{ "id": "9786f65f-1f5b-43fc-8cfd-1bfd7d98b9cb", "created_at": "2026-04-06T00:06:38.833714Z", "updated_at": "2026-04-10T03:37:37.116388Z", "deleted_at": null, "sha1_hash": "5ce46cc4b092b3cbdcd583c86b61a85d611eb90e", "title": "Subgroup: Greenbug, Volatile Kitten - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 60018, "plain_text": "Subgroup: Greenbug, Volatile Kitten - Threat Group Cards: A\r\nThreat Actor Encyclopedia\r\nArchived: 2026-04-05 21:12:50 UTC\r\nHome \u003e List all groups \u003e Subgroup: Greenbug, Volatile Kitten\r\n APT group: Subgroup: Greenbug, Volatile Kitten\r\nNames\r\nGreenbug (Symantec)\r\nVolatile Kitten (CrowdStrike)\r\nCountry Iran\r\nSponsor State-sponsored, Ministry of Intelligence and Security (MOIS)\r\nMotivation Information theft and espionage\r\nFirst seen 2016\r\nDescription\r\nA subgroup of OilRig, APT 34, Helix Kitten, Chrysene.\r\n(Symantec) Symantec discovered the Greenbug cyberespionage group during its\r\ninvestigation into previous attacks involving W32.Disttrack.B (aka Shamoon).\r\nShamoon (W32.Disttrack) first made headlines in 2012 when it was used in attacks\r\nagainst energy companies in Saudi Arabia. It recently resurfaced in November 2016\r\n(W32.Disttrack.B), again attacking targets in Saudi Arabia. While these attacks were\r\ncovered extensively in the media, how the attackers stole these credentials and\r\nintroduced W32.Disttrack on targeted organizations’ networks remains a mystery.\r\nCould Greenbug be responsible for getting Shamoon those stolen credentials?\r\nAlthough there is no definitive link between Greenbug and Shamoon, the group\r\ncompromised at least one administrator computer within a Shamoon-targeted\r\norganization’s network prior to W32.Disttrack.B being deployed on November 17,\r\n2016.\r\nObserved\r\nTools used\r\nOperations performed Nov 2016 Greenbug cyberespionage group targeting Middle East, possible links\r\nto Shamoon\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1839228a-7fb6-4d8b-a7cd-486e728ba9b1\r\nPage 1 of 2\n\nMay 2017\nResearchers have identified a possible new collaborator in the\ncontinued Shamoon attacks against Saudi organizations. Called\nGreenbug, this group is believed to be instrumental in helping\nShamoon steal user credentials of targets ahead of Shamoon’s\ndestructive attacks.\nJul 2017\nOilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat\nGroup\nIn July 2017, we observed an attack on a Middle Eastern technology\norganization that was also targeted by the OilRig campaign in August\n2016. Initial inspection of this attack suggested this was again the\nOilRig campaign using their existing toolset, but further examination\nrevealed not only new variants of the delivery document we named\nClayslide, but also a different payload embedded inside it.\nOct 2017\nIranian Threat Agent Greenbug has been registering domains similar\nto those of Israeli High-Tech and Cyber Security Companies.\nOn 15 October 2017 a sample of ISMdoor was submitted to VirusTotal\nfrom Iraq.\nLast change to this card: 18 June 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1839228a-7fb6-4d8b-a7cd-486e728ba9b1\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1839228a-7fb6-4d8b-a7cd-486e728ba9b1\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1839228a-7fb6-4d8b-a7cd-486e728ba9b1" ], "report_names": [ "showcard.cgi?u=1839228a-7fb6-4d8b-a7cd-486e728ba9b1" ], "threat_actors": [ { "id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed", "created_at": "2022-10-25T16:07:23.918534Z", "updated_at": "2026-04-10T02:00:04.789509Z", "deleted_at": null, "main_name": "Greenbug", "aliases": [ "Greenbug", "Volatile Kitten" ], "source_name": "ETDA:Greenbug", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "25896473-161f-411f-b76a-f11bb26c96bd", "created_at": "2023-01-06T13:46:38.75749Z", "updated_at": "2026-04-10T02:00:03.090307Z", "deleted_at": null, "main_name": "CHRYSENE", "aliases": [ "Greenbug" ], "source_name": "MISPGALAXY:CHRYSENE", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6bba8e81-73af-4010-86dc-d43c408ca342", "created_at": "2023-01-06T13:46:38.553459Z", "updated_at": "2026-04-10T02:00:03.021597Z", "deleted_at": null, "main_name": "Greenbug", "aliases": [], "source_name": "MISPGALAXY:Greenbug", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775433998, "ts_updated_at": 1775792257, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5ce46cc4b092b3cbdcd583c86b61a85d611eb90e.pdf", "text": "https://archive.orkl.eu/5ce46cc4b092b3cbdcd583c86b61a85d611eb90e.txt", "img": "https://archive.orkl.eu/5ce46cc4b092b3cbdcd583c86b61a85d611eb90e.jpg" } }