APT34 is an advanced persistent threat group widely attributed by Western cybersecurity firms to the Islamic Republic of Iran, and assessed by several vendors to operate on behalf of Iranian intelligence services. The group is also tracked under the names OilRig (Palo Alto Unit 42), Helix Kitten (CrowdStrike), Cobalt Gypsy, and EUROPIUM.
Active publicly since at least 2014, APT34 has focused on espionage targets aligned with Iranian strategic interests: government ministries, financial institutions, energy and petrochemical companies, and telecommunications providers across the Middle East, particularly in Gulf Cooperation Council states, as well as occasional targeting in the United States, United Kingdom, and Asia.
The group is known for:
- Spear-phishing using lures themed around job offers, government correspondence, or industry events.
- Custom malware families including Helminth, QUADAGENT, POWBAT, BONDUPDATER, and the Karkoff backdoor.
- Heavy use of DNS tunneling for command-and-control, a tradecraft signature repeatedly highlighted by FireEye/Mandiant and Cisco Talos.
- Abuse of compromised legitimate accounts and supply-chain access to pivot into downstream targets.
In April 2019, a leaker operating under the handle Lab Dookhtegan published source code, tooling, and alleged operator identities for APT34 on Telegram, providing one of the most detailed public windows into an Iranian offensive cyber program. FireEye and other vendors confirmed the leaked material was consistent with previously observed APT34 operations.
For policy researchers, APT34 is frequently cited in discussions of Iranian cyber capability, regional escalation dynamics in the Gulf, and the blurred line between state intelligence collection and preparatory operations against critical infrastructure. It is commonly mentioned alongside other Iran-nexus clusters such as APT33 (Elfin), APT35 (Charming Kitten), and MuddyWater, though each is tracked as a distinct activity set.
Example
In 2019, the "Lab Dookhtegan" leaker published APT34's source code and victim lists on Telegram, exposing Iranian cyber-espionage operations against Gulf governments and energy firms.
Frequently asked questions
Cybersecurity vendors including FireEye/Mandiant and CrowdStrike attribute APT34 to the Iranian government, with assessments commonly linking it to Iran's Ministry of Intelligence and Security (MOIS), though Tehran has not acknowledged the group.
Keep learning