OilRig
Aliases: COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. The group appears to carry out supply chain attacks, leveraging the trust relationship between organizations to reach its primary targets. The assessment that the group works on behalf of the Iranian government rests on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.
ATT&CK techniques
T1555.004 Windows Credential Manager
T1082 System Information Discovery
T1003.001 LSASS Memory
T1008 Fallback Channels
T1071.001 Web Protocols
T1059.003 Windows Command Shell
T1021.001 Remote Desktop Protocol
T1505.003 Web Shell
T1036 Masquerading
T1218.001 Compiled HTML File
T1046 Network Service Discovery
T1087.001 Local Account
T1137.004 Outlook Home Page
T1069.002 Domain Groups
T1113 Screen Capture
T1007 System Service Discovery
T1059.001 PowerShell
T1070.004 File Deletion
T1204.002 Malicious File
T1133 External Remote Services
T1201 Password Policy Discovery
T1087.002 Domain Account
T1003.004 LSA Secrets
T1140 Deobfuscate/Decode Files or Information
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
T1110 Brute Force
T1059.005 Visual Basic
T1566.002 Spearphishing Link
T1120 Peripheral Device Discovery
T1071.004 DNS
T1105 Ingress Tool Transfer
T1049 System Network Connections Discovery
T1204.001 Malicious Link
T1078 Valid Accounts
T1573.002 Asymmetric Cryptography
T1566.001 Spearphishing Attachment
T1053.005 Scheduled Task
T1119 Automated Collection
T1056.001 Keylogging
T1033 System Owner/User Discovery
T1566.003 Spearphishing via Service
T1572 Protocol Tunneling
T1047 Windows Management Instrumentation
T1021.004 SSH
T1555 Credentials from Password Stores
T1003.005 Cached Domain Credentials
T1027.013 Encrypted/Encoded File
T1069.001 Local Groups
T1552.001 Credentials In Files
T1057 Process Discovery
T1555.003 Credentials from Web Browsers
T1016 System Network Configuration Discovery
T1012 Query Registry
T1059 Command and Scripting Interpreter
T1497.001 System Checks
T1027.005 Indicator Removal from Tools
Correlated CTI and IR reports
OilRig G0049 · MITRE ATT&CK · direct source mapping
DNS Tunneling in the Wild: Overview of OilRig's DNS Tunneling · Unit 42 · actor reference
Iran-linked OilRig attacks Israeli organizations with cloud service-powered downloaders · ESET Research · actor reference
1. Executive Summary · Israel Threat Actors CTI · explicit report mention
Actor Deep Research Prompts · Israel Threat Actors CTI · explicit report mention
CTI Research: MuddyWater / Seedworm (Mango Sandstorm) · 1200km CTI repository · explicit report mention
CTI Research: MuddyWater / Seedworm (Mango Sandstorm) · 1200km CTI repository · explicit report mention
Cyber Threat Intelligence Dossier: Iranian and Hamas-Aligned Operations Targeting Israeli and Allied Ecosystems (2023-2026) · Israel Threat Actors CTI · explicit report mention
Defensive CTI Research on Threats to Israeli Government and Public-Sector Environments · Israel Threat Actors CTI · explicit report mention
Defensive Cyber Threat Intelligence Report: Israeli Critical Infrastructure and Geopolitical Escalation (2024-2026) · Israel Threat Actors CTI · explicit report mention
Executive Summary · Israel Threat Actors CTI · explicit report mention
Israel Government Threat Actors CTI: Evidentiary Foundation Intake · Israel Threat Actors CTI · explicit report mention
Malicious Activity as a Statistical Signal: A Detection Engineering Analysis of Anomaly-Based Detection · 1200km CTI repository · explicit report mention
OilRig (APT34 / Helix Kitten / Earth Simnavaz etc) · Israel Threat Actors CTI · explicit report mention
Release Notes · Israel Threat Actors CTI · explicit report mention
Report Index · Israel Threat Actors CTI · explicit report mention
Research Intake Upgrade Summary · Israel Threat Actors CTI · explicit report mention
APT and financial attacks on industrial organizations in H2 2023 · Kaspersky ICS CERT · actor context
OilRig APT 2025 · Brandefense · actor context