Socelars

Malware

⚠️ Overview

Socelars is a .NET-based remote access trojan (RAT) attributed to the Iranian state-sponsored threat group APT34 (also known as OilRig and Helix Kitten, and tracked as G0049 by MITRE ATT&CK). First publicly documented by FireEye in January 2019, it serves as a custom backdoor for intelligence-gathering operations, primarily against government entities and energy organizations in the Middle East.

🔧 Technical Capabilities

Socelars uses DNS tunneling as its primary command-and-control (C2) channel, encoding tasking and exfiltrated data inside DNS queries and responses so that the traffic blends into ordinary resolver activity and evades network-based detection. The malware speaks a custom protocol carried in plain DNS over UDP or TCP (not DNS over TLS, which is what "DoT" denotes), with the C2 server responding via specially crafted TXT records. It achieves persistence by creating a scheduled task named AdobeUpdateTask or a similar legitimate-sounding name, and stores its configuration in an encrypted local file.

Evasion techniques include obfuscation of its .NET assemblies with ConfuserEx, delayed execution to outlast sandbox analysis windows, and debugger checks through Windows APIs such as IsDebuggerPresent. Socelars can capture screenshots, execute arbitrary commands, enumerate files, and upload and download data from the victim machine. It also supports a plugin system for additional modules, such as a keylogger or credential stealer, which are delivered separately.

📜 History & Notable Incidents

First identified in late 2018 during attacks against a Middle Eastern telecommunications provider, Socelars was later linked to a broader 2019 campaign that compromised multiple government ministries in Saudi Arabia and the United Arab Emirates. A notable incident involved the theft of email credentials and internal documents from a national oil company, attributed to APT34 through shared C2 infrastructure and code similarities. No CVE applies to Socelars itself (CVE identifiers track vulnerabilities, and the malware exploits none of its own); it is delivered via spear-phishing emails carrying malicious Office documents, often leveraging CVE-2017-0199 for initial execution. No law enforcement action has directly targeted Socelars. U.S. Treasury sanctions against Iranian cyber actors have been reported in connection with APT34 in 2020, but Executive Order 13884, which is sometimes cited for them, concerns Venezuela rather than Iran; confirm the actual designation from the Treasury announcement before relying on it.

🔍 Detection Indicators

File hashes for Socelars samples are given in FireEye's 2019 report; take them from that report or a current threat-intelligence feed rather than from secondary summaries, and verify that each value is a 64-hex-character SHA-256 before loading it into a blocklist. Behavioral indicators include outbound DNS queries to newly seen or rarely queried domains (including dynamic-DNS subdomains such as *.dyndns.org), particularly queries with long, high-entropy leftmost labels or an unusual volume of TXT lookups toward a single domain; scheduled task creation with the string "AdobeUpdateTask"; and registry writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence. Network IOCs: C2 domains such as update.adobe-system[.]com and support-mail[.]com observed in campaigns.
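Triaging the endpoint indicators above (vendor-lookalike scheduled tasks and HKCU Run-key writes), as an added example that is not part of the original page or of any vendor tooling. It works on records already extracted from a SIEM or EDR: the TaskContent XML carried by Windows Security Event 4698 (scheduled task created) and registry value-set events in the shape Sysmon Event 13 reports. The sample records, the lookalike word list, the vendor install directories and the environment-variable expansions are constructed assumptions for the example; the task XML namespace is the one Windows uses.

```python
import re
import xml.etree.ElementTree as ET

# Namespace Windows uses for scheduled-task XML (the TaskContent field of Event 4698).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Vendor words malware borrows for task and value names (assumed list; extend per estate).
LOOKALIKE_WORDS = ("adobe", "microsoft", "google", "java", "update")
# Where a genuine Adobe updater is installed (assumed; add other vendors as needed).
VENDOR_DIRS = ("c:\\program files\\adobe\\", "c:\\program files (x86)\\adobe\\",
               "c:\\program files\\common files\\adobe\\",
               "c:\\program files (x86)\\common files\\adobe\\")
# Locations a standard user can write to; vendor updaters do not normally run from them.
USER_WRITABLE = re.compile(r"^(c:\\users\\[^\\]+\\(appdata|downloads)\\|c:\\programdata\\"
                           r"|c:\\windows\\temp\\|c:\\temp\\)", re.IGNORECASE)
# Assumed expansions; a real tool resolves these per user and host.
ENV_MAP = {"%appdata%": "c:\\users\\_\\appdata\\roaming", "%localappdata%": "c:\\users\\_\\appdata\\local",
           "%temp%": "c:\\users\\_\\appdata\\local\\temp", "%windir%": "c:\\windows"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)

def normalize_path(raw):
    """Lowercase, strip surrounding quotes and expand the env vars in ENV_MAP."""
    p = raw.strip().strip('"').lower()
    for var, value in ENV_MAP.items():
        p = p.replace(var, value)
    return p

def first_token(command_line):
    """Executable path from a Run value or command line, honouring quotes."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""

def task_command(task_xml):
    """(Command, Arguments) of the Exec action in Event 4698 TaskContent XML."""
    body = re.sub(r"^<\?xml[^>]*\?>", "", task_xml.strip()).strip()  # drop the UTF-16 declaration
    root = ET.fromstring(body)
    cmd = root.findtext(".//t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = root.findtext(".//t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    return cmd.strip(), args.strip()

def vendor_name_abuse(name, path):
    """True when the name borrows a vendor word but the binary is not in that vendor's directory."""
    return any(w in name.lower() for w in LOOKALIKE_WORDS) and not path.startswith(VENDOR_DIRS)

def triage_task(task_name, task_xml):
    """Reasons a newly created scheduled task deserves analyst attention ([] = nothing found)."""
    cmd, _ = task_command(task_xml)
    path = normalize_path(cmd)
    reasons = []
    if vendor_name_abuse(task_name, path):
        reasons.append("vendor_name_outside_vendor_dir")
    if USER_WRITABLE.match(path):
        reasons.append("runs_from_user_writable_path")
    return reasons

def triage_registry(target_object, details):
    """Reasons a registry value-set event looks like Run-key persistence ([] = nothing found)."""
    if not RUN_KEY.search(target_object):
        return []  # not a Run/RunOnce value: out of scope for this check
    path = normalize_path(first_token(details))
    reasons = []
    if USER_WRITABLE.match(path):
        reasons.append("run_value_points_to_user_writable_path")
    if vendor_name_abuse(target_object.rsplit("\\", 1)[-1], path):
        reasons.append("vendor_name_outside_vendor_dir")
    return reasons

# Constructed sample records (not real telemetry).
TASK_SUSPICIOUS = ("\\AdobeUpdateTask", r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>"C:\Users\jdoe\AppData\Roaming\Adobe\AdobeUpdate.exe"</Command>
          <Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>""")
TASK_BENIGN = ("\\Adobe Acrobat Update Task", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Command></Exec>
  </Actions>
</Task>""")
REG_SUSPICIOUS = ("HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AdobeUpdater",
                  '"C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe" -k')
REG_BENIGN = ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
              "%windir%\\system32\\SecurityHealthSystray.exe")

if __name__ == "__main__":
    for name, xml_text in (TASK_SUSPICIOUS, TASK_BENIGN):
        print(f"task {name!r}: {triage_task(name, xml_text) or 'clean'}")
    for target, details in (REG_SUSPICIOUS, REG_BENIGN):
        value = target.rsplit("\\", 1)[-1]
        print(f"reg {value!r}: {triage_registry(target, details) or 'clean'}")
```

The point of the two checks is that a task or Run value named after a vendor is only interesting when the binary it launches is outside that vendor's install tree or inside a user-writable directory; the genuine Adobe ARM task above passes, while the AppData-resident "AdobeUpdate.exe" and the Temp-resident Run value do not. Authenticode signature status, which the text's EDR rules would also consult, is left out because it is not available from the event records alone.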

☠️ Risk & Impact

Socelars poses a severe risk to national security and critical infrastructure, as it enables persistent, stealthy data exfiltration of classified documents, diplomatic communications, and intellectual property. The primary impact is espionage: affected sectors include government, energy, telecommunications, and academia in the Middle East and North Africa. Financial losses are indirect but substantial, stemming from compromised strategic plans and operational disruptions. According to Mandiant (formerly FireEye), the tool has been used in operations lasting months, with data exfiltration volumes exceeding 50 GB in some incidents.

🛡️ Mitigation

Defenders should deploy network monitoring rules that flag anomalous or high-volume DNS activity, particularly unusual TXT query volumes (or other rarely used record types such as NAPTR) and long, high-entropy subdomain labels directed at a single domain, and should sinkhole known C2 domains. Endpoint detection and response (EDR) rules can flag execution of obfuscated .NET assemblies and the creation of scheduled tasks or Run-key entries that mimic Adobe products but launch binaries from user-writable paths. Maintain Socelars-specific YARA rules (for example, those in FireEye's public IOC repository) alongside antivirus signatures, and enforce application allow-listing (AppLocker or WDAC on Windows) so that unsigned binaries cannot run in sensitive environments.
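The DNS-tunnel signals named in the capabilities, indicators and mitigation sections (many distinct encoded subdomain labels, long high-entropy labels, and a TXT-heavy query mix toward one domain) scored over resolver log lines, as an added example that is not part of the original page or of any FireEye/Mandiant tooling. The log format, the sample lines (which reuse the update.adobe-system[.]com domain from the indicators with made-up hex labels) and the thresholds are assumptions; the last-two-labels domain split is a simplification noted in the code.

```python
import math
from collections import defaultdict

# Thresholds are assumptions tuned to the constructed sample, not vendor-published values.
TXT_RATIO_MIN = 0.5       # share of a domain's queries that are TXT
DISTINCT_LABELS_MIN = 4   # distinct leftmost labels seen under one domain
LABEL_LEN_MIN = 16.0      # mean length of the leftmost label
ENTROPY_MIN = 3.0         # mean Shannon entropy (bits/char) of the leftmost label
SIGNALS_TO_FLAG = 3       # how many of the four signals must fire

# Constructed resolver log: "<epoch> <client_ip> <qname> <qtype>" per line. The tunnel
# lines reuse the C2 domain from the indicators section; the hex labels are made-up
# chunks of encoded data, not captured traffic.
SAMPLE_LOG = """\
1700000001 10.1.2.3 www.example.com A
1700000002 10.1.2.3 mail.example.com MX
1700000003 10.1.2.3 5a6b7c8d9e0f1a2b3c4d5e6f.update.adobe-system.com TXT
1700000004 10.1.2.3 9f8e7d6c5b4a3f2e1d0c9b8a.update.adobe-system.com TXT
1700000005 10.1.2.3 c0ffee1234deadbeef0badf00d.update.adobe-system.com TXT
1700000006 10.1.2.3 1a2b3c4d5e6f7a8b9c0d1e2f3a4b.update.adobe-system.com TXT
1700000007 10.1.2.3 feedfacecafebabe0123456789ab.update.adobe-system.com TXT
1700000008 10.1.2.3 cdn.example.com A
1700000009 10.1.2.3 _dmarc.example.com TXT
1700000010 10.1.2.3 api.example.com AAAA
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_domain(qname):
    """Last two labels. Simplification for the example: production code needs the
    Public Suffix List, otherwise names like host.example.co.uk collapse to co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

def parse_log(text):
    """Parse the constructed log format into (epoch, client, qname, qtype) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        epoch, client, qname, qtype = parts
        rows.append((int(epoch), client, qname.lower(), qtype.upper()))
    return rows

def score_domains(rows):
    """Per registrable domain: (flagged, [signals that fired])."""
    stats = defaultdict(lambda: {"n": 0, "txt": 0, "labels": set(), "len": 0.0, "ent": 0.0})
    for _, _, qname, qtype in rows:
        dom = registrable_domain(qname)
        prefix = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        leftmost = prefix.split(".")[0]  # the label a tunnel packs its data into
        st = stats[dom]
        st["n"] += 1
        if qtype == "TXT":
            st["txt"] += 1
        st["labels"].add(leftmost)
        st["len"] += len(leftmost)
        st["ent"] += shannon_entropy(leftmost)
    results = {}
    for dom, st in stats.items():
        n = st["n"]
        fired = []
        if st["txt"] / n >= TXT_RATIO_MIN:
            fired.append("txt_ratio")
        if len(st["labels"]) >= DISTINCT_LABELS_MIN:
            fired.append("distinct_labels")
        if st["len"] / n >= LABEL_LEN_MIN:
            fired.append("label_length")
        if st["ent"] / n >= ENTROPY_MIN:
            fired.append("label_entropy")
        results[dom] = (len(fired) >= SIGNALS_TO_FLAG, fired)
    return results

def flagged_domains(log_text):
    """Sorted list of domains whose query pattern looks like a DNS tunnel."""
    return sorted(d for d, (hit, _) in score_domains(parse_log(log_text)).items() if hit)

if __name__ == "__main__":
    for dom, (hit, fired) in sorted(score_domains(parse_log(SAMPLE_LOG)).items()):
        print(f"{dom:22} {'TUNNEL?' if hit else 'ok':8} {','.join(fired)}")
```

Requiring three of the four signals keeps ordinary TXT-heavy traffic (SPF, DKIM and DMARC lookups, some reputation services) from firing on the TXT ratio alone; in production those domains still belong on an allowlist, and the thresholds should be fitted to a baseline of the estate's own resolver logs. Note that this only works while the malware uses plain DNS on port 53 as described above; a variant that moved to DNS over TLS or HTTPS would bypass resolver logging entirely.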


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.