active threat profile
type: nation-state
threat_level: critical
status: active
origin: Iran — IRGC-linked (Nasr Institute)
last_updated: 2025-03-27

APT33 / Elfin

also known as: Elfin, Peach Sandstorm, Refined Kitten, HOLMIUM, Magnallium, COBALT TRINITY, ATK35, TA451

APT33 is an Iranian state-sponsored espionage group assessed with high confidence to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC), conducting operations since at least 2013. The group's targeting is singular and consistent: aerospace, defense, energy, and petrochemical organizations holding technology and intellectual property that Iran cannot acquire through legitimate channels due to international sanctions. What makes APT33 particularly significant in the current threat landscape is its evolution — from basic spearphishing in 2016 to cloud-native identity attacks and custom backdoors in 2024 and 2025, including large-scale password spraying against Microsoft 365 environments and Azure-hosted command-and-control infrastructure.

attributed origin: Iran
suspected sponsor: IRGC / Nasr Institute
first observed: 2013
primary motivation: Espionage — aerospace and energy IP theft; latent destructive capability
primary targets: Aerospace, defense, energy, petrochemical, satellite, government
known campaigns: 8+ confirmed
mitre att&ck group: G0064
target regions: US, Saudi Arabia, UAE, South Korea, Western Europe, Australia
threat level: CRITICAL

Overview

APT33 was first publicly documented by FireEye (now Mandiant) in September 2017, though the group's operational history extends back to at least 2013. Attribution rests on multiple independent lines of evidence: Farsi language artifacts embedded in custom malware, operational activity patterns that align precisely with Iran Standard Time business hours (9 a.m. to 5 p.m.), and inactivity during the Iranian weekend (Thursday afternoon and Friday). A developer using the pseudonym xman_1365_x was linked both to APT33's TURNEDUP backdoor source code and to the Iranian Nasr Institute — an organization assessed to function as Iran's state-directed cyber development arm under IRGC oversight.

The group's decade-plus operational history demonstrates a clear and deliberate trajectory of increasing sophistication. Early campaigns from 2013 to 2019 relied on spearphishing with recruitment-themed lures, malicious HTML Application (.hta) files, and typosquatting domains impersonating aviation and defense companies including Boeing. By 2023 and into 2025, the primary initial access method had shifted to large-scale password spraying against Microsoft 365 and Azure Active Directory (Entra ID) environments — campaigns that have targeted thousands of organizations simultaneously using the distinctive go-http-client user agent string, often routed through TOR exit nodes. Microsoft's 2024 research described APT33's current tradecraft as "materially more sophisticated" than its earlier capabilities.

APT33 operates with two strategic objectives running in parallel: long-term industrial espionage to support Iran's economic and military goals, and a latent destructive capability staged for geopolitical contingencies. The DROPSHOT dropper has been directly linked to the SHAPESHIFT wiper — a disk-wiping tool capable of erasing the master boot record, volumes, and files. While Mandiant has not publicly confirmed APT33 using SHAPESHIFT in a live destructive operation, APT33 remains the only group observed deploying DROPSHOT, and the destructive capability is assessed as staged and ready.

analyst note

APT33's shift to cloud-native identity attacks represents a fundamental change in defensive requirements. Organizations that defended successfully against APT33's 2017 spearphishing tradecraft may be unprepared for their current password spray and Azure C2 methodology. MFA alone is not sufficient if it is not phishing-resistant — the group is specifically targeting identity-layer weaknesses that bypass perimeter defenses entirely.

Target Profile

APT33's targeting is sector-specific and sanctions-driven. The group consistently pursues technology, intellectual property, and strategic intelligence in fields where Iran faces international restrictions on legitimate acquisition.

  • Aerospace and Aviation: A primary focus from the group's earliest documented campaigns. Targets include commercial aviation firms, military aerospace contractors, and manufacturers of aircraft components — consistent with Iran's need for aviation technology under international sanctions. US and Saudi Arabian aerospace organizations have been targeted repeatedly.
  • Defense Industrial Base: US defense contractors and their supply chains, with particular interest in classified specifications for military systems. FalseFont backdoor deployments in 2023 specifically targeted DIB organizations. Australia's defense sector was targeted in 2024 password spray campaigns.
  • Energy and Petrochemical: Saudi Aramco and organizations throughout the Gulf region's oil and gas sector. Targeting aligns with Iran's interest in disruption capability against Gulf rivals and intelligence collection on energy markets affecting sanctions relief.
  • Satellite Communications: A notable 2024 campaign expansion, with Tickler malware deployed against satellite operators in the US and UAE — sectors with direct military and intelligence relevance.
  • Government and Education: Government agencies are targeted for direct intelligence value. The education sector is targeted specifically as an infrastructure procurement vector: compromised university accounts with Azure for Students entitlements are used to provision C2 infrastructure.
  • Critical Infrastructure: Reporting from mid-2025 documents a sharp uptick in APT33-aligned activity targeting operational technology (OT) and critical infrastructure operators, including energy and oilfield service companies.

Tactics, Techniques & Procedures

Documented TTPs based on observed campaigns and public threat intelligence spanning 2013 through early 2025.

mitre id | technique | description
T1110.003 | Password Spraying | Primary initial access vector since 2023. Targets Microsoft 365 and Entra ID at scale using the go-http-client user agent, often through TOR exit nodes. Campaigns targeted thousands of organizations from 2023 through 2025 across defense, aerospace, satellite, and government sectors.
T1566.001 | Spearphishing Attachment | Primary access method in early campaigns (2013–2022). Recruitment-themed lures and aviation-industry decoys delivered malicious .hta files. Typosquatting domains impersonating Boeing and other aerospace firms were used to lend legitimacy.
T1078 | Valid Accounts | Post-spray, the group uses compromised credentials to authenticate directly to cloud environments. Compromised education sector accounts were specifically used to establish Azure infrastructure for C2 via Azure for Students entitlements.
T1583.006 | Acquire Infrastructure — Web Services | APT33 provisioned fraudulent Microsoft Azure subscriptions as C2 nodes in 2024 campaigns. C2 traffic to Azure IP ranges blends with legitimate cloud usage, evading network-based detection. Microsoft disrupted these subscriptions after detection.
T1059.001 | PowerShell | Used extensively across all campaign phases for execution, lateral movement, credential harvesting, and C2 communication. POWERTON is a custom PowerShell-based implant using encrypted C2 and multiple persistence mechanisms. ALMA (2024) is a newer PowerShell-based implant targeting DIB contractors.
T1021.002 | SMB/Windows Admin Shares | Lateral movement via SMB after initial compromise. Documented in a 2024 campaign against a European defense organization — the group leveraged SMB file sharing to take over additional systems across the network.
T1087.002 | Account Discovery — Domain Account | Active Directory snapshots taken using Sysinternals AD Explorer against a Middle East-based satellite operator in 2024, mapping the full compromised environment for follow-on targeting.
T1036.004 | Masquerading — Rename System Utilities | Tickler malware distributed in ZIP archives using double-extension masquerading (.pdf.exe) to appear as PDF documents. SHAPESHIFT and DROPSHOT historically disguised as legitimate files.
T1547.001 | Boot or Logon Autostart — Registry Run Keys | Tickler persists via the Run registry key, registering itself as SharePoint.exe to blend with legitimate Microsoft process names.
T1557 | Adversary-in-the-Middle | Golden SAML attacks observed in cloud-phase operations — forging SAML tokens to authenticate to federated cloud services without valid credentials, bypassing MFA on services that trust the compromised identity provider.
T1588.002 | Obtain Capabilities — Tool | Commodity malware including Remcos RAT, Quasar RAT, DarkComet, PoshC2, Pupy RAT, and NetWire used alongside custom tools, providing deniability and reducing development overhead for lower-priority operations.
T1568 | Dynamic Resolution | Tickler uses Process Environment Block (PEB) traversal to dynamically locate kernel32.dll and resolve API calls at runtime, bypassing EDR solutions that hook common APIs at known offsets.

Known Campaigns

Confirmed or highly attributed operations linked to APT33 across its operational history.

Aviation and Petrochemical Espionage 2016–2017

APT33's first documented large-scale campaign, targeting aerospace, aviation, and petrochemical organizations in the US, Saudi Arabia, and South Korea. Spearphishing emails used recruitment-themed lures with malicious .hta files and typosquatting domains impersonating Boeing and other aviation companies. DROPSHOT and TURNEDUP backdoors delivered for persistent access. FireEye's September 2017 disclosure publicly attributed the campaign to Iran for the first time.

Operation OVERRULED 2018

A sustained espionage campaign targeting organizations in the Middle East, Europe, and the US. Notable for exploiting CVE-2017-11774 (Microsoft Outlook Home Page vulnerability) to establish persistent access via malicious WebView pages in Outlook — a technique that allowed code execution simply by opening the email client. The Ruler tool was also used to abuse Exchange server features for persistence. FireEye described APT33 as a "potentially destructive adversary" during this period due to links between DROPSHOT and SHAPESHIFT wiper capability.

Elfin: Relentless Saudi and US Targeting 2019

Symantec documented a sustained multi-year campaign against US and Saudi Arabian organizations across chemical, engineering, manufacturing, defense, consulting, finance, and telecommunications sectors. The group compromised targets in at least six US states. A notable tactic was exploitation of CVE-2018-20250 — a WinRAR ACE path traversal vulnerability — via compressed file attachments that dropped malware to the Windows Startup folder on extraction.

Cloud Identity Attack Campaign 2023–2024

A strategic shift in methodology documented by Microsoft (tracking the cluster as Peach Sandstorm). Beginning in February 2023 and continuing through at least July 2024, APT33 conducted large-scale password spray attacks against thousands of organizations in the US, Australia, and the UAE across defense, space, satellite, oil and gas, education, and government sectors. Post-compromise activity included AD snapshot collection via Sysinternals AD Explorer, SMB lateral movement, AnyDesk deployment for persistence, and the introduction of the Tickler backdoor (July 2024). Fraudulent Azure subscriptions — some provisioned using compromised university accounts with Azure for Students entitlements — were used as C2 infrastructure. Microsoft disrupted the attacker-controlled subscriptions after detection.

FalseFont — Defense Industrial Base 2023

Microsoft disclosed APT33 deploying FalseFont, a previously undocumented backdoor, against US defense contractors following password spray initial access. FalseFont provides remote access capabilities and was specifically designed for DIB targets — organizations holding classified weapons specifications and military technology. The campaign ran concurrently with the broader cloud identity attack campaign.

Energy Sector OT Reconnaissance 2025

Reporting from mid-2025 documents APT33-aligned activity sharply increasing against operational technology (OT) and critical infrastructure operators — energy companies, oilfield service firms, and industrial control system environments. Campaigns employed phishing and credential harvesting to map industrial control networks. The shift toward OT targeting is consistent with APT33's latent destructive capability and assessed pre-positioning behavior aligned with Iranian geopolitical interests.

Tools & Malware

APT33 maintains a layered toolkit combining custom-developed malware, commodity RATs for deniability, and legitimate system utilities. Tooling strategy has evolved over time: early operations favored custom backdoors, a middle period shifted toward commodity tools, and recent operations (2023–2025) have returned to sophisticated custom malware alongside cloud infrastructure abuse.

  • Tickler (2024): Custom multi-stage C/C++ backdoor — APT33's current primary implant. Distributed in ZIP archives using double-extension masquerading (.pdf.exe). Uses PEB traversal to locate kernel32.dll and dynamically resolve API calls, bypassing EDR hooks. Persists via Run registry key as SharePoint.exe. C2 hosted on attacker-controlled Azure subscriptions. Samples found in compromised environments as recently as July 2024.
  • FalseFont (2023): Custom backdoor deployed specifically against US defense industrial base targets following password spray initial access. Provides persistent remote access with capabilities designed for long-term intelligence collection in high-security environments.
  • TURNEDUP: APT33's long-standing flagship custom backdoor. Capable of downloading and uploading files, gathering system information, and creating reverse shells. Linked to developer pseudonym xman_1365_x via PDB path artifacts — the clearest human attribution connection between APT33 and the Nasr Institute.
  • DROPSHOT: Custom dropper used to deliver TURNEDUP and, in multiple wild samples, SHAPESHIFT. Contains Farsi language artifacts. APT33 is the only group observed using DROPSHOT, making it a reliable attribution indicator.
  • SHAPESHIFT (aka STONEDRILL): Destructive disk wiper delivered via DROPSHOT. Capable of erasing the master boot record, overwriting volumes, and deleting files. Uses in-memory injection and advanced anti-emulation techniques — more sophisticated than earlier Shamoon-era wipers. Deployed via DROPSHOT; direct use in a live destructive operation has not been publicly confirmed by Mandiant, though the capability is assessed as staged.
  • POWERTON: Custom PowerShell-based implant first observed in 2018. Uses encrypted C2 channels, multiple persistence mechanisms, and can dump password hashes. Designed for stealth and long-term dwell in enterprise environments.
  • ALMA (2024): A newer PowerShell-based implant introduced in 2024, targeting defense contractors and logistics firms in North America and the Gulf region. Performs espionage and credential exfiltration.
  • Commodity RATs: Remcos RAT, Quasar RAT, DarkComet, PoshC2, Pupy RAT, NetWire, and NanoCore — used alongside custom tools to complicate attribution and reduce operational cost for lower-priority targets.
  • Legitimate Tools: AnyDesk (remote management persistence), Sysinternals AD Explorer (Active Directory reconnaissance), Mimikatz and Procdump (credential access), Ruler (Exchange server abuse), and standard Windows utilities for living-off-the-land execution.

Indicators of Compromise

Publicly available IOCs from documented campaigns. Verify currency before operational use — many indicators from 2023–2024 campaigns have been burned after Microsoft's public disclosure.

warning

IOCs may be stale or burned after public disclosure. APT33 rotates infrastructure rapidly following exposure. Cross-reference with live threat intel feeds and behavioral indicators before blocking. The go-http-client user agent and TOR exit node patterns are more durable detection signals than specific IP or domain indicators.

behavioral indicators of compromise
user-agent: go-http-client/1.1 (password spray campaigns — consistent across 2023–2025)
registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run — value SharePoint.exe (Tickler persistence)
filename: Network Security.zip containing *.pdf.exe (Tickler delivery archive pattern)
process: mshta.exe spawning from Outlook.exe (CVE-2017-11774 Outlook Home Page exploitation)
network: C2 traffic to Microsoft Azure IP ranges from non-standard internal hosts — review for attacker-provisioned subscriptions
tool: ADExplorer.exe execution followed by snapshot creation (Active Directory reconnaissance)
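The host-side indicators above (the Run key value named SharePoint.exe, the .pdf.exe double-extension archive pattern, mshta.exe spawned by Outlook.exe, and AD Explorer execution followed by a .dat snapshot) translate directly into telemetry checks. The following is an added example, not code from this profile or from any EDR vendor: it evaluates a handful of constructed process, registry and file events against those indicators and tags each hit with the ATT&CK ID the profile uses. The event field names (event_type, image, parent_image, key, value_name, value_data, filename, archive, process) are assumptions and will need mapping onto whatever schema your sensor actually emits.

```python
import re
from dataclasses import dataclass

# Indicator patterns taken from the profile's behavioral IOC list
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|com|bat)$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.IGNORECASE)


@dataclass
class Finding:
    technique: str   # ATT&CK ID or CVE the profile associates with the behavior
    summary: str


def check_event(ev):
    """Return a list of Findings for one telemetry event (empty if nothing matched)."""
    hits = []
    kind = ev.get("event_type")
    if kind == "registry_set" and RUN_KEY.search(ev.get("key", "")):
        name = ev.get("value_name", "")
        data = ev.get("value_data", "")
        # Tickler registers itself under Run as SharePoint.exe; a Microsoft-looking
        # value name pointing at a user-writable path is the same signal in general form
        if name.lower() == "sharepoint.exe" or USER_WRITABLE.search(data):
            hits.append(Finding("T1547.001", f"Run key value {name!r} -> {data}"))
    elif kind == "process_create":
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        if image.endswith("mshta.exe") and parent.endswith("outlook.exe"):
            hits.append(Finding("CVE-2017-11774", "mshta.exe spawned by Outlook.exe (Home Page abuse)"))
        if image.endswith("adexplorer.exe"):
            hits.append(Finding("T1087.002", "AD Explorer execution; expect a snapshot to follow"))
    elif kind == "file_create":
        fname = ev.get("filename", "")
        if DOUBLE_EXT.search(fname):
            hits.append(Finding("T1036.004", f"double-extension file {fname} (archive {ev.get('archive')})"))
        if fname.lower().endswith(".dat") and ev.get("process", "").lower().endswith("adexplorer.exe"):
            hits.append(Finding("T1087.002", f"AD Explorer snapshot written: {fname}"))
    return hits


def scan(events):
    """Evaluate every event; returns (event index, Finding) pairs in event order."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


# Constructed sample telemetry (not real captures); the last event is benign noise
SAMPLE_EVENTS = [
    {"event_type": "file_create", "filename": "Network Security.pdf.exe",
     "archive": "Network Security.zip", "process": r"C:\Windows\explorer.exe"},
    {"event_type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "SharePoint.exe",
     "value_data": r"C:\Users\jdoe\AppData\Local\SharePoint.exe"},
    {"event_type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"event_type": "process_create", "image": r"C:\Tools\ADExplorer.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"event_type": "file_create", "filename": r"C:\Users\jdoe\Desktop\snap.dat",
     "process": r"C:\Tools\ADExplorer.exe"},
    {"event_type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{finding.technique}] {finding.summary}")
```

The Run key check deliberately fires on any Microsoft-looking value name that resolves into a user-writable directory rather than on the literal string SharePoint.exe alone, since the profile's warning is that specific indicators rotate while the behavior persists; tune USER_WRITABLE to your own image-deployment paths to keep the false-positive rate down.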

Mitigation & Defense

Recommended defensive measures for organizations in APT33's target profile — primarily aerospace, defense, energy, satellite, and government sectors.

  • Enforce phishing-resistant MFA: Standard MFA does not stop password spraying if the attacker can phish the OTP or exploit MFA fatigue. FIDO2 hardware keys or certificate-based authentication are the appropriate controls for high-value accounts. Microsoft's own research shows MFA stops over 99% of automated credential attacks — APT33's password spray campaigns are precisely the threat MFA is designed to defeat.
  • Harden cloud identity configuration: Review and restrict Azure AD conditional access policies. Disable legacy authentication protocols that bypass MFA. Audit and limit Azure for Students and trial subscription creation — APT33 specifically abused these entitlements for C2 infrastructure provisioning.
  • Monitor for password spray patterns: Configure smart lockout in Entra ID. Alert on high-volume authentication failures from single IP addresses or distributed TOR exit node ranges. The go-http-client user agent string is a consistent APT33 indicator across documented campaigns.
  • Audit cloud infrastructure for unauthorized subscriptions: APT33 created fraudulent Azure tenants using compromised accounts. Regularly audit all Azure subscriptions associated with your tenant and investigate any unexpected Azure for Students or trial resources.
  • Patch Outlook and WinRAR: CVE-2017-11774 (Outlook Home Page) and CVE-2018-20250 (WinRAR ACE path traversal) remain relevant APT33 exploitation paths for organizations with unpatched endpoints. Confirm remediation status across the environment.
  • Enable PowerShell logging and script block logging: POWERTON, ALMA, and commodity tools used by APT33 rely heavily on PowerShell for execution and C2. Script block logging captures obfuscated commands that evade command-line logging. Map detections to T1059.001.
  • Monitor SMB lateral movement: After initial compromise, APT33 pivots via SMB. Alert on unusual SMB connections from non-administrative workstations and unexpected admin share access.
  • Hunt for AD Explorer artifacts: Sysinternals AD Explorer creates snapshot files (.dat) containing the full Active Directory schema. Detection of ADExplorer.exe execution or .dat snapshot files in unexpected locations should trigger immediate investigation.
  • Segment OT networks: Given confirmed 2025 expansion toward operational technology targeting, organizations in energy and industrial sectors should verify air-gap integrity and network segmentation between IT and OT environments. OT systems with IT network connectivity that lack proper segmentation represent the highest-priority exposure.
  • Integrate geopolitical context into threat modeling: APT33 activity historically escalates during periods of increased US-Iran tension. Adjust defensive posture and monitoring thresholds accordingly during geopolitical flashpoints.

note

APT33's operational tempo aligns with Iranian Standard Time business hours (approximately UTC+3:30). Security teams observing sustained authentication anomalies exclusively within a 9-to-5 Iran Standard Time window should treat that pattern as a high-fidelity behavioral indicator, independent of any specific IP or tool signature.
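The "Monitor for password spray patterns" item above and this note describe two sign-in log analyses: a source that fails against many distinct accounts with only a couple of tries each (while presenting the go-http-client user agent), and failures that cluster inside the Iran Standard Time working day. The following is an added example, not code from this profile or from Microsoft, that runs both over a constructed set of sign-in records. The record layout (UTC timestamp, source IP, user, user agent, result), the threshold constants, and the 13:00 Thursday cut-off for the Iranian weekend are all assumptions for the example, not documented Entra ID schema or APT33 behavior.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Iran Standard Time; the profile notes APT33 activity clusters in a 9-to-5 IRST window
IRST = timezone(timedelta(hours=3, minutes=30))
# Thresholds are assumptions for this example; tune to the tenant's baseline
SPRAY_MIN_USERS = 5        # distinct accounts failing from one source
SPRAY_MAX_PER_USER = 2     # low-and-slow: a spray tries few passwords per account
WATCHED_UA_PREFIX = "go-http-client"   # user agent the profile ties to the 2023-2025 campaigns

# Constructed sample rows (UTC timestamp, source IP, user, user agent, result).
# The layout is an assumption, not the real Entra ID sign-in log schema.
SIGNIN_LOG = [
    ("2024-07-09T06:01:00Z", "203.0.113.7", "a.smith", "go-http-client/1.1", "failure"),
    ("2024-07-09T06:02:00Z", "203.0.113.7", "b.jones", "go-http-client/1.1", "failure"),
    ("2024-07-09T06:03:00Z", "203.0.113.7", "c.lee",   "go-http-client/1.1", "failure"),
    ("2024-07-09T06:04:00Z", "203.0.113.7", "d.kim",   "go-http-client/1.1", "failure"),
    ("2024-07-09T06:05:00Z", "203.0.113.7", "e.wong",  "go-http-client/1.1", "failure"),
    ("2024-07-09T06:06:00Z", "203.0.113.7", "e.wong",  "go-http-client/1.1", "success"),
    ("2024-07-09T22:15:00Z", "198.51.100.4", "f.ali",  "Mozilla/5.0", "failure"),
    ("2024-07-09T22:16:00Z", "198.51.100.4", "f.ali",  "Mozilla/5.0", "failure"),
    ("2024-07-09T22:17:00Z", "198.51.100.4", "f.ali",  "Mozilla/5.0", "failure"),
    ("2024-07-09T22:20:00Z", "198.51.100.4", "f.ali",  "Mozilla/5.0", "success"),
]


def parse(row):
    ts = datetime.strptime(row[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": row[1], "user": row[2], "ua": row[3], "status": row[4]}


RECORDS = [parse(r) for r in SIGNIN_LOG]


def spray_sources(records):
    """Sources whose failures spread across many accounts with few tries each.
    One user failing repeatedly (typo, forgotten password) does not qualify."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["status"] == "failure":
            per_ip[r["ip"]][r["user"]] += 1
    return {ip: dict(users) for ip, users in per_ip.items()
            if len(users) >= SPRAY_MIN_USERS and max(users.values()) <= SPRAY_MAX_PER_USER}


def watched_ua_ips(records):
    """Source IPs presenting the go-http-client user agent, regardless of outcome."""
    return sorted({r["ip"] for r in records if r["ua"].lower().startswith(WATCHED_UA_PREFIX)})


def in_irst_work_window(ts_utc):
    """09:00-17:00 IRST, excluding Friday and Thursday afternoon (the Iranian weekend
    as described in the profile; the 13:00 Thursday cut-off is this example's assumption)."""
    t = ts_utc.astimezone(IRST)
    if t.weekday() == 4:                    # Friday
        return False
    if t.weekday() == 3 and t.hour >= 13:   # Thursday afternoon
        return False
    return 9 <= t.hour < 17


def irst_work_window_fraction(records):
    """Share of failed sign-ins inside the IRST work window; a value near 1.0 over a
    sustained period is the behavioral signal the note describes."""
    fails = [r["ts"] for r in records if r["status"] == "failure"]
    if not fails:
        return 0.0
    return sum(in_irst_work_window(t) for t in fails) / len(fails)


def summarize(records):
    """Combine the checks; a source matching all of them deserves triage first."""
    sprays = spray_sources(records)
    uas = set(watched_ua_ips(records))
    return {
        "spray_sources": sprays,
        "spray_sources_with_watched_ua": sorted(ip for ip in sprays if ip in uas),
        "irst_fraction_per_source": {
            ip: irst_work_window_fraction([r for r in records if r["ip"] == ip]) for ip in sprays
        },
        "irst_fraction_overall": irst_work_window_fraction(records),
    }


if __name__ == "__main__":
    print(summarize(RECORDS))
```

On the sample data the 203.0.113.7 source trips all three checks (five accounts, one failure each, go-http-client, every failure inside the IRST working day), while 198.51.100.4 is a single user failing three times outside the window and is left alone. In production the per-source time-window fraction only means something over days of data, which is why the note speaks of sustained anomalies rather than a single burst.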

Sources & Further Reading

Attribution and references used to build this profile.
