>samit_hota
Back to adversary profiles
G0049HighActive

OilRig (G0049) - Iran's Persistent Cyber Espionage Arm

Samit Hota·
Suspected Origin
Iran
Motivation
Espionage, Intelligence Gathering, Geopolitical Influence, Strategic Access Development
Aliases
COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13, Earth Simnavaz, Crambus, TA452
Target Sectors
Government, Energy, Financial, Telecommunications, Chemical, Critical Infrastructure, Technology, Aerospace & Defense, Education, Hospitality
Associated Malware
Helminth, QUADAGENT, ISMAgent, STEALHOOK, OopsIE, PowerExchange, Karkoff, RDAT, SideTwist, Saitama, Solar, Mango, SampleCheck5000, GOLDIRONY, PICKPOCKET, CDumper, EDumper, MKG, ThreeDollars, BONDUPDATER, DNSMessenger, Tonedeaf, PoisonFrog
#threat-actor#g0049

Overview

OilRig, identified by MITRE as G0049, is a highly active and sophisticated Iranian state-sponsored threat group with operations dating back to at least 2014, if not earlier. Also known by aliases such as APT34, COBALT GYPSY, and Helix Kitten, this group is believed to operate on behalf of the Iranian government, with links to either the Ministry of Intelligence and Security (MOIS) or the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization.

The primary motivation behind OilRig’s campaigns is cyber espionage and intelligence gathering, aimed at supporting Iran’s geopolitical objectives, enhancing national security, and providing strategic leverage. They meticulously collect political, economic, and military intelligence, often pre-positioning access within target networks for potential future disruptive or influential operations.

OilRig casts a wide net, primarily targeting organizations across the Middle East, particularly in countries like Saudi Arabia, the UAE, and Israel, but their reach extends globally to North America, Europe, and other parts of Asia. Their targets span critical sectors including financial, government, energy (oil and gas), chemical, telecommunications, critical infrastructure, technology services, aerospace & defense, education, and hospitality. A notable characteristic of OilRig’s operations is their propensity for supply chain attacks, exploiting trusted relationships between organizations to gain access to their ultimate targets.

Tactics & Techniques

OilRig employs a comprehensive and evolving suite of tactics, techniques, and procedures (TTPs) that demonstrate their adaptability and persistence. Initial access frequently relies on carefully crafted spearphishing campaigns, often utilizing malicious attachments (e.g., weaponized Excel documents, CHM payloads), links to credential harvesting sites, or social engineering lures such as fake job offers or impersonations of legitimate service providers. They also exploit public-facing applications, including VPNs, network appliances, and unpatched SharePoint servers, and have been observed leveraging watering hole attacks.

For execution and persistence, OilRig makes extensive use of scripting interpreters like PowerShell, VBScript, and Visual Basic, often delivered via macros. They establish persistence through scheduled tasks, web shells, custom DLLs, abusing the Outlook Home Page feature, and maintaining access via remote services such as VPN, Citrix, or Outlook Web Access (OWA).

Credential theft is a cornerstone of their operations. OilRig utilizes well-known tools like Mimikatz and LaZagne, as well as custom tools such as PICKPOCKET and various browser data dumpers (CDumper, EDumper, MKG). They are adept at exploiting Microsoft Exchange servers to extract credentials. Once initial access is gained and credentials are stolen, lateral movement is achieved through remote services like SSH and Putty, compromising Domain Controllers, using tools like PsExec and ngrok, and crucially, through credential reuse across victim environments.

Defense evasion is a high priority for OilRig. They frequently employ obfuscation techniques, including Invoke Obfuscation, Base64 encoding, and string stacking, to make their malicious scripts harder to detect. The group has been observed testing malware against antivirus solutions and modifying samples to ensure evasion. They also modify Windows firewall rules and leverage legitimate cloud services (Microsoft 365, Azure, Google Drive) and encrypted web traffic for command and control (C2) to blend in with normal network activity. In some campaigns, they have even used steganography to hide commands within bitmap images.

