{
	"id": "e2fe866b-3544-4414-8b8c-35fff43b5898",
	"created_at": "2026-04-06T00:16:23.735771Z",
	"updated_at": "2026-04-10T03:37:37.125171Z",
	"deleted_at": null,
	"sha1_hash": "6191785c9b36d5909ad58692193c3c12d302b00d",
	"title": "Iran’s APT34 Returns with an Updated Arsenal - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92347,
	"plain_text": "Iran’s APT34 Returns with an Updated Arsenal - Check Point Research\r\nBy michaelab\r\nPublished: 2021-04-08 · Archived: 2026-04-05 19:06:13 UTC\r\nIntroduction\r\nCheck Point Research discovered evidence of a new campaign by the Iranian threat group APT34 (aka OilRig) against what appears to be a Lebanese target, employing a new backdoor variant we dubbed SideTwist.\r\nSince the 2019 leak of APT34’s tools by an entity named “Lab Dookhtegan”, the threat group has been actively retooling and updating its payload arsenal to try to avoid detection, creating several different malware variants whose ultimate purpose remained the same: to gain an initial foothold on the targeted device.\r\nStarting with the DNSpionage campaign back in 2018, APT34 has been observed targeting individuals through the use of booby-trapped job opportunity documents, delivered directly to the selected targets via LinkedIn messages. This activity continued through 2019 with the HardPass operation, in which the LinkedIn platform was used in the same manner.\r\nIn this latest campaign from January, a document submitted to VirusTotal from Lebanon (a common target for APT34) also depicts such a job opportunity document, although in this case we were unable to confirm the initial delivery mechanism to the target.\r\nIn the following article we analyze the latest infection chain used by the attackers and take a deep dive into the new malware variant.\r\nInitial Infection\r\nOur analysis began with a malicious Microsoft Word document named Job-Details.doc (md5: 6615c410b8d7411ed14946635947325e).\r\nhttps://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/\r\nPage 1 of 10\r\nFig 1: Lure document with malicious macros\r\nThe decoy document clearly tries to appear like a benign document, offering various positions in the Ntiva IT consulting company – a company based in Virginia, US.\r\nHowever, once the user activates the embedded malicious macros, the full infection flow is triggered:\r\nFig 2: Infection Flow\r\nMalicious Macros with DNS tunneling\r\nMacros used by APT34’s job opportunity campaigns have evolved through the years, but have also managed to keep their own distinctive style and purpose:\r\nVerification that there is a mouse connected to the PC (anti-sandboxing technique).\r\nInitial fingerprinting of the target device and sending of the information to the C\u0026C server.\r\nDropping an embedded executable to disk with a “doc” extension (later renamed to “.exe”).\r\nRegistering a Windows scheduled task that launches the executable every X minutes.\r\nFig 3: VBA functions call graph generated by Vba2Graph\r\nIn the macro function call graph above, we can see that from the Document_Open and Document_Close functions there are multiple calls to the DnsQuery external function.\r\nAPT34 is notorious for its heavy use of DNS tunneling in many of its different tools, and this time this feature also made its way into the initial macro stage.\r\nOnce the macros are executed, DNS requests are used to beacon back to the attacker and inform them of the current stage of the execution, as well as to deliver some victim-identifiable information.\r\nFig 4: Snippet from the malicious macros, responsible for sending DNS queries\r\nIn this step, the attacker uses the publicly available requestbin.net DNS tunneling service in order to get updates about the macro infection progress. This way, the attacker-owned infrastructure is not exposed if a sandbox is unable to fully “detonate” the document.\r\nBelow is a demonstration of the information the attacker would see on the requestbin.net website when a victim executes the malicious macros from a system with the following environment:\r\nUser name: John\r\nHostname: John-pc\r\nFig 5: The macro requests as viewed on “requestbin.net”, with source IP address and timestamp redacted\r\nThe encoded data is derived from the PC information in the following manner:\r\nFig 6: Encoded DNS data\r\nSecond Stage Payload: SideTwist\r\nThe backdoor in this stage is a variant we have not seen in previous APT34 operations, but it provides functionality that is simple and similar to other C-based backdoors utilized by the group: DNSpionage, TONEDEAF and TONEDEAF 2.0.