OilRig
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities
- 1 report, 134 attack patterns (MITRE), 30 malware, 11 sectors, 13 countries, 100 indicators, 1 vulnerability (CVE), 11 tools
Aliases
COBALT GYPSY, IRN2, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13, TA452, Crambus, Earth Simnavaz, APT34
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- Trend Micro Earth Simnavaz October 2024
- Palo Alto OilRig Oct 2016
- Check Point APT34 April 2021
- Secureworks COBALT GYPSY Threat Profile
- FireEye APT34 Dec 2017
- Microsoft Threat Actor Naming July 2023
- Unit 42 QUADAGENT July 2018
- Unit42 OilRig Playbook 2023
- ClearSky OilRig Jan 2017
- Palo Alto OilRig April 2017
- Proofpoint Iranian Aligned Attacks JAN 2020
- Symantec Crambus OCT 2023
- Unit 42 Playbook Dec 2017
- IBM ZeroCleare Wiper December 2019
- Palo Alto OilRig May 2016
- Crowdstrike Helix Kitten Nov 2018
- mitre-attack (G0049)
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
- 1 CVE, 18 MITRE attack patterns, 3 malware, 5 observables, 1 APT
Attack patterns (MITRE) (134)
- T1134 Access Token Manipulation (uses; source: MITRE)
- T1071.004 DNS (uses; source: MITRE)
- T1497.001 System Checks (uses; source: MITRE)
- T1586.002 Email Accounts (uses; source: MITRE)
- T1102 Web Service (uses; source: MITRE)
- T1555 Credentials from Password Stores (uses; source: MITRE)
- T1115 Clipboard Data (uses; source: MITRE)
- T1059.003 Windows Command Shell (uses; source: MITRE)
- T1021.004 SSH (uses; source: MITRE)
- T1059.005 Visual Basic (uses; source: MITRE)
- T1105 Ingress Tool Transfer (uses; source: MITRE)
Malware (30)
- QUADAGENT (S0269) · uses · source: AlienVault · confidence 100
- Spearal · uses · source: AlienVault · confidence 100
- SampleCheck5000 · uses · Family · source: The MITRE Corporation · confidence 100
[SampleCheck5000](https://attack.mitre.org/software/S1168) is a downloader with multiple variants that was used by [OilRig](https://attack.mitre.org/groups/G0049) including during the [Outer Space](https://attack.mitre.org/campaigns/C0042) campaign to download and execute additional payloads. (Citation: ESET OilRig Campaigns…
- SEASHARPEE · uses · Family · source: The MITRE Corporation · confidence 100
[SEASHARPEE](https://attack.mitre.org/software/S0185) is a Web shell that has been used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: FireEye APT34 Webinar Dec 2017)
- OilBooster · uses · Family · source: The MITRE Corporation · confidence 100
[OilBooster](https://attack.mitre.org/software/S1172) is a downloader written in Microsoft Visual C/C++ that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2022 including against target organizations in Israel to download and…
- CacheHttp · uses · source: AlienVault · confidence 100
- STEALHOOK · uses · source: AlienVault · confidence 100
- CmEx · uses · source: AlienVault · confidence 100
- BONDUPDATER · uses · Family · source: The MITRE Corporation · confidence 100
[BONDUPDATER](https://attack.mitre.org/software/S0360) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was…
- C#/.NET · uses · source: AlienVault · confidence 100
- Saitama · uses · source: AlienVault · confidence 100
- ZeroCleare · uses · Family · source: The MITRE Corporation · confidence 100
[ZeroCleare](https://attack.mitre.org/software/S1151) is a wiper malware that has been used in conjunction with the [RawDisk](https://attack.mitre.org/software/S0364) driver since at least 2019 by suspected Iran-nexus threat actors including activity targeting the…
Sectors (11)
- Government (targets)
- Energy (targets)
- Diplomacy (targets)
- Finance (targets)
- Chemical (targets)
- Telecommunications (targets)
- Defense ministries (including the military) (targets)
- Manufacturing (targets)
- Education (targets)
- Technology (targets)
- Healthcare (targets)
Countries (13)
- United Kingdom of Great Britain and Northern Ireland (targets)
- United States of America (targets)
- United Arab Emirates (targets)
- Türkiye (targets)
- China (targets)
- Jordan (targets)
- Iraq (targets)
- Israel (targets)
- Oman (targets)
- Lebanon (targets)
- Albania (targets)
- Kuwait (targets)
Indicators (100)
- stix · score 100/100 · revoked · valid until 22/01/2025 · source: AlienVault
- stix · score 100/100 · revoked · SHA256 of 66bd8db40f4169c7f0fca3d5d15c978efe143cf8 · valid until 07/06/2026 · source: AlienVault
- stix · score 100/100 · revoked · valid until 22/01/2025 · source: AlienVault
- stix · score 100/100 · revoked · valid until 22/01/2025 · source: AlienVault
- stix · score 100/100 · revoked · valid until 08/05/2024 · source: AlienVault
- stix · score 100/100 · revoked · valid until 16/09/2025 · source: AlienVault
- stix · score 100/100 · revoked · valid until 10/10/2025 · source: AlienVault
- stix · score 100/100 · revoked · valid until 11/05/2024 · source: AlienVault
- stix · score 100/100 · revoked · #LOWFI:HSTR:MSIL/Obfuscator.Confuser.C · valid until 08/05/2024 · source: AlienVault
- stix · score 100/100 · revoked · valid until 22/01/2025 · source: AlienVault
- stix · score 100/100 · revoked · stack_string · valid until 16/09/2025 · source: AlienVault
- stix · score 100/100 · revoked · valid until 22/01/2025 · source: AlienVault
Vulnerabilities (CVE) (1)
Microsoft Windows Kernel contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that could allow for privilege escalation.
- Attack vector: Local
- Published: 15/10/2024
- Modified: 21/12/2025
Tool (11)
- Tasklist · uses · source: The MITRE Corporation · confidence 100
The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It…
- Reg · uses · source: The MITRE Corporation · confidence 100
[Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation:…
- Systeminfo · uses · source: The MITRE Corporation · confidence 100
[Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)
- Net · uses · source: The MITRE Corporation · confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- LaZagne · uses · source: The MITRE Corporation · confidence 100
[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
- certutil · uses · source: The MITRE Corporation · confidence 100
[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)
- ipconfig · uses · source: The MITRE Corporation · confidence 100
[ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
- PsExec · uses · source: The MITRE Corporation · confidence 100
[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals)(Citation: SANS…
- ngrok · uses · source: The MITRE Corporation · confidence 100
[ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public…
- ftp · uses · source: The MITRE Corporation · confidence 100
[ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a…
- Mimikatz · uses · source: The MITRE Corporation · confidence 100
[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…