Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
Iran52 malware familiesExploits CVEs in the wild

OilRig

Also known asAPT34COBALT GYPSYCrambusEarth SimnavazEUROPIUMEvasive SerpensHazel SandstormHELIX KITTENIRN2ITG13OilRigTA452

OilRig is a Middle East-based threat group with suspected ties to the Iranian government. Known aliases in the provided content include APT34, Helix Kitten, Cobalt Gypsy, Crambus, Earth Simnavaz, Europium, Evasive Serpens, Hazel Sandstorm, IRN2, ITG13, and TA452. The group has targeted organizations in the aerospace, chemical, energy, financial, government, telecommunications, and transportation sectors. Reported initial access methods in the provided content include social engineering, stolen credentials, supply chain attacks, and phishing attachments. The content describes OilRig as having a preference for PowerShell-based tooling and documents use of living-off-the-land techniques. Specifically, OilRig/APT34 has been reported using Regsvr32 to execute remote COM scripts, Certutil.exe to download payloads, and PowerShell for execution. The group has delivered macro-enabled documents that required users to enable content to run the payload. The content also states that OilRig used a compromised Domain Controller to create a service on a remote host. The provided material also attributes Poison Frog and its updated version Glimpse to OilRig. Poison Frog is described as a PowerShell and sometimes .NET backdoor first observed in 2017 and used at least through 2019. It used DNS as its primary command-and-control channel and supported basic download, upload, and execute functionality. The content further references prior reporting that Turla compromised OilRig servers and used them in operations against some of OilRig victims, and separately notes that Turla used malware obtained after compromising other threat actors, including OilRig.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

59 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics78 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
2 techniques
T1584
Compromise Infrastructure
T1588
Obtain Capabilities
T1588.002
Tool
TA0001
Initial Access
4 techniques
T1078×2
Valid Accounts
T1190×3
Exploit Public-Facing Application
T1195×2
Supply Chain Compromise
T1566
Phishing
T1566.001×2
Spearphishing Attachment
TA0002
Execution
5 techniques
T1047
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1059×3
Command and Scripting Interpreter
T1059.001×7
PowerShell
T1059.003×2
Windows Command Shell
T1059.005
Visual Basic
T1059.007
JavaScript
T1203
Exploitation for Client Execution
T1204
User Execution
T1204.002×3
Malicious File
TA0003
Persistence
5 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1078×2
Valid Accounts
T1112×2
Modify Registry
T1505
Server Software Component
T1505.003×2
Web Shell
T1543
Create or Modify System Process
T1543.003×2
Windows Service
TA0004
Privilege Escalation
4 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1068×9
Exploitation for Privilege Escalation
T1078×2
Valid Accounts
T1543
Create or Modify System Process
T1543.003×2
Windows Service
TA0005
Stealth
6 techniques
T1027×3
Obfuscated Files or Information
T1027.013
Encrypted/Encoded File
T1036
Masquerading
T1070×2
Indicator Removal
T1070.004×3
File Deletion
T1078×2
Valid Accounts
T1140×2
Deobfuscate/Decode Files or Information
T1218
System Binary Proxy Execution
T1218.010×2
Regsvr32
TA0112
Defense Impairment
1 technique
T1112×2
Modify Registry
TA0006
Credential Access
3 techniques
T1003×3
OS Credential Dumping
T1056
Input Capture
T1555×2
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
T1555.005
Password Managers
TA0007
Discovery
9 techniques
T1012
Query Registry
T1016
System Network Configuration Discovery
T1033
System Owner/User Discovery
T1046
Network Service Discovery
T1057
Process Discovery
T1069
Permission Groups Discovery
T1069.002
Domain Groups
T1082
System Information Discovery
T1087
Account Discovery
T1087.002
Domain Account
T1120
Peripheral Device Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.001
Remote Desktop Protocol
T1021.002
SMB/Windows Admin Shares
TA0009
Collection
6 techniques
T1005
Data from Local System
T1056
Input Capture
T1074
Data Staged
T1115
Clipboard Data
T1119
Automated Collection
T1213
Data from Information Repositories
TA0011
Command and Control
4 techniques
T1071
Application Layer Protocol
T1071.001×3
Web Protocols
T1071.004×2
DNS
T1090
Proxy
T1090.002
External Proxy
T1105×2
Ingress Tool Transfer
T1572
Protocol Tunneling
TA0010
Exfiltration
2 techniques
T1041
Exfiltration Over C2 Channel
T1048
Exfiltration Over Alternative Protocol
T1048.003
Exfiltration Over Unencrypted Non-C2 Protocol
ARSENAL

Associated malware families

52 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
LaZagneLaZagne can obtain credentials from chats, databases, mail, and WiFi.9May 26, 2026
PICKPOCKETOilRig has also used tool named PICKPOCKET to dump passwords from web browsers.5May 26, 2026
EDumperDuring Juicy Mix, OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) to collect credentials.4Mar 18, 2026
PowerExchangethe 2023 attacks targeting organizations in the Middle East with the PowerExchange and MrPerfectionManager backdoors4Jun 14, 2026
Spearal...the group intensified operations against Iraqi government entities through a multi-stage intrusion campaign deploying novel malware families, including the Veaty and Spearal backdoors...4Mar 19, 2026

47 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

12 CVEs this actor has used in observed campaigns. 12 of them exploited in the wild.

CVE-2024-30088Windows Kernel TOCTOU Race Condition Elevation of PrivilegeIn the wildEvidence5

OilRig has exploited CVE-2024-30088 to run arbitrary code in the context of SYSTEM .

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2017-0199Microsoft Office/WordPad Remote Code Execution VulnerabilityIn the wildEvidence1

we did produce two reports revolving around the use of a zero-day exploit (CVE-2017-0199). The most notable involved an actor we refer to as BlackOasis and their usage of the exploit in-the-wild prior to its discovery.

CVE-2021-31207Post-auth Arbitrary File Write in Microsoft Exchange Server (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34473ProxyShell pre-auth SSRF in Microsoft Exchange AutodiscoverIn the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

7 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

201 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

201 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
osint team blogNews
Jun 24, 2026
The Hackers Hiding Their Commands in the Internet’s Phone Book | by Pop123 | Jun, 2026 | OSINT Team

Referenced as a prior example of DNS-over-HTTPS-based command-and-control abuse.

Read more
splunk researchNews
Jun 14, 2026
Detection: PTC Windchill Gateway Command Execution | Splunk Security Content

Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.

Read more
codebyNews
Jun 6, 2026
Скрытые C2 каналы: DNS tunneling и HTTP от атаки до детекта

Used DNS tunneling to map internal networks prior to escalating the attack.

Read more
splunk researchNews
May 20, 2026
Detection: Cisco IOS XE Guestshell Activation and Destroy | Splunk Security Content

Listed in the detection annotations as a threat actor associated with this analytic context.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping59

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal52

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs12

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables201

Domains, IPs, and hashes tied to this actor, refreshed continuously.

OilRig | Mallory