APT34 [1] [2] [3] [4] [5], also known as Cobalt Gypsy [3] [4] [5], Hazel Sandstorm [5], Helix Kitten [2] [5], and OilRig [2] [5], is an Iranian threat actor that has recently been linked to a new phishing attack [3] [4].


APT34 has a history of targeting sectors such as telecommunications, government [1] [3] [4] [5], defense [1] [2] [3] [4] [5], oil [1] [3] [4] [5], and financial services in the Middle East since 2014 [1] [3] [4] [5]. They are known for their advanced attack technology and ability to design different intrusion methods for different targets [1], including supply chain attacks [5]. A key characteristic of APT34 is its ability to create new and updated tools to avoid detection and maintain control over compromised hosts for extended periods [5].

In addition to the phishing attack involving SideTwist, APT34 has also been linked to spear-phishing lures that lead to the deployment of various backdoors. These lures have been used since 2014 and target sectors such as telecommunications, government [1] [3] [4] [5], defense [1] [2] [3] [4] [5], oil [1] [3] [4] [5], and financial services in the Middle East [1] [3] [4] [5]. APT34 is highly skilled and capable of designing different intrusion methods for various targets [5]. They have also been known to utilize supply chain attacks.

Furthermore, APT34 used the identity of a marketing services company called Ganjavi Global Marketing Services (GGMS) in a phishing attack [2]. They targeted enterprises using a variant of the SideTwist Trojan [2], which allowed them to gain control over victim hosts [2]. The attack involved a decoy file named “GGMS Overview.doc” that contained a malicious macrocode [2]. This macrocode extracted the Trojan and created an activation switch [2]. The Trojan communicated with a CnC server at IP address [2]. The SideTwist variant exhibited differences in compilation but shared similarities with previous versions [2]. It checked for the presence of an “update.xml” file and collected victim host information [2]. The CnC communication involved encrypted instructions decoded using a multi-byte XOR key [2]. The CnC IP address used in the attack belonged to the United States Department of Defense Network Information Center [2], suggesting APT34 may have used it for testing [2]. This attack demonstrates APT34’s consistent methodology and adaptability [2].

Another phishing campaign has been discovered [4], which involves the deployment of a new variant of Agent Tesla. This campaign utilizes a specially crafted Excel document that exploits a six-year-old memory corruption vulnerability in Microsoft Office [4]. It is worth noting that this vulnerability remains popular among threat actors.

Furthermore, a phishing attack has been identified that utilizes ISO image file lures to launch various malware strains, including Agent Tesla, LimeRAT [4], and Remcos RAT [4]. This demonstrates the versatility and adaptability of threat actors in their attempts to compromise systems and gain unauthorized access.


The activities of APT34 highlight the ongoing threat posed by sophisticated threat actors. Organizations in sectors such as telecommunications [1], government [1] [3] [4] [5], defense [1] [2] [3] [4] [5], oil [1] [3] [4] [5], and financial services in the Middle East should remain vigilant and implement robust security measures to mitigate the risk of attacks. Additionally, the discovery of new phishing campaigns and the continued exploitation of old vulnerabilities emphasize the need for regular security updates and employee awareness training. As threat actors continue to evolve their tactics, organizations must adapt and enhance their cybersecurity strategies to protect sensitive information and maintain the integrity of their systems.


[1] https://vulnera.com/newswire/apt34-linked-to-new-phishing-attacks-deploying-sidetwist-backdoor-and-agent-tesla-variant/
[2] https://gbhackers.com/hacker-group-disguised-as-marketing/
[3] https://www.443news.com/2023/09/phishing-campaigns-deliver-new-sidetwist-backdoor-and-agent-tesla-variant/
[4] https://thehackernews.com/2023/09/alert-phishing-campaigns-deliver-new.html
[5] https://www.redpacketsecurity.com/alert-phishing-campaigns-deliver-new-sidetwist-backdoor-and-agent-tesla-variant/