OilRig
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 27/03/2026 01:13
- Updated at
- 27/03/2026 01:13
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 1 reports, 134 attack patterns (mitre), 30 malware, 11 sectors, 13 countries, 100 indicators, 1 vulnerabilities (cve), 11 tool
Aliases
COBALT GYPSY IRN2 Helix Kitten Evasive Serpens Hazel Sandstorm EUROPIUM ITG13 TA452 Crambus Earth Simnavaz APT34
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- Trend Micro Earth Simnavaz October 2024
- Palo Alto OilRig Oct 2016
- Check Point APT34 April 2021
- Secureworks COBALT GYPSY Threat Profile
- FireEye APT34 Dec 2017
- Microsoft Threat Actor Naming July 2023
- Unit 42 QUADAGENT July 2018
- Unit42 OilRig Playbook 2023
- ClearSky OilRig Jan 2017
- Palo Alto OilRig April 2017
- Proofpoint Iranian Aligned Attacks JAN 2020
- Symantec Crambus OCT 2023
- Unit 42 Playbook Dec 2017
- IBM ZeroCleare Wiper December 2019
- Palo Alto OilRig May 2016
- Crowdstrike Helix Kitten Nov 2018
- mitre-attack (G0049)
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
-
1 CVE 18 MITREs 3 Malwares 5 Observables 1 APT
Attack patterns (MITRE) (134)
-
T1095 usesNon-Application Layer Protocol MITRE
-
T1114 usesEmail Collection MITRE
-
T1555.003 usesCredentials from Web Browsers MITRE
-
T1199 usesTrusted Relationship MITRE
-
T1608.001 usesUpload Malware MITRE
-
Outlook Home Page uses
-
-
T1059.001 usesPowerShell MITRE
-
T1020 usesAutomated Exfiltration MITRE
-
T1083 usesFile and Directory Discovery MITRE
-
T1070.004 usesFile Deletion MITRE
-
T1569 usesSystem Services MITRE
Malware (30)
-
PowerExchange usesFamily The MITRE Corporation Confidence 100
[PowerExchange](https://attack.mitre.org/software/S1173) is a PowerShell backdoor that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2023 including against government targets in the Middle East.(Citation: Symantec Crambus OCT 2023)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Helminth usesFamily The MITRE Corporation Confidence 100
[Helminth](https://attack.mitre.org/software/S0170) is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via a macros in Excel spreadsheets, and one…
First seen 01/01/1970 · Last seen 16/11/5138 · -
QUADAGENT usesFamily The MITRE Corporation Confidence 100
[QUADAGENT](https://attack.mitre.org/software/S0269) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: Unit 42 QUADAGENT July 2018)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Solar usesFamily The MITRE Corporation Confidence 100
[Solar](https://attack.mitre.org/software/S1166) is a C#/.NET backdoor that was used by [OilRig](https://attack.mitre.org/groups/G0049) during the [Outer Space](https://attack.mitre.org/campaigns/C0042) campaign to download, execute, and exfiltrate files.(Citation: ESET OilRig Campaigns Sep 2023)
First seen 01/01/1970 · Last seen 16/11/5138 · -
SideTwist usesFamily The MITRE Corporation Confidence 100
[SideTwist](https://attack.mitre.org/software/S0610) is a C-based backdoor that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2021.(Citation: Check Point APT34 April 2021)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Helminth - S0170 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RDAT usesFamily The MITRE Corporation Confidence 100
[RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). [RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July…
First seen 01/01/1970 · Last seen 16/11/5138 · -
OilCheck usesFamily The MITRE Corporation Confidence 100
[OilCheck](https://attack.mitre.org/software/S1171) is a C#/.NET downloader that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2022 including against targets in Israel. [OilCheck](https://attack.mitre.org/software/S1171) uses draft messages created in a shared…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Karkoff usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mango usesFamily The MITRE Corporation Confidence 100
[Mango](https://attack.mitre.org/software/S1169) is a first-stage backdoor written in C#/.NET that was used by [OilRig](https://attack.mitre.org/groups/G0049) during the [Juicy Mix](https://attack.mitre.org/campaigns/C0044) campaign. [Mango](https://attack.mitre.org/software/S1169) is the successor to [Solar](https://attack.mitre.org/software/S1166) and includes additional exfiltration…
First seen 01/01/1970 · Last seen 16/11/5138 · -
POWRUNER usesFamily The MITRE Corporation Confidence 100
[POWRUNER](https://attack.mitre.org/software/S0184) is a PowerShell script that sends and receives commands to and from the C2 server. (Citation: FireEye APT34 Dec 2017)
First seen 01/01/1970 · Last seen 16/11/5138 · -
OopsIE usesFamily The MITRE Corporation Confidence 100
[OopsIE](https://attack.mitre.org/software/S0264) is a Trojan used by [OilRig](https://attack.mitre.org/groups/G0049) to remotely execute commands as well as upload/download files to/from victims. (Citation: Unit 42 OopsIE! Feb 2018)
First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (11)
-
Government targets
-
Energy targets
-
Diplomacy targets
-
Finance targets
-
Chemical targets
-
Telecommunications targets
-
Defense ministries (including the military) targets
-
Manufacturing targets
-
Education targets
-
Technology targets
-
Healthcare targets
Countries (13)
-
United Kingdom of Great Britain and Northern Ireland targets
-
United States of America targets
-
United Arab Emirates targets
-
Türkiye targets
-
China targets
-
Jordan targets
-
Iraq targets
-
Israel targets
-
Oman targets
-
Lebanon targets
-
Albania targets
-
Kuwait targets
Indicators (100)
-
stix 100/100 Revoked· Valid until 16/12/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 22/01/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 16/09/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 10/10/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 22/01/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 16/09/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 16/09/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 22/01/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 19/04/2026 · Source: AlienVault
-
stix 100/100 Revoked
SHA256 of 86da0100bb6a07a89eaa4dc3ec220e9dbd6ecf71
· Valid until 11/05/2024 · Source: AlienVault
Vulnerabilities (CVE) (1)
Microsoft Windows Kernel contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that could allow for privilege escalation.
- Attack vector
- Local
- Published
- 15/10/2024
- Modified
- 21/12/2025
Tool (11)
-
Tasklist usesThe MITRE Corporation Confidence 100
The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It…
-
Reg usesThe MITRE Corporation Confidence 100
[Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation:…
-
Systeminfo usesThe MITRE Corporation Confidence 100
[Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)
-
Net usesThe MITRE Corporation Confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
-
LaZagne usesThe MITRE Corporation Confidence 100
[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
-
certutil usesThe MITRE Corporation Confidence 100
[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)
-
ipconfig usesThe MITRE Corporation Confidence 100
[ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
-
PsExec usesThe MITRE Corporation Confidence 100
[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
-
ngrok usesThe MITRE Corporation Confidence 100
[ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public…
-
ftp usesThe MITRE Corporation Confidence 100
[ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a…
-
Mimikatz usesThe MITRE Corporation Confidence 100
[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…