OilRig
Iranian Ministry of Intelligence and Security (MOIS)
🇮🇷 Iran | Nation-State | Active | MITRE ID: G0049
Key Intelligence
MITRE ID: G0049
Country: 🇮🇷 Iran
Motivation: Espionage, Sabotage
Active Since: 2014
Last Seen: 2025
Techniques: 27 across 12 tactics
Attribution: Iranian Ministry of Intelligence and Security (MOIS)
Also Known As: APT34, Helix Kitten, Hazel Sandstorm, EUROPIUM, Crambus, Cobalt Gypsy, IRN2, ITG13, Scarred Manticore, GreenBug
Target Profile
Targeted Industries: Government, Energy/Oil & Gas, Telecommunications, Aviation, Financial Services
Targeted Countries: 🇸🇦 Saudi Arabia, 🇮🇱 Israel, 🇦🇪 UAE, 🇮🇶 Iraq, 🇹🇷 Turkey

Overview

OilRig is an Iranian state-sponsored cyber espionage group linked to Iran's Ministry of Intelligence. The group primarily targets organizations in the Middle East, with a focus on the government, energy, chemical, and telecommunications sectors. It is known for sophisticated spearphishing campaigns, custom DNS tunneling implants, and exploitation of trust relationships. OilRig frequently operates alongside other Iranian groups and shares infrastructure with them.

Tools & Malware

BONDUPDATER, QUADAGENT, OopsIE, ALMA Communicator, Helminth, ISMAgent, VALUEVAULT, SideTwist, Karkoff, PowerExchange, Mimikatz, DNS Tunneling Tools, dnscat2, Plink

Malware & Tool Details

Arsenal attributed to OilRig.

Attack Path DNSpionage / PowerExchange (2017-2023)

Following MITRE ATT&CK Flow methodology.


Diamond Model

Caltagirone, Pendergast & Betz (2013)
Adversary: MOIS (Iranian Ministry of Intelligence), overlaps with MuddyWater
Capability: BONDUPDATER, QUADAGENT, Helminth, SideTwist, PowerExchange, ISMAgent
Infrastructure: DNS tunneling infrastructure, compromised webmail portals, fake LinkedIn job portals
Victim: Middle East government, energy, telecom, aviation

ATT&CK Navigator

Interactive MITRE ATT&CK Navigator layer for OilRig (G0049).


Known CVEs Exploited

CVE | Year | Description
CVE-2017-11882 | 2017 | Office Equation Editor RCE for macro phishing
CVE-2021-26855 | 2021 | ProxyLogon Exchange RCE for PowerExchange deployment

Notable Campaigns

2023: PowerExchange Campaign
Exploitation of Exchange servers using a novel PowerShell-based backdoor.
2021: Lyceum/Hexane Overlap
Targeting of Israeli and Tunisian organizations using new backdoors.
2019: HardPass Campaign
LinkedIn-based social engineering targeting aerospace and energy companies.
2017: DNSpionage
DNS hijacking campaign targeting government domains in the Middle East.

Detection Engineering

DNS Tunneling via TXT Records
Monitor for high-volume DNS TXT record queries to single domains. Alert on DNS query subdomain lengths exceeding 50 characters. Deploy passive DNS monitoring to identify C2 domain registration patterns. Sigma rule: net_dns_susp_txt_exec_query.
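The two DNS heuristics above (TXT query volume per domain and subdomain length over 50 characters) as an added, runnable example; this is editor-written code, not the page's Sigma rule or any OilRig tooling, and the simplified "client qname qtype" log format, the thresholds and the sample domain names are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed "client qname qtype" format, not real
# traffic): a few benign lookups plus a burst of long TXT queries to one domain.
SAMPLE_LOG = "\n".join(
    ["10.0.0.5 www.example.com A",
     "10.0.0.5 _dmarc.example.com TXT",
     "10.0.0.7 mail.example.org MX"]
    + [f"10.0.0.9 {'a1b2c3d4e5f6' * 5}{i:04x}.updates.example-c2.test TXT"
       for i in range(25)]
)

LINE_RE = re.compile(r"^(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$")

def registered_domain(qname):
    """Crude split: the last two labels are the domain, everything before is the subdomain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def analyze_dns(log_text, txt_threshold=20, max_sub_len=50):
    """Return domains with >= txt_threshold TXT queries and domains whose
    queried subdomain part exceeds max_sub_len characters (page's 50)."""
    txt_counts = Counter()
    long_subdomains = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the whole scan
        domain, sub = registered_domain(m["qname"])
        if m["qtype"] == "TXT":
            txt_counts[domain] += 1
        if len(sub) > max_sub_len:
            long_subdomains[domain].append(m["qname"])
    return {
        "high_volume_txt": {d: n for d, n in txt_counts.items() if n >= txt_threshold},
        "long_subdomains": dict(long_subdomains),
    }

if __name__ == "__main__":
    for kind, hits in analyze_dns(SAMPLE_LOG).items():
        for domain in hits:
            print(f"ALERT {kind}: {domain}")
```

Both heuristics fire on the same constructed domain here; in production, tune the thresholds against a baseline, since legitimate services (anti-spam lookups, some CDNs) also emit long or frequent TXT queries.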
Exchange Web Shell Detection
Monitor IIS/Exchange log files for unusual .aspx file creation in OWA directories. Detect w3wp.exe spawning cmd.exe or PowerShell. Implement file integrity monitoring on Exchange virtual directories.
VBA Macro Execution Chain
Enable ASR rules to block Office applications from creating child processes. Monitor for WINWORD.EXE or EXCEL.EXE spawning powershell.exe, wscript.exe, or mshta.exe. Sigma rule: proc_creation_win_office_spawn_exe_from_temp.
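The Exchange web shell and VBA macro chain items above both reduce to parent/child process pairings plus, for Exchange, .aspx writes under an OWA directory. This added example (editor-written, not the page's Sigma rules or any vendor telemetry) encodes those pairings over constructed Sysmon-like events; the event shape, the OWA path fragment and all sample paths are assumptions.

```python
import re

# Constructed events in a Sysmon-like dict shape (assumed; not real telemetry):
# id 1 = process creation, id 11 = file creation.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},                       # benign
    {"id": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                           # web shell pattern
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # macro chain
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe"},                               # benign print helper
    {"id": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\ExchangeRoot\FrontEnd\HttpProxy\owa\auth\new.aspx"},  # constructed path
    {"id": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex.log"},    # benign log write
]

# Parent/child pairings taken from the page's two detection items.
PROCESS_RULES = {
    "exchange_webshell_spawn": ({"w3wp.exe"}, {"cmd.exe", "powershell.exe"}),
    "office_macro_chain": ({"winword.exe", "excel.exe"},
                           {"powershell.exe", "wscript.exe", "mshta.exe"}),
}
# .aspx written anywhere under an "owa" directory; the fragment is an assumption,
# narrow it to your real Exchange virtual directory paths.
OWA_ASPX_RE = re.compile(r"[\\/]owa[\\/].*\.aspx$", re.IGNORECASE)

def image_name(path):
    """Case-insensitive image file name, tolerant of forward or back slashes."""
    return re.split(r"[\\/]", path.strip())[-1].lower()

def detect(events):
    """Return (rule, detail) tuples for events matching either detection item."""
    hits = []
    for ev in events:
        if ev["id"] == 1:
            parent, child = image_name(ev["ParentImage"]), image_name(ev["Image"])
            for rule, (parents, children) in PROCESS_RULES.items():
                if parent in parents and child in children:
                    hits.append((rule, f"{parent} -> {child}"))
        elif ev["id"] == 11 and OWA_ASPX_RE.search(ev["TargetFilename"]):
            hits.append(("owa_aspx_write", ev["TargetFilename"]))
    return hits

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {detail}")
```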

Related Threat Actors

Documented in MITRE ATT&CK, vendor intelligence, and government advisories.

Defense Recommendations

Mitigations mapped to MITRE ATT&CK IDs.

Implement DNS RPZ and sinkholing. OilRig's entire C2 relies on DNS tunneling. (CIS Control 9)
Patch Exchange vulnerabilities (ProxyLogon, ProxyShell). Monitor OWA directories for web shells. (CISA AA21-062A)
Block Office macros via GPO and ASR. Implement Mark of the Web enforcement. (Microsoft ASR)
Implement strict SPF, DKIM, and DMARC with p=reject on all domains. (CISA BOD 18-01)

Attribution Confidence

Attribution Confidence: High
Evidence Supporting Attribution
Multiple vendor attributions to Iranian MOIS - https://attack.mitre.org/groups/G0049/
Symantec, Unit 42, Check Point consistent tracking - https://unit42.paloaltonetworks.com/tag/oilrig/
Leaked tools confirm Iranian origin (2019) - https://www.zdnet.com/article/source-code-of-iranian-cyber-e

Threat Assessment

Capability: 7/10
Intent: 8/10
Targeting: 7/10
Overall Threat Level: High
Persistent Iranian espionage actor specializing in DNS-based tradecraft. Targets Middle East government and energy sectors with custom tooling.

Legal Actions & Sanctions

No documented legal actions.

Recent Reporting

Emulation Plans & Guidance

Plan | Source | Type | Description
MITRE CTID - OilRig Full Emulation Plan | MITRE CTID | Open Source | Complete OilRig emulation focused on DNS tunneling and credential harvesting
ATT&CK Evaluations Library - OilRig | MITRE Engenuity | Framework | Official OilRig evaluation with DNS-based C2 emulation
MITRE CTID - OilRig Emulation Plan | MITRE CTID | Open Source | Full emulation plan with VALUEVAULT credential theft, DNS tunneling, and Exchange exploitation
ATT&CK Evaluations - OilRig | MITRE Engenuity | Framework | Official managed services evaluation with OilRig C2 and lateral movement scenarios
Emulating Recent Activity from OilRig | AttackIQ | Blog Post | Full attack graph emulating OilRig DNS tunneling C2, credential harvesting, and Exchange exploitation

Page Contributors

Adversary Village
MITRE ATT&CK Team
BreachSimRange