Helminth is a malicious software (malware) used by an adversary group, often referred to as OilRig, APT34, or IRN2, to target high-value companies and organizations worldwide. This malware infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The malware is typically delivered via ClaySlide delivery documents, where scripts related to the Helminth Trojan are obtained from specific cells within an "Incompatible" worksheet. Over time, the group has made changes to the variable names, such as changing "BackupVbs" to "Backup_Vbs", which is used to store the VB script that runs the Helminth payload.
The adversary group has been observed actively updating their ClaySlide delivery documents and the Helminth backdoor used against victims. In June, testing activities began with the removal of payloads from the delivery document, suggesting that the delivery document no longer contained the malicious Helminth scripts used to infect the system. However, in November, all files generated during testing retained their Helminth payloads, all of which utilized the C2 domain of “updateorg[.]com”.
This group has continued its global cyber attacks, with multiple Qatari organizations falling victim to spear-phishing attacks carrying Helminth samples earlier this year. The attacker's persistent use of the Helminth and ClaySlide malware families indicates a sophisticated and ongoing threat to various industries. Therefore, organizations are advised to remain vigilant and implement robust cybersecurity measures to protect against such threats.