
Cleaver

aka: APT34, Alibaba, Cobalt Gypsy, EUROPIUM, G0003, Hazel Sandstorm, OilRig, Op Cleaver, Operation Cleaver, TG-2889, Tarh Andishan

A group of cyber actors using infrastructure located in Iran has been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. This threat actor also targets entities in the government, energy, and technology sectors that are located in or do business with Saudi Arabia.


Associated Families
asp.twoface ps1.bondupdater ps1.oilrig ps1.powruner ps1.quadagent win.alma_communicator win.csext win.google_drive_rat win.helminth win.ismagent win.jason win.jasus win.kagent win.karkoff win.longwatch win.mango win.nautilus win.netc win.neuron win.oopsie win.pickpocket win.pvzout win.rdat win.redcap win.saitama win.sidetwist win.solar win.synflooder win.tinyzbot win.tonedeaf win.valuevault win.wndtest win.zerocleare apk.spynote win.zhmimikatz win.pupy

References
2024-08-14 ⋅ cyble ⋅ Cyble
Cryptocurrency Lures and Pupy RAT: Analysing the UTG-Q-010 Campaign
pupy UTG-Q-010
2024-06-20 ⋅ Hunt.io ⋅ Michael R
Caught in the Act: Uncovering SpyNote in Unexpected Places
SpyNote
2024-02-19 ⋅ Fortinet ⋅ Axelle Apvrille
Android/SpyNote bypasses Restricted Settings + breaks many RE tools
SpyNote
2024-02-15 ⋅ Fortinet ⋅ Axelle Apvrille
Android/SpyNote Moves to Crypto Currencies
SpyNote
2023-09-21 ⋅ ESET Research ⋅ Zuzana Hromcová
OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
Mango Solar
2023-08-30 ⋅ NSFOCUS ⋅ NSFOCUS
APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan
SideTwist
2023-07-31 ⋅ Cleafy ⋅ Francesco Iubatti
SpyNote continues to attack financial institutions
SpyNote
2023-05-10 ⋅ K7 Security ⋅ Baran S
spynote
SpyNote
2023-02-02 ⋅ Trend Micro ⋅ Mahmoud Zohdy, Mohamed Fahmy, Sherif Magdy
New APT34 Malware Targets The Middle East
Karkoff RedCap Saitama Backdoor
2023-01-05 ⋅ Bleeping Computer ⋅ Bill Toulas
SpyNote Android malware infections surge after source code leak
SpyNote
2023-01-05 ⋅ ThreatFabric ⋅ ThreatFabric
SpyNote: Spyware with RAT capabilities targeting Financial Institutions
SpyMax SpyNote
2023-01-04 ⋅ K7 Security ⋅ Saikumaravel
Pupy RAT hiding under WerFault’s cover
pupy
2022-12-06 ⋅ 360 Threat Intelligence Center ⋅ 360 Beacon Lab
Analysis of suspected APT-C-56 (Transparent Tribe) attacks against terrorism
AhMyth Meterpreter SpyNote AsyncRAT
2022-09-26 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-09-08 ⋅ Microsoft ⋅ Microsoft Security Threat Intelligence
Microsoft investigates Iranian attacks against the Albanian government
ZeroCleare
2022-08-17 ⋅ 360 ⋅ 360 Threat Intelligence Center
Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East
SpyNote Loda Nanocore RAT NjRAT
2022-08-12 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-10 ⋅ K7 Security ⋅ Baran S
spynote
SpyNote
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Evasive Serpens
TwoFace ISMAgent ISMDoor OopsIE RDAT OilRig
2022-06-24 ⋅ XJunior ⋅ Mohamed Ashraf
APT34 - Saitama Agent
Saitama Backdoor
2022-06-20 ⋅ Infinitum IT ⋅ infinitum IT
Charming Kitten (APT35)
LaZagne DownPaper MimiKatz pupy
2022-06-15 ⋅ Volexity ⋅ Steven Adair, Thomas Lancaster, Volexity Threat Research
DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach
pupy Sliver DriftingCloud
2022-06-13 ⋅ SANS ISC ⋅ Renato Marinho
Translating Saitama's DNS tunneling messages
Saitama Backdoor
2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší
Operation Earth Berberoka
reptile oRAT Ghost RAT PlugX pupy Earth Berberoka
2022-05-11 ⋅ Fortinet ⋅ Fred Gutierrez
Please Confirm You Received Our APT
Saitama Backdoor
