Threat Actor Profile Updated 3 months ago
Download STIX
Preview STIX
Siamesekitten, also known as OilRig, APT34, Lyceum, or Crambus, is a threat actor group believed to be based in Iran. This cyberespionage entity has been active since at least 2014 and has targeted various organizations across the globe with malicious intent. The group is known for its sophisticated attacks and evolving methodologies, which often involve custom malware and advanced persistent threats (APTs). Given the nature of their activities, they pose a significant risk to both private and public sector entities, particularly those with sensitive data. In recent years, Siamesekitten has escalated its operations. Researchers at cybersecurity firm ClearSky reported that this Iranian APT group was specifically targeting Israeli companies in a supply chain attack campaign. These attacks typically aim to infiltrate an organization's network through a less secure element in the supply chain, allowing the threat actors to gain unauthorized access to critical systems and data. Such targeted campaigns demonstrate the group's strategic approach to cyberespionage and their ability to exploit vulnerabilities within interconnected business ecosystems. The threat actor group has continued to innovate, deploying four new downloaders—SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster—in their attacks as revealed by ESET researchers on December 14th. These tools were added to Siamesekitten's already large arsenal of custom malware over the past year, indicating their commitment to refining their tactics and enhancing their capabilities. As such, organizations are advised to remain vigilant and implement robust cybersecurity measures to mitigate the risks posed by this persistent and evolving threat.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsym, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligenc
The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
SC5k is a malware developed by OilRig, first discovered in November 2021 during the group's Outer Space campaign. This malicious software acts as a vehicle to deploy a downloader called SampleCheck5000 (SC5k), which utilizes the Office Exchange Web Services (EWS) API to download additional tools for
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Samplecheck5000 Sc5kUnspecified
SampleCheck5000 (SC5k) is a vulnerability in software design or implementation, used by the threat group OilRig, also known as APT34, Helix Kitten, Cobalt Gypsym, Lyceum, Crambus, or Siamesekitten. This group has been linked to potential Iranian threat actors and is notorious for its sophisticated c
Source Document References
Information about the Siamesekitten Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
7 months ago
OilRig’s persistent attacks using cloud service-powered downloaders
7 months ago
Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over
10 months ago
OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
a year ago
Phishing Campaign Targets Job Seekers, Employers