APT33: The Aerospace Stalker — Iran's IRGC-Linked Cyber Espionage Group Targeting Defence and Energy

> threat_actor APT33 —— origin: Iran (IRGC) —— sector: aerospace, defence, energy —— objective: espionage

Hedgehog Security | 7 January 2025 | 16 min read
Tags: apt33, elfin, peach-sandstorm, refined-kitten, iran, threat-intelligence, aerospace, advanced-persistent-threat

A decade of targeting aerospace and energy.

APT33 — also tracked as Elfin, Peach Sandstorm, Refined Kitten, Magnallium, HOLMIUM, and Cobalt Trinity — is an Iranian state-sponsored cyber espionage group that has been conducting operations since at least 2013. First publicly documented by FireEye (now Mandiant) in 2017, the group is assessed with high confidence to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC), with activities aligned to Iran's strategic military and economic objectives.

APT33's targeting is distinctive and consistent: aerospace, defence, energy, and petrochemical organisations — the sectors that hold the technology, intellectual property, and strategic intelligence that Iran needs but cannot acquire through legitimate channels due to international sanctions. They have compromised US aerospace firms, Saudi petrochemical conglomerates, South Korean oil refineries, European defence contractors, and satellite operators. Every target selection maps directly to Iranian national interests.

What makes APT33 particularly significant in the current threat landscape is their evolution. The group that relied on basic spear-phishing and commodity malware in 2016 is not the same group operating today. By 2024, APT33 had developed custom backdoors like Tickler and FalseFont, adopted cloud-based command and control infrastructure on Azure, launched password spray campaigns targeting thousands of organisations simultaneously, and demonstrated sophisticated cloud-based TTPs that Microsoft described as "materially more sophisticated" than their earlier capabilities. They are getting better, and they are getting faster.


Connecting APT33 to the Iranian state.

Attribution of APT33 to Iran rests on multiple independent lines of evidence. FireEye's original 2017 analysis identified Farsi (Persian) language artefacts in the group's custom malware, operational activity patterns aligning with Iran Standard Time business hours, and inactivity during the Iranian weekend (Thursday afternoon and Friday). More directly, a hacker using the pseudonym xman_1365_x was linked both to APT33's TurnedUp backdoor source code and to the Iranian Nasr Institute — an organisation previously connected to the Iranian Cyber Army.

| Attribute | Detail |
|---|---|
| Tracked Names | APT33 (Mandiant), Peach Sandstorm (Microsoft, current), HOLMIUM (Microsoft, legacy), Elfin (Symantec), Refined Kitten (CrowdStrike), Magnallium (Dragos), Cobalt Trinity (SecureWorks), TA451 (Proofpoint) |
| State Sponsor | Islamic Republic of Iran — Islamic Revolutionary Guard Corps (IRGC). Distinct from MOIS-affiliated groups such as APT39 (Chafer) and APT34 (OilRig). The IRGC connection aligns APT33's operations with Iran's military and strategic ambitions rather than domestic intelligence. |
| Active Since | At least 2013. Public reporting begins with FireEye's September 2017 disclosure. Activity has been continuous through 2024, with Microsoft documenting ongoing campaigns as recently as July 2024. |
| Primary Objective | Intellectual property theft and strategic intelligence collection — aerospace technology, defence capabilities, energy sector operational data, satellite systems, and military supply chain information. Intelligence obtained is assessed to directly support Iran's domestic defence programmes and regional power projection. |
| Secondary Capability | Links to destructive operations. APT33 is the only group observed using the DROPSHOT dropper, which delivers the SHAPESHIFT wiper — malware with similarities to the Shamoon wiper used in destructive attacks against Saudi energy infrastructure. While APT33 has not been directly observed conducting destructive attacks, the capability exists. |
| Relationship to Other Iranian Groups | Shares some infrastructure and objectives with APT34 (OilRig), another IRGC-linked group. Distinct from APT35 (Charming Kitten / Mint Sandstorm), which focuses on think tanks, journalists, and political targets. APT33 is the aerospace and defence specialist within Iran's cyber operations ecosystem. |

Sectors that build what Iran cannot.

APT33's target selection is not opportunistic. It directly reflects Iran's strategic requirements: the aerospace and missile technology that sanctions prevent Iran from acquiring, the defence intelligence that informs Iran's military planning, the energy sector knowledge that underpins Iran's economic survival, and the satellite capabilities that support both military and civilian objectives.

| Target Sector | Strategic Value to Iran | Observed Campaigns |
|---|---|---|
| Aerospace and Aviation | Iran's aviation fleet is ageing and sanctioned. Aerospace IP — engine designs, avionics systems, materials science, manufacturing processes — directly supports Iran's domestic production ambitions. Military aerospace intelligence informs defensive capabilities. | 2016–2017: Compromised a US aerospace organisation. Registered domains impersonating Boeing, Northrop Grumman, and Alsalam Aircraft Company for phishing. 2018: Phishing campaigns impersonating aerospace and defence recruiters. 2023–2024: Password spray targeting US and Australian defence/space sectors. |
| Defence and Military | Intelligence on defence capabilities, weapons systems, military supply chains, and defence contractor relationships. Directly supports IRGC strategic planning and Iran's asymmetric military posture. | 2019: Spoofed domains of US defence contractors in phishing campaigns. 2023: FalseFont backdoor deployed against Defence Industrial Base (DIB) organisations worldwide. 2024: Tickler malware targeting US government and defence sectors. |
| Energy and Petrochemical | Iran's economy depends on oil and gas exports. Intelligence on competitors' operations, pricing strategies, and infrastructure provides both economic and strategic advantage. Potential pre-positioning for destructive attacks against regional rivals' energy infrastructure. | 2016–2017: Targeted Saudi petrochemical conglomerate and South Korean oil refining company. Links to Shamoon-style destructive attacks against Saudi energy sector. 2024: Oil and gas sector targeting via Tickler campaign. |
| Satellite and Space | Satellite technology supports both civilian communications and military intelligence, surveillance, and reconnaissance (ISR). Iran has an active space programme and seeks satellite launch and operation capabilities. | 2023: Microsoft observed consistent targeting of satellite sector organisations. 2024: Tickler malware deployed against satellite operators and communications equipment manufacturers in the US and UAE. |
| Government and Education | Government agencies hold policy intelligence and defence procurement data. Universities conduct aerospace, nuclear, and defence research that Iran seeks for domestic programmes. | 2019: Targeted US federal government agencies. 2021: Operations against US and European universities involved in aerospace and nuclear research. 2023–2024: Education sector compromised for operational infrastructure procurement — student Azure subscriptions used for C2. |

Geographic Focus

APT33's targeting concentrates on the United States, Saudi Arabia, the United Arab Emirates, and South Korea — but has also been observed against organisations in the United Kingdom, Europe, and Australia. Any organisation in the aerospace, defence, or energy supply chain, regardless of country, falls within APT33's potential target set. Tier 2 and Tier 3 suppliers are often targeted as stepping stones to larger prime contractors.


From spear-phishing to cloud-native operations.

APT33's operational history demonstrates a clear trajectory of increasing sophistication. Understanding this evolution is important because it indicates where the group is heading next — and the defences that were adequate against their 2017 capabilities are not adequate against their 2024 tradecraft.

| Period | Tradecraft | Significance |
|---|---|---|
| 2013–2016 | Basic spear-phishing with malicious HTA (HTML Application) files. Custom malware: TURNEDUP backdoor, DROPSHOT dropper, SHAPESHIFT wiper. Infrastructure: domains impersonating target organisations. | Foundational period. Established targeting patterns against aerospace and energy. Demonstrated destructive capability through SHAPESHIFT wiper links. Techniques effective but unsophisticated. |
| 2017–2018 | Expanded spear-phishing with job-themed lures impersonating aerospace and defence recruiters. Adopted commodity RATs (DarkComet, Remcos, Quasar RAT) alongside custom tools. Began using compromised credentials to manipulate email clients. | Diversification. Moved beyond reliance on custom malware to include publicly available tools — making attribution harder and reducing development overhead. |
| 2019 | Password spray campaigns targeting cloud-hosted infrastructure. Spoofed US defence contractor domains. Targeted ICS (Industrial Control System) vendors. Used over 1,200 operational domains. | Scale shift. Transitioned from targeted spear-phishing to mass password spraying — orders of magnitude more organisations targeted simultaneously. Industrial control system interest suggests potential for destructive operations. |
| 2023 | Massive password spray campaign from February–July targeting thousands of organisations globally. Post-compromise: AzureHound and Roadtools for cloud reconnaissance. Golden SAML attacks. DLL search order hijacking. FalseFont custom backdoor against DIB sector (November). | Cloud-native pivot. Sophisticated cloud-based TTPs — Microsoft described these as 'materially more sophisticated' than previous capabilities. First deployment of FalseFont indicates continued custom malware development. |
| 2024 | Tickler multi-stage custom backdoor. Leveraged fraudulent Azure subscriptions for C2 infrastructure. LinkedIn social engineering posing as students, developers, and recruiters. Compromised education sector Azure accounts to procure operational infrastructure. | Current peak capability. Custom malware, cloud infrastructure abuse, social engineering, and the operational creativity to use compromised educational Azure subscriptions as C2 hosting — turning a victim's cloud resources into attack infrastructure. |

How they get in.

APT33 uses two primary initial access methods, and their balance has shifted over time. Early campaigns relied heavily on spear-phishing. Recent campaigns increasingly use password spraying — a technique that scales massively and exploits weak or reused passwords across thousands of organisations simultaneously.

| Technique | MITRE ATT&CK | Implementation |
|---|---|---|
| Spear-Phishing with Links and Attachments | T1566.001, T1566.002 | Targeted emails with malicious HTA files, macro-enabled Office documents, or links to credential harvesting pages. Lures are sector-specific: job postings from aerospace firms, conference invitations, defence contractor communications. Domains registered to impersonate Boeing, Northrop Grumman, Alsalam Aircraft Company, and other legitimate organisations. Exploited CVE-2017-11882 (Equation Editor) in document-based attacks. |
| Password Spraying | T1110.003 | Since February 2023, APT33's primary initial access method. Attempts authentication to thousands of accounts across thousands of organisations using common or commonly leaked passwords. Low and slow — avoids account lockout thresholds. Targets Microsoft 365, Exchange Online, VPN gateways, and any externally accessible authentication endpoint. Successful authentication provides immediate access to cloud email, SharePoint, OneDrive, and Azure resources. |
| Social Engineering via LinkedIn | T1593.001 | Profiles masquerading as students, software developers, and talent acquisition managers based in the US and Western Europe. Used for intelligence gathering and relationship building with employees at target organisations in aerospace, satellite, and defence sectors. Provides targeting data for subsequent spear-phishing or identifies employees with useful access for credential targeting. |
| Valid Accounts | T1078 | Credentials obtained through password spraying, third-party data breaches, credential harvesting phishing, or infostealer malware. Legitimate credentials provide the stealthiest access — the logon appears normal to every security control and the attacker inherits the account's permissions. |

Custom malware and commodity tools.

APT33 maintains a broad arsenal spanning custom-developed malware, open-source offensive tools, and legitimate system utilities. Their tooling strategy has evolved: early operations relied on custom backdoors, middle-period campaigns shifted to commodity RATs for deniability, and recent operations have returned to custom malware (Tickler, FalseFont) while leveraging cloud infrastructure — indicating renewed investment in capability development.

| Tool | Type | Purpose |
|---|---|---|
| Tickler | Custom multi-stage backdoor (2024) | APT33's most recent custom implant. 64-bit C/C++ binary. Deployed via ZIP archives masquerading as PDF documents. Collects system and network information, downloads and executes additional payloads. Uses Azure infrastructure in attacker-controlled subscriptions for C2. Represents the current state of APT33's malware development capability. |
| FalseFont | Custom backdoor (2023) | Targeted specifically at Defence Industrial Base (DIB) organisations. Wide-ranging functionality: remote system access, file execution, information exfiltration. Deployed via social engineering against defence sector employees. First observed November 2023. |
| POWERTON | Custom PowerShell backdoor (2018+) | PowerShell-based implant with encrypted C2 communications and multiple persistence mechanisms. Used in operations against engineering and energy sectors. Demonstrates APT33's ability to develop stealthy, script-based implants that evade traditional antivirus. |
| TURNEDUP | Custom backdoor (2013+) | APT33's original primary backdoor. File upload/download, system information collection, reverse shell capability. Source code linked to Iranian Nasr Institute — a key attribution indicator. |
| DROPSHOT / SHAPESHIFT | Custom dropper and wiper | DROPSHOT delivers either TURNEDUP (for espionage) or SHAPESHIFT (for destruction). SHAPESHIFT is a disk wiper with similarities to Shamoon. Contains Farsi language artefacts. APT33 is the only group observed using DROPSHOT — making it a reliable attribution indicator. |
| Commodity RATs | Public tools (multiple) | Remcos, DarkComet, Quasar RAT, Pupy RAT, NanoCore RAT. Off-the-shelf remote access tools used to reduce development overhead and complicate attribution. Configured with APT33-controlled C2 infrastructure. |
| Offensive Frameworks and Utilities | Public tools | PoshC2 and PowerShell Empire (C2 frameworks). Mimikatz (credential theft). LaZagne (password recovery). Procdump (LSASS memory dumping). Ruler (Exchange/Outlook exploitation). AzureHound and Roadtools (cloud reconnaissance). |

How APT33 weaponised Azure infrastructure.

APT33's 2023–2024 campaigns reveal a significant operational shift: the group now leverages cloud infrastructure — specifically Microsoft Azure — both as a target and as a tool. This cloud-native approach provides several advantages that align with sophisticated espionage operations.

Azure for Command and Control

APT33 created fraudulent Azure subscriptions — sometimes using compromised education sector accounts with Azure for Students entitlements — and provisioned Azure resources as C2 infrastructure. This is operationally elegant: C2 traffic to Azure IP ranges blends with legitimate cloud service usage, evading network-based detection. Microsoft has since disrupted these attacker-controlled subscriptions.

Education Sector as Operational Platform

A notable pattern: while password spraying targeted multiple sectors, APT33 specifically exploited compromised education sector accounts for infrastructure procurement. Universities often have relaxed security controls and generous Azure entitlements. By compromising a student account, APT33 gained access to Azure resources that could host their C2 — effectively laundering their operations through a legitimate cloud tenant.

Cloud Reconnaissance

Post-compromise, APT33 deployed AzureHound (which queries Microsoft Entra ID and Azure Resource Manager) and Roadtools (which dumps Microsoft Entra ID data to a local database) to map the target's cloud environment. This reconnaissance identifies privileged accounts, security configurations, and lateral movement opportunities within the cloud — the cloud equivalent of running BloodHound against Active Directory.

Golden SAML Attacks

In at least one 2023 intrusion, APT33 conducted a Golden SAML attack — stealing private keys from an on-premises AD FS server to forge SAML tokens trusted by the target's Microsoft 365 environment. This provides persistent, stealthy access to federated cloud services as any user, bypassing MFA and conditional access policies. It is the cloud equivalent of a Golden Ticket attack.
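The defensive angle on Golden SAML is that a forged token never passes through AD FS, so the cloud accepts a federated sign-in for which the federation server has no issuance record. The correlation below is an added example written for this post, not Hedgehog Security's or Microsoft's code; it assumes AD FS auditing is enabled and Security Event ID 1200 ("The Federation Service issued a valid token") is exported with the user's UPN, and that Entra sign-in records mark AD FS-issued tokens with tokenIssuerType "ADFederationServices". All log records in it are constructed.

```python
"""Correlate federated Entra ID sign-ins with AD FS token-issuance events.

Added example for this post; not Hedgehog Security's or Microsoft's code.
Assumptions: AD FS auditing is on and Security Event ID 1200 ("The
Federation Service issued a valid token") is exported with the user's
UPN and timestamp; Entra sign-in records mark AD FS-issued tokens with
tokenIssuerType "ADFederationServices". Both inputs are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


# Constructed AD FS audit events: the federation server's own record of
# which users it actually issued tokens for.
ADFS_ISSUANCE = [
    {"EventID": 1200, "TimeCreated": "2023-09-12T08:00:05Z",
     "UserId": "bob@contoso.example"},
    {"EventID": 1200, "TimeCreated": "2023-09-12T08:02:10Z",
     "UserId": "carol@contoso.example"},
]

# Constructed Entra sign-ins. The third one was accepted as federated,
# yet AD FS has no issuance for that user: the Golden SAML shape.
CLOUD_SIGNINS = [
    {"createdDateTime": "2023-09-12T08:00:09Z",
     "userPrincipalName": "bob@contoso.example",
     "tokenIssuerType": "ADFederationServices", "appDisplayName": "Exchange Online"},
    {"createdDateTime": "2023-09-12T08:02:12Z",
     "userPrincipalName": "carol@contoso.example",
     "tokenIssuerType": "ADFederationServices", "appDisplayName": "SharePoint Online"},
    {"createdDateTime": "2023-09-12T23:41:00Z",
     "userPrincipalName": "svc-backup@contoso.example",
     "tokenIssuerType": "ADFederationServices", "appDisplayName": "Exchange Online"},
    # Cloud-native authentication: no AD FS event is expected, so it is skipped.
    {"createdDateTime": "2023-09-12T09:00:00Z",
     "userPrincipalName": "dave@contoso.example",
     "tokenIssuerType": "AzureAD", "appDisplayName": "Microsoft Teams"},
]


def find_orphan_federated_signins(signins, adfs_events,
                                  window=timedelta(minutes=10),
                                  skew=timedelta(seconds=30)):
    """Return federated sign-ins with no matching AD FS issuance.

    A token the cloud trusted but AD FS never issued is the core Golden
    SAML indicator: it was minted off-box with the stolen signing key.
    `window` bounds how long before the cloud sign-in the AD FS event may
    occur; `skew` tolerates clock drift between the two log sources.
    """
    issued = defaultdict(list)
    for event in adfs_events:
        if event["EventID"] == 1200:
            issued[event["UserId"].lower()].append(parse_time(event["TimeCreated"]))

    orphans = []
    for signin in signins:
        if signin["tokenIssuerType"] != "ADFederationServices":
            continue
        seen = parse_time(signin["createdDateTime"])
        upn = signin["userPrincipalName"].lower()
        if not any(seen - window <= issued_at <= seen + skew
                   for issued_at in issued.get(upn, [])):
            orphans.append({"user": signin["userPrincipalName"],
                            "time": signin["createdDateTime"],
                            "app": signin["appDisplayName"]})
    return orphans
```

Gaps in AD FS log collection will produce false positives here, so the check is only as good as the completeness of the 1200 event feed; an orphan hit for a service or privileged account outside business hours is the case to escalate first.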

Espionage with destructive potential.

APT33 occupies an unusual position among espionage groups: they maintain destructive capabilities. The SHAPESHIFT wiper, delivered by APT33's exclusive DROPSHOT dropper, shares code similarities with the Shamoon wiper malware used in devastating attacks against Saudi Aramco (2012, destroying 35,000 workstations), Saudi government agencies (2016–2017), and Italian oil company Saipem (2018).

FireEye and other researchers have noted that while APT33 has not been directly observed deploying SHAPESHIFT for destructive purposes, the capability exists within their toolkit. This creates an unsettling dual-threat: the same access that enables espionage — persistent presence within aerospace, defence, and energy networks — could be repurposed for destructive attacks if Iran's strategic calculus changes. A group that has spent months mapping a petrochemical company's network for intelligence collection could, with a single command change, deploy a wiper instead.

For defenders in the energy and critical infrastructure sectors, this dual-threat nature means that APT33 compromise indicators warrant immediate, high-priority response — not just because of the espionage risk, but because of the latent destructive potential that every APT33 foothold represents.


Techniques across the kill chain.

| Tactic | Key Techniques | Detection Opportunity |
|---|---|---|
| Initial Access | T1566 Phishing (HTA files, malicious documents), T1110.003 Password Spraying, T1078 Valid Accounts | Email gateway analysis for HTA attachments. Authentication monitoring: spikes in failed authentication attempts across many accounts from limited IP ranges. Conditional access alerting on anomalous logon geography/device. |
| Execution | T1059.001 PowerShell, T1059.005 Visual Basic (macros), T1204 User Execution (HTA and document lures) | PowerShell script block logging (Event ID 4104). Monitoring for mshta.exe process creation. Macro execution alerting in EDR. Suspicious parent-child processes (Office → PowerShell/cmd). |
| Persistence | T1547.001 Registry Run Keys, T1053.005 Scheduled Tasks, T1546.003 WMI Event Subscription | Registry modification monitoring. Scheduled task creation (Event ID 4698). WMI event subscription creation. Startup folder changes on servers. |
| Credential Access | T1003.001 LSASS Memory, T1003.004 LSA Secrets, T1003.005 Cached Domain Credentials, T1555.003 Web Browser Credentials | LSASS access monitoring (Sysmon Event ID 10). Procdump execution against LSASS. LaZagne or SniffPass execution. Credential Guard deployment prevents LSASS extraction. |
| Discovery | AzureHound / Roadtools (cloud enumeration), AD Explorer (Active Directory snapshots), standard Windows discovery commands | Cloud audit logs for bulk Microsoft Graph API queries. AD Explorer generates distinctive LDAP query patterns. Process creation logging for discovery command clusters. |
| Lateral Movement | T1021.002 SMB/Windows Admin Shares, Pass-the-Hash, RMM tool deployment (AnyDesk for persistence) | Service creation events (Event ID 7045). Unexpected RMM tool installations. NTLM authentication anomalies. SMB traffic to unusual destinations. |
| Exfiltration | T1041 Exfiltration Over C2 Channel, data staged in archives prior to exfiltration | Unusual outbound data volumes to Azure IP ranges or uncategorised domains. Large archive file creation in staging directories. Outbound traffic anomalies during non-business hours. |

Finding APT33 in your environment.

APT33's shift to password spraying as a primary initial access technique means that the first detectable signal is often an authentication anomaly — not a malware detection. Organisations that rely solely on endpoint detection will miss the initial compromise entirely. Detection must span identity, cloud, network, and endpoint telemetry.

| Hunt Hypothesis | Data Sources | Indicators |
|---|---|---|
| Password spray targeting your tenancy | Microsoft Entra ID sign-in logs, Azure AD audit logs, SIEM correlation | High volume of failed authentication attempts across many accounts from a limited set of source IPs. Attempts distributed across time to avoid lockout thresholds. Successful authentication following a period of spray activity against the same tenancy. |
| Post-compromise cloud reconnaissance | Microsoft Entra ID audit logs, Azure activity logs, Cloud Access Security Broker (CASB) | Execution of AzureHound, Roadtools, or similar cloud enumeration tools. Bulk Microsoft Graph API queries from a single account. Azure Resource Manager queries from accounts that do not normally manage Azure resources. |
| Fraudulent Azure resource creation | Azure subscription and resource creation logs | New Azure subscriptions created under compromised accounts — particularly education sector accounts. Virtual machine or App Service creation in subscriptions without prior resource usage. Azure resources communicating with external endpoints inconsistent with the subscription's purpose. |
| FalseFont or Tickler deployment | EDR telemetry, file system monitoring, network flow data | ZIP archives containing executables masquerading as PDFs (double extensions). Unknown 64-bit executables performing PEB traversal and dynamic API resolution. Outbound HTTPS connections from newly created processes to Azure IP ranges not associated with legitimate organisational use. |
| Golden SAML preparation | AD FS event logs, certificate store access logs, Entra ID sign-in logs | Access to AD FS private key material. Token signing certificate export. SAML token issuance for accounts that did not authenticate through normal channels. Sign-ins to cloud services from accounts without corresponding on-premises authentication events. |
| LinkedIn social engineering | Employee reporting, security awareness programme, LinkedIn platform alerts | Connection requests from profiles claiming to be recruiters, students, or developers at organisations with no verifiable presence. Requests specifically targeting employees in aerospace, satellite, or defence roles. Profiles created recently with limited connection networks. |
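The first hunt hypothesis above (many accounts, few attempts each, spread out to stay under lockout thresholds, then a success from the same source) can be expressed as a small detector over exported sign-in records. The code below is an added example written for this post, not Hedgehog Security's tooling; it uses the field names of an Entra ID sign-in log export (createdDateTime, userPrincipalName, ipAddress, status.errorCode, where 0 is success and 50126 is invalid credentials), and the window and thresholds are assumptions to tune per tenancy. The sample records are constructed.

```python
"""Hunt for the password-spray shape in Entra ID sign-in logs.

Added illustration for this post, not Hedgehog Security's tooling.
It runs over constructed records that mirror the fields of an Entra ID
sign-in log export (createdDateTime, userPrincipalName, ipAddress,
status.errorCode). Thresholds are assumptions to tune per tenancy.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID status.errorCode values: 0 = success, 50126 = invalid credentials.
SUCCESS = 0
BAD_PASSWORD = 50126


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample. 203.0.113.10 tries twelve accounts once each over
# twelve minutes, then succeeds against one of them; 198.51.100.5 is a
# single user repeatedly mistyping a password and must not be flagged.
SAMPLE_SIGNINS = [
    {"createdDateTime": f"2024-03-04T02:{i:02d}:00Z",
     "userPrincipalName": f"user{i:02d}@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": BAD_PASSWORD}}
    for i in range(12)
] + [
    {"createdDateTime": "2024-03-04T02:40:00Z",
     "userPrincipalName": "user07@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": SUCCESS}},
] + [
    {"createdDateTime": f"2024-03-04T09:{m:02d}:00Z",
     "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.5", "status": {"errorCode": BAD_PASSWORD}}
    for m in range(9)
]


def detect_spray(events, window=timedelta(hours=1), min_accounts=10,
                 max_per_account=3):
    """Return {ip: finding} for source IPs whose failures fit a spray.

    Spray shape: within `window`, failures against at least `min_accounts`
    distinct accounts with no account failing more than `max_per_account`
    times (many accounts, few tries each: the low-and-slow profile that
    stays under lockout thresholds). Any later success from the same IP
    against a sprayed account is recorded as a probable compromise.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ipAddress"]].append(event)

    findings = {}
    for ip, ip_events in by_ip.items():
        ip_events.sort(key=lambda e: parse_time(e["createdDateTime"]))
        failures = [e for e in ip_events
                    if e["status"]["errorCode"] == BAD_PASSWORD]
        # Slide a window anchored on each failure until the shape matches.
        for start, first in enumerate(failures):
            t0 = parse_time(first["createdDateTime"])
            per_account = defaultdict(int)
            for e in failures[start:]:
                if parse_time(e["createdDateTime"]) - t0 > window:
                    break
                per_account[e["userPrincipalName"]] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                hits = sorted({e["userPrincipalName"] for e in ip_events
                               if e["status"]["errorCode"] == SUCCESS
                               and e["userPrincipalName"] in per_account
                               and parse_time(e["createdDateTime"]) >= t0})
                findings[ip] = {"spray_start": first["createdDateTime"],
                                "accounts_targeted": len(per_account),
                                "successes_after_spray": hits}
                break
    return findings
```

A finding with a non-empty successes_after_spray list is the "spray followed by success" case the table calls out and should be treated as a compromised account, not a noisy login; the per-IP grouping will under-count sprays rotated across a large proxy pool, so widening the key to an ASN or the tenancy as a whole is a reasonable second pass.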

Hardening against APT33's current tradecraft.

Enforce MFA Everywhere

Password spraying succeeds only when passwords are the sole authentication factor. Microsoft's data shows MFA blocks 99.99% of automated authentication attacks. Enforce phishing-resistant