OilRig utilizes various C2 mechanisms, prominently featuring custom DNS tunneling protocols, encrypted channels over HTTPS, and exfiltration over FTP or Microsoft Exchange. Their toolkit also includes publicly available tools like SoftPerfect Network Scanner, certutil, ngrok, and RunPE-In-Memory. They have demonstrated a capability to rapidly integrate newly disclosed vulnerabilities into their attack chain, notably exploiting CVE-2024-30088 (Windows Kernel Elevation of Privilege) in recent operations. Other exploited vulnerabilities include CVE-2017-11882 (Microsoft Office), CVE-2017-0199 (Microsoft Office/WordPad), CVE-2020-0688 (Microsoft Exchange), CVE-2018-15982 (Adobe Flash Player), and CVE-2019-0604 (Microsoft SharePoint).

Notable Campaigns

OilRig has a documented history of impactful campaigns:

  • Helminth Backdoor Campaign (2016): This marked OilRig’s initial prominence, primarily targeting financial institutions, technology organizations, and the defense industry in Saudi Arabia through spearphishing with malicious Excel attachments.
  • QUADAGENT Deployment (Mid-2018): This campaign saw the deployment of the PowerShell-based QUADAGENT backdoor against technology providers and government entities in the Middle East, showcasing a shift towards exploiting inter-organizational dependencies.
  • LinkedIn Phishing Campaign (2019): OilRig utilized fake Cambridge University credentials in targeted phishing to lure victims into opening malicious documents.
  • DNSMessenger Operation (2019): This operation involved using DNS tunneling to exfiltrate sensitive data from oil and gas companies in the Gulf region, marking an early foray into covert C2 methodologies.
  • “Outer Space” (2021) and “Juicy Mix” (2022) Campaigns: ESET researchers documented these campaigns, which exclusively targeted Israeli organizations. “Outer Space” introduced the Solar backdoor and SampleCheck5000 downloader, while “Juicy Mix” leveraged the improved Mango backdoor, often compromising legitimate Israeli websites for C2.
  • Late 2024 / Early 2025 Activities: These recent campaigns focused on Gulf-state government entities, particularly in the UAE. OilRig exploited the Windows Kernel vulnerability CVE-2024-30088 for privilege escalation and deployed the STEALHOOK backdoor to exfiltrate credentials from on-premises Microsoft Exchange servers. This period also saw significant cloud credential harvesting and the abuse of Microsoft 365 and Azure for persistence.
  • 2025 Oil and Energy Espionage Drive: OilRig conducted sustained intrusions against energy and defense companies across Europe and the Middle East, utilizing compromised Microsoft 365 accounts and Azure persistence.

Associated Malware & Tools

OilRig possesses an extensive and continually updated arsenal of custom malware and legitimate tools:

  • Backdoors and Implants: Helminth, QUADAGENT, ISMAgent, STEALHOOK, OopsIE, PowerExchange, Karkoff, RDAT (known for using steganography), SideTwist, Saitama, Solar, Mango (an evolution of Solar), BONDUPDATER, DNSMessenger, Tonedeaf, PoisonFrog, Alma Communicator, Dustman, ISMDoor, Jason, LIONTAIL, MrPerfectInstaller, Nautilus, Neuron, POWBAT, RGDoor, SEASHARPEE, StoneDrill, TwoFace, VALUEVAULT, Webmask, ZeroCleare, and custom C# backdoors.
  • Downloaders and Droppers: SampleCheck5000 (SC5k), Clayslide, ThreeDollars.
  • Credential Dumpers and Stealers: Mimikatz, LaZagne, PICKPOCKET, CDumper, EDumper, MKG.
  • Reconnaissance and Network Tools: SoftPerfect Network Scanner, GOLDIRONY, ipconfig, net, netstat, systeminfo, tasklist, PsList.
  • Tunneling and Remote Access Tools: Plink, ngrok, PowerExchange, Fox Pane.
  • Other Utilities: certutil, Reg, WinRAR, various custom PowerShell scripts, and “Living off the Land” techniques.

Current Status

OilRig remains an Active and evolving threat actor. Recent intelligence indicates a continued high level of activity, with operations observed into late 2024 and early 2025. The group continuously refines its TTPs, adapts its toolset, and rapidly incorporates new vulnerabilities, such as the exploitation of CVE-2024-30088 in recent campaigns. There are also indications that OilRig is leveraging AI technologies to enhance its cyberattack capabilities. This consistent evolution, coupled with their strategic alignment with Iranian state interests and broad targeting, ensures OilRig remains a critical concern for cybersecurity professionals, especially those protecting entities in the Middle East and sectors vital to global infrastructure and economy.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call