Introduction
OilRig, tracked under numerous names such as APT34, Helix Kitten, Greenbug, and Earth Simnavaz, is one of the largest Iranian cyber-espionage groups still operating. Since its original detection in late 2014, OilRig has engaged in sustained campaigns targeting governments, energy companies, and critical infrastructure, primarily in the Middle East but also further afield. Its operations trace the broader development of Iranian cyber capability, which has shifted from disruptive attacks and basic phishing toward long-term intelligence gathering and sustained access to critical sectors.
Operations attributed to OilRig broadly align with the objectives of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization, demonstrating active investment of IRGC resources in Tehran’s national security priorities. OilRig’s operations show the hallmarks of a maturing threat actor: modular development of malware, reuse of infrastructure across campaigns, and potential collaboration with other Iranian threat clusters such as MuddyWater (APT35), Agrius, and Peach Sandstorm.

Identity & Motivation
OilRig’s activities fundamentally support Iranian strategic interests. The group focuses on collecting political, economic, and military intelligence to bolster the state’s geopolitical posture against its regional rivals in the Gulf and against Western powers engaged in sanctions and defense cooperation with Israel. Beyond espionage, OilRig’s activities feed into larger Iranian efforts at deterrence and retaliation in cyberspace.
OilRig’s primary motivations are as follows:
1. Strategic Espionage: Targeting government agencies and diplomatic networks to gain long-term access and to gather intelligence.
2. Economic Surveillance: Monitoring energy production, exports and industrial activity to anticipate or counter foreign sanctions.
3. Regional Influence: Undermining or surveilling neighboring states’ defense and critical infrastructure capabilities.
Financial gain is not OilRig’s principal motivation; however, theft of credentials or sensitive data can benefit its espionage and economic intelligence efforts.
TTPs: Methods, Tools, and Access Strategies
OilRig’s TTPs have matured significantly over the past decade, reflecting Iran’s advancing cyber maturity. The group relies heavily on social engineering and custom backdoors, and has increasingly added cloud exploitation and hybrid intrusions to its repertoire.
1. Initial Access
Spearphishing is the group’s signature access technique. Emails often impersonate a trusted regional organization, such as a ministry, telecommunications company, or defense contractor. Attachments and hyperlinks either drop a malware loader or direct recipients to credential-phishing portals. In some campaigns OilRig has also exploited VPN vulnerabilities and misconfigured email gateways to establish an initial foothold in a target’s network.
2. Persistence and Privilege Escalation
After an initial foothold is established, the group is known to deploy lightweight implants such as Tonedeaf, Helminth, or Karkoff to maintain persistence. These tools provide a means of executing commands, collecting files, and deploying additional malware. OilRig frequently reuses stolen credentials across multiple domains and establishes several independent layers of persistence to survive remediation efforts.
3. Command and Control (C2)
OilRig is known to use encrypted HTTPS traffic and DNS tunneling to communicate with its C2 infrastructure. This type of command and control allows it to bypass perimeter security and blend with normal network activity. Recently, it has adopted cloud-based hosting, including abuse of Microsoft Azure and Google Drive, to anonymize traffic and maintain operational capabilities.
4. Malware Arsenal
The group’s malware arsenal includes:
- Tonedeaf: an HTTP-based backdoor used for command execution.
- Helminth: a PowerShell implant used for data theft and lateral movement.
- Karkoff: a lightweight backdoor used for command execution and data upload.
- PoisonFrog and BONDUPDATER: credential-stealing and data exfiltration tools.
OilRig constantly customizes its malware to avoid signature detection and incorporates components from open-source security tools to complicate attribution.
5. Exfiltration and Impact
OilRig exfiltrates data over encrypted HTTPS or DNS channels. Sensitive documents, credentials, and configuration files are typically taken first. Compromised accounts are often reused for reconnaissance or lateral movement within the target network. Destructive activity is rare, but OilRig’s intrusions have caused data loss and operational disruption for victims in the energy and government sectors.
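The DNS-tunneling C2 and exfiltration described above leave a measurable footprint in resolver logs. The following added example (not from the original article or from any vendor report) scores each client's queries per registered domain by distinct-subdomain count, label length, and character entropy; the log entries, addresses, and domain names are constructed for illustration and the two-label registered-domain rule is a simplifying assumption.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log sample: (client IP, queried name). Names and addresses
# are made up for illustration and are not OilRig indicators.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "img1.cdn-example.org"),
    ("10.0.0.5", "img2.cdn-example.org"),
    ("10.0.0.5", "img3.cdn-example.org"),
    ("10.0.0.5", "img4.cdn-example.org"),
    ("10.0.0.7", "4a6f686e20446f65.a1b2c3d4e5f60718.tunnel-example.test"),
    ("10.0.0.7", "5061737377307264.29384756ab12cd34.tunnel-example.test"),
    ("10.0.0.7", "6465616462656566.ffeeddccbbaa0099.tunnel-example.test"),
    ("10.0.0.7", "0123456789abcdef.fedcba9876543210.tunnel-example.test"),
    ("10.0.0.7", "c0ffee1234567890.0987654321abcdef.tunnel-example.test"),
]

def shannon_entropy(text):
    """Bits per character; hex- or base32-encoded payload labels score near 4 or 5."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_name(qname):
    """Return (registered domain, subdomain part). Assumes the registered domain is
    the last two labels; a production version would consult the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def find_tunnel_candidates(queries, min_unique=4, min_len=24, min_entropy=3.5):
    """(client, domain) pairs whose subdomains are numerous, long and high-entropy: the
    shape of data smuggled in DNS labels. Many short CDN-style subdomains are not flagged."""
    subs_by_pair = defaultdict(set)
    for client, qname in queries:
        domain, sub = split_name(qname)
        subs_by_pair[(client, domain)].add(sub)
    flagged = set()
    for pair, subs in subs_by_pair.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_len and avg_entropy >= min_entropy:
            flagged.add(pair)
    return flagged

print(sorted(find_tunnel_candidates(SAMPLE_QUERIES)))
```

Thresholds are starting points to tune against a baseline of the organization's own resolver traffic; legitimate high-entropy names (content-hash CDN labels, some telemetry services) will need an allowlist.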

Notable Operations
Over its history, OilRig has been responsible for several key campaigns that established it as a central actor in Iran’s cyber ecosystem.
- 2017 – Greenbug Campaign: OilRig compromised Middle Eastern telecom operators and financial institutions using spearphishing and the Helminth backdoor to steal credentials and internal information.
- 2019 – DNSMessenger Operation: This operation used DNS tunneling to exfiltrate sensitive data from oil and gas companies in Gulf-region countries. The campaign marked OilRig’s initial foray into covert C2 methodology.
- 2022 – European Energy Breach: OilRig ran phishing campaigns against a European energy firm and, by exploiting cloud storage misconfigurations, maintained access to steal internal documents.
- 2024 – Cloud Credential Harvesting: Attacks focused almost entirely on Israeli and Emirati defense companies, using compromised Microsoft 365 sites to steal user credentials and deliver PowerShell-based loaders.
- 2025 – Oil and Energy Espionage Drive: OilRig conducted sustained intrusion campaigns against energy and defense companies across Europe and the Middle East using compromised Microsoft 365 accounts and persistence in Azure.
These operations also suggest that the group’s intelligence gathering and campaign coordination have grown, as shown by its multi-year activity in cloud environments and its adaptation to developing geopolitical tensions in the region.
Evolution and Collaboration
OilRig’s development reflects Iran’s broader investment in cyber operations as a method of warfare. Its early campaigns (2014–2018) were primitive, consisting mainly of phishing and basic backdoors to gain a presence on victim systems. From late 2019 the group adopted a modular approach, used cloud access mechanisms to reach systems of interest, and improved the operational security of its tactics.
Current reporting indicates that OilRig cooperates with, or in some cases shares infrastructure with, other Iranian clusters such as MuddyWater, Agrius, and Peach Sandstorm. These groups have often conducted operations sequentially: one group establishes access and another conducts exploitation or data theft, a telltale sign of a coordinated national-level cyber strategy.
OilRig’s use of legitimate IT administration tools (living off the land) and commercial VPN products for anonymization stems from prior exposure and lessons learned. Each time the group has built new infrastructure it has varied its methods for multi-stage credential collection, and it appears to have taken additional measures to withstand takedowns and evade detection.
Strategic Impact and Defensive Measures
OilRig’s operations pose significant risks to both regional and global cyber security. The group’s focus on critical-infrastructure industries, specifically the energy and defense sectors, indicates that Iran seeks intelligence it can use in relation to sanctions, energy production, and regional defense partnerships.
From a defensive perspective, organizations should consider the following:
1. Strengthen Email Security: Sandboxing and URL filtering help keep spearphishing payloads from reaching end users.
2. Cloud Abuse Monitoring: Examine authentication logs for suspicious sign-ins, with particular attention to Azure and Microsoft 365 tenants.
3. Behavioral Detection: OilRig campaigns rely on PowerShell-based loaders, against which traditional signature-based antivirus may prove ineffective. An EDR solution with process-behavior analytics is critical.
4. Multi-Factor Authentication (MFA): MFA is an excellent way to reduce the potential impact of credential theft and phishing.
5. Shared Intelligence: OilRig’s cross-sector targeting highlights the need for CERTs, ISACs, and private-sector security teams to share risk information.
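The cloud-abuse monitoring and MFA points above can be turned into concrete checks over tenant sign-in logs. This added example (not from the original article) runs two heuristics over a constructed batch of Microsoft 365 style sign-in events: a password spray (one source address failing against many accounts) and a success from a previously unseen address immediately after a run of failures, with the MFA flag carried through so that hits without MFA stand out; the users, addresses, and the simplified event fields are made up for illustration.

```python
from collections import defaultdict

# Constructed Microsoft 365 style sign-in events in time order. Users, addresses
# and results are made up for illustration; they are not real telemetry.
SIGNINS = [
    {"user": "alice@corp.example", "ip": "203.0.113.10", "result": "success", "mfa": True},
    {"user": "bob@corp.example",   "ip": "198.51.100.7", "result": "failure", "mfa": False},
    {"user": "carol@corp.example", "ip": "198.51.100.7", "result": "failure", "mfa": False},
    {"user": "dave@corp.example",  "ip": "198.51.100.7", "result": "failure", "mfa": False},
    {"user": "erin@corp.example",  "ip": "198.51.100.7", "result": "failure", "mfa": False},
    {"user": "erin@corp.example",  "ip": "198.51.100.7", "result": "failure", "mfa": False},
    {"user": "erin@corp.example",  "ip": "198.51.100.7", "result": "success", "mfa": False},
    {"user": "alice@corp.example", "ip": "203.0.113.10", "result": "failure", "mfa": False},
    {"user": "alice@corp.example", "ip": "203.0.113.10", "result": "failure", "mfa": False},
    {"user": "alice@corp.example", "ip": "203.0.113.10", "result": "success", "mfa": True},
]

def detect_password_spray(events, min_accounts=3):
    """Source addresses that failed authentication against at least min_accounts
    distinct users: the low-and-slow credential-guessing pattern behind many
    cloud account takeovers."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failed_users[e["ip"]].add(e["user"])
    return {ip for ip, users in failed_users.items() if len(users) >= min_accounts}

def detect_new_ip_success_after_failures(events, min_failures=2):
    """Accounts that succeed from an address they never succeeded from before,
    immediately after at least min_failures consecutive failures. A hit without MFA
    means a guessed or phished password alone was enough; a retry from a familiar
    address (alice mistyping her password) is deliberately not reported."""
    known_ips = defaultdict(set)   # user -> addresses with a prior success
    streak = defaultdict(int)      # user -> consecutive failures so far
    hits = set()
    for e in events:
        user, ip = e["user"], e["ip"]
        if e["result"] == "failure":
            streak[user] += 1
            continue
        if streak[user] >= min_failures and ip not in known_ips[user]:
            hits.add((user, ip, e["mfa"]))
        streak[user] = 0
        known_ips[user].add(ip)
    return hits

print("spray sources:", detect_password_spray(SIGNINS))
print("suspicious successes:", detect_new_ip_success_after_failures(SIGNINS))
```

In a real tenant these checks would run over exported sign-in logs with proper timestamps and a longer history of known addresses per user; the address-familiarity test is what keeps ordinary typo retries out of the alert queue.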
Conclusion
In conclusion, OilRig is among the most established and agile Iranian advanced persistent threats (APTs). The group’s prolonged campaigns demonstrate a disciplined approach to cyber-espionage that values stealth, persistence, and regional context over more ambitious destructive cyber-attack campaigns. Operating at the intersection of geopolitics and technology, OilRig advances Iran’s strategic aspirations with each successive operation while refining its own methods.
By 2025, OilRig is emblematic of the transition from state-backed cyber-attacks to ongoing cyber intelligence operations by nation-states. For defenders, understanding OilRig’s hybrid operational methods, which combine phishing, credential theft, and cloud exploitation, is key to protecting against its efforts. OilRig reminds us that cyber-espionage should be viewed not only as a technical threat but also as a geopolitical tool of the state, one that is increasingly normalized and refined with each operation carried out by states like Iran.