{
	"id": "af52da92-6b79-438b-b2e1-71a2bd82906f",
	"created_at": "2026-04-06T00:13:20.625048Z",
	"updated_at": "2026-04-10T03:37:36.84247Z",
	"deleted_at": null,
	"sha1_hash": "23b41b66e38b72ab1e630ea5fa429617d202c40f",
	"title": "New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1321556,
	"plain_text": "New Iranian Campaign Tailored to US Companies Utilizes an\r\nUpdated Toolset\r\nBy Paul Litvak\r\nPublished: 2020-01-30 · Archived: 2026-04-05 21:18:26 UTC\r\nIntroduction\r\nOur researchers Paul Litvak and Michael Kajilolti have discovered a new campaign conducted by APT34\r\nemploying an updated toolset. Based on uncovered phishing documents, we believe this Iranian actor is targeting\r\nWestat employees, or United States organizations hiring Westat services.\r\nWestat is a United States-based company that “provides research services to agencies of the U.S. Government, as\r\nwell as businesses, foundations, and state and local governments”. One example of the services Westat offers is a\r\nsurvey for federal workers, which leads us to believe this attack may target Westat customers.\r\nOfficial Westat response: “Westat understands that in their effort to identify threats and malware, Intezer has\r\nidentified a malicious file that uses the Westat name and logo. This file was not created by, hosted by, or sent from\r\nWestat, and is likely the result of a bad actor stealing the Westat brand name and logo. Our cybersecurity team is\r\nworking with Intezer and others to fully understand the nature of this report. We will continue to monitor the\r\nsituation and respond accordingly.”\r\nAPT34 Background\r\nAPT34 (also known as OilRig or Helix Kitten) is a cluster of Iranian government-backed cyber espionage\r\nactivities that has been active since 2014. The group is known to target various international organizations, mainly\r\nin the Middle East. Among their targeted industries are government agencies, financial services, energy and\r\nutilities, telecommunications, and oil and gas.\r\nMore light was shed on this group in April 2019 as leaks emerged from a mysterious individual with the\r\npseudonym “Lab Dookhtegan”. 
This individual exposed data belonging to victims of this group, together with\r\nsource code of hacking tools and data about previous APT34 operations, including IP addresses and domains\r\nwhere the group hosted web shells related to past operations.\r\nMost recently, FireEye exposed a spear-phishing operation conducted by APT34, which enabled us to connect this\r\noperation to this Iranian actor due to similarities in the techniques and tools employed in both campaigns.\r\nInitial Vector\r\nIn late January 2020, we discovered a file named survey.xls that was designed to look like an employee\r\nsatisfaction survey tailored to either Westat employees or Westat customers.\r\nhttps://intezer.com/blog/apt/new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/\r\nPage 1 of 12\n\nAt first the spreadsheet appeared to be blank. Only once the victim enables macros is the survey displayed to the\r\nuser, and the malicious VBA code begins to execute.\r\nsurvey.xls\r\nThe embedded VBA code unpacks a zip file into a temporary folder, extracts a “Client update.exe” executable file\r\nand installs it to “C:Users\u003cUser\u003evalsClient update.exe”.\r\n“Client update.exe” is actually a highly modified version of the TONEDEAF malware, which we named\r\nTONEDEAF 2.0. 