\r\nThe functionality of the backdoor includes download, upload and shell command execution.\r\nPersistence\r\nIn this infection chain the persistence is actually established by the 1st stage macros, and the 2nd stage payload does not have any persistence mechanism of its own.\r\nPersistence is achieved in the 1st stage, when the scheduled task is registered. The scheduled task, named SystemFailureReporter, executes the 2nd stage payload every 5 minutes:\r\nFig 7: Scheduled task on an infected machine\r\nThe backdoor is very dependent on this persistence mechanism: every time it launches, it executes only a single command provided by the C\u0026C server and immediately shuts down, until it is launched again by the scheduled task.\r\nInitialization\r\nThe backdoor starts by collecting basic information about the victim’s machine and calculating a 4-byte-long victim identifier based on the user name, computer name and domain name of the target environment. This identifier is used in the follow-up C\u0026C communication.\r\nFig 8: Code to gather identifiable information\r\nNext, the malware verifies that the update.xml file that was supposed to be created in the 1st stage of the infection does indeed exist; if not, it terminates itself, printing the following text to the debugging output using the OutputDebugString function:\r\n“Please install visual studio 2017 and try again”\r\nFig 9: Code to verify that the 1st stage was executed\r\nAs the purpose of this function is to print debugging information only during the debugging process of an application, the text will not be visible to the regular user.\r\nC\u0026C communication\r\nThe backdoor’s communication with the C\u0026C server (sarmsoftware[.]com) is HTTP-based, on port 443 with port 80 as fallback.\r\nThe backdoor uses two different techniques for its outgoing and incoming communications with the C\u0026C server, though in both cases the same encryption algorithm is utilized (see more on encryption below).\r\nCommand Request Communication\r\nThe backdoor contacts the C\u0026C server at the following URL using a GET request:\r\nsarmsoftware[.]com/search/{identifier}\r\nThe response to this request is hidden in the source code of the following Flickr lookalike page:\r\nFig 10: Fake Flickr lookalike page used as C\u0026C\r\nThe response is returned to the backdoor within the HTML code, in the following format:\r\n/*Encrypted_Message_Encoded_with_Base64*/\r\nFig 11: C\u0026C commands embedded within the code\r\nAfter this base64 string is decoded and decrypted, the plain-text content is in the following pipe-separated format:\r\nFig 12: Encrypted data format\r\nCommand Number – a running index number to keep track of executed commands. If set to any number other than -1, the backdoor proceeds to execute the command according to the Command ID. Otherwise, it ignores the message and terminates.\r\nCommand ID – can be one of the following commands:\r\n101 – Shell Command: execute the shell command attached in the {Arg1} argument.\r\n102 – Download File: downloads a file found at the {Arg2} path on the server and saves it to disk under the {Arg1} name.\r\n103 – Upload File: uploads a local file {Arg1} to the server.\r\n104 – Shell Command (duplicate): execute the shell command attached in the {Arg1} argument.\r\nCommand Results Communication\r\nAfter the backdoor has executed an arbitrary command on the victim’s machine, it returns the result of the executed command to the C\u0026C server, to the same URL as before, but in a POST request instead of a GET:\r\nsarmsoftware[.]com/search/{identifier}\r\nThe format of the POST body is a simple JSON, based on the command number provided by the C\u0026C server and the encrypted result of the command execution:\r\nFig 13: Result data format\r\nCommunication Encryption\r\nAs the basis for the encrypted communication, the attackers utilize the Mersenne Twister pseudorandom number generator.\r\nThe first 4 bytes of each encrypted message are the seed for the Mersenne Twister, to be used for the decryption of the rest of the message.