APT Iran
Overview:
APT Iran is an umbrella label for the cluster of threat actors assessed to operate on behalf of Iranian state interests. Their activity spans cyberespionage, sabotage and information operations against targets in the region and worldwide.
- State-sponsored and geopolitically motivated
- Notable groups: APT33, APT34 (OilRig), APT35 (Charming Kitten), APT39
- Operations span surveillance, disinformation and destructive attacks (the Shamoon wiper campaigns covered in the references are the best-documented destructive case)
- C2 over HTTPS and DNS, including the DNS tunneling seen in OilRig tooling
- Tools include PowerShell-based backdoors and wipers
- Newer malware families such as POWERSTAR and SHARPSTATS
- Blends hacktivist personas with state-sponsored capabilities
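The overview notes C2 over HTTPS and DNS, and several of the cited OilRig reports concern DNS tunneling (T1071 Application Layer Protocol and T1572 Protocol Tunneling in the technique table). The following is an added example, not code from this page or from any of the reports it cites: a small heuristic detector run over a constructed DNS query log that flags client-to-domain flows whose leading subdomain labels are long, high-entropy and rarely repeated, which is the shape a tunnel's encoded beacons take. The log format, the domain c2-test.invalid and the thresholds are assumptions chosen for the illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log (illustrative; not taken from any cited report).
# One query per line: "<timestamp> <client_ip> <qtype> <qname>".
# 10.0.0.5 is ordinary browsing; 10.0.0.7 issues TXT queries whose first label
# carries 32 hex characters of payload, as DNS-tunneling beacons do.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 A www.example.com
2024-05-01T10:00:02 10.0.0.5 A mail.example.com
2024-05-01T10:00:03 10.0.0.5 AAAA cdn.example.com
2024-05-01T10:00:04 10.0.0.5 A api.example.com
2024-05-01T10:00:05 10.0.0.5 A login.example.com
2024-05-01T10:00:06 10.0.0.5 A www.example.com
2024-05-01T10:00:07 10.0.0.7 TXT 3a7f9c1e4b2d8f60a1c3e5b7d9f1a3c5.c2-test.invalid
2024-05-01T10:00:08 10.0.0.7 TXT b1e2d3c4f5a6978877665544332211aa.c2-test.invalid
2024-05-01T10:00:09 10.0.0.7 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.c2-test.invalid
2024-05-01T10:00:10 10.0.0.7 TXT 0123456789abcdef0123456789abcdef.c2-test.invalid
2024-05-01T10:00:11 10.0.0.7 TXT deadbeefcafebabe1122334455667788.c2-test.invalid
2024-05-01T10:00:12 10.0.0.7 TXT 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.c2-test.invalid
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character of s: 4.0 is the maximum for hex payloads, 6.0 for base64."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Crude: the last two labels. Mis-groups names under multi-label public
    suffixes such as co.uk; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                            "qname": qname.rstrip(".").lower()})
    return records


def score_flows(records, min_queries=5, min_entropy=3.5, min_label_len=20,
                min_unique_ratio=0.8):
    """Group queries per (client, registered domain) and score the leading label.
    All three gates (entropy, length, uniqueness) must hold; thresholds are assumed."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], registered_domain(r["qname"]))].append(r)
    findings = []
    for (client, domain), recs in groups.items():
        if len(recs) < min_queries:          # volume floor: single lookups are not beacons
            continue
        first_labels = [r["qname"][: -len(domain) - 1].split(".")[0]
                        for r in recs if r["qname"].endswith("." + domain)]
        if not first_labels:
            continue
        avg_entropy = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        avg_len = sum(map(len, first_labels)) / len(first_labels)
        unique_ratio = len(set(first_labels)) / len(first_labels)
        # TXT/NULL share is reported as a supporting signal, not used as a gate:
        # tunnels over A/AAAA records exist too.
        txt_null_share = sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs)
        if avg_entropy >= min_entropy and avg_len >= min_label_len and unique_ratio >= min_unique_ratio:
            findings.append({"client": client, "domain": domain, "queries": len(recs),
                             "avg_entropy": round(avg_entropy, 2),
                             "avg_label_len": round(avg_len, 1),
                             "unique_ratio": round(unique_ratio, 2),
                             "txt_null_share": round(txt_null_share, 2)})
    return findings


if __name__ == "__main__":
    for finding in score_flows(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

Entropy and label length alone also flag CDN, anti-spam and telemetry lookups, so the per-client grouping and the volume floor matter more than any single threshold; in practice the findings are a hunting lead to pivot on (query timing, response sizes, who else resolves the domain), not an alert on their own.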
Aliases (13 more not shown):
- Ballistic Bobcat
- Agent Serpens
- TEMP.Beanie
- CharmingCypress
- APT 35

Targeted countries (18 more not shown):
- Brazil
- Morocco
- UK
- Saudi Arabia
- Iran

Targeted sectors (5 more not shown):
- Manufacturing
- Public Administration
- Educational Services
- Energy & Utilities
- National Security & International Affairs

Tools (20 more not shown; the win.* names are Malpedia identifiers):
- Net (the Windows net.exe utility)
- win.telegram_grabber
- win.chairsmack
- win.downpaper
- Mimikatz

Techniques (153 more not shown):
- T1056 - Input Capture
- T1071.001 - Web Protocols
- T1113 - Screen Capture
- T1021.001 - Remote Desktop Protocol
- T1070 - Indicator Removal
ATT&CK technique mapping:

Tactic | ID | Technique
---|---|---
Collection | T1125 | Video Capture
Collection | T1114 | Email Collection
Collection | T1005 | Data from Local System
Collection | T1560 | Archive Collected Data
Collection | T1113 | Screen Capture
Collection | T1056 | Input Capture
Command and Control | T1573 | Encrypted Channel
Command and Control | T1090 | Proxy
Command and Control | T1105 | Ingress Tool Transfer
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1095 | Non-Application Layer Protocol
Command and Control | T1572 | Protocol Tunneling
Command and Control | T1571 | Non-Standard Port
Command and Control | T1102 | Web Service
Command and Control | T1104 | Multi-Stage Channels
Credential Access | T1558 | Steal or Forge Kerberos Tickets
Credential Access | T1056 | Input Capture
Credential Access | T1003 | OS Credential Dumping
Credential Access | T1110 | Brute Force
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1078 | Valid Accounts
Defense Evasion | T1055 | Process Injection
Defense Evasion | T1550 | Use Alternate Authentication Material
Defense Evasion | T1574 | Hijack Execution Flow
Defense Evasion | T1218 | System Binary Proxy Execution
Defense Evasion | T1562 | Impair Defenses
Defense Evasion | T1564 | Hide Artifacts
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1070 | Indicator Removal
Defense Evasion | T1112 | Modify Registry
Discovery | T1482 | Domain Trust Discovery
Discovery | T1012 | Query Registry
Discovery | T1033 | System Owner/User Discovery
Discovery | T1046 | Network Service Discovery
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1018 | Remote System Discovery
Discovery | T1057 | Process Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1049 | System Network Connections Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1087 | Account Discovery
Discovery | T1135 | Network Share Discovery
Execution | T1053 | Scheduled Task/Job
Execution | T1047 | Windows Management Instrumentation
Execution | T1204 | User Execution
Execution | T1059 | Command and Scripting Interpreter
Execution | T1106 | Native API
Exfiltration | T1567 | Exfiltration Over Web Service
Impact | T1486 | Data Encrypted for Impact
Impact | T1499 | Endpoint Denial of Service
Initial Access | T1189 | Drive-by Compromise
Initial Access | T1078 | Valid Accounts
Initial Access | T1199 | Trusted Relationship
Initial Access | T1566 | Phishing
Initial Access | T1195 | Supply Chain Compromise
Initial Access | T1190 | Exploit Public-Facing Application
Lateral Movement | T1570 | Lateral Tool Transfer
Lateral Movement | T1550 | Use Alternate Authentication Material
Lateral Movement | T1021 | Remote Services
Persistence | T1053 | Scheduled Task/Job
Persistence | T1078 | Valid Accounts
Persistence | T1098 | Account Manipulation
Persistence | T1547 | Boot or Logon Autostart Execution
Persistence | T1574 | Hijack Execution Flow
Persistence | T1176 | Software Extensions
Persistence | T1136 | Create Account
Persistence | T1112 | Modify Registry
Persistence | T1505 | Server Software Component
Privilege Escalation | T1053 | Scheduled Task/Job
Privilege Escalation | T1078 | Valid Accounts
Privilege Escalation | T1098 | Account Manipulation
Privilege Escalation | T1055 | Process Injection
Privilege Escalation | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1574 | Hijack Execution Flow
Reconnaissance | T1590 | Gather Victim Network Information
Reconnaissance | T1589 | Gather Victim Identity Information
Reconnaissance | T1598 | Phishing for Information
Reconnaissance | T1593 | Search Open Websites/Domains
Reconnaissance | T1591 | Gather Victim Org Information
Reconnaissance | T1592 | Gather Victim Host Information
Reconnaissance | T1595 | Active Scanning
Resource Development | T1583 | Acquire Infrastructure
Resource Development | T1585 | Establish Accounts
Resource Development | T1584 | Compromise Infrastructure
Resource Development | T1586 | Compromise Accounts
Resource Development | T1588 | Obtain Capabilities
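The technique table is a mapping, not a detection plan. As an added example (not from this page or from any report it cites), here is how a few of the listed techniques that these groups are repeatedly reported to chain on a host, T1059 PowerShell execution, T1053 scheduled-task persistence, T1003 credential dumping (Mimikatz is in the tool list), T1070 log clearing and T1562 impairing defenses, translate into detection rules run over constructed Sysmon- and Security-log-style events. The event shapes, file paths, the LSASS allow-list and the rules themselves are assumptions for the illustration.

```python
import re
from collections import defaultdict

# Constructed host telemetry shaped like Sysmon (EventID 1 = process create,
# 10 = process access) and the Windows Security log (1102 = audit log cleared).
# Illustrative samples only; not events from any cited report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 1, "Computer": "WS01", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 5 /tn "OneDrive Update" /tr "powershell -w hidden -enc SQBFAFgA"'},
    {"EventID": 10, "Computer": "WS01", "User": r"CORP\alice",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\mm.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS01", "User": r"NT AUTHORITY\SYSTEM",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2311.5-0\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "Computer": "WS01", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
    {"EventID": 1102, "Computer": "WS01", "User": r"CORP\alice"},
    {"EventID": 1, "Computer": "WS01", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 1, "Computer": "WS01", "User": r"CORP\svc_inventory",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

# Processes expected to open LSASS (assumed list). Path allow-lists are weak,
# since an intruder with admin rights can write to these directories; treat
# them as noise reduction, not as a trust boundary.
TRUSTED_LSASS_READERS = (
    "c:\\windows\\system32\\",
    "c:\\programdata\\microsoft\\windows defender\\",
    "c:\\program files\\windows defender\\",
)
# -e/-ec/-en/-enc/-EncodedCommand followed by a base64 blob of real length.
ENCODED_PS = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I)
PROCESS_VM_READ = 0x10  # the access right credential dumpers need on lsass.exe


def _img(e, key="Image"):
    return e.get(key, "").lower()


def _cmd(e):
    return e.get("CommandLine", "").lower()


# (technique id, description, predicate over one event)
RULES = [
    ("T1059.001", "PowerShell launched with an encoded command",
     lambda e: e.get("EventID") == 1 and _img(e).endswith("\\powershell.exe")
               and ENCODED_PS.search(e.get("CommandLine", "")) is not None),
    ("T1053.005", "Scheduled task created that runs PowerShell",
     lambda e: e.get("EventID") == 1 and _img(e).endswith("\\schtasks.exe")
               and "/create" in _cmd(e) and "powershell" in _cmd(e)),
    ("T1003.001", "Untrusted process opened LSASS with PROCESS_VM_READ",
     lambda e: e.get("EventID") == 10 and _img(e, "TargetImage").endswith("\\lsass.exe")
               and (int(e.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ) != 0
               and not _img(e, "SourceImage").startswith(TRUSTED_LSASS_READERS)),
    ("T1070.001", "Windows event log cleared",
     lambda e: e.get("EventID") == 1102
               or (e.get("EventID") == 1 and (
                   (_img(e).endswith("\\wevtutil.exe") and re.search(r"\bcl\b", _cmd(e)) is not None)
                   or "clear-eventlog" in _cmd(e)))),
    ("T1562.001", "Defender real-time monitoring disabled via Set-MpPreference",
     lambda e: e.get("EventID") == 1 and "set-mppreference" in _cmd(e)
               and "-disablerealtimemonitoring" in _cmd(e)),
]


def triage(events, rules=RULES):
    """Run every rule over every event; one finding per (event, rule) match."""
    findings = []
    for idx, e in enumerate(events):
        for technique, description, matches in rules:
            if matches(e):
                findings.append({"event_index": idx, "technique": technique,
                                 "description": description,
                                 "computer": e.get("Computer"), "user": e.get("User")})
    return findings


def techniques_by_host(findings):
    """Collapse findings to the distinct techniques seen per host; several
    distinct tactics on one host in a short window is the signal worth paging on."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["computer"]].add(f["technique"])
    return {host: sorted(t) for host, t in by_host.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['technique']}] event#{h['event_index']} {h['computer']} {h['user']}: {h['description']}")
    print(techniques_by_host(hits))
```

The individual rules are deliberately plain; each one fires on legitimate administration somewhere in a large estate. The per-host roll-up is what turns them into something actionable: an encoded PowerShell launch, a task pointing at PowerShell, a non-system read of LSASS and a cleared Security log on the same workstation within minutes is an intrusion, not five tickets. The 1102 event also covers the case where the log is cleared through an API rather than wevtutil, which the command-line rule would miss.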
References:
https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis
https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca
https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/
http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/
https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/
https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions
https://www.clearskysec.com/thamar-reservoir/
https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://noticeofpleadings.com/phosphorus/files/Complaint.pdf
https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/
https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us
https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell
https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt
https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/
https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering
https://marcoramilli.com/2019/06/06/apt34-jason-project/
https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f
https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/
https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt
https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/
https://attack.mitre.org/groups/G0059/
https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf
https://blog.google/threat-analysis-group/countering-threats-iran/
https://iranthreats.github.io/resources/macdownloader-macos-malware/
https://www.clearskysec.com/oilrig/
https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://www.group-ib.com/blog/craxs-rat-malware/
https://securelist.com/freezer-paper-around-free-meat/74503/
https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html
https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations
https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/
https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/
https://medium.com/@mvaks/analysis-of-malicious-mobile-applications-impersonating-popular-polish-apps-olx-allegro-iko-7dab879a320d
https://www.secureworks.com/research/threat-profiles/cobalt-illusion
https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability
https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/
https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf
https://marcoramilli.com/2019/05/02/apt34-glimpse-project/
https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/
https://github.com/n1nj4sec/pupy
https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/
https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
https://hunt.io/blog/caught-in-the-act-uncovering-spynote-in-unexpected-places
https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA
https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat
https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/
https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/
https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/
https://therecord.media/log4shell-attacks-expand-to-nation-state-groups-from-china-iran-north-korea-and-turkey/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/
https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo
https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
https://static.carahsoft.com/concrete/files/1015/2779/3571/M-Trends-2018-Report.pdf
https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf
https://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/
https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/
https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bb9b25ed-9ddc-4f65-bd01-ab8d6efc34ac
https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail
https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
http://www.arabnews.com/node/1195681/media
https://blog.checkpoint.com/2022/06/14/iranian-spear-phishing-operation-targets-former-israeli-foreign-minister-former-us-ambassador-to-israel-former-israeli-army-general-and-three-other-high-profile-executives/
https://cryptax.medium.com/android-spynote-bypasses-restricted-settings-breaks-many-re-tools-8791b3e6bf38
https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf
https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/
https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media
https://therecord.media/the-not-so-charming-kitten-working-for-iran/
https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf
https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon
https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr
https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/
https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/
https://attack.mitre.org/groups/G0049/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
https://www.ncsc.gov.uk/alerts/turla-group-malware
https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/
https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
https://en.wikipedia.org/wiki/Charming_Kitten
https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933
https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain
https://en.wikipedia.org/wiki/Operation_Newscaster
https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks
https://twitter.com/P3pperP0tts/status/1135503765287657472
https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf
https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
https://www.cfr.org/interactive/cyber-operations/newscaster
https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/
https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/
https://www.secureworks.com/research/threat-profiles/cobalt-edgewater
https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html
https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/
https://hunt.io/blog/inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages
http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware
https://ironnet.com/blog/chirp-of-the-poisonfrog/
https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims
https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors
https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/
https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever
https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/
https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/
https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations
https://malwareindepth.com/shamoon-2012/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf
https://www.cfr.org/interactive/cyber-operations/magic-hound
http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/
https://cryptome.org/2012/11/parastoo-hacks-iaea.htm
https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/
https://www.secureworks.com/research/threat-profiles/cobalt-gypsy
https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf
https://cyble.com/blog/analysing-the-utg-q-010-campaign/
https://www.ibm.com/downloads/cas/OAJ4VZNJ
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html
https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/
https://www.infinitumit.com.tr/apt-35/
https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/
https://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies
https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/
https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/
https://www.symantec.com/connect/blogs/shamoon-attacks
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.cfr.org/interactive/cyber-operations/oilrig
https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/
https://about.fb.com/news/2024/08/taking-action-against-malicious-accounts-in-iran/
https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/
https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf
https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/
https://blog.checkpoint.com/security/educated-manticore-reemerges-iranian-spear-phishing-campaign-targeting-high-profile-figures/
https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/
https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf
https://content.fireeye.com/m-trends/rpt-m-trends-2017
https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/
https://blog.certfa.com/posts/the-return-of-the-charming-kitten/
https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/
https://twitter.com/QW5kcmV3/status/1176861114535165952
https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738
https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html
https://pan-unit42.github.io/playbook_viewer/
https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
https://www.youtube.com/watch?v=GjquFKa4afU
https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/
https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage
https://cocomelonc.github.io/book/2025/05/19/aiya-mmd-book.html
https://www.cfr.org/interactive/cyber-operations/apt-34
https://www.clearskysec.com/the-kittens-are-back-in-town/
https://www.esentire.com/blog/exploitation-of-vmware-horizon-servers-by-tunnelvision-threat-actor
https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/
https://thehackernews.com/2023/03/iranian-hackers-target-women-involved.html
https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897
http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html
https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ
https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/
https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/
https://twitter.com/malwrhunterteam/status/1337684036374945792
https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber
https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453
https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver
https://www.intrinsec.com/wp-content/uploads/2024/11/TLP-CLEAR-PROSPERO-Proton66-Uncovering-the-links-between-bulletproof-networks.pdf
https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf
https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI
https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf
https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/
https://unit42.paloaltonetworks.com/atoms/evasive-serpens/
https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/
https://threatpost.com/oilrig-apt-unique-backdoor/157646/
https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/
https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://attack.mitre.org/groups/G0058/
https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential
https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
https://www.cfr.org/cyber-operations/apt-35
https://nsfocusglobal.com/apt34-unleashes-new-wave-of-phishing-attack-with-variant-of-sidetwist-trojan/
https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf
https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/
https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/
https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html
https://www.netscout.com/blog/asert/tunneling-under-sands
https://twitter.com/MJDutch/status/1074820959784321026
https://www.youtube.com/watch?v=nilzxS9rxEM
https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021
https://blog.certfa.com/posts/charming-kitten-christmas-gift/
https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/
https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2.pdf
https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/
https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html
https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/
http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/
http://www.clearskysec.com/ismagent/
https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html
https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf
https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/
https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/
https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view
https://dti.domaintools.com/newly-registered-domains-distributing-spynote-malware/
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html
https://nsfocusglobal.com/apt34-event-analysis-report/
https://www.secureworks.com/research/threat-profiles/iron-hunter
https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/
https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf
https://home.treasury.gov/news/press-releases/jy0948
https://labs.k7computing.com/index.php/spynote-an-android-snooper/
https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools
https://youtu.be/pBDu8EGWRC4?t=2492
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/
https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf
https://labs.k7computing.com/index.php/spynote-targets-irctc-users/
https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/
https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf
https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/
https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf
https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/
https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/
https://therecord.media/charming-kitten-iran-targets-dissidents-in-germany
https://vblocalhost.com/uploads/VB2021-Haeghebaert.pdf
http://www.clearskysec.com/charmingkitten/
https://www.darktrace.com/en/blog/apt-35-charming-kitten-discovered-in-a-pre-infected-environment/
https://securelist.com/shamoon-the-wiper-copycats-at-work/
https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/
https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/
https://www.bleepingcomputer.com/news/security/microsoft-iranian-hacking-groups-join-papercut-attack-spree/
https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json
https://www.secureworks.com/research/the-curious-case-of-mia-ash
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn