
Threat Actor Characterization

Helix Kitten

ID: 3378be4c9a378e93cbecf8212e7a0fce56728
Cybercrime State-Sponsored
Threat types: Phishing, Malware, Data Theft
Iran UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 38% Completeness: 33% Freshness: 50%
Operation zone: UNKNOWN
Aliases: APT34, OilRig
MITRE ATT&CK®

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. Ref: https://attack.mitre.org/groups/G0049/


Technique | Technique name | Tactics (evidence for each mapping is listed beneath the row)
T1003.001 LSASS Memory TA0006
  • OS Credential Dumping: LSASS Memory - OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.
T1003.004 LSA Secrets TA0006
  • OS Credential Dumping: LSA Secrets - OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.
T1003.005 Cached Domain Credentials TA0006
  • OS Credential Dumping: Cached Domain Credentials - OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.
T1021.001 Remote Desktop Protocol TA0008
  • Remote Services: Remote Desktop Protocol - OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.
T1021.004 SSH TA0008
  • Remote Services: SSH - OilRig has used PuTTY to access compromised systems.
T1027.005 Indicator Removal from Tools TA0005
  • Obfuscated Files or Information: Indicator Removal from Tools - OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.
T1027.013 Encrypted/Encoded File TA0005
  • Obfuscated Files or Information: Encrypted/Encoded File - OilRig has encrypted and encoded data in its malware, including by using base64. During Outer Space, OilRig deployed VBS droppers with obfuscated strings.
T1036.005 Match Legitimate Resource Name or Location TA0005
  • Match Legitimate Resource Name or Location - OilRig has named a downloaded copy of the Plink tunneling utility as \ProgramData\Adobe.exe.
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol TA0010
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol - OilRig has exfiltrated data via Microsoft Exchange and over FTP separately from its primary C2 channel over DNS.
T1053.005 Scheduled Task TA0002 TA0003 TA0004
  • Scheduled Task/Job: Scheduled Task - OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines. During Juicy Mix, OilRig used VBS droppers to schedule tasks for persistence.
T1056.001 Keylogging TA0006 TA0009
  • Input Capture: Keylogging - OilRig has employed keyloggers including KEYPUNCH and LONGWATCH.
T1059.001 PowerShell TA0002
  • PowerShell - OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents. During Juicy Mix, OilRig used a PowerShell script to steal credentials.
T1059.003 Windows Command Shell TA0002
  • Windows Command Shell - OilRig has used macros to deliver malware such as QUADAGENT and OopsIE. OilRig has used batch scripts.
T1059.005 Visual Basic TA0002
  • Visual Basic - OilRig has used VBScript macros for execution on compromised hosts. During Outer Space, OilRig used VBS droppers to deploy malware. During Juicy Mix, OilRig used VBS droppers to deliver and establish persistence for the Mango backdoor.
T1069.001 Local Groups TA0007
  • Permission Groups Discovery: Local Groups - OilRig has used net localgroup administrators to find local administrators on compromised systems.
T1069.002 Domain Groups TA0007
  • Permission Groups Discovery: Domain Groups - OilRig has used net group /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to find domain group permission settings.
T1070.004 File Deletion TA0005
  • Indicator Removal: File Deletion - OilRig has deleted files associated with their payload after execution.
T1071.001 Web Protocols TA0011
  • Application Layer Protocol: Web Protocols - OilRig has used HTTP for C2. During Outer Space, OilRig used HTTP to communicate between installed backdoors and compromised servers, including via the Microsoft Exchange Web Services API. During Juicy Mix, OilRig used a VBS script to send POST requests to register installed malware with C2.
T1071.004 DNS TA0011
  • Application Layer Protocol: DNS - OilRig has used DNS for C2, including the publicly available requestbin.net tunneling service.
T1074.001 Local Data Staging TA0009
  • Data Staged: Local Data Staging - During Juicy Mix, OilRig used browser data and credential stealer tools to stage stolen files named Cupdate, Eupdate, and IUpdate in the %TEMP% directory.
T1078.002 Domain Accounts TA0001 TA0003 TA0004 TA0005
  • Domain Accounts - OilRig has used an exfiltration tool named STEALHOOK to retrieve valid domain credentials.
T1087.001 Local Account TA0007
  • Account Discovery: Local Account - OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.
T1087.002 Domain Account TA0007
