Iranian APT34 Hackers Conduct Cyberespionage Operations in Iraq and Yemen
Cybersecurity researchers have uncovered ongoing cyberespionage campaigns attributed to APT34 (also known as OilRig and Helix Kitten), a hacking group linked to Iran’s Ministry of Intelligence and Security (MOIS). APT34 is a separate MOIS-linked team from MuddyWater, with which it is sometimes conflated.

Despite its diplomatic ties to both countries, Iran has been actively spying on organizations in Iraq and Yemen, using custom malware and command-and-control and exfiltration channels (abused mailboxes, SSH and DNS) chosen to blend into ordinary traffic.
Iraq: APT34’s Custom Backdoors and Unique Data Theft Methods
Evidence of APT34’s activity in Iraq dates back to March 2024, when researchers found three previously unseen tools uploaded to VirusTotal: the Veaty and Spearal backdoors and an unnamed SSH tunneling utility. The samples were most likely delivered by phishing email, with double file extensions (a document extension such as .pdf immediately followed by the real executable extension) so that the files appeared to be documents.
The most notable tactic was the use of compromised Iraqi government email accounts as a command-and-control channel: commands were delivered to infected hosts through those mailboxes and stolen data was sent back the same way, so the traffic blended into the victims’ own mail flow. Alongside the email channel, APT34 used SSH tunneling and DNS tunneling to move commands and data, both low-volume channels that web-proxy-centric monitoring tends to miss. Together these show a highly customized and stealthy approach.
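Two of the behaviours described above leave signals a defender can check for without any vendor tooling: the double-extension lure names and the DNS tunneling traffic. The script below is an added example, not code from the article or from any vendor report: it flags attachment names that end in a document extension followed by an executable one, and it scores a DNS query log (the `timestamp client qtype qname` line format, the domain names and the hex chunk labels are all constructed for this example) for the shape a tunnel leaves behind, namely many unique subdomains under one registered domain carrying over-long or high-entropy leftmost labels. The thresholds are starting points, not values taken from the campaign.

```python
"""Added example (not from the article or any vendor report): two lightweight
detections for double-extension lures and DNS tunneling. All sample data is
constructed; thresholds are starting points for tuning on real logs."""
import hashlib
import math
from collections import Counter, defaultdict

# What the lure shows the user (left) versus what actually executes (right).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk", "msi", "ps1"}


def deceptive_double_extension(filename: str) -> bool:
    """True for names like agenda.pdf.exe (document extension directly followed by
    an executable one) or names carrying a right-to-left override character,
    which makes the real extension render elsewhere in the displayed name."""
    if "\u202e" in filename:
        return True
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOC_EXTS and outer in EXEC_EXTS


def flag_attachments(names):
    """Return the subset of attachment names that look like disguised executables."""
    return [n for n in names if deceptive_double_extension(n)]


def shannon_entropy(s: str) -> float:
    """Bits per character: hex payload chunks sit near 4.0, hostnames near 2 to 3."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels). Use a public-suffix list on real logs."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_dns_log(lines, min_label=30, min_entropy=3.0, min_unique=20):
    """Parse constructed 'timestamp client qtype qname' lines and return, per
    registered domain, unique-subdomain / long-label / high-entropy / TXT counts
    plus a verdict. A domain is flagged when it receives many unique subdomains
    and at least half of them carry an over-long or high-entropy leftmost label:
    that is what data leaving one query at a time looks like."""
    stats = defaultdict(lambda: {"sub": set(), "long": 0, "hi": 0, "txt": 0})
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of crashing on them
        _, _, qtype, qname = fields
        s = stats[registered_domain(qname)]
        s["sub"].add(qname)
        label = qname.split(".")[0]
        s["long"] += len(label) >= min_label
        s["hi"] += shannon_entropy(label) >= min_entropy
        s["txt"] += qtype.upper() == "TXT"
    report = {}
    for rd, s in stats.items():
        unique = len(s["sub"])
        suspicious = max(s["long"], s["hi"])
        report[rd] = {
            "unique_subdomains": unique,
            "long_labels": s["long"],
            "high_entropy_labels": s["hi"],
            "txt_queries": s["txt"],
            "flagged": unique >= min_unique and suspicious * 2 >= unique,
        }
    return report


def build_sample_log():
    """Constructed log: three ordinary lookups plus 25 TXT queries whose leftmost
    label is a 32-character hex chunk. SHA-256 is used only to produce
    deterministic high-entropy strings, not to model any real tunnel encoding."""
    lines = [
        "2025-01-14T09:12:01Z 10.0.5.23 A www.example-news.test",
        "2025-01-14T09:12:02Z 10.0.5.23 A mail.example-news.test",
        "2025-01-14T09:12:04Z 10.0.5.23 AAAA cdn.example-news.test",
    ]
    for i in range(25):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"2025-01-14T09:13:{i:02d}Z 10.0.5.23 TXT {chunk}.updates-cdn.test")
    return lines


# Constructed attachment names; the last one uses a right-to-left override.
SAMPLE_ATTACHMENTS = ["agenda.pdf.exe", "budget_2024.xlsx", "invite.docx",
                      "notes.txt.scr", "setup.exe", "report\u202efdp.exe"]

if __name__ == "__main__":
    print("suspicious attachments:", flag_attachments(SAMPLE_ATTACHMENTS))
    for domain, verdict in score_dns_log(build_sample_log()).items():
        print(domain, verdict)
```

The attachment check deliberately looks only at the last two extensions, so `setup.exe` (an undisguised executable, a policy question rather than a deception) is not flagged. For the DNS side, unique-subdomain counting is what separates a tunnel from a CDN with a few long hostnames: a tunnel must keep generating new names to carry new data, so the count climbs with the volume exfiltrated.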
Although the Iraqi campaign was publicly exposed in September 2024, the group carried on into 2025 with only minor changes to its infrastructure and tooling. Researchers attribute this persistence to limited cybersecurity investment in Iraq, which makes it easier for the group to keep its access and to re-enter organizations it has already compromised.
Yemen: A Less Sophisticated, Broadly Targeted Operation
APT34’s espionage in Yemen took a different approach, with less advanced tradecraft and broader, more generic targeting. The campaign, observed in mid-2024, relied on a PowerShell-based backdoor the researchers call "Power Service" to gain a foothold on victims, and there are indications that the telecommunications sector was among the targets.
Researchers noted that while this subgroup also operated in Iraq, their methods differed from those used against Iraq’s government, reinforcing the idea that MOIS-backed hacking teams share resources but also function independently with their own tools and objectives.
Iran’s Expanding Cyber Operations in the Middle East
The dual campaigns in Iraq and Yemen highlight how Iranian intelligence groups operate across different attack scenarios, customizing their tools and strategies based on the target’s defenses. Experts believe APT34 consists of multiple teams working in tandem, sharing infrastructure, malware, and access points, but also deploying custom solutions tailored to specific missions.
Despite growing public exposure, Iran’s cyberespionage efforts remain persistent and adaptable, reinforcing its commitment to gathering intelligence across the Middle East—even from supposed allies.