Finally, the crtt function creates a scheduled task “CheckUpdate” that runs the unpacked\r\nexecutable five minutes after infection, as well as on future log-ons.\r\nSurvey.xls VBA Code\r\nBoth the extracted VBA code and the functionality of the code look similar to the one analyzed in the FireEye\r\nreport:\r\nAPT34 VBA Code from the FireEye Report\r\nIn addition, we found a similar document labelled as “Employee satisfaction survey.xls” containing the same\r\nsurvey as the previous document.\r\nEmployee Satisfaction survey.xls\r\nHowever, it’s important to highlight that the code page field of this document is Arabic, as can be seen when\r\nexamining its file metadata, denoting the preferred language installed on the document author’s version of\r\nMicrosoft Excel:\r\nEmployee Satisfaction survey.xls Metadata\r\nTONEDEAF 2.0\r\nAt first glance, “Client update.exe” seems like a completely new backdoor malware. However, further\r\nexamination reveals it’s most likely a highly modified version of the previously seen TONEDEAF backdoor.\r\nTONEDEAF is a backdoor that communicates with its Command and Control server via HTTP in order to receive\r\nand execute commands. It was mentioned in FireEye’s recent report about an ongoing APT34 operation, as one of\r\nthe group’s custom tools. We have named the new variant TONEDEAF 2.0.\r\nTONEDEAF 2.0 is an advanced version of TONEDEAF, serving the same purpose as the original, but with a\r\nrevamped C2 communication protocol and a substantially modified code base. 
In contrast to the original\r\nTONEDEAF, TONEDEAF 2.0 contains solely arbitrary shell execution capabilities, and doesn’t support any\r\npredefined commands. It’s also more stealthy and contains new tricks such as dynamic importing, string decoding,\r\nand a victim deception method.\r\nNew Tricks\r\nUpon execution the backdoor checks whether it was executed with “…” as an argument, which is the way it’s\r\nconfigured to execute by the scheduled task, as part of the proper infection chain.\r\nIf it’s executed without the correct argument, such as by launching it via a double click, it will display a\r\nblank GUI Window to the user. This is most likely intended to serve as a deception method, to make the malware\r\nappear like a legitimate (albeit broken) application titled “Bee”.\r\nGUI Window Used for Deception\r\nTONEDEAF 2.0 also attempts to be more stealthy than its predecessor by hiding many of the interesting API\r\nimports it uses. The names of these APIs, and the DLLs that contain them, are stored as encoded strings and are\r\ndecoded and resolved on demand during runtime.\r\nDecoding and Resolving API Functions\r\nC2 Communication\r\nThe backdoor uses HTTP for C2 communication, with custom encoding and handshake mechanisms. Messages\r\nsent by the backdoor always contain the HTTP query parameter “?ser=\u003c6 digits\u003e” as an identifier. The first three\r\ndigits are the \u003cserver_id\u003e and the last three are the \u003cclient_id\u003e. The backdoor will use one of the following two\r\nmessages:\r\n1. GET /dow?ser=\u003cserver_id\u003e\u003cclient_id\u003e – request message, used to obtain commands to execute from the\r\nserver.\r\n2. 
POST /upl?ser==\u003cserver_id\u003e\u003cclient_id\u003e – reply to command message, used to send the executed\r\ncommand’s output to the server.\r\nBefore performing the first request, the malware will generate the \u003cclient_id\u003e derived from the environment\r\nvariables %HOMEPATH% and %COMPUTERNAME% using a custom formula.\r\nIt will then send an initial GET message to the C2 using that ID.\r\nC2 Request\r\nOne odd element of the communication is the use of a Windows Phone User-Agent value in the HTTP\r\nmessage.\r\nDuring our analysis the C2 was alive but continuously replied with a 403 Forbidden HTTP error code to our\r\nrequests. It’s possible that the C2 is filtering the targets, since this backdoor is part of a targeted operation and our\r\nclient_id parameter does not match that of one of the intended victims.\r\nShould the C2 accept the ID, it will reply with an encoded message that contains the \u003cserver_id\u003e and the\r\ncommand the backdoor needs to execute. 
