An APT group from Iran has been using a new backdoor named Marlin to target several organizations in the Middle East. The backdoor was employed in a long-running espionage campaign that started in April 2018.

Marlin for espionage

Researchers have linked the recent attack campaign, Out to Sea, to a threat actor known as OilRig.
  • The victims include diplomatic, technology, and medical organizations based in Israel, Tunisia, and the UAE.
  • The infection chains have evolved to drop multiple backdoors since the campaign was first spotted in 2018.
  • The attackers first used DanBot until late 2020 and then switched to Shark, SideTwist, and Milan in 2021.
  • Later, the attack campaigns were found using a new Marlin backdoor in August 2021.
  • Marlin uses Microsoft's OneDrive API for its C2 operations, which shows that the group quit its traditional use of DNS and HTTPS for C2 communications.

Similarities between OilRig and Lyceum

Researchers have linked OilRig’s activities to the Iranian cybercriminal group known as Lyceum owing to numerous TTPs overlaps.
  • The initial access to the network is gained using spear-phishing, remote access, and admin software (e.g. ITbrain and TeamViewer).
  • The ToneDeaf backdoor mainly communicates with its C2 over HTTP/S, along with a secondary technique, DNS tunneling, which functions similar to the Shark malware used by the Lyceum group.
  • Additionally, the overlapping was observed in the use of DNS as a C2 communication channel, the use of various folders in a backdoor's working directory for downloading/uploading files from the C2 server.


The shift in OilRig APT’s techniques of adopting new backdoor tactics over the years and continuous attacks in the Middle East say a lot about their ongoing efforts. With Lyceum on its side, they seem to make it more challenging for cyber analysts out there.
Cyware Publisher