\r\nThe encrypted Base64 communication can be decrypted using the following Python snippet (mersenne_rng, a Mersenne Twister implementation exposing get_random_number(), is referenced by the snippet but not included here):\r\nimport base64\r\n\r\n\r\ndef decode(msg):\r\n    # Base64-decode the blob taken from the HTML comment\r\n    bs = base64.b64decode(msg)\r\n    # The first 4 bytes, read big-endian, seed the Mersenne Twister\r\n    seed = int.from_bytes(bs[:4], byteorder='big')\r\n    # mersenne_rng: Mersenne Twister (MT19937) class with get_random_number(); assumed available, not defined on this page\r\n    rng = mersenne_rng(seed)\r\n    # The first 32-bit output, written little-endian, is the 4-byte XOR key\r\n    k = rng.get_random_number()\r\n    key = int.to_bytes(k, length=4, byteorder='little')\r\n    # XOR the remaining bytes with the repeating 4-byte key\r\n    dec = \"\".join([chr(bs[i] ^ key[(i - 4) % 4]) for i in range(4, len(bs))])\r\n    return dec\r\nAttribution\r\nThe malicious macros, the backdoor, the targeting and the techniques used in this operation all align with previously reported campaigns attributed to APT34.\r\nDocument Similarity\r\nBesides the fact that, as in previous APT34 operations, we once again see job opportunity documents being used to encourage the victim to enable macros, there are technical similarities as well.\r\nThe same variable name beacher was present in an old DNSpionage campaign:\r\nFig 14: Similar variable name in old macros code\r\nThe main functionality of the macros remained the same as in a previous APT34 campaign: the malicious macros use the MouseAvailable function for evasion, and create a scheduled task to execute a payload embedded within the document.\r\nC\u0026C Communication Similarity\r\nAPT34’s backdoors DNSpionage and TONEDEAF are known to receive commands from their servers by searching for a specific pattern hidden inside the HTML content of a legitimate-looking website.\r\nIn our case the attackers utilized a Flickr lookalike page, while in previous campaigns GitHub, Wikipedia and Microsoft lookalikes were used.\r\nAdditional APT34 Sightings\r\nWhile we were analyzing the above campaign, this and additional APT34-related documents were uploaded to VirusTotal and noted by malware researchers on Twitter.\r\nThese documents utilized the very same requestbin.net DNS tunneling service in the initial macros and delivered another of the group’s signature tools: a variant of the .NET-based backdoor named Karkoff, which utilized internet-facing Exchange servers as a communication method with the attackers.\r\nThe newly found artifacts emphasize the extent of APT34’s ongoing offensive operations against targets in the Middle East, and especially in Lebanon:\r\nThe Karkoff implant (MD5: ab25014c3d6f77ec5880c8f9728be968) included credentials for an Exchange server belonging to the Lebanese Government (mail.army.gov[.]lb), which might be an indication of a long-running compromise of their network.\r\nConclusion\r\nIran-backed APT34 shows no sign of slowing down, further pushing its political agenda in the Middle East through offensive cyber operations, with an ongoing focus on Lebanon.\r\nWhile maintaining its modus operandi and reusing old techniques, as reviewed above, the group continues to create new and updated tools to minimize the possible detection of its tools by security vendors.\r\nIn this publication we analyzed the newest backdoor variant deployed by the group’s ongoing job opportunities campaigns, which include malicious documents with job offers – a technique they have successfully employed since at least 2018.\r\nCheck Point SandBlast protects against this APT attack and prevents it from the very first steps.\r\nAppendix A: Indicators of Compromise\r\nMalicious document:\r\nMD5: 6615c410b8d7411ed14946635947325e\r\nSHA1: 9bba72ac66af84253b55dd7789afc90e0344bf25\r\nSHA256: 13c27e5049a7fc5a36416f2c1ae49c12438d45ce50a82a96d3f792bfdacf3dcd\r\nSideTwist backdoor:\r\nMD5: 94004648630739c154f78a0bae0bec0a\r\nSHA1: 273488416b5d6f1297501825fa07a5a9325e9b56\r\nSHA256: 47d3e6c389cfdbc9cf7eb61f3051c9f4e50e30cf2d97499144e023ae87d68d5a\r\nC\u0026C server:\r\nsarmsoftware[.]com\r\nSource: https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/"
	],
	"report_names": [
		"irans-apt34-returns-with-an-updated-arsenal"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434583,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6191785c9b36d5909ad58692193c3c12d302b00d.pdf",
		"text": "https://archive.orkl.eu/6191785c9b36d5909ad58692193c3c12d302b00d.txt",
		"img": "https://archive.orkl.eu/6191785c9b36d5909ad58692193c3c12d302b00d.jpg"
	}
}