| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Adversaries abusing ICS (based on Dragos Inc adversary list). This threat actor targets organizations involved in oil, gas, and electricity production, primarily in the Gulf region, for espionage purposes. According to one cybersecurity company, the threat actor “compromises a target machine and passes it off to another threat actor for further exploitation.”
| 2025-06-05
⋅
ESET Research
⋅
BladedFeline: Whispering in the dark Hawking RDAT Spereal Veaty |
| 2025-05-19
⋅
cocomelonc
⋅
AIYA - Mobile malware development book. First edition AndroRAT Anubis CraxsRAT Dendroid FakeGram Hydra IPStorm SpyNote |
| 2025-04-10
⋅
DomainTools
⋅
Newly Registered Domains Distributing SpyNote Malware SpyNote |
| 2025-02-09
⋅
Medium (@mvaks)
⋅
Analysis of malicious mobile applications impersonating popular Polish apps — OLX, Allegro, IKO SpyNote TrickMo |
| 2024-11-21
⋅
Intrinsec
⋅
PROSPERO & Proton66: Uncovering the links between bulletproof networks Coper SpyNote FAKEUPDATES GootLoader EugenLoader |
| 2024-11-20
⋅
Intrinsec
⋅
PROSPERO & Proton66: Tracing Uncovering the links between bulletproof networks Coper SpyNote FAKEUPDATES GootLoader EugenLoader IcedID Matanbuchus Nokoyawa Ransomware Pikabot |
| 2024-10-11
⋅
Trend Micro
⋅
Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East STEALHOOK OilRig |
| 2024-10-11
⋅
Trend Micro
⋅
Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions STEALHOOK |
| 2024-10-08
⋅
Hunt.io
⋅
Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Pages SpyNote |
| 2024-08-14
⋅
cyble
⋅
Cryptocurrency Lures and Pupy RAT: Analysing the UTG-Q-010 Campaign pupy UTG-Q-010 |
| 2024-06-26
⋅
Group-IB
⋅
Craxs Rat, the master tool behind fake app scams and banking fraud CraxsRAT SpyMax SpyNote |
| 2024-06-20
⋅
Hunt.io
⋅
Caught in the Act: Uncovering SpyNote in Unexpected Places SpyNote |
| 2024-02-19
⋅
Fortinet
⋅
Android/SpyNote bypasses Restricted Settings + breaks many RE tools SpyNote |
| 2024-02-15
⋅
Fortinet
⋅
Android/SpyNote Moves to Crypto Currencies SpyNote |
| 2023-09-21
⋅
ESET Research
⋅
OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes Mango Solar |
| 2023-08-30
⋅
NSFOCUS
⋅
APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan SideTwist |
| 2023-07-31
⋅
Cleafy
⋅
SpyNote continues to attack financial institutions SpyNote |
| 2023-05-10
⋅
K7 Security
⋅
spynote SpyNote |
| 2023-02-02
⋅
Trend Micro
⋅
New APT34 Malware Targets The Middle East Karkoff RedCap Saitama Backdoor |
| 2023-01-05
⋅
Bleeping Computer
⋅
SpyNote Android malware infections surge after source code leak SpyNote |
| 2023-01-05
⋅
ThreatFabric
⋅
SpyNote: Spyware with RAT capabilities targeting Financial Institutions SpyMax SpyNote |
| 2023-01-04
⋅
K7 Security
⋅
Pupy RAT hiding under WerFault’s cover pupy |
| 2022-12-06
⋅
⋅
360 Threat Intelligence Center
⋅
Analysis of suspected APT-C-56 (Transparent Tribe) attacks against terrorism AhMyth Meterpreter SpyNote AsyncRAT |
| 2022-09-26
⋅
CrowdStrike
⋅
The Anatomy of Wiper Malware, Part 3: Input/Output Controls CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare |
| 2022-09-08
⋅
Microsoft
⋅
Microsoft investigates Iranian attacks against the Albanian government ZeroCleare |
| 2022-08-17
⋅
⋅
360
⋅
Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East SpyNote Loda Nanocore RAT NjRAT |
| 2022-08-12
⋅
CrowdStrike
⋅
The Anatomy of Wiper Malware, Part 1: Common Techniques Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare |
| 2022-08-10
⋅
K7 Security
⋅
spynote SpyNote |
| 2022-07-18
⋅
Palo Alto Networks Unit 42
⋅
Evasive Serpens TwoFace ISMAgent ISMDoor OopsIE RDAT OilRig |
| 2022-06-24
⋅
XJunior
⋅
APT34 - Saitama Agent Saitama Backdoor |
| 2022-06-20
⋅
⋅
Infinitum IT
⋅
Charming Kitten (APT35) LaZagne DownPaper MimiKatz pupy |
| 2022-06-15
⋅
Volexity
⋅
DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach pupy Sliver DriftingCloud |
| 2022-06-13
⋅
SANS ISC
⋅
Translating Saitama's DNS tunneling messages Saitama Backdoor |
| 2022-05-23
⋅
Trend Micro
⋅
Operation Earth Berberoka reptile oRAT Ghost RAT PlugX pupy Earth Berberoka |
| 2022-05-11
⋅
Fortinet
⋅
Please Confirm You Received Our APT Saitama Backdoor |
| 2022-05-10
⋅
Malwarebytes Labs
⋅
APT34 targets Jordan Government using new Saitama backdoor Saitama Backdoor |
| 2022-04-28
⋅
Fortinet
⋅
An Overview of the Increasing Wiper Malware Threat AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare |
| 2022-04-27
⋅
Trendmicro
⋅
IOCs for Earth Berberoka - Linux Rekoobe pupy Earth Berberoka |
| 2022-03-30
⋅
Recorded Future
⋅
Social Engineering Remains Key Tradecraft for Iranian APTs Liderc pupy |
| 2021-12-14
⋅
Recorded Future
⋅
Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE TwoFace ASPXSpy SharPyShell |
| 2021-12-14
⋅
Recorded Future
⋅
Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE TwoFace |
| 2021-09-21
⋅
civilsphereproject
⋅
Capturing and Detecting AndroidTester Remote Access Trojan with the Emergency VPN SpyNote |
| 2021-06-16
⋅
⋅
Venustech
⋅
APT34 organization latest in-depth analysis report on attack activities Karkoff |
| 2021-04-21
⋅
Facebook
⋅
Taking Action Against Hackers in Palestine SpyNote Houdini NjRAT |
| 2021-04-08
⋅
Checkpoint
⋅
Iran’s APT34 Returns with an Updated Arsenal DNSpionage SideTwist TONEDEAF |
| 2021-02-28
⋅
PWC UK
⋅
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team |
| 2021-02-18
⋅
PTSecurity
⋅
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader |
| 2020-12-10
⋅
Intel 471
⋅
No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
| 2020-12-01
⋅
Qianxin
⋅
Blade Eagle Group - Targeted attack group activities circling the Middle East and West Asia's cyberspace revealed SpyNote BladeHawk |
| 2020-11-27
⋅
PTSecurity
⋅
Investigation with a twist: an accidental APT attack and averted data destruction TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz |
| 2020-09-25
⋅
APT vs Internet Service Providers TwoFace RGDoor |
| 2020-09-15
⋅
CrowdStrike
⋅
Nowhere to Hide - 2020 Threat Hunting Report NedDnLoader RDAT TRACER KITTEN |
| 2020-07-22
⋅
Palo Alto Networks Unit 42
⋅
OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory RDAT OilRig |
| 2020-07-22
⋅
Threatpost
⋅
OilRig APT Drills into Malware Innovation with Unique Backdoor OilRig |
| 2020-07-15
⋅
Relativity
⋅
An in-depth analysis of SpyNote remote access trojan SpyNote |
| 2020-07-13
⋅
FireEye
⋅
SCANdalous! (External Detection Using Network Scan Data and Automation) POWERTON QUADAGENT PoshC2 |
| 2020-06-18
⋅
Australian Cyber Security Centre
