Threat Actor Profile
Description
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (76)
STIX Data
{'aliases': ['OilRig',
'COBALT GYPSY',
'IRN2',
'APT34',
'Helix Kitten',
'Evasive Serpens',
'Hazel Sandstorm',
'EUROPIUM',
'ITG13',
'Earth Simnavaz',
'Crambus',
'TA452'],
'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[OilRig](https://attack.mitre.org/groups/G0049) is a '
'suspected Iranian threat group that has targeted Middle '
'Eastern and international victims since at least 2014. The '
'group has targeted a variety of sectors, including financial, '
'government, energy, chemical, and telecommunications. It '
'appears the group carries out supply chain attacks, '
'leveraging the trust relationship between organizations to '
'attack their primary targets. The group works on behalf of '
'the Iranian government based on infrastructure details that '
'contain references to Iran, use of Iranian infrastructure, '
'and targeting that aligns with nation-state '
'interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo '
'Alto OilRig April 2017)(Citation: ClearSky OilRig Jan '
'2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo '
'Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook '
'2023)(Citation: Unit 42 QUADAGENT July 2018)',
'external_references': [{'external_id': 'G0049',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G0049'},
{'description': '(Citation: Crowdstrike Helix Kitten '
'Nov 2018)',
'source_name': 'IRN2'},
{'description': '(Citation: IBM ZeroCleare Wiper '
'December 2019)',
'source_name': 'ITG13'},
{'description': '(Citation: Microsoft Threat Actor '
'Naming July 2023)',
'source_name': 'Hazel Sandstorm'},
{'description': '(Citation: Microsoft Threat Actor '
'Naming July 2023)',
'source_name': 'EUROPIUM'},
{'description': '(Citation: Palo Alto OilRig April '
'2017) (Citation: ClearSky OilRig Jan '
'2017) (Citation: Palo Alto OilRig '
'May 2016) (Citation: Palo Alto '
'OilRig Oct 2016) (Citation: Unit 42 '
'Playbook Dec 2017) (Citation: Unit '
'42 QUADAGENT July 2018)',
'source_name': 'OilRig'},
{'description': '(Citation: Proofpoint Iranian '
'Aligned Attacks JAN 2020)',
'source_name': 'TA452'},
{'description': '(Citation: Secureworks COBALT GYPSY '
'Threat Profile)',
'source_name': 'COBALT GYPSY'},
{'description': '(Citation: Symantec Crambus OCT '
'2023)',
'source_name': 'Crambus'},
{'description': '(Citation: Trend Micro Earth '
'Simnavaz October 2024)',
'source_name': 'Earth Simnavaz'},
{'description': '(Citation: Unit 42 QUADAGENT July '
'2018)(Citation: Crowdstrike Helix '
'Kitten Nov 2018)',
'source_name': 'Helix Kitten'},
{'description': '(Citation: Unit42 OilRig Playbook '
'2023)',
'source_name': 'Evasive Serpens'},
{'description': 'Check Point. (2021, April 8). Iran’s '
'APT34 Returns with an Updated '
'Arsenal. Retrieved May 5, 2021.',
'source_name': 'Check Point APT34 April 2021',
'url': 'https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/'},
{'description': 'ClearSky Cybersecurity. (2017, '
'January 5). Iranian Threat Agent '
'OilRig Delivers Digitally Signed '
'Malware, Impersonates University of '
'Oxford. Retrieved May 3, 2017.',
'source_name': 'ClearSky OilRig Jan 2017',
'url': 'http://www.clearskysec.com/oilrig/'},
{'description': 'Fahmy, M. et al. (2024, October 11). '
'Earth Simnavaz (aka APT34) Levies '
'Advanced Cyberattacks Against Middle '
'East. Retrieved November 27, 2024.',
'source_name': 'Trend Micro Earth Simnavaz October '
'2024',
'url': 'https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html'},
{'description': 'Falcone, R. and Lee, B.. (2016, May '
'26). The OilRig Campaign: Attacks on '
'Saudi Arabian Organizations Deliver '
'Helminth Backdoor. Retrieved May 3, '
'2017.',
'source_name': 'Palo Alto OilRig May 2016',
'url': 'http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/'},
{'description': 'Falcone, R.. (2017, April 27). '
'OilRig Actors Provide a Glimpse into '
