| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.
| 2021-04-08 ⋅ Checkpoint ⋅ Iran’s APT34 Returns with an Updated Arsenal DNSpionage SideTwist TONEDEAF |
| 2020-11-27 ⋅ PTSecurity ⋅ Investigation with a twist: an accidental APT attack and averted data destruction TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz |
| 2020-09-25 ⋅ APT vs Internet Service Providers TwoFace RGDoor |
| 2020-07-13 ⋅ FireEye ⋅ SCANdalous! (External Detection Using Network Scan Data and Automation) POWERTON QUADAGENT PoshC2 |
| 2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks TwoFace Cobalt Strike Empire Downloader |
| 2020-05-19 ⋅ Symantec ⋅ Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia ISMAgent ISMDoor |
| 2020-02-13 ⋅ Qianxin ⋅ APT Report 2019 Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
| 2020-01-30 ⋅ Intezer ⋅ New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset TONEDEAF VALUEVAULT |
| 2020-01-17 ⋅ FireEye ⋅ State of the Hack: Spotlight Iran - from Cain & Abel to full SANDSPY QUADAGENT Fox Kitten |
| 2020 ⋅ Secureworks ⋅ COBALT GYPSY TwoFace MacDownloader BONDUPDATER pupy Helminth jason RGDoor TinyZbot OilRig |
| 2020 ⋅ Secureworks ⋅ IRON HUNTER Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group |
| 2020-01 ⋅ FireEye ⋅ Mandiant IR Grab Bag of Attacker Activity TwoFace CHINACHOPPER HyperBro HyperSSL |
| 2019-11-20 ⋅ ClearSky ⋅ MuddyWater Uses New Attack Methods in a Recent Attack Wave QUADAGENT RogueRobin |
| 2019-11-09 ⋅ NSFOCUS ⋅ APT34 Event Analysis Report BONDUPDATER DNSpionage |
| 2019-10-21 ⋅ NCSC UK ⋅ Advisory: Turla group exploits Iranian APT to expand coverage of victims Nautilus Neuron |
| 2019-09-18 ⋅ IronNet ⋅ Chirp of the PoisonFrog BONDUPDATER |
| 2019-07-18 ⋅ FireEye ⋅ Hard Pass: Declining APT34’s Invite to Join Their Professional Network LONGWATCH PICKPOCKET TONEDEAF VALUEVAULT |
| 2019-07-08 ⋅ SANS ⋅ Hunting Webshells: Tracking TwoFace TwoFace |
| 2019-05-02 ⋅ Marco Ramilli's Blog ⋅ APT34: Glimpse project BONDUPDATER |
| 2019-04-30 ⋅ Palo Alto Networks Unit 42 ⋅ Behind the Scenes with OilRig BONDUPDATER |
| 2019-04-19 ⋅ Medium ⋅ Hacking (Back) and Influence Operations BONDUPDATER |
| 2019-04-16 ⋅ DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling BONDUPDATER QUADAGENT Alma Communicator Helminth ISMAgent |
| 2019-02-13 ⋅ Youtube (SANS Digital Forensics & Incident Response) ⋅ Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018 TwoFace |
| 2019 ⋅ Council on Foreign Relations ⋅ APT 34 APT34 |
| 2018-09-14 ⋅ NetScout ⋅ Tunneling Under the Sands BONDUPDATER |
| 2018-09-12 ⋅ Palo Alto Networks Unit 42 ⋅ OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government BONDUPDATER |
| 2018-07-07 ⋅ Youtube (SteelCon) ⋅ You’ve Got Mail! TwoFace |
| 2018-04-20 ⋅ Booz Allen Hamilton ⋅ Researchers Discover New variants of APT34 Malware BONDUPDATER POWRUNER |
| 2018-01-17 ⋅ NCSC UK ⋅ Turla group malware Nautilus Neuron |
| 2018 ⋅ FireEye ⋅ M-TRENDS2018 APT34 APT35 |
| 2017-12-11 ⋅ Palo Alto Networks Unit 42 ⋅ OilRig Performs Tests on the TwoFace Webshell TwoFace |
| 2017-12-07 ⋅ FireEye ⋅ New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit APT34 OilRig |
| 2017-08-28 ⋅ ClearSky ⋅ Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug ISMAgent |
| 2017-07-31 ⋅ Palo Alto Networks Unit 42 ⋅ TwoFace Webshell: Persistent Access Point for Lateral Movement TwoFace OilRig |
| 2017-07-12 ⋅ Wired ⋅ Iranian Hackers Have Been Infiltrating Critical Infrastructure Companies APT34 |
| 2017-04-27 ⋅ Morphisec ⋅ Iranian Fileless Attack Infiltrates Israeli Organizations Helminth OilRig |
| 2016-10-04 ⋅ Palo Alto Networks Unit 42 ⋅ OilRig Malware Campaign Updates Toolset and Expands Targets Helminth |
| 2016-05-26 ⋅ Palo Alto Networks Unit 42 ⋅ The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Helminth |
| 2016-05-22 ⋅ FireEye ⋅ Targeted Attacks against Banks in the Middle East Helminth OilRig |
| 2015-09-17 ⋅ F-Secure ⋅ The Dukes: 7 Years Of Russian Cyber-Espionage TwoFace BONDUPDATER DNSpionage |