OopsIE uses HTTP for C2 communications.^[1][2]

OopsIE compresses collected files with GZipStream before sending them to its C2 server.^[1]

OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server.^[1]

OopsIE uses the command prompt to execute commands on the victim's machine.^[1][2]

OopsIE creates and uses a VBScript as part of its persistent execution.^[1][2]

OopsIE encodes data in hexadecimal format over the C2 channel.^[1]

OopsIE stages the output from command execution and collected files in specific folders before exfiltration.^[1]

OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.^[1]

OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.^[1]

OopsIE can upload files from the victim's machine to its C2 server.^[1]

OopsIE has the capability to delete files and scripts from the victim's machine.^[2]

OopsIE can download files from its C2 server to the victim's machine.^[1][2]

OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2.OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.^[1][2]

OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.^[1]

OopsIE creates a scheduled task to run itself every three minutes.^[1][2]

OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.^[2]

OopsIE checks to see if the system is configured with "Daylight" time and checks for a specific region to be set for the timezone.^[2]

OopsIE performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI querySELECT * FROM MSAcpi_ThermalZoneTemperature to check the temperature to see if it’s running in a virtual environment.^[2]

OopsIE uses WMI to perform discovery techniques.^[2]

^[1]