{
	"id": "46cb440f-8547-4c41-8cf4-2b18c3c2bb83",
	"created_at": "2026-04-06T00:15:18.503169Z",
	"updated_at": "2026-04-10T03:37:37.138501Z",
	"deleted_at": null,
	"sha1_hash": "b43c8a29b106f92b9521b4d057e29d23692ff86d",
	"title": "APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78553,
	"plain_text": "APT34: The Helix Kitten Cybercriminal Group Loves to Meow\r\nMiddle Eastern and International Organizations\r\nArchived: 2026-04-02 12:32:27 UTC\r\nOrigin: 2014\r\nAliases: Helix Kitten, OilRig, Greenbug\r\nKey Target Sectors: Information Technology, Government, Military, Energy and Power, Communication,\r\nTransportation, Financial Services, Educational System\r\nAttack Vectors: Zero-Day Attacks, Data Theft, Spam Email, Remote Code Execution, Living off the Land Attack,\r\nSocial Engineering, Spearphishing, Backdoor, Luring, Watering Hole Attack\r\nTarget Region: Western Asia, Western Europe, North America, South America, Southern Asia, South-East Asia,\r\nAfrica, Eastern Europe\r\nMalware Used: Quadagent, Twoface, Helminth, OopsIE, Karkoff, Fox Panel, HighShell, Glimpse, Webmask,\r\nRunningBee, HyperShell, ISMAgent, Poison Frog, PhpSpy, ThreeDollars, Neptun, Pickpocket, ValueVault, and\r\nLongwatch\r\nVulnerabilities Exploited: CVE-2017-0199 and CVE-2017-11882\r\nAPT34 is an Advanced Persistent Threat (APT) group, active since 2014. The group works on behalf of the\r\nIranian government and has been observed targeting victims mostly across the Middle Eastern region. It has\r\ntargeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and\r\nhas primarily focused its operations within the Middle East. This adversary was originally identified and tracked\r\nas two separate groups, OilRig and APT34, but further research and evidence revealed an overlap between their\r\nactivities, and eventually most researchers agreed to track them as a single threat actor. 
Most recently, in mid-2019, Turla (a cyber-espionage group from Russia) hijacked the infrastructure of this APT in one of its attack\r\ncampaigns.\r\nThe group was initially observed targeting financial organizations and government agencies across the Middle\r\nEastern region and the US, but gradually it moved to other regions and sectors.\r\nSince 2014, the group’s attacks have focused on Middle Eastern banks and government entities.\r\nLater, their primary targets changed, but the trend of targeting critical infrastructure and governmental\r\nentities remained the same.\r\nIn October 2016, the group was observed targeting government entities in Middle Eastern countries\r\nand the U.S., along with several airlines from Middle Eastern countries.\r\nhttps://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae\r\nPage 1 of 14\n\nBetween 2017 and 2018, the group focused more on Western Asian and North American organizations\r\nworking in the Education, Information Technology and Government sectors.\r\nIn April 2019, information leaked by the elite hackers “Lab Dookhtegan” and “Mr_L4nnist3r” revealed\r\nvictims’ names, including the Saudi Arabian Communications \u0026 Information Technology Commission and the Dubai\r\nStatistics Association.\r\nIn the same period, a small handful of targets were based outside the Middle East, including a telecom\r\ncompany in Zimbabwe, government bodies in Albania, and a South Korean gaming business.\r\nMost recently, in June 2019, a phishing campaign was observed targeting energy companies, government\r\nutilities, and their workers.\r\nThis group is known to use various malware and tools to collect strategic information that would benefit the\r\neconomic and geopolitical interests of the state of Iran. Iran also considers cyber-attacks an offensive weapon\r\nagainst rival countries like the United States of America and Israel. 
