Threat Actor Profile
Description
BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. (Citation: Securelist BlackOasis Oct 2017) (Citation: Securelist APT Trends Q2 2017) A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
STIX Data
{'aliases': ['BlackOasis'],
'created': '2018-04-18T17:59:24.739Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[BlackOasis](https://attack.mitre.org/groups/G0063) is a '
'Middle Eastern threat group that is believed to be a customer '
'of Gamma Group. The group has shown interest in prominent '
'figures in the United Nations, as well as opposition '
'bloggers, activists, regional news correspondents, and think '
'tanks. (Citation: Securelist BlackOasis Oct 2017) (Citation: '
'Securelist APT Trends Q2 2017) A group known by Microsoft as '
'[NEODYMIUM](https://attack.mitre.org/groups/G0055) is '
'reportedly associated closely with '
'[BlackOasis](https://attack.mitre.org/groups/G0063) '
'operations, but evidence that the group names are aliases has '
'not been identified. (Citation: CyberScoop BlackOasis Oct '
'2017)',
'external_references': [{'external_id': 'G0063',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G0063'},
{'description': '(Citation: Securelist BlackOasis Oct '
'2017) (Citation: Securelist APT '
'Trends Q2 2017)',
'source_name': 'BlackOasis'},
{'description': "Kaspersky Lab's Global Research & "
'Analysis Team. (2017, October 16). '
'BlackOasis APT and new targeted '
'attacks leveraging zero-day exploit. '
'Retrieved February 15, 2018.',
'source_name': 'Securelist BlackOasis Oct 2017',
'url': 'https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/'},
{'description': "Kaspersky Lab's Global Research & "
'Analysis Team. (2017, August 8). APT '
'Trends report Q2 2017. Retrieved '
'February 15, 2018.',
'source_name': 'Securelist APT Trends Q2 2017',
'url': 'https://securelist.com/apt-trends-report-q2-2017/79332/'},
{'description': 'Bing, C. (2017, October 16). Middle '
'Eastern hacking group is using '
'FinFisher malware to conduct '
'international espionage. Retrieved '
'February 15, 2018.',
'source_name': 'CyberScoop BlackOasis Oct 2017',
'url': 'https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/'}],
'id': 'intrusion-set--da49b9f1-ca99-443f-9728-0a074db66850',
'modified': '2025-04-25T14:49:40.224Z',
'name': 'BlackOasis',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '1.0'}