
APT34

Aliases: 3 aliases
Primary URL / Location: Undetermined
Country: Iran
Industry: Government - National
Profile

APT34, also known as OilRig and HelixKitten, is a cyber threat group based in Iran that focuses on conducting espionage operations. The group develops and deploys custom malware and hacking tools to infiltrate target networks. Its activities have been directed primarily at government entities and organizations across the Middle East. According to a 2019 data leak, the group's toolkit includes backdoors such as Poison Frog and Glimpse, as well as various web shells used to maintain persistent access. The leaked information also showed that APT34 alters compromised credentials to disrupt legitimate access and hinder defenders; together, these actions indicate a strategy aimed at gathering intelligence while impairing the target's ability to respond. Analysts noted that most of the disclosed tools would require significant modification before they could be reused by other actors. The exposure of the group's internal data was intended to undermine Iranian cyber capabilities and forced the operators to reconsider their tactics and infrastructure.

The same leak revealed personal data purportedly belonging to members of the group who are affiliated with Iran's Ministry of Intelligence, suggesting a state-sponsored relationship. This connection distinguishes APT34 from financially motivated cybercrime groups and aligns its objectives with national intelligence priorities. The group's specialization in creating bespoke tools, rather than relying solely on publicly available exploits, highlights a notable technical capability. While the exact size of the organization or its internal structure is not disclosed in the available sources, the affiliation with a ministry implies organizational backing and resources typical of a state-linked unit. No public details about parent companies, subsidiaries, or ownership beyond the alleged ministry link are provided in the source material.

Incidents
1 incident