OilRig
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 1 report, 134 attack patterns (MITRE), 30 malware, 11 sectors, 13 countries, 100 indicators, 1 vulnerability (CVE), 11 tools
Aliases
COBALT GYPSY, IRN2, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13, TA452, Crambus, Earth Simnavaz, APT34
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- Trend Micro Earth Simnavaz October 2024
- Palo Alto OilRig Oct 2016
- Check Point APT34 April 2021
- Secureworks COBALT GYPSY Threat Profile
- FireEye APT34 Dec 2017
- Microsoft Threat Actor Naming July 2023
- Unit 42 QUADAGENT July 2018
- Unit42 OilRig Playbook 2023
- ClearSky OilRig Jan 2017
- Palo Alto OilRig April 2017
- Proofpoint Iranian Aligned Attacks JAN 2020
- Symantec Crambus OCT 2023
- Unit 42 Playbook Dec 2017
- IBM ZeroCleare Wiper December 2019
- Palo Alto OilRig May 2016
- Crowdstrike Helix Kitten Nov 2018
- mitre-attack (G0049)
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
- 1 CVE, 18 MITRE attack patterns, 3 malware, 5 observables, 1 APT
Attack patterns (MITRE) (134)
- T1005 uses Data from Local System (MITRE)
- T1106 uses Native API (MITRE)
- T1583 uses Acquire Infrastructure (MITRE)
- T1588.003 (MITRE)
- T1574 uses Hijack Execution Flow (MITRE)
- T1071.001 uses Web Protocols (MITRE)
- T1497 uses Virtualization/Sandbox Evasion (MITRE)
- T1203 uses Exploitation for Client Execution (MITRE)
- T1053 uses Scheduled Task/Job (MITRE)
- T1555.004 uses Windows Credential Manager (MITRE)
- T1132.001 uses Standard Encoding (MITRE)
- T1560 uses Archive Collected Data (MITRE)
Malware (30)
- QUADAGENT (S0269) uses · Family
- Spearal uses · Source: AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- SampleCheck5000 uses
- SEASHARPEE uses · Family · Source: The MITRE Corporation · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
  [SEASHARPEE](https://attack.mitre.org/software/S0185) is a Web shell that has been used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: FireEye APT34 Webinar Dec 2017)
- OilBooster uses
- CacheHttp uses · Family
- STEALHOOK uses · Family
- CmEx uses
- BONDUPDATER uses
- C#/.NET uses
- Saitama uses · Source: AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- ZeroCleare uses · Family · Source: The MITRE Corporation · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
  [ZeroCleare](https://attack.mitre.org/software/S1151) is a wiper malware that has been used in conjunction with the [RawDisk](https://attack.mitre.org/software/S0364) driver since at least 2019 by suspected Iran-nexus threat actors including activity targeting the…
Sectors (11)
- Government (targeted)
- Energy (targeted)
- Diplomacy (targeted)
- Finance (targeted)
- Chemical (targeted)
- Telecommunications (targeted)
- Defense ministries (including the military) (targeted)
- Manufacturing (targeted)
- Education (targeted)
- Technology (targeted)
- Healthcare (targeted)
Countries (13)
- United Kingdom of Great Britain and Northern Ireland (targeted)
- United States of America (targeted)
- United Arab Emirates (targeted)
- Türkiye (targeted)
- China (targeted)
- Jordan (targeted)
- Iraq (targeted)
- Israel (targeted)
- Oman (targeted)
- Lebanon (targeted)
- Albania (targeted)
- Kuwait (targeted)
Indicators (100)
- stix · 100/100 · Revoked · Valid until 22/01/2025 · Source: AlienVault
- stix · 100/100 · Revoked · SHA256 of 66bd8db40f4169c7f0fca3d5d15c978efe143cf8 · Valid until 07/06/2026 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 22/01/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 22/01/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 08/05/2024 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 16/09/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 10/10/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 11/05/2024 · Source: AlienVault
- stix · 100/100 · Revoked · #LOWFI:HSTR:MSIL/Obfuscator.Confuser.C · Valid until 08/05/2024 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 22/01/2025 · Source: AlienVault
- stix · 100/100 · Revoked · stack_string · Valid until 16/09/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 22/01/2025 · Source: AlienVault
Vulnerabilities (CVE) (1)
- Microsoft Windows Kernel contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that could allow for privilege escalation.
  - Attack vector: Local
  - Published: 15/10/2024
  - Modified: 21/12/2025
Tool (11)
- Tasklist uses · Source: The MITRE Corporation · Confidence 100
  The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It…
- Reg uses · Source: The MITRE Corporation · Confidence 100
  [Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation:…
- Systeminfo uses · Source: The MITRE Corporation · Confidence 100
  [Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)
- Net uses · Source: The MITRE Corporation · Confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- LaZagne uses · Source: The MITRE Corporation · Confidence 100
  [LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
- certutil uses · Source: The MITRE Corporation · Confidence 100
  [certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)
- ipconfig uses · Source: The MITRE Corporation · Confidence 100
  [ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
- PsExec uses · Source: The MITRE Corporation · Confidence 100
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS…
- ngrok uses · Source: The MITRE Corporation · Confidence 100
  [ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public…
- ftp uses · Source: The MITRE Corporation · Confidence 100
  [ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a…
- Mimikatz uses · Source: The MITRE Corporation · Confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…