Threat-actor profile

← Back to main site

Home/ Threat Actors/ APT34

🇮🇷APT34

🇮🇷 APT34 is a tracked threat actor in the Clankerusecase corpus. Attributed to IR. Primary motivation: State. We map 26 detection use cases to this actor across 96 MITRE ATT&CK techniques, with 2 threat-intel articles citing them. Active in our corpus from 2026-02-26 to 2026-03-12.

crit 2

View full actor card → All threat actors MITRE ATT&CK group spec (G0049) ↗

26Use cases

2Articles

96Techniques

5IOCs

Known aliases

APT34OilRigHelix KittenCobalt GypsyHazel SandstormCOBALT GYPSYIRN2Evasive SerpensEUROPIUMITG13Earth SimnavazCrambusTA452

Top techniques

T1190 · Exploit Public-Facing Application T1195.002 · Compromise Software Supply Chain T1566 · Phishing

All other tracked techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1003.004 · LSA Secrets T1003.005 · Cached Domain Credentials T1005 · Data from Local System T1007 · System Service Discovery T1008 · Fallback Channels T1012 · Query Registry T1016 · System Network Configuration Discovery T1021.001 · Remote Desktop Protocol T1021.002 · SMB/Windows Admin Shares T1021.004 · SSH T1025 · Data from Removable Media T1027 · Obfuscated Files or Information T1027.005 · Indicator Removal from Tools T1027.013 · Encrypted/Encoded File T1033 · System Owner/User Discovery T1036 · Masquerading T1036.005 · Match Legitimate Resource Name or Location T1046 · Network Service Discovery T1047 · Windows Management Instrumentation T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol T1049 · System Network Connections Discovery T1053.005 · Scheduled Task T1056.001 · Keylogging T1057 · Process Discovery T1059 · Command and Scripting Interpreter T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1068 · Exploitation for Privilege Escalation T1069.001 · Local Groups T1069.002 · Domain Groups T1070.004 · File Deletion T1071 · Application Layer Protocol T1071.001 · Web Protocols T1071.004 · DNS T1078 · Valid Accounts T1078.002 · Domain Accounts T1082 · System Information Discovery T1087 · Account Discovery T1087.001 · Local Account T1087.002 · Domain Account T1098.005 · Device Registration T1105 · Ingress Tool Transfer T1110 · Brute Force T1110.003 · Password Spraying T1112 · Modify Registry T1113 · Screen Capture T1115 · Clipboard Data T1119 · Automated Collection T1120 · Peripheral Device Discovery T1127.001 · MSBuild T1133 · External Remote Services T1137.004 · Outlook Home Page T1140 · Deobfuscate/Decode Files or Information T1195 · Supply Chain Compromise T1199 · Trusted Relationship T1201 · Password Policy Discovery T1203 · Exploitation for Client Execution T1204.001 · Malicious Link T1204.002 · Malicious File T1204.004 · Malicious Copy and Paste T1218 · System Binary Proxy Execution T1218.001 · Compiled HTML File T1219 · Remote Access Tools T1486 · Data Encrypted for Impact T1497.001 · System Checks T1505.003 · Web Shell T1543.003 · Windows Service T1547.001 · Registry Run Keys / Startup Folder T1552.001 · Credentials In Files T1553.002 · Code Signing T1555 · Credentials from Password Stores T1555.003 · Credentials from Web Browsers T1555.004 · Windows Credential Manager T1556.002 · Password Filter DLL T1556.006 · Multi-Factor Authentication T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1566.003 · Spearphishing via Service T1569.002 · Service Execution T1572 · Protocol Tunneling T1573.002 · Asymmetric Cryptography T1574.002 · T1574.002 T1583.001 · Domains T1586.002 · Email Accounts T1587.001 · Malware T1588.002 · Tool T1588.003 · Code Signing Certificates T1608.001 · Upload Malware T1621 · Multi-Factor Authentication Request Generation T1686.003 · Windows Host Firewall

Detection use cases (26)

APT34 (OilRig) DNS-tunnel C2 — high-entropy long subdomain beaconing under a single parent domain AI · profile SDD APT34 (OilRig / Helix Kitten) Outlook Home Page WebView persistence (Ruler-style) AI · profile SΣDD MuddyWater SimpleHelp RMM client spawning shell or recon LOLBin Bespoke Iran-aligned MFA push-bombing followed by new auth method registered (AA24-290A) Bespoke Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) Internal Ransomware-style mass file rename / extension change Internal LSASS process access / dump (credential theft) Internal Remote service execution — PsExec / SMB lateral movement Internal RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard Internal Trusted vendor binary / installer launching unusual children Internal PlugX phishing lure — 'Meeting Invitation' email linking to gesecole.net ZIP Bespoke 1Password failed sign-in burst MITRE match 1Password impossible-travel sign-in MITRE match 1Password item exfiltration attempt MITRE match 1Password vault export attempted MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match

Threat-intel articles (2)

crit Cyber fallout from the Iran war: What to have on your radar · 2026-03-12

crit PlugX Meeting Invitation via MSBuild and GDATA · 2026-02-26

Tracked indicators

Domains (5)

decoorat.net decoraat.net gesecole.net onedow.gesecole.net onedown.gesecole.net