The malware extracts the command by looking for an HTML div element\r\nin the response with a special class name.\r\nParsing of C2 Response\r\nThe malware will then execute the command by prepending it with “cmd U c” and will send the output of the\r\ncommand back to the C2 using the POST reply message (2).\r\nWhen the C2 is opened in a browser, the site tries to imitate https://docs.microsoft.com/en-us/, although it fails to\r\ndisplay it properly due to a misconfiguration with the CSS, as can be seen in the console:\r\nmanygoodnews[.]com C2 webpage\r\nWe have also observed that an SSL certificate has recently been generated that matches the domain of the C2.\r\nSSL Certificate for the C2 Domain that was Issued One Month Ago\r\nThese findings might indicate that the attackers are in the process of transitioning to HTTPS for C2\r\ncommunication, in an attempt to improve their OPSEC and avoid detection.\r\nTraces from the Original TONEDEAF\r\nWith all of the changes and new additions, there are still enough similarities that link TONEDEAF 2.0 to the\r\noriginal. While the code is mostly modified, the general flow and functionality are similar. The C2 communication\r\nis different but still has similarities to its predecessor, such as the usage of three-digit identifiers for both the victim\r\nand the server. Most notably, however, there are several places in the code where the similarity is clearest. One\r\nsuch place is a function that exists in both variants, which oddly enough creates a notification icon in the Windows\r\nstatus bar. 
The only notable changes are the usage of dynamic API resolution and the shortening of the notification\r\nmessage from “Updating” to “up”.\r\nSpecific Function Comparison\r\nAnother instance is the code that sets the working directory of the program. It appears in different stages for each\r\nvariant, but is identical:\r\nSimilar Code Snippets\r\nVALUEVAULT 2.0\r\nWe were unable to download further modules; however, we believe this operation also includes the usage of a\r\nVALUEVAULT implant. VALUEVAULT is a browser credential theft tool built in Golang, discovered by FireEye\r\nin the aforementioned APT34 operation analysis.\r\nWe found the survey.xls file uploaded to VirusTotal with a VALUEVAULT instance and a TONEDEAF 2.0\r\ninstance, uploaded from Lebanon by the same user, only a few minutes apart. This may indicate that these\r\nmalware samples were delivered together as part of the same attack.\r\nThis VALUEVAULT takes a more minimalistic approach than its predecessor. Many functionalities and strings\r\nwere stripped from the new binary in order to lower its noise. Only Chrome password dumping is now supported,\r\nalthough interestingly the use of the file “fsociety.dat” as a password data store under the “AppDataRoaming”\r\ndirectory stayed the same.\r\nVALUEVAULT 2.0 Compilation Paths\r\nVALUEVAULT 1.0 Compilation Paths\r\nFurthermore, VALUEVAULT 2.0 is a 64-bit binary as opposed to VALUEVAULT 1.0, which is a 32-bit\r\nbinary. These relatively minor changes were enough to create a fully undetected implant.\r\nConclusion\r\nThe last APT34 operation was exposed only a few months ago by FireEye, and judging by our current findings we\r\ncan confidently state that the group has since evolved its operations. 
The technical analysis of the new malware\r\nvariants reveals this Iranian government-backed group has invested substantial efforts into upgrading its toolset in\r\nan attempt to evade future detection.\r\nThe binary code from these new malware samples is now indexed in our Genetic Malware Analysis platform,\r\nIntezer Analyze. We encourage you to use our free community edition to detect and classify threats that share code\r\nwith APT34 malware.\r\nIOCs\r\nmanygoodnews[.]com\r\nc10cd1c78c180ba657e3921ee9421b9abd5b965c4cdfaa94a58e383b45bb72ca\r\n4c323bc11982b95266732c01645c39618550e68f25c34f6d3d79288eae7d4378\r\na897164e3547f0ce3aaa476b0364a200769e8c07ce825bcfdc43939dd1314bb1\r\n20b3d046ed617b7336156a64a0550d416afdd80a2c32ce332be6bbfd4829832c\r\nd61eecd7492dfa461344076a93fc2668dc28943724190faf3d9390f8403b6411\r\nSource: https://intezer.com/blog/apt/new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://intezer.com/blog/apt/new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/"
	],
	"report_names": [
		"new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23b41b66e38b72ab1e630ea5fa429617d202c40f.pdf",
		"text": "https://archive.orkl.eu/23b41b66e38b72ab1e630ea5fa429617d202c40f.txt",
		"img": "https://archive.orkl.eu/23b41b66e38b72ab1e630ea5fa429617d202c40f.jpg"
	}
}