>samit_hota
Back to adversary profiles
G0063HighActive

BlackOasis (G0063): A Persistent Cyber-Espionage Threat

Samit Hota·
Suspected Origin
Middle East
Motivation
Espionage, Information Theft
Aliases
None documented
Target Sectors
Government, Media, Think Tanks, UN, Activists, Energy
Associated Malware
FinFisher, FinSpy, Wingbird
#threat-actor#g0063

Overview

BlackOasis (G0063) is a tenacious and well-resourced cyber-espionage group, widely assessed to originate from the Middle East. This group distinguishes itself through its consistent use of highly potent zero-day exploits and sophisticated commercial surveillance software, primarily FinSpy. Their primary motivation is information theft and espionage, focusing on acquiring sensitive data from a diverse range of high-value targets globally. BlackOasis has demonstrated a clear interest in individuals and organizations involved in political and humanitarian affairs, often targeting prominent figures within the United Nations, opposition bloggers, activists, regional news correspondents, and think tanks. Broader target sectors also include government agencies, energy organizations, and news media outlets across various regions, including Afghanistan, Angola, Bahrain, Iran, Iraq, Jordan, Libya, the Netherlands, Nigeria, Russia, Saudi Arabia, Tunisia, and the UK.

The group is strongly believed to be a customer of Gamma Group, a controversial vendor known for selling “lawful interception” or surveillance software. This connection suggests a state-sponsored or at least state-aligned capability, as such powerful tools are typically acquired and deployed by nation-states for intelligence gathering. While Microsoft tracks a group called NEODYMIUM (G0055) with close operational ties to BlackOasis, direct evidence confirming them as aliases has not been definitively established.

Tactics & Techniques

BlackOasis employs a range of sophisticated tactics, techniques, and procedures (TTPs) that highlight their advanced capabilities and dedication to achieving their espionage objectives. A hallmark of their operations is the prolific use of zero-day vulnerabilities in widely used software, enabling them to bypass conventional security defenses effectively.

Initial access often begins with targeted spear-phishing campaigns. These emails are meticulously crafted, sometimes designed to appear as legitimate news articles related to political developments, such as relations between Angola and China, to trick recipients into opening malicious attachments. These attachments frequently come in the form of weaponized Microsoft Office documents, specifically RTF files, that embed and leverage the zero-day exploits.

Once an unsuspecting victim opens the malicious document, the embedded exploit is triggered, allowing BlackOasis to achieve arbitrary code execution. Over the years, they have been observed exploiting several critical vulnerabilities, including:

  • CVE-2015-5119 (Adobe Flash)
  • CVE-2016-0984 (Adobe Flash)
  • CVE-2016-4117 (Adobe Flash)
  • CVE-2017-8759 (SOAP WSDL parser code injection)
  • CVE-2017-11292 (Adobe Flash)

Their technical execution also includes obfuscation techniques, such as incorporating NOP sleds with alternative instructions in their initial shellcode to evade antivirus detection. Following successful exploitation, the shellcode downloads and executes the final payload, typically FinSpy malware, and often simultaneously displays a decoy lure document to the victim to maintain cover.

From an infrastructure perspective, BlackOasis demonstrates capabilities in acquiring and compromising infrastructure, including domains and virtual private servers, to support their operations. This allows them to host their command and control (C2) infrastructure and deliver subsequent stages of their attacks. Detection efforts have often identified suspicious DNS and web requests associated with BlackOasis-controlled domains, serving as key indicators of compromise.

Notable Campaigns

BlackOasis has been active for several years, with their first identified activities dating back to at least June 2015. Investigations by security researchers revealed their use of zero-day exploit chains (CVE-2015-5119 and CVE-2016-0984) in 2015, which were quickly patched after discovery.

A significant incident that brought BlackOasis to public attention occurred in May 2016 when they were observed leveraging another Adobe Flash zero-day, CVE-2016-4117, actively exploiting it in the wild to deliver FinSpy.

In the latter half of 2017, BlackOasis demonstrated continued sophistication by deploying multiple new zero-day exploits. In September 2017, FireEye uncovered their use of CVE-2017-8759, a SOAP WSDL parser code injection vulnerability, to install FinSpy. Shortly thereafter, in October 2017, Kaspersky Lab identified BlackOasis exploiting yet another Adobe Flash zero-day, CVE-2017-11292, delivered via a malicious Microsoft Office document, again with the ultimate goal of deploying the latest version of FinSpy malware. These incidents highlight the group’s consistent access to and willingness to deploy expensive and potent zero-day exploits, underscoring their advanced capabilities and funding.

Associated Malware & Tools

The primary and most consistently identified malware utilized by BlackOasis is FinSpy, also widely known as FinFisher. This commercial surveillanceware suite is a powerful tool designed for extensive data exfiltration and monitoring of target systems. FinSpy allows its operators to covertly access a wide range of information, including communications, files, and other sensitive data, making it ideal for espionage objectives. Its capabilities include gathering intelligence by learning what targets are discussing and with whom they are communicating.

Beyond FinSpy, there is one mention of “Wingbird” as another tool associated with the group, though details on its specific functions or observed deployment are less prominent than those of FinSpy. The group also develops and utilizes custom shellcode as part of their exploit chains to facilitate initial compromise and the subsequent delivery and execution of their primary FinSpy payload.

Current Status

BlackOasis remains an active threat. While much of the publicly detailed activity dates back to 2015-2017, their continued listing and updates within threat intelligence platforms, including a modification date of April 25, 2025, for their MITRE ATT&CK entry (G0063), indicate ongoing relevance and monitoring by the cybersecurity community. The group’s consistent use of zero-day exploits and sophisticated commercial spyware like FinSpy suggests a sustained operational capability and funding. Organizations and individuals within their targeted sectors, particularly those involved in Middle Eastern political and humanitarian affairs, should continue to consider BlackOasis a significant and active cyber-espionage threat.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call