Helix Kitten

Threat Actor updated a year ago (2024-11-29T14:33:55.345Z)
Download STIX
Preview STIX
Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using different names to identify the same entity. The group is associated with Iran's Ministry of Intelligence and Security (MOIS) and has been active since at least 2014, targeting sectors such as telecommunications, government, defense, oil, and financial services primarily in the Middle East. The group's operations have involved sophisticated techniques including spear-phishing lures that lead to the deployment of various backdoors. In one notable incident, Helix Kitten assumed the identity of Ganjavi Global Marketing Services (GGMS), a marketing services company, to conduct a phishing attack. This operation was detected by NSFOCUS Security Labs, highlighting the group's ability to adapt and evolve its tactics to achieve its objectives. Moreover, the group has demonstrated its capabilities by exploiting publicly available tools and previously undiscovered pieces of malware to access systems, maintain persistence, and steal data. One of its more innovative efforts involved hijacking attack tools and command-and-control servers used by another Iranian nation-state group, Turla. As such, Helix Kitten represents a significant threat due to its advanced capabilities, persistent activities, and links to state-sponsored cyber espionage.
Description last updated: 2024-05-04T16:15:46.505Z
What's your take? (Question 1 of 2)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT34 is a possible alias for Helix Kitten. APT34, a threat actor suspected to be linked to Iran, has been operational since at least 2014 and is involved in long-term cyber espionage operations largely focused on reconnaissance efforts. The group targets a variety of sectors including financial, government, energy, chemical, and telecommunic
2
OilRig is a possible alias for Helix Kitten. OilRig, also known as APT34, Earth Simnavaz, Evasive Serpens, and other names, is a well-known threat actor in the cybersecurity industry. This group has been particularly active in targeting entities in the Middle East, including critical infrastructure and telecommunications organizations. One of
2
Crambus is a possible alias for Helix Kitten. The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Helix Kitten Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more