https://www.welivesecurity.com
- Trend Micro — Earth Simnavaz (2024): https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz.html
- Check Point Research — VEATY & SPEARAL (2024): https://research.checkpoint.com
- Malwarebytes — SAITAMA backdoor analysis (2022): https://www.malwarebytes.com/blog/threat-intelligence
- Lab Dookhtegan leak — Telegram (2019) — archived via OSINT sources
- AlienVault OTX — APT34/OilRig IOCs: https://otx.alienvault.com/browse/global/pulses?q=APT34
- SigmaHQ — OilRig detection rules: https://github.com/SigmaHQ/sigma