⋅
Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks TwoFace Cobalt Strike Empire Downloader |
| 2020-05-19
⋅
Symantec
⋅
Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia ISMAgent ISMDoor |
| 2020-03-31
⋅
Volexity
⋅
Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign SpyNote Stitch Godlike12 Storm Cloud |
| 2020-03-12
⋅
Recorded Future
⋅
Swallowing the Snake’s Tail: Tracking Turla Infrastructure TwoFace Mosquito |
| 2020-03-03
⋅
PWC UK
⋅
Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle |
| 2020-03-02
⋅
Yoroi
⋅
Karkoff 2020: a new APT34 espionage operation involves Lebanon Government Karkoff |
| 2020-03-02
⋅
Telsy
⋅
APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants Karkoff |
| 2020-02-13
⋅
Qianxin
⋅
APT Report 2019 Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
| 2020-01-30
⋅
Intezer
⋅
New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset TONEDEAF VALUEVAULT |
| 2020-01-23
⋅
Recorded Future
⋅
European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019 pupy pupy pupy |
| 2020-01-17
⋅
FireEye
⋅
State of the Hack: Spotlight Iran - from Cain & Abel to full SANDSPY QUADAGENT Fox Kitten |
| 2020-01-01
⋅
FireEye
⋅
Mandiant IR Grab Bag of Attacker Activity TwoFace CHINACHOPPER HyperBro HyperSSL |
| 2020-01-01
⋅
Secureworks
⋅
COBALT EDGEWATER DNSpionage Karkoff DNSpionage |
| 2020-01-01
⋅
Secureworks
⋅
COBALT GYPSY TwoFace MacDownloader BONDUPDATER pupy Helminth jason RGDoor TinyZbot OilRig |
| 2020-01-01
⋅
Secureworks
⋅
IRON HUNTER Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla |
| 2019-12-09
⋅
IBM Security
⋅
New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East ZeroCleare |
| 2019-11-20
⋅
ClearSky
⋅
MuddyWater Uses New Attack Methods in a Recent Attack Wave QUADAGENT RogueRobin |
| 2019-11-19
⋅
FireEye
⋅
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell |
| 2019-11-09
⋅
NSFOCUS
⋅
APT34 Event Analysis Report BONDUPDATER DNSpionage |
| 2019-10-21
⋅
NCSC UK
⋅
Advisory: Turla group exploits Iranian APT to expand coverage of victims Nautilus Neuron |
| 2019-09-18
⋅
IronNet
⋅
Chirp of the PoisonFrog BONDUPDATER |
| 2019-08-22
⋅
Cyware
⋅
APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations TwoFace BONDUPDATER POWRUNER QUADAGENT Helminth ISMAgent Karkoff LONGWATCH OopsIE PICKPOCKET RGDoor VALUEVAULT |
| 2019-08-22
⋅
Github (n1nj4sec)
⋅
Pupy RAT pupy pupy pupy |
| 2019-07-18
⋅
FireEye
⋅
Hard Pass: Declining APT34’s Invite to Join Their Professional Network LONGWATCH PICKPOCKET TONEDEAF VALUEVAULT |
| 2019-07-08
⋅
SANS
⋅
Hunting Webshells: Tracking TwoFace TwoFace |
| 2019-06-06
⋅
APT34: Jason project jason |
| 2019-06-03
⋅
Twitter (@P3pperP0tts)
⋅
Tweet on APT34 jason |
| 2019-05-02
⋅
Marco Ramilli's Blog
⋅
APT34: Glimpse project BONDUPDATER |
| 2019-04-30
⋅
Palo Alto Networks Unit 42
⋅
Behind the Scenes with OilRig BONDUPDATER |
| 2019-04-30
⋅
ClearSky
⋅
Raw Threat Intelligence 2019-04-30: Oilrig data dump link analysis SpyNote OopsIE |
| 2019-04-23
⋅
Talos
⋅
DNSpionage brings out the Karkoff DNSpionage Karkoff DNSpionage |
| 2019-04-19
⋅
Medium
⋅
Hacking (Back) and Influence Operations BONDUPDATER |
| 2019-04-17
⋅
Malware Reversing Blog
⋅
The Dukes: 7 Years Of Russian Cyber-Espionage TwoFace BONDUPDATER DNSpionage |