  • Account Discovery: Domain Account - OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.
T1132.001 Standard Encoding TA0011
  • Data Encoding: Standard Encoding - During Juicy Mix, OilRig used a VBS script to send the Base64-encoded name of the compromised computer to C2.
T1137.004 Outlook Home Page TA0003
  • Office Application Startup: Outlook Home Page - OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.
T1204.001 Malicious Link TA0002
  • User Execution: Malicious Link - OilRig has delivered malicious links to achieve execution on the target system.
T1204.002 Malicious File TA0002
  • User Execution: Malicious File - OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.
T1218.001 Compiled HTML File TA0005
  • System Binary Proxy Execution: Compiled HTML File - OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.
T1497.001 System Checks TA0005 TA0007
  • Virtualization/Sandbox Evasion: System Checks - OilRig has used macros to verify whether a mouse is connected to a compromised machine.
T1505.003 Web Shell TA0003
  • Server Software Component: Web Shell - OilRig has used web shells, often to maintain access to a victim network.
T1543.003 Windows Service TA0003 TA0004
  • Create or Modify System Process: Windows Service - OilRig has used a compromised Domain Controller to create a service on a remote host.
T1552.001 Credentials In Files TA0006
  • Unsecured Credentials: Credentials In Files - OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.
T1553.002 Code Signing TA0005
  • Subvert Trust Controls: Code Signing - OilRig has signed its malware with stolen certificates.
T1555.003 Credentials from Web Browsers TA0006
  • Credentials from Web Browsers - OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. OilRig has also used a tool named PICKPOCKET to dump passwords from web browsers. During Juicy Mix, OilRig used CDumper (Chrome browser) and EDumper (Edge browser) to collect credentials.
T1555.004 Windows Credential Manager TA0006
  • Windows Credential Manager - OilRig has used a credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager. During Juicy Mix, OilRig used a Windows Credential Manager stealer for credential access.
T1556.002 Password Filter DLL TA0003 TA0005 TA0006
  • Modify Authentication Process: Password Filter DLL - OilRig has registered a password filter DLL in order to drop malware.
T1562.004 Disable or Modify System Firewall TA0005
  • Impair Defenses: Disable or Modify System Firewall - OilRig has modified Windows firewall rules to enable remote access.
T1566.001 Spearphishing Attachment TA0001
  • Phishing: Spearphishing Attachment - OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.
T1566.002 Spearphishing Link TA0001
  • Phishing: Spearphishing Link - OilRig has sent spearphishing emails with malicious links to potential victims.
T1566.003 Spearphishing via Service TA0001
  • Phishing: Spearphishing via Service - OilRig has used LinkedIn to send spearphishing links.
T1573.002 Asymmetric Cryptography TA0011
  • Encrypted Channel: Asymmetric Cryptography - OilRig used the PowerExchange utility and other tools to create tunnels to C2 servers.
T1583.001 Domains TA0042
  • Acquire Infrastructure: Domains - OilRig has set up fake VPN portals, conference sign-ups, and job application websites to target victims.
T1584.004 Server TA0042
  • Compromise Infrastructure: Server - During Outer Space, OilRig compromised an Israeli human resources site to use as a C2 server. During Juicy Mix, OilRig compromised an Israeli job portal to use as a C2 server.
T1585.003 Cloud Accounts TA0042
  • Establish Accounts: Cloud Accounts - During Outer Space, OilRig created M365 email accounts to be used as part of C2.
T1586.002 Email Accounts TA0042
  • Compromise Accounts: Email Accounts - OilRig has compromised email accounts to send phishing emails.
T1587.001 Malware TA0042
  • Develop Capabilities: Malware - OilRig actively developed and used a series of downloaders during 2022. For Outer Space, OilRig created new implants including the Solar backdoor. For Juicy Mix, OilRig improved on Solar by developing the Mango backdoor.
T1588.002 Tool TA0042
  • Obtain Capabilities: Tool - OilRig has made use of publicly available tools including Plink and Mimikatz.
T1588.003 Code Signing Certificates TA0042
  • Obtain Capabilities: Code Signing Certificates - OilRig has obtained stolen code signing certificates to digitally sign malware.
T1608.001 Upload Malware TA0042
  • Stage Capabilities: Upload Malware - OilRig has hosted malware on fake websites designed to target specific audiences.