OilRig (APT34 / Helix Kitten / Earth Simnavaz / Crambus / Hazel Sandstorm / Evasive Serpens / Cobalt Gypsy / Greenbug / EUROPIUM / ITG13 / TA452 / G0049) is one of the most operationally active Iranian state-sponsored cyber-espionage actors, formally attributed by multiple vendors to Iran's Ministry of Intelligence and Security (MOIS, also known as VAJA or VEVAK). Active since at least 2014 (with some indicators pointing to 2012 activity), OilRig has sustained the longest continuous operational cadence among Iranian APTs in public reporting, and is described by Hunt & Hackett as the central component of Iran's cyber-espionage and intelligence-gathering operations.

Targeting is sharply focused on the Middle East and North Africa, with particular emphasis on Gulf Cooperation Council states (Saudi Arabia, UAE, Kuwait, Bahrain, Qatar, Oman), Levant countries (Jordan, Lebanon, Israel, Iraq, Palestine), Turkey, Egypt, and increasingly Iraq. Secondary targeting extends to Eurasia (Azerbaijan, Armenia, Georgia, Kazakhstan) and Western states with Middle East policy interests. Sectoral focus consistently covers government and foreign ministries, diplomatic missions, oil and gas, petrochemicals, financial services, telecommunications, and increasingly identity infrastructure (Microsoft Exchange, Microsoft 365).

OilRig is technically distinguished by sustained, sophisticated DNS tunneling for C2, seen across BONDUPDATER, QUADAGENT, ALMA Communicator, DNSExfiltrator, Saitama, Mango, and successor implants; the technique has become a defining OilRig fingerprint that other Iranian clusters later adopted. Other tradecraft hallmarks include: (a) supply-chain compromise via trust-relationship abuse (per FireEye's earliest profiles); (b) heavy use of Outlook Home Page abuse (CVE-2017-11774) and Exchange-based persistence (transport agents, mailbox rules, ExchangeLeech); (c) LinkedIn-based social engineering with academic-persona pretexts (the 2019 'Hard Pass' campaign); (d) increasingly cloud-integrated tooling (Outer Space and Juicy Mix using cloud-service downloaders; StealHook abusing on-premises Exchange); and (e) an extensive set of custom backdoor families including Helminth, POWRUNER, BONDUPDATER, QUADAGENT, ISMAgent / ISMDoor, Saitama, SideTwist, StealHook, Menorah, Outer Space, Juicy Mix, Karkoff, RDAT, TONEDEAF, VALUEVAULT, LONGWATCH, and PowerExchange.

The March-April 2019 'Lab Dookhtegan' / 'Read My Lips' leak, in which a Persian-named persona dumped portions of OilRig's operational toolkit, source code, credentials, and operator identities via Telegram and GitHub, represented one of the most damaging open-source exposures of an active state actor's operational data. Despite this exposure, OilRig rapidly rebuilt and has continued aggressive operations, demonstrating strong state backing and operational resilience. The October 2019 NSA / NCSC UK disclosure that Russian FSB Turla had hijacked OilRig infrastructure and reused OilRig tooling as a false-flag layer compounded the operational complications from the Lab Dookhtegan exposure; it was the first openly documented case of one state actor hijacking another's compromised victim access.

Recent operations (2023-2026) emphasize identity-infrastructure compromise (Exchange, Microsoft 365), cloud-service-powered C2 downloaders, sustained Iraqi government targeting (Check Point, June 2024), the StealHook backdoor against UAE Exchange servers (Trend Micro, October 2024), and 2025 LLM use (Google Gemini, per Google Threat Intelligence reporting). The March 2, 2026 'Operation Epic Fury' US-Israeli joint coordinated action against Iranian infrastructure has implications for OilRig operations under continued vendor tracking.
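Because DNS tunneling for C2 is the tradecraft the profile singles out as OilRig's fingerprint, the detection heuristic below is worth having at hand. It is an added example written for this page, not code from the profile, from any vendor report cited above, or from any OilRig implant: it does not model a specific OilRig protocol, only the generic statistical signature that data-carrying DNS queries leave in resolver logs (many unique, long, high-entropy subdomains under one zone, often with bulky record types such as TXT). The log line format, the sample lines, the zone-splitting rule (last two labels) and the thresholds are all assumptions chosen for illustration; in production the zone split should use a public-suffix list and the thresholds should be tuned against the environment's own baseline.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log for illustration (not captured OilRig traffic).
# Assumed line format: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 www.example.com A
2024-06-01T10:00:02Z 10.0.0.5 mail.example.com A
2024-06-01T10:00:03Z 10.0.0.5 www.example.com A
2024-06-01T10:00:04Z 10.0.0.7 3f9a1c7e2b04d6a8e1f5c9b7d2a4e6f0.cdn-sync.example.net TXT
2024-06-01T10:00:05Z 10.0.0.7 b7e2d4a9c1f0386e5a2d7c4b9e1f0a3c.cdn-sync.example.net TXT
2024-06-01T10:00:06Z 10.0.0.7 9c4e1a7f3b2d0586e7a1c3f9b2d4e8a0.cdn-sync.example.net TXT
2024-06-01T10:00:07Z 10.0.0.7 e1a3c5f7b9d2046a8c0e2f4b6d8a1c3e.cdn-sync.example.net TXT
2024-06-01T10:00:08Z 10.0.0.7 2d8f0a4c6e1b3957d1f3a5c7e9b0d2f4.cdn-sync.example.net TXT
2024-06-01T10:00:09Z 10.0.0.9 login.microsoftonline.example.org A
"""

# Record types commonly used to carry bulk data in DNS channels (assumption, not an OilRig-specific list).
BULK_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Split a query name into (zone, payload) where zone is the last two labels.
    Heuristic only: a real deployment should split on the public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    """Yield (client, qname, qtype) from the assumed log format, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, qtype = parts
        yield client, qname, qtype.upper()


def detect_dns_tunneling(log_text: str, min_unique=4, min_mean_len=30.0, min_mean_entropy=3.5):
    """Aggregate queries per zone and flag zones whose subdomain payloads look like encoded data.
    A zone is flagged when it has at least min_unique distinct payloads AND its mean payload
    length or mean payload entropy exceeds the given threshold (thresholds are assumptions)."""
    per_zone = defaultdict(lambda: {"queries": 0, "payloads": set(), "len_sum": 0,
                                    "ent_sum": 0.0, "bulk": 0, "clients": set()})
    for client, qname, qtype in parse_log(log_text):
        zone, payload = split_qname(qname)
        z = per_zone[zone]
        z["queries"] += 1
        z["payloads"].add(payload)
        z["len_sum"] += len(payload)
        z["ent_sum"] += shannon_entropy(payload)
        z["clients"].add(client)
        if qtype in BULK_QTYPES:
            z["bulk"] += 1

    findings = []
    for zone, z in per_zone.items():
        n = z["queries"]
        mean_len = z["len_sum"] / n
        mean_ent = z["ent_sum"] / n
        unique = len(z["payloads"])
        if unique >= min_unique and (mean_len >= min_mean_len or mean_ent >= min_mean_entropy):
            findings.append({
                "zone": zone,
                "queries": n,
                "unique_payloads": unique,
                "mean_payload_len": mean_len,
                "mean_payload_entropy": mean_ent,
                "bulk_qtype_fraction": z["bulk"] / n,
                "clients": sorted(z["clients"]),
            })
    findings.sort(key=lambda f: f["unique_payloads"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in detect_dns_tunneling(SAMPLE_DNS_LOG):
        print(f"suspect zone {f['zone']}: {f['unique_payloads']} unique payloads, "
              f"mean len {f['mean_payload_len']:.1f}, mean entropy {f['mean_payload_entropy']:.2f}, "
              f"bulk qtypes {f['bulk_qtype_fraction']:.0%}, clients {f['clients']}")
```

Run over the constructed sample, only example.net is reported (five distinct 41-character hex-bearing payloads, all TXT, from one client), while the short, repetitive www/mail lookups under example.com stay below the unique-payload threshold. The "clients" field matters for triage: a tunnel typically shows one or a few hosts issuing a long stream of never-repeating names, which is the opposite of the many-clients, few-names pattern of legitimate CDN or mail lookups.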