'Development and Testing Efforts. '
'Retrieved May 3, 2017.',
'source_name': 'Palo Alto OilRig April 2017',
'url': 'http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/'},
{'description': 'Grunzweig, J. and Falcone, R.. '
'(2016, October 4). OilRig Malware '
'Campaign Updates Toolset and Expands '
'Targets. Retrieved May 3, 2017.',
'source_name': 'Palo Alto OilRig Oct 2016',
'url': 'http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/'},
{'description': 'Kessem, L. (2019, December 4). New '
'Destructive Wiper ZeroCleare Targets '
'Energy Sector in the Middle East. '
'Retrieved September 4, 2024.',
'source_name': 'IBM ZeroCleare Wiper December 2019',
'url': 'https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/'},
{'description': 'Lee, B., Falcone, R. (2018, July '
'25). OilRig Targets Technology '
'Service Provider and Government '
'Agency with QUADAGENT. Retrieved '
'August 9, 2018.',
'source_name': 'Unit 42 QUADAGENT July 2018',
'url': 'https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/'},
{'description': 'Meyers, A. (2018, November 27). Meet '
'CrowdStrike’s Adversary of the Month '
'for November: HELIX KITTEN. '
'Retrieved December 18, 2018.',
'source_name': 'Crowdstrike Helix Kitten Nov 2018',
'url': 'https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/'},
{'description': 'Microsoft . (2023, July 12). How '
'Microsoft names threat actors. '
'Retrieved November 17, 2023.',
'source_name': 'Microsoft Threat Actor Naming July '
'2023',
'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
{'description': 'Proofpoint. (2020, January 10). '
'Iranian State-Sponsored and Aligned '
'Attacks: What You Need to Know and '
'Steps to Protect Yourself. Retrieved '
'January 16, 2025.',
'source_name': 'Proofpoint Iranian Aligned Attacks '
'JAN 2020',
'url': 'https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect'},
{'description': 'Sardiwal, M, et al. (2017, December '
'7). New Targeted Attack in the '
'Middle East by APT34, a Suspected '
'Iranian Threat Group, Using '
'CVE-2017-11882 Exploit. Retrieved '
'December 20, 2017.',
'source_name': 'FireEye APT34 Dec 2017',
'url': 'https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html'},
{'description': 'Secureworks. (n.d.). COBALT GYPSY '
'Threat Profile. Retrieved April 14, '
'2021.',
'source_name': 'Secureworks COBALT GYPSY Threat '
'Profile',
'url': 'https://www.secureworks.com/research/threat-profiles/cobalt-gypsy'},
{'description': 'Symantec Threat Hunter Team. (2023, '
'October 19). Crambus: New Campaign '
'Targets Middle Eastern Government. '
'Retrieved November 27, 2024.',
'source_name': 'Symantec Crambus OCT 2023',
'url': 'https://www.security.com/threat-intelligence/crambus-middle-east-government'},
{'description': 'This group was previously tracked '
'under two distinct groups, APT34 and '
'OilRig, but was combined due to '
'additional reporting giving higher '
'confidence about the overlap of the '
'activity.(Citation: Unit 42 '
'QUADAGENT July 2018)(Citation: '
'FireEye APT34 Dec 2017)(Citation: '
'Check Point APT34 April 2021)',
'source_name': 'APT34'},
{'description': 'Unit 42. (2017, December 15). Unit '
'42 Playbook Viewer. Retrieved '
'December 20, 2017.',
'source_name': 'Unit 42 Playbook Dec 2017',
'url': 'https://pan-unit42.github.io/playbook_viewer/'},
{'description': 'Unit42. (2016, May 1). Evasive '
'Serpens Unit 42 Playbook Viewer. '
'Retrieved February 6, 2023.',
'source_name': 'Unit42 OilRig Playbook 2023',
'url': 'https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens'}],
'id': 'intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d',
'modified': '2025-01-16T18:55:49.463Z',
'name': 'OilRig',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Robert Falcone',
'Bryan Lee',
'Dragos Threat Intelligence',
'Jaesang Oh, KC7 Foundation'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack', 'ics-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '5.0'}