Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 18:08:07 UTC
Home > List all groups > List all tools > List all groups using tool Clayslide
 Tool: Clayslide
Names Clayslide
Category Malware
Type Dropper
Description
This is a so-called delivery document.
(Palo Alto) n May 2016, Unit 42 began researching attacks that used spear-phishing emails
with attachments, specifically malicious Excel spreadsheets sent to financial organizations
within Saudi Arabia. We observed spear-phishing emails sent between May 4 and May 12 of
this year that delivered these malicious Excel spreadsheets, which we are tracking as
‘Clayslide’. ClaySlide documents contain malicious macros that display decoy content within
the spreadsheet and installs a variant of a Helminth backdoor.
Information
Last change to this tool card: 20 April 2020
Download this tool card in JSON format
All groups using tool Clayslide
Changed Name Country Observed
APT groups
 OilRig, APT 34, Helix Kitten, Chrysene 2014-Sep 2024
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bed1c93e-b6c8-4d31-b7b0-b41d1b05bcb2
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bed1c93e-b6c8-4d31-b7b0-b41d1b05bcb2
Page 1 of 1