2022-05-10 ⋅ Malwarebytes Labs ⋅ Threat Intelligence Team
APT34 targets Jordan Government using new Saitama backdoor
Saitama Backdoor
2022-04-28 ⋅ Fortinet ⋅ Gergely Revay
An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-27 ⋅ Trendmicro ⋅ Trendmicro
IOCs for Earth Berberoka - Linux
Rekoobe pupy Earth Berberoka
2022-03-30 ⋅ Recorded Future ⋅ Insikt Group
Social Engineering Remains Key Tradecraft for Iranian APTs
Liderc pupy
2021-12-14 ⋅ Recorded Future ⋅ Insikt Group®
Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE
TwoFace
2021-09-21 ⋅ civilsphereproject ⋅ civilsphereproject
Capturing and Detecting AndroidTester Remote Access Trojan with the Emergency VPN
SpyNote
2021-06-16 ⋅ Venustech ⋅ ADLab
APT34 organization latest in-depth analysis report on attack activities
Karkoff
2021-05-06 ⋅ xorl %eax, %eax ⋅ Anastasios Pingios
Iran Cyber Operations Groups
Cleaver
2021-04-21 ⋅ Facebook ⋅ David Agranovich, Mike Dvilyanski
Taking Action Against Hackers in Palestine
SpyNote Houdini NjRAT
2021-04-08 ⋅ Checkpoint ⋅ Check Point Research
Iran’s APT34 Returns with an Updated Arsenal
DNSpionage SideTwist TONEDEAF
2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-18 ⋅ PTSecurity ⋅ PTSecurity
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader
2020-12-10 ⋅ Intel 471 ⋅ Intel 471
No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-12-01 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
Blade Eagle Group - Targeted attack group activities circling the Middle East and West Asia's cyberspace revealed
SpyNote BladeHawk
2020-11-27 ⋅ PTSecurity ⋅ Alexey Vishnyakov, Denis Goydenko
Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz
2020-09-25 ⋅ Emanuele De Lucia
APT vs Internet Service Providers
TwoFace RGDoor
2020-09-15 ⋅ CrowdStrike ⋅ CrowdStrike Overwatch Team
Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
2020-07-22 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
RDAT OilRig
2020-07-22 ⋅ Threatpost ⋅ Tara Seals
OilRig APT Drills into Malware Innovation with Unique Backdoor
OilRig
2020-07-15 ⋅ Relativity ⋅ Bartlomiej Czyż
An in-depth analysis of SpyNote remote access trojan
SpyNote
2020-07-13 ⋅ FireEye ⋅ Aaron Stephens, Andrew Thompson
SCANdalous! (External Detection Using Network Scan Data and Automation)
POWERTON QUADAGENT PoshC2
2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC)
Advisory 2020-008: Copy-Paste Compromises – tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader
2020-05-19 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia
ISMAgent ISMDoor
2020-03-31 ⋅ Volexity ⋅ Volexity Threat Research
Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign
SpyNote Stitch Godlike12 Storm Cloud
2020-03-12 ⋅ Recorded Future ⋅ Insikt Group
Swallowing the Snake’s Tail: Tracking Turla Infrastructure
TwoFace Mosquito
2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-03-02 ⋅ Yoroi ⋅ ZLAB-Yoroi
Karkoff 2020: a new APT34 espionage operation involves Lebanon Government
Karkoff
2020-03-02 ⋅ Telsy ⋅ Telsy
APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants
Karkoff
2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-30 ⋅ Intezer ⋅ Michael Kajiloti, Paul Litvak
New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset
TONEDEAF VALUEVAULT
2020-01-23 ⋅ Recorded Future ⋅ Insikt Group
European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019
pupy
2020-01-17 ⋅ FireEye ⋅ FireEye
State of the Hack: Spotlight Iran - from Cain & Abel to full SANDSPY
QUADAGENT Fox Kitten
2020-01-01 ⋅ FireEye ⋅ Mandiant, Mitchell Clarke, Tom Hall
Mandiant IR Grab Bag of Attacker Activity
TwoFace CHINACHOPPER HyperBro HyperSSL