| 2019-04-16
⋅
DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling BONDUPDATER QUADAGENT Alma Communicator Helminth ISMAgent |
| 2019-03-27
⋅
Symantec
⋅
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33 |
| 2019-03-27
⋅
Symantec
⋅
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33 |
| 2019-02-13
⋅
Youtube (SANS Digital Forensics & Incident Response)
⋅
Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018 TwoFace |
| 2019-01-01
⋅
Dragos
⋅
Adversary Reports ALLANITE APT33 CHRYSENE ENERGETIC BEAR Lazarus Group Sandworm |
| 2019-01-01
⋅
Council on Foreign Relations
⋅
Chrysene CHRYSENE |
| 2018-12-21
⋅
FireEye
⋅
OVERRULED: Containing a Potentially Destructive Adversary POWERTON PoshC2 pupy |
| 2018-12-17
⋅
Twitter (@MJDutch)
⋅
Tweet on APT39 OilRig |
| 2018-09-14
⋅
NetScout
⋅
Tunneling Under the Sands BONDUPDATER |
| 2018-09-12
⋅
Palo Alto Networks Unit 42
⋅
OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government BONDUPDATER |
| 2018-07-07
⋅
Youtube (SteelCon)
⋅
You’ve Got Mail! TwoFace |
| 2018-04-20
⋅
Booz Allen Hamilton
⋅
Researchers Discover New variants of APT34 Malware BONDUPDATER POWRUNER |
| 2018-03-25
⋅
Vitali Kremez Blog
⋅
Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence OilRig |
| 2018-03-01
⋅
Dragos
⋅
INDUSTRIAL CONTROL SYSTEM THREATS APT33 CHRYSENE ENERGETIC BEAR Lazarus Group Sandworm |
| 2018-03-01
⋅
Nyotron
⋅
OilRig is Back with Next-Generation Tools and Techniques GoogleDrive RAT |
| 2018-02-23
⋅
Palo Alto Networks Unit 42
⋅
OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan OopsIE |
| 2018-01-17
⋅
NCSC UK
⋅
Turla group malware Nautilus Neuron |
| 2017-12-11
⋅
Palo Alto Networks Unit 42
⋅
OilRig Performs Tests on the TwoFace Webshell TwoFace |
| 2017-11-08
⋅
Palo Alto Networks Unit 42
⋅
OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan Alma Communicator |
| 2017-10-24
⋅
ClearSky
⋅
Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies ISMDoor |
| 2017-08-28
⋅
ClearSky
⋅
Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug ISMAgent |
| 2017-07-31
⋅
Palo Alto Networks Unit 42
⋅
TwoFace Webshell: Persistent Access Point for Lateral Movement TwoFace OilRig |
| 2017-04-27
⋅
Morphisec
⋅
Iranian Fileless Attack Infiltrates Israeli Organizations Helminth OilRig |
| 2017-02-16
⋅
SecurityAffairs
⋅
Iranian hackers behind the Magic Hound campaign linked to Shamoon pupy APT35 |
| 2017-02-15
⋅
Secureworks
⋅
Iranian PupyRAT Bites Middle Eastern Organizations pupy Cleaver |
| 2017-02-15
⋅
Palo Alto Networks Unit 42
⋅
Magic Hound Campaign Attacks Saudi Targets Leash MPKBot pupy Rocket Kitten |
| 2017-02-10
⋅
⋅
JPCERT/CC
⋅
Malware that infects using PowerSploit pupy |
| 2017-01-23
⋅
Symantec
⋅
Greenbug cyberespionage group targeting Middle East, possible links to Shamoon DistTrack ISMDoor Greenbug |
| 2017-01-23
⋅
Symantec
⋅
Greenbug cyberespionage group targeting Middle East, possible links to Shamoon DistTrack ISMDoor Greenbug |
| 2016-10-04
⋅
Palo Alto Networks Unit 42
⋅
OilRig Malware Campaign Updates Toolset and Expands Targets Helminth |
| 2016-05-26
⋅
Palo Alto Networks Unit 42
⋅
The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Helminth |
| 2016-05-22
⋅
FireEye
⋅
Targeted Attacks against Banks in the Middle East Helminth OilRig |