Helminth

Malware Profile Updated 23 days ago
Download STIX
Preview STIX
Helminth is a malicious software (malware) used by an adversary group, often referred to as OilRig, APT34, or IRN2, to target high-value companies and organizations worldwide. This malware infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The malware is typically delivered via ClaySlide delivery documents, where scripts related to the Helminth Trojan are obtained from specific cells within an "Incompatible" worksheet. Over time, the group has made changes to the variable names, such as changing "BackupVbs" to "Backup_Vbs", which is used to store the VB script that runs the Helminth payload. The adversary group has been observed actively updating their ClaySlide delivery documents and the Helminth backdoor used against victims. In June, testing activities began with the removal of payloads from the delivery document, suggesting that the delivery document no longer contained the malicious Helminth scripts used to infect the system. However, in November, all files generated during testing retained their Helminth payloads, all of which utilized the C2 domain of “updateorg[.]com”. This group has continued its global cyber attacks, with multiple Qatari organizations falling victim to spear-phishing attacks carrying Helminth samples earlier this year. The attacker's persistent use of the Helminth and ClaySlide malware families indicates a sophisticated and ongoing threat to various industries. Therefore, organizations are advised to remain vigilant and implement robust cybersecurity measures to protect against such threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Helminth Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
OilRig Malware Campaign Updates Toolset and Expands Targets
MITRE
a year ago
OilRig Actors Provide a Glimpse into Development and Testing Efforts
MITRE
a year ago
Helix Kitten | Threat Actor Profile | CrowdStrike