Mallory
Malware · Used by 1 actor

PowerExchange

PowerExchange is a backdoor attributed to OilRig (also tracked as APT34 and Hazel Sandstorm), an Iranian cyber-espionage group. It was publicly documented in 2023 and was used in attacks against organizations in the Middle East, including activity against Israeli organizations.

Its defining trait is an email-based command-and-control channel: the operator delivers commands by email, the implant executes them and returns the results by email, and files are exfiltrated over that same channel. Reporting specifically notes that, unlike some related OilRig tooling, PowerExchange sends its messages through the victimized organization's own Microsoft Exchange Server to the attacker's email account, so the traffic leaves the network as ordinary outbound mail from a legitimate server rather than as a direct connection to attacker infrastructure.

PowerExchange has been discussed alongside the OilRig backdoor MrPerfectionManager, with both described as using email-based C2 protocols for exfiltration. Later OilRig tooling such as Veaty and Spearal has been noted to share lineage with earlier implants including Karkoff and PowerExchange, and PowerExchange is also cited in discussions of Exchange-related threats and long-lived email exfiltration implants.

The high-confidence behavioral details available from the public reporting summarized here are limited to three points: email-based C2, return of command execution results by email, and file exfiltration through the email channel. ATT&CK entries below whose evidence names other families or tools should be read as tactic-level context, not as observed PowerExchange behavior.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

OilRig

The 2023 attacks targeting organizations in the Middle East with the PowerExchange and MrPerfectionManager backdoors.

Source: ESET WeLiveSecurity blog (welivesecurity.com)
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

“Exploitation of Exchange vulnerabilities to execute arbitrary code (deploy web shells) on the server”

Execution

1 technique
T1059.001 PowerShell (evidence: 1)

Defense Evasion

1 technique
T1140 Deobfuscate/Decode Files or Information (evidence: 3)

The supporting evidence is generic ATT&CK procedure text about malware and actors decoding, decrypting or deobfuscating payloads, strings, configuration data, commands and C2 traffic before use, e.g. 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.' None of it names PowerExchange, so treat this mapping as inferred rather than observed.

Command and Control

4 techniques
T1071.003 Mail Protocols (evidence: 1)

This is the technique most directly supported by the reporting: PowerExchange's C2 and its exfiltration both ride on email sent through the victim's Exchange Server.

T1102 Web Service (evidence: 1)

'By using well-known cloud service providers for command-and-control communication, the goal is to blend with authentic network traffic and cover up the group's attack infrastructure.' This describes OilRig's use of cloud services for C2 in general; the PowerExchange description on this page does not mention a web-service channel.

T1105 Ingress Tool Transfer (evidence: 1)
T1572 Protocol Tunneling (evidence: 1)

'Cobalt Group has used the Plink utility to create SSH tunnels. FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers. OilRig used the PowerExchange utility and other tools to create tunnels to C2 servers.' The first two procedures concern other groups, and in MITRE ATT&CK the OilRig procedure example for T1572 names the Plink utility rather than PowerExchange; the page's own description of PowerExchange does not include tunneling, so this mapping is weakly supported.

Exfiltration

2 techniques
T1041 Exfiltration Over C2 Channel (evidence: 5)

PowerExchange exfiltrates files over the same email channel it uses for C2, which is the behavior this technique captures. The remaining evidence is generic ATT&CK procedure text for other families: 'ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.'

T1048 Exfiltration Over Alternative Protocol (evidence: 2)

The cited procedures are again for other families, but they illustrate the same class of channel: 'Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels... CURIUM has used IMAP and SMTPS for exfiltration via tools such as IMAPLoader... Kevin can send data from the victim host through a DNS C2 channel... NightClub can use SMTP and DNS for file exfiltration and C2.' For PowerExchange the 'alternative protocol' is mail relayed by the victim's own Exchange Server, so egress detection should look at the mail flow itself rather than at connections to unusual hosts.
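Because the C2 and exfiltration traffic described above (T1071.003, T1041, T1048) leaves the network as ordinary outbound mail from the organization's own Exchange Server, the most direct hunting surface is the Exchange message tracking log rather than firewall or proxy telemetry. The following Python is an added example for this page, not PowerExchange's own code and not taken from the ESET or ATT&CK sources: it parses message tracking CSV lines and flags an internal mailbox that repeatedly sends to a single external address at a steady cadence, noting a constant subject and any message large enough to be carrying a file. The domain corp.example, the log lines, and the thresholds are all constructed assumptions to be tuned against real data.

```python
"""Hunt Exchange message tracking logs for an email-relayed C2/exfiltration
pattern: one internal mailbox repeatedly sending to one external address at a
steady cadence, with a constant subject and at least one large message.

Added example for this page; not PowerExchange's own code and not taken from
the cited reports. Assumptions: the victim domain is corp.example, the log
lines below are constructed, and the thresholds are starting points to tune.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "corp.example"  # assumption: the organization's own mail domain

# Exchange message tracking CSV columns (the leading subset; real logs carry
# more trailing columns, which csv.DictReader tolerates).
HEADER = ("date-time,client-ip,client-hostname,server-ip,server-hostname,"
          "source-context,connector-id,source,event-id,internal-message-id,"
          "message-id,network-message-id,recipient-address,recipient-status,"
          "total-bytes,recipient-count,related-recipient-address,reference,"
          "message-subject,sender-address,return-path,message-info,directionality")


def _row(ts, msgid, rcpt, size, subject, sender, connector="Outbound to Internet"):
    """Build one constructed SEND log line using the column layout above."""
    return (f"{ts},10.0.0.5,EX01,10.0.0.5,EX01,,{connector},SMTP,SEND,{msgid},"
            f"<{msgid}@corp.example>,net{msgid},{rcpt},250 2.6.0,{size},1,,,"
            f"{subject},{sender},{sender},,Originating")


# Constructed sample: four beacon-like messages from a service mailbox to an
# external webmail address (one about 1.2 MB), plus two benign messages.
SAMPLE_LOG = "\n".join([
    HEADER,
    _row("2023-05-02T08:00:01.000Z", 1, "ops-mailbox@webmail.example", 48213, "Update", "svc-backup@corp.example"),
    _row("2023-05-02T08:05:03.000Z", 2, "ops-mailbox@webmail.example", 51877, "Update", "svc-backup@corp.example"),
    _row("2023-05-02T08:10:02.000Z", 3, "ops-mailbox@webmail.example", 1204911, "Update", "svc-backup@corp.example"),
    _row("2023-05-02T08:15:04.000Z", 4, "ops-mailbox@webmail.example", 47990, "Update", "svc-backup@corp.example"),
    _row("2023-05-02T08:12:00.000Z", 5, "partner@vendor.example", 9102, "Re: invoice 1042", "alice@corp.example"),
    _row("2023-05-02T08:13:00.000Z", 6, "bob@corp.example", 3020, "lunch?", "alice@corp.example",
         "Intra-Organization SMTP Send Connector"),
])


def parse_tracking_log(text):
    """Parse message tracking CSV text into a list of column->value dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_internal(address):
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def find_email_c2_candidates(text, min_messages=3, window_minutes=30,
                             large_bytes=500_000):
    """Return (sender, external recipient) pairs whose outbound SEND events
    include at least min_messages within window_minutes. Each finding carries
    the evidence an analyst pivots on: message count, bytes, subject variety,
    and whether any single message was large enough to be a file exfil."""
    by_pair = defaultdict(list)
    for row in parse_tracking_log(text):
        if row.get("event-id") != "SEND":
            continue
        sender = row.get("sender-address", "").lower()
        rcpt = row.get("recipient-address", "").lower()
        if not is_internal(sender) or is_internal(rcpt):
            continue  # only internal mailbox -> external recipient is in scope
        ts = datetime.strptime(row["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        by_pair[(sender, rcpt)].append((ts, int(row.get("total-bytes") or 0),
                                        row.get("message-subject", "")))
    findings = []
    for (sender, rcpt), events in by_pair.items():
        events.sort()
        # Sliding window: does any run of min_messages fit inside the window?
        bursty = any(
            (events[i + min_messages - 1][0] - events[i][0]).total_seconds()
            <= window_minutes * 60
            for i in range(len(events) - min_messages + 1))
        if not bursty:
            continue
        sizes = [size for _, size, _ in events]
        findings.append({
            "sender": sender,
            "recipient": rcpt,
            "messages": len(events),
            "total_bytes": sum(sizes),
            "largest_bytes": max(sizes),
            "distinct_subjects": len({subj for _, _, subj in events}),
            "likely_file_exfil": max(sizes) >= large_bytes,
        })
    return sorted(findings, key=lambda f: f["total_bytes"], reverse=True)


if __name__ == "__main__":
    for finding in find_email_c2_candidates(SAMPLE_LOG):
        print(finding)
```

On real logs, feed the output of Get-MessageTrackingLog (exported as CSV) or the raw MSGTRK files, and raise the thresholds until known-good service mailboxes drop out; a single external recipient, one unchanging subject, and a size outlier against an otherwise flat cadence is the combination worth paging on, since the beaconing alone is easy to confuse with legitimate automated notifications.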
