OilRig

Repository Navigation

• Actor workbench: OilRig
• TTP-to-detection matrix: all mapped techniques
• Surface and capability routes: Endpoint RMM, Scripting, And User-Path Execution; Internet-Facing Servers, Webshells, And Passive Access; Email, Cloud-Service, IMAP, And DNS C2
• Detection status: dashboard
• Hunt workflow: hunt workflow
• ATT&CK mappings: T1505.003 Web Shell (M3); T1049 System Network Connections Discovery (M1)
• Mapped detections: None currently mapped.
• Mapped hunts: None currently mapped.
• IOC reference sources: SRC-MITRE-G0049 Technique references
• Tool detail pages: OilBooster; Saitama; BONDUPDATER; certutil; ftp; Helminth; ipconfig; ISMInjector; LaZagne; Mango; Mimikatz; Net; netstat; ngrok; ODAgent; OilCheck; OopsIE; PowerExchange; POWRUNER; PsExec; QUADAGENT; RDAT; Reg; RGDoor; SampleCheck5000; SEASHARPEE; SideTwist; Solar; Systeminfo; Tasklist; ZeroCleare
• Tool matrix: all actor-linked tools (31 mapped tool row(s))
• Evidence records: EVD-013 / CLM-OILRIG-001; EVD-014 / CLM-OILRIG-002
• Imported research intakes: OilRig And Magic Hound Deep Research Intake (High, Needs source validation); APT35 And OilRig Israel Deep Research Intake (High, Needs source validation)
• Intel update candidates: 1 current candidate(s)
• Source IDs in structured data: SRC-ESET-OILRIG-ISRAEL, SRC-MITRE-G0049, SRC-UNIT42-OILRIG-DNS-TUNNELING

Aliases: APT34, Helix Kitten, Hazel Sandstorm, COBALT GYPSY, Crambus.

Assessed sponsor: Iran state-linked in public reporting.

Relevance

OilRig is high priority for Israeli government exposure because public reporting describes long-running espionage campaigns against Middle Eastern government, critical infrastructure, technology, and telecom targets.

Defensive Focus

• Webshell persistence on externally exposed systems.
• Credential theft and mailbox access.
• Custom downloader and command execution activity.
• Internal discovery using native commands.

Detection Ideas

• w3wp.exe or web server worker processes spawning shells or scripting engines.
• Unexpected archive creation under web application directories.
• Authentication from unusual infrastructure after web exploitation.

Sources: SRC-MITRE-G0049, SRC-ESET-OILRIG-ISRAEL, SRC-UNIT42-OILRIG-DNS-TUNNELING, SRC-KASPERSKY-ICS-H2-2023, SRC-BRANDEFENSE-OILRIG-2025.

Source note: ESET and Unit 42 are the preferred anchors for OilBooster/cloud-service and DNS-tunneling claims. Kaspersky ICS and Brandefense are supporting synthesis sources.