2020-01-01 ⋅ Secureworks ⋅ SecureWorks
COBALT EDGEWATER
DNSpionage Karkoff
2020-01-01 ⋅ Secureworks ⋅ SecureWorks
COBALT GYPSY
TwoFace MacDownloader BONDUPDATER pupy Helminth jason RGDoor TinyZbot OilRig
2020-01-01 ⋅ Secureworks ⋅ SecureWorks
IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla
2019-12-09 ⋅ IBM Security ⋅ IBM IRIS
New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East
ZeroCleare
2019-11-20 ⋅ ClearSky ⋅ ClearSky Cyber Security
MuddyWater Uses New Attack Methods in a Recent Attack Wave
QUADAGENT RogueRobin
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-11-09 ⋅ NSFOCUS ⋅ Mina Hao
APT34 Event Analysis Report
BONDUPDATER DNSpionage
2019-10-21 ⋅ NCSC UK ⋅ NCSC UK
Advisory: Turla group exploits Iranian APT to expand coverage of victims
Nautilus Neuron
2019-09-18 ⋅ IronNet ⋅ Jonathan Lepore
Chirp of the PoisonFrog
BONDUPDATER
2019-08-22 ⋅ Cyware ⋅ Cyware
APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations
TwoFace BONDUPDATER POWRUNER QUADAGENT Helminth ISMAgent Karkoff LONGWATCH OopsIE PICKPOCKET RGDoor VALUEVAULT
2019-08-22 ⋅ Github (n1nj4sec) ⋅ n1nj4sec
Pupy RAT
pupy
2019-07-18 ⋅ FireEye ⋅ Jessica Rocchio, Matt Bromiley, Nick Schroeder, Noah Klapprodt
Hard Pass: Declining APT34’s Invite to Join Their Professional Network
LONGWATCH PICKPOCKET TONEDEAF VALUEVAULT
2019-07-08 ⋅ SANS ⋅ Josh M. Bryant, Robert Falcone
Hunting Webshells: Tracking TwoFace
TwoFace
2019-06-06 ⋅ Marco Ramilli
APT34: Jason project
jason
2019-06-03 ⋅ Twitter (@P3pperP0tts) ⋅ Pepper Potts
Tweet on APT34
jason
2019-05-02 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
APT34: Glimpse project
BONDUPDATER
2019-04-30 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
Behind the Scenes with OilRig
BONDUPDATER
2019-04-30 ⋅ ClearSky ⋅ ClearSky Cyber Security
Raw Threat Intelligence 2019-04-30: Oilrig data dump link analysis
SpyNote OopsIE
2019-04-23 ⋅ Talos ⋅ Paul Rascagnères, Warren Mercer
DNSpionage brings out the Karkoff
DNSpionage Karkoff
2019-04-19 ⋅ Medium ⋅ x0rz
Hacking (Back) and Influence Operations
BONDUPDATER
2019-04-16 ⋅ Robert Falcone
DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
BONDUPDATER QUADAGENT Alma Communicator Helminth ISMAgent
2019-04-08 ⋅ SANS Cyber Security Summit ⋅ Taha Karim
Trails of WindShift
WindTail ZhMimikatz
2019-03-27 ⋅ Symantec ⋅ Security Response Attack Investigation Team
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2019-03-27 ⋅ Microsoft ⋅ Tom Burt
New steps to protect customers from hacking
APT35 Charming Kitten Cleaver
2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-02-13 ⋅ Youtube (SANS Digital Forensics & Incident Response) ⋅ Josh Bryant, Robert Falcone
Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018
TwoFace
2019-01-01 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
Operation Cleaver
Cleaver
2019-01-01 ⋅ MITRE ⋅ MITRE ATT&CK
Group description: Cleaver
Cleaver
2019-01-01 ⋅ MITRE ⋅ MITRE ATT&CK
Group description: Magic Hound
APT35 Cleaver
2019-01-01 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
Magic Hound
APT35 Cleaver
2018-12-21 ⋅ FireEye ⋅ Alex Orleans, Andrew Thompson, Geoff Ackerman, Nick Carr, Rick Cole
OVERRULED: Containing a Potentially Destructive Adversary
POWERTON PoshC2 pupy
2018-12-17 ⋅ Twitter (@MJDutch) ⋅ Justin
Tweet on APT39
OilRig
2018-09-14 ⋅ NetScout ⋅ ASERT Team
Tunneling Under the Sands
BONDUPDATER
2018-09-12 ⋅ Palo Alto Networks Unit 42 ⋅ Kyle Wilhoit, Robert Falcone
OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
BONDUPDATER
2018-07-07 ⋅ Youtube (SteelCon) ⋅ Dan Caban, Muks Hirani
You’ve Got Mail!
