> threat_actor APT34 —— origin: Iran (MOIS) —— alias: OilRig / Helix Kitten —— signature: DNS tunnelling C2
APT34 — also tracked as OilRig, Helix Kitten, Earth Simnavaz, Crambus, Cobalt Gypsy, Hazel Sandstorm, EUROPIUM, Evasive Serpens, ITG13, and TA452 — is an Iranian state-sponsored cyber espionage group that has been operating since at least 2014. The group is assessed to work on behalf of Iran's Ministry of Intelligence and Security (MOIS), conducting sustained intelligence collection campaigns targeting government agencies, energy companies, financial institutions, telecommunications providers, and critical infrastructure — primarily across the Middle East, with the Persian Gulf states as the focal point.
APT34's calling card is DNS tunnelling. While many threat groups use DNS for basic C2 communications, APT34 has elevated it to an art form — building custom backdoors specifically designed to exfiltrate data and receive commands through DNS queries. This technique is remarkably effective because DNS traffic is permitted through virtually every firewall, is rarely inspected at the content level, and blends with the millions of legitimate DNS queries that any organisation generates daily. When APT34 is inside your network, your data may be leaving through the same protocol that resolves your email server's hostname.
APT34 is also notable for surviving what should have been an operational catastrophe. In April 2019, an anonymous entity leaked the group's entire toolkit — source code for backdoors, web shells, credential dumping tools, and operational infrastructure details — via Telegram. This would have been terminal for most threat groups. APT34 rebuilt, retooled, and continued operating. Their campaigns in 2023, 2024, and into 2025 demonstrate not just recovery but evolution — incorporating cloud-based C2, Microsoft Exchange abuse, steganography, and zero-day exploitation.
| Attribute | Detail |
|---|---|
| Tracked Names | APT34 (Mandiant/FireEye), OilRig (Palo Alto Unit 42), Helix Kitten (CrowdStrike), Earth Simnavaz (Trend Micro), Crambus (Symantec), Cobalt Gypsy (Secureworks), Hazel Sandstorm / EUROPIUM (Microsoft), Evasive Serpens (Palo Alto), ITG13 (IBM X-Force), TA452 (Proofpoint), IRN2, Greenbug (sub-group) |
| State Sponsor | Islamic Republic of Iran — Ministry of Intelligence and Security (MOIS). This is distinct from IRGC-affiliated groups (APT33, APT35, APT42). MOIS is Iran's primary civilian intelligence agency responsible for foreign and domestic intelligence collection. APT34's infrastructure contains references to Iran, uses Iranian hosting, and targeting aligns with MOIS intelligence requirements. |
| Active Since | At least 2014, originally identified by Unit 42 targeting Saudi Arabian organisations. Some evidence suggests earlier activity. Continuous operations observed through 2025, with Check Point documenting ongoing campaigns against Iraqi and Yemeni government entities. |
| Related Groups | APT34 works alongside other MOIS-affiliated clusters including Karkoff, Saitama, and IIS Group2, which share C2 mechanisms, malware, and attack methodologies. Greenbug and Volatile Kitten are recognised as APT34 sub-groups. Operational overlap observed with APT33 (IRGC) and FOX Kitten (which enables ransomware attacks). Russia's Turla group was discovered in 2019 hijacking APT34's infrastructure to deploy its own Neptun backdoor — a rare case of one nation-state group parasitising another's operations. |
| 2019 Tool Leak | In April 2019, source code for APT34's tools was leaked via Telegram — including web shells (HighShell, HyperShell), hacking tools (Fox Panel), DNS tunnelling tools (Glimpse), and DNS hijacking scripts (Webmask). The leak also exposed victim data. Despite this catastrophic operational exposure, APT34 rebuilt and continued operations with updated tooling. |
APT34's targeting aligns with MOIS intelligence requirements — understanding the political, economic, and military posture of Gulf states and regional adversaries. Notably, APT34 does not limit its targeting to Iran's enemies: Check Point documented sustained espionage against Iraqi government entities in 2024–2025, despite Iraq being a nominal Iranian ally. As one researcher noted, diplomatic ties with Iran do not preclude cyberespionage.
| Sector | Strategic Value | Observed Targeting |
|---|---|---|
| Government | Strategic intelligence on policy, diplomacy, defence planning, and sanctions. Understanding adversary and ally decision-making. Access to classified communications and inter-governmental negotiations. | Sustained campaigns against Middle Eastern government agencies. Iraqi government targeted with custom Veaty backdoor using hijacked government email addresses for C2. Saudi, UAE, Kuwaiti, Jordanian, Lebanese, and Turkish government entities documented in target lists. Multiple governments compromised simultaneously. |
| Energy and Oil & Gas | Competitive intelligence on production, pricing, and infrastructure. Iran's oil-dependent economy benefits from understanding competitors. Energy infrastructure intelligence supports potential disruptive pre-positioning. | Original OilRig campaigns (2014–2016) focused on Saudi energy sector. Targeting of energy organisations across the Gulf region. Connection to ZeroCleare destructive wiper targeting Middle Eastern energy sector (2019). |
| Financial Services | Intelligence on sanctions enforcement, financial flows, and economic policy. Understanding how sanctions are applied enables evasion planning. | Targeting of financial institutions in the Middle East. Israeli financial organisations targeted. Banking sector espionage across Gulf states. |
| Telecommunications | Access to communications metadata and content. Compromised telecoms infrastructure supports surveillance of individuals and organisations of intelligence interest. | Yemeni telecoms organisations targeted (2024). Middle Eastern telecoms sector consistently in APT34's target set. Telecommunications access enables broader intelligence collection. |
| Defence and Aviation | Military capability assessment, weapons procurement, defence cooperation between Gulf states and Western nations. Aviation intelligence supports understanding of military logistics and capability. | Defence organisations across the Middle East. Aviation sector targeting documented. Targeting patterns overlap with APT33's defence-focused operations. |
| IT and Technology Services | Supply chain access — compromising IT service providers enables indirect access to their clients. Managed service providers (MSPs) serving government and energy clients are high-value targets. | Technology service providers targeted as stepping stones to primary targets. Supply chain attacks leveraging trust relationships between organisations. Israeli IT vendors targeted. |
DNS tunnelling is APT34's most distinctive and operationally significant technique. Multiple APT34 backdoors — including Helminth, BONDUPDATER, Glimpse, and others — use DNS as their primary command-and-control channel. Understanding how this works reveals why it is so effective and so difficult to detect.
Detecting APT34's DNS tunnelling requires DNS query logging and analysis — specifically, monitoring for anomalously long subdomain labels, high query volumes to previously unseen domains, unusual TXT record responses, and entropy analysis on subdomain strings (Base64-encoded data has a distinctive entropy signature). Organisations that do not log and analyse DNS traffic have a significant blind spot that APT34 actively exploits.
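As an added illustration of the detection heuristics above (example code, not from the original page or from any vendor named here), the script below sweeps a constructed DNS query log and reports registered domains that receive repeated queries with long or high-entropy subdomain labels, alongside their TXT query counts. All timestamps, client addresses, domains and hex labels are constructed samples; the two-label registrable-suffix split is a simplifying assumption.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample query log ("<time> <client> <qtype> <qname>"), not captured traffic:
# ordinary lookups first, then queries carrying chunked data in long hex labels.
SAMPLE_LOG = """\
2025-01-10T09:00:01 10.0.0.5 A www.example.com
2025-01-10T09:00:02 10.0.0.5 MX mail.example.com
2025-01-10T09:00:03 10.0.0.5 A cdn.static.example.com
2025-01-10T09:00:04 10.0.0.5 A 8f14e45fceea167a5a36dedd4bea2543.static-cdn.example
2025-01-10T09:00:05 10.0.0.7 TXT 3a7f0c9e1b4d8a2f6e5c0b7d9a1f3e4c.tunnel-example.test
2025-01-10T09:00:06 10.0.0.7 TXT c8e21f7a4b0d9e3c5a6f1b2d7e8c4a9f.tunnel-example.test
2025-01-10T09:00:07 10.0.0.7 TXT 9f1e3d5c7b2a4068e1d3c5b7a9f02e4d.tunnel-example.test
2025-01-10T09:00:08 10.0.0.7 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel-example.test
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s):
    """Bits per character: 'www' scores 0, a 32-char hex chunk scores close to 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname, suffix_labels=2):
    """(registered domain, subdomain labels); assumes a two-label suffix,
    which a real deployment would take from the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-suffix_labels:]), labels[:-suffix_labels]

def analyse(log_text, max_label=30, min_entropy=3.5, min_suspicious=3):
    """Return registered domains that received >= min_suspicious queries whose
    subdomain part is long or high-entropy, with total query and TXT counts."""
    per_domain = defaultdict(lambda: {"queries": 0, "suspicious": 0, "txt": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of stopping the sweep
        _, _, qtype, qname = m.groups()
        base, sub_labels = split_name(qname)
        d = per_domain[base]
        d["queries"] += 1
        d["txt"] += int(qtype == "TXT")
        longest = max((len(label) for label in sub_labels), default=0)
        # Either signal marks the query; the volume threshold keeps a lone CDN-style hash label from being reported.
        if longest >= max_label or shannon_entropy("".join(sub_labels)) >= min_entropy:
            d["suspicious"] += 1
    return {dom: d for dom, d in per_domain.items() if d["suspicious"] >= min_suspicious}
```

Run against real resolver logs, the thresholds need tuning per environment: legitimate CDN and anti-spam services also emit long hash-like labels, which is why the per-domain volume and TXT counts matter more than any single query.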
| Tool | Type | Capabilities |
|---|---|---|
| Helminth | Custom backdoor (2014+) | APT34's original primary backdoor, deployed in the first OilRig campaigns against Saudi organisations. Delivered via macro-enabled Office documents. Provides command execution, file transfer, and system reconnaissance. C2 over HTTP and DNS. |
| BONDUPDATER | Custom backdoor (2017+) | DNS tunnelling backdoor targeting Middle Eastern government entities. Uses DNS TXT records for C2. Periodically updated to evade detection — FireEye documented modifications to anti-analysis techniques and communication protocols. |
| QUADAGENT | Custom PowerShell backdoor | Targeted technology service providers and government agencies. PowerShell-based for stealth — operates in memory without dropping executables. Demonstrates APT34's ability to craft customised malware for specific target environments. |
| ISMAgent / ISMDoor / ISMInjector | Custom trojan family (2017+) | ISMAgent is a variant of ISMDoor; ISMInjector is a purpose-built delivery mechanism for the ISMAgent backdoor. Signalled APT34's increasing investment in anti-analysis and modular malware design. |
| Veaty | Custom backdoor (2024) | Deployed against Iraqi government targets. Uses hijacked legitimate Iraqi government email addresses for C2 — commands are sent to and data exfiltrated from compromised systems via real government mailboxes. Highly customised for the specific operational context. |
| Outer Space / Juicy Mix | Cloud-service-powered downloaders (2023+) | ESET-documented campaigns using cloud services for C2 and payload delivery. Represents APT34's evolution toward cloud-integrated operations — C2 traffic blends with legitimate cloud service usage, complicating network-based detection. |
| Steganographic C2 | Technique (2020+) | Unit 42 documented APT34 targeting a Middle Eastern telecoms organisation using steganography — hiding C2 data within image files. Adds another evasion layer: even if network traffic is inspected, the C2 data is concealed within seemingly benign image content. |
| Web Shells (TwoFace, HighShell, HyperShell, RGDoor) | Persistence tools | APT34 routinely deploys web shells on compromised web servers and Exchange servers for persistent access. RGDoor is specifically an IIS backdoor. Multiple web shell families provide redundant access — if one is detected and removed, others remain active. |
In April 2019, an anonymous entity began leaking APT34's complete operational toolkit via a Telegram channel. The leak included source code for web shells (HighShell, HyperShell), hacking tools (Fox Panel), DNS tunnelling utilities (Glimpse — related to BONDUPDATER), DNS hijacking scripts (Webmask), and the TwoFace web shell family. Victim data from compromised organisations was also exposed.
For most threat groups, this level of exposure would be operationally terminal. Every security vendor received the source code, enabling signature development for every tool. Every defender could identify APT34's presence in their networks by scanning for the leaked indicators. The leak also exposed operational security failures — giving defenders and intelligence agencies insight into APT34's infrastructure, targeting, and methodology.
APT34 survived. Within months, they deployed updated tooling with modified signatures, new C2 protocols, and different evasion techniques. By 2020, Unit 42 documented fresh campaigns using steganography — a capability not present in the leaked toolkit. By 2023, ESET documented entirely new cloud-service-powered downloaders. By 2024, Check Point documented bespoke backdoors using hijacked government email addresses for C2. The 2019 leak forced a complete retool, but APT34's mission, targeting, and operational tempo continued uninterrupted. The state protection and funding behind the group simply absorbed the blow and rebuilt.
APT34 is primarily an espionage group, but it has connections to destructive operations. In December 2019, IBM X-Force documented ZeroCleare — a destructive wiper malware targeting the energy sector in the Middle East. ZeroCleare used the legitimate EldoS RawDisk driver to bypass Windows security controls and directly overwrite the Master Boot Record (MBR) and disk partitions, rendering systems unbootable.
ZeroCleare was linked to both APT34 and APT33 (Elfin) infrastructure — suggesting collaborative development or shared resources between the two Iranian groups. The deployment against energy sector targets echoes the Shamoon attacks of 2012, 2016, and 2018, reinforcing that Iranian threat groups maintain destructive capabilities alongside their espionage operations. For defenders in the energy sector, an APT34 intrusion cannot be treated as 'merely' espionage — the same access that enables intelligence collection could be used to deploy a wiper.
Iran's cyber operations are conducted by two distinct intelligence structures — the Ministry of Intelligence and Security (MOIS) and the Islamic Revolutionary Guard Corps (IRGC). Understanding which structure sponsors a group helps predict their targeting patterns and operational behaviour.
| Group | Sponsor | Focus |
|---|---|---|
| APT34 (OilRig) | MOIS | Government, energy, financial, telecoms across the Middle East. Infrastructure-focused espionage with DNS tunnelling speciality. Supply chain attacks. Destructive capability via ZeroCleare. |
| APT39 (Chafer) | MOIS | Telecoms, travel, aviation for surveillance data (CDRs, PNRs). Individual tracking through third-party data. Complements APT34's infrastructure-focused approach with person-tracking capability. |
| MuddyWater | MOIS | Telecoms, energy, government, academia — Middle East and South Asia. Uses legitimate admin tools and RATs. Espionage and disruption. |
| APT35 (Charming Kitten) | IRGC | Government, military, diplomatic, energy, media. Long-term social engineering and rapid vulnerability exploitation. Ransomware capability. |
| APT42 | IRGC-IO | Surveillance of individuals: journalists, academics, dissidents, political campaigns. Social engineering specialists. 2024 US election interference. |
| APT33 (Elfin) | IRGC | Aerospace, defence, energy. IP theft and strategic intelligence. Destructive capability via SHAPESHIFT wiper. Cloud-native operations. |
APT34's MOIS affiliation means its targeting is driven by civilian intelligence priorities — understanding regional adversaries and allies, supporting sanctions evasion, monitoring energy competitors, and collecting strategic intelligence. The MOIS groups (APT34, APT39, MuddyWater) tend to focus on Middle Eastern infrastructure and institutions, while IRGC groups (APT35, APT42, APT33) have broader global reach and more varied targeting including individuals, political campaigns, and aerospace/defence sectors.
APT34 is one of Iran's most technically capable and persistent cyber espionage groups. Operating on behalf of MOIS since at least 2014, they have conducted sustained intelligence collection against government, energy, financial, and telecommunications targets across the Middle East — including allies such as Iraq. Their signature DNS tunnelling C2 technique enables stealthy data exfiltration through a protocol that virtually every network permits and few organisations monitor.
The group's resilience is remarkable. The 2019 leak of their entire toolkit — source code, web shells, operational infrastructure — would have ended most threat groups. APT34 rebuilt and evolved, incorporating cloud-based C2, steganography, hijacked email addresses for command channels, and zero-day exploitation. Their 2024–2025 campaigns against Iraqi and Yemeni government entities demonstrate that the group is not just surviving but advancing.
For organisations in APT34's target sectors — particularly government, energy, financial services, and telecoms in the Middle East — the defensive priority is DNS monitoring. If you are not logging, analysing, and alerting on DNS query content, you have a blind spot that APT34 has spent a decade learning to exploit. Beyond DNS, defenders must address macro-based phishing, supply chain trust relationships, web server integrity, and the possibility that any espionage intrusion could pivot to destructive wiper deployment. APT34 is an espionage group that maintains the capability and the willingness to destroy what it has penetrated.
Our internal penetration testing engagements include DNS tunnelling testing — demonstrating whether your network monitoring and security controls can detect data exfiltration through DNS queries. We identify gaps in DNS visibility and provide specific, actionable recommendations for hardening this critical but often overlooked attack surface.