The cyberattacks linked to the group are not\r\nespecially advanced or sophisticated, but the group is highly persistent in its victim choice, which is directly or indirectly\r\nconnected to Iran’s military, financial, and political interests.\r\nSince 2014, the group has been known to use Microsoft Excel macros, PowerShell-based exploits, and social\r\nengineering to gain access to its targets. They use phishing emails to deliver weaponized Microsoft Excel\r\ndocuments, and most of their malware infects the target system with VisualBasic and PowerShell (.ps1) scripts.\r\nBetween 2014 and 2016, the group's attack campaigns targeted banks and technology organizations in Saudi\r\nArabia with phishing emails that included weaponized Microsoft Excel attachments. One spam email contained a\r\nlegitimate conversation between employees, which was used as a lure and forwarded to other employees\r\nwith a weaponized attachment. Other phishing emails in related campaigns used job or service offerings as lures.\r\nIn early 2017, the group was observed again, using a fake Juniper Networks VPN portal and a few fake\r\nUniversity of Oxford websites to deliver malware to the victims. The group registered four domain names\r\nmimicking Oxford University (including oxford-careers[.]com, oxford[.]in and oxford-employee[.]com).\r\nIn April 2017, they launched a massive cyber-espionage campaign against major Israeli institutions and\r\ngovernment officials. They exploited the CVE-2017-0199 remote code execution vulnerability in the Windows\r\nObject Linking and Embedding (OLE) application programming interface. They managed to target the\r\nvictims before Microsoft issued a security update and organizations rolled out the patch.\r\nIn May 2017, they expanded their geographical range with hundreds of new attacks targeting several\r\nmilitary, financial and energy businesses in Europe as well as the United States. In these attacks, they\r\ncollaborated with Russian hackers-for-hire.\r\nIn Sep. 
2017, an analysis done by a security firm on the TwoFace web shell disclosed a complex malicious\r\ninfrastructure that had targeted Israeli institutions earlier in April. Links between TwoFace and five\r\nother web shells were found, including RunningBee, PuTTY Link (plink) and RGDoor (for Microsoft IIS).\r\nIn Oct. 2017, the group developed the \"Agent Injector\" (a Trojan with the specific purpose of installing the\r\nISMAgent backdoor) to target an organization within the United Arab Emirates government. The attack\r\nused a spearphishing email with the subject ‘Importan Issue’. The group was also found to be\r\nusing CVE-2017-11882, an Office vulnerability patched by Microsoft on November 14, 2017.\r\nOn January 8, 2018, the group launched an attack on an insurance agency based in the Middle East. They\r\ntried to deliver a new Trojan called OopsIE using a variant of the ThreeDollars delivery document.\r\nThey sent two emails to two separate email addresses within the same organization. The email address was\r\nlinked with the Lebanese domain of a major global financial institution.\r\nIn Feb 2018, it was discovered that a threat actor dubbed ‘Chafer’ (associated with or related to\r\nAPT34) successfully compromised one of the biggest telecom firms in the Middle East using leaked NSA\r\nhacking tools.\r\nIn March 2018, the group expanded their critical infrastructure attacks with new off-the-shelf tools and dual-purpose utilities. 
They were found to be using previously unseen malware that uses SmartFile, Google Drive,\r\nand Internet Server API (ISAPI) filters to compromise Microsoft Internet Information Services (IIS)\r\nservers.\r\nIn July 2018, they launched multiple attacks using spearphishing emails (with the PhpSpy and\r\nQuadAgent backdoors attached) to target an unnamed technology services provider, the Lebanese intelligence\r\nagency, and healthcare facilities in Saudi Arabia. Their initial infection paths were based on watering hole\r\nattacks using compromised web servers. In Sep., they deployed a new variant of their OopsIE Trojan that\r\ncame with new evasion techniques.\r\nIn the same month, they also conducted at least one attack campaign containing an updated variant of the\r\nBondUpdater Trojan (which uses DNS tunneling) as its final payload.\r\nIn Nov. 2018, new information revealed that the group tests their malicious documents before\r\nusing them in their attacks.\r\nIn April 2019, a group that calls itself Lab Dookhtegan exposed several tools (Poison Frog, Glimpse,\r\nHyperShell, HighShell, Fox Panel, and Webmask) used by this group.\r\nIn the same month, a DNSpionage malware campaign was also discovered, using a new malware called\r\n'Karkoff.' The malware was delivered via an Excel document that included malicious macros. They also\r\ncreated a new remote administration tool that supported HTTP and DNS communication.\r\nMost recently, in June 2019, the Russian cyber-espionage group \"Turla\" was discovered to be using attack\r\ninfrastructure belonging to APT34. The infrastructure was used to deliver a backdoor called \"Neptun,\"\r\ninstalled on Microsoft Exchange servers.\r\nAlso in June, a phishing campaign was observed asking victims to join the attackers' social network. This time the\r\ngroup masqueraded as a Cambridge University lecturer, also setting up a LinkedIn page in order to gain\r\nvictims’ trust. 
From there they asked victims to open malicious documents. In this phishing campaign,\r\nthree new malware families were detected, named Pickpocket, ValueVault, and Longwatch.\r\nThis group is known to use multiple custom malware and tools for stealing sensitive information, lateral\r\nmovement, and gaining an initial foothold in the targeted network.\r\nMalicious programs used by APT34\r\nTwoface - A web shell used to harvest credentials.\r\nPowruner - A backdoor known to be used by APT34.\r\nRGDoor - An Internet Information Services backdoor written in C++.\r\nHelminth - A Trojan developed to target the Windows platform.\r\nOopsIE - A Trojan deployed and known to be used by APT34.\r\nKarkoff - A malware designed to execute code remotely on compromised hosts.\r\nISMAgent - A backdoor with a sophisticated architecture that contains anti-analysis techniques.\r\nPoison Frog - A backdoor used along with the BondUpdater tool.\r\nPhpSpy - A backdoor used for an initial foothold in the targeted network.\r\nNeptun - A backdoor installed on Microsoft Exchange servers as a service.\r\nPickpocket - A browser credential-theft tool.\r\nValueVault - A tool used to extract and view the credentials stored in the Windows Vault.\r\nLongWatch - A Pickpocket variant and browser credential-theft tool.\r\nCustom tools used by APT34\r\nQuadagent - A PowerShell backdoor tool attributed to APT34.\r\nThreeDollars - A delivery document identified as part of the OilRig toolset.\r\nFox Panel - A hacking tool known to be linked to and used by APT34.\r\nHighShell - A web shell-based TwoFace payload used by APT34.\r\nGlimpse - A tool within the data dump, related to the updated BondUpdater tool.\r\nWebmask - A series of scripts specifically meant to perform DNS hijacking.\r\nRunningBee 
- A web-based TwoFace payload used by APT34.\r\nHyperShell - A TwoFace loader known to be used by APT34.\r\nKnown Zero-Day Vulnerabilities\r\nMicrosoft Office Remote Code Execution Vulnerability (CVE-2017-0199) - A remote code-execution\r\nvulnerability in Microsoft Office/WordPad.\r\nMicrosoft Office Memory Corruption Vulnerability (CVE-2017-11882) - A memory-corruption\r\nvulnerability in Microsoft Office.\r\nThe use of infrastructure linked to Iranian operations, and the alignment and timing of activity with the national interests of Iran, lead\r\nto the conclusion that this group acts or works on behalf of the Iranian government. The persistence of their targeting,\r\nmostly of Middle Eastern countries, also indicates that the cyberattacks originated\r\nfrom Iran. Most of their cyber campaigns became active when there was a holiday in Iran, and targeted specific\r\ncountries with a conflict of interest with Iran.\r\nOrganizations and security experts should review the Indicators of Compromise (IoCs) and use them with their\r\nEndpoint Detection and Response (EDR) tool. Organizations should also consider threat intel ingestion for\r\ntheir existing investments in the stack of security tools such as firewalls and Intrusion Detection and Prevention Systems\r\n(IDS/IPS), with support for automated enrichment from external sources, which would help ensure protection from the\r\nlatest threats across the industry. Security teams must understand that even fully up-to-date, reliable antivirus (AV)\r\nsoftware does not provide 100% protection against sophisticated attacks from threats like\r\nAPT34. For adequate protection, they need a layered approach to their endpoint security. 
Ideally, these layers must\r\ncombine solutions based on dynamic security policy (e.g., behavior-based firewalls, Data Loss Prevention\r\nsystems) as well as control-based security policy (e.g., whitelisting, application control). Enterprise networks\r\nwith endpoint security solutions based on the OS-centric security approach are more secure against new types\r\nof APT34 attacks. OS-centric security solutions focus on the final stage of the attack kill chain and the intended\r\ndamage, so they provide better protection no matter what attack vector or method is used.\r\nIranian Intelligence Server\r\nIoCs of Leaked Hacking Tools (April 2019)\r\nSHA256\r\nShells\r\nC2 Servers\r\nSource: https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
	],
	"report_names": [
		"apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed",
			"created_at": "2022-10-25T16:07:23.918534Z",
			"updated_at": "2026-04-10T02:00:04.789509Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [
				"Greenbug",
				"Volatile Kitten"
			],
			"source_name": "ETDA:Greenbug",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bba8e81-73af-4010-86dc-d43c408ca342",
			"created_at": "2023-01-06T13:46:38.553459Z",
			"updated_at": "2026-04-10T02:00:03.021597Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [],
			"source_name": "MISPGALAXY:Greenbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434518,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b43c8a29b106f92b9521b4d057e29d23692ff86d.pdf",
		"text": "https://archive.orkl.eu/b43c8a29b106f92b9521b4d057e29d23692ff86d.txt",
		"img": "https://archive.orkl.eu/b43c8a29b106f92b9521b4d057e29d23692ff86d.jpg"
	}
}