TwoFace
2018-04-20 ⋅ Booz Allen Hamilton ⋅ Jay Novak, Matthew Pennington
Researchers Discover New variants of APT34 Malware
BONDUPDATER POWRUNER
2018-03-25 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence
OilRig
2018-03-01 ⋅ Nyotron ⋅ NYOTRON ATTACK RESPONSE CENTER
OilRig is Back with Next-Generation Tools and Techniques
GoogleDrive RAT
2018-02-23 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
OopsIE
2018-01-17 ⋅ NCSC UK ⋅ NCSC UK
Turla group malware
Nautilus Neuron
2017-12-11 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
OilRig Performs Tests on the TwoFace Webshell
TwoFace
2017-11-08 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
Alma Communicator
2017-08-28 ⋅ ClearSky ⋅ ClearSky Research Team
Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
ISMAgent
2017-07-31 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
TwoFace Webshell: Persistent Access Point for Lateral Movement
TwoFace OilRig
2017-07-27 ⋅ Secureworks ⋅ CTU Research Team
The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets
Cleaver
2017-04-27 ⋅ Morphisec ⋅ Michael Gorelik
Iranian Fileless Attack Infiltrates Israeli Organizations
Helminth OilRig
2017-02-16 ⋅ SecurityAffairs ⋅ Pierluigi Paganini
Iranian hackers behind the Magic Hound campaign linked to Shamoon
pupy APT35
2017-02-15 ⋅ Secureworks ⋅ SecureWorks' Counter Threat Unit Research Team
Iranian PupyRAT Bites Middle Eastern Organizations
pupy Cleaver
2017-02-15 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
Magic Hound Campaign Attacks Saudi Targets
APT35 Cleaver
2017-02-15 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
Magic Hound Campaign Attacks Saudi Targets
Leash MPKBot pupy Rocket Kitten
2017-02-10 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Malware that infects using PowerSploit
pupy
2016-10-04 ⋅ Palo Alto Networks Unit 42 ⋅ Josh Grunzweig, Robert Falcone
OilRig Malware Campaign Updates Toolset and Expands Targets
Helminth
2016-05-26 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor
Helminth
2016-05-22 ⋅ FireEye ⋅ Sudeep Singh, Yin Hong Chang
Targeted Attacks against Banks in the Middle East
Helminth OilRig
2016-04-06 ⋅ Cylance ⋅ Cylance
Operation Cleaver
Cleaver
2016-04-06 ⋅ Cylance ⋅ Cylance
Operation Cleaver
CsExt Jasus KAgent NetC PvzOut SynFlooder TinyZbot WndTest ZhCat ZhMimikatz Cleaver
2015-11-01 ⋅ Check Point ⋅ Check Point
ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES
FireMalv MPKBot Woolger Cleaver Rocket Kitten
2015-10-07 ⋅ Dell Secureworks ⋅ Dell Secureworks CTU
Hacker Group Creates Network of Fake LinkedIn Profiles
Cleaver
2015-10-07 ⋅ Secureworks ⋅ CTU Research Team
Hacker Group Creates Network of Fake LinkedIn Profiles
Cleaver Cutting Kitten
2015-10-06 ⋅ Netenrich ⋅ Netenrich
CUTTING KITTEN
TinyZbot Cleaver
2015-09-17 ⋅ F-Secure ⋅ F-Secure Global
The Dukes: 7 Years Of Russian Cyber-Espionage
TwoFace BONDUPDATER DNSpionage
2015-09-01 ⋅ Trend Micro ⋅ Cedric Pernet, Eyal Sela
The Spy Kittens Are Back: Rocket Kitten 2
Cleaver
2015-03-19 ⋅ Trend Micro ⋅ Trend Micro
Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign
Cleaver Rocket Kitten
2015-02-17 ⋅ SecurityAffairs ⋅ Pierluigi Paganini
Ali Baba, the APT group from the Middle East
Cleaver
2014-01-01 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
Operation Cleaver
Cleaver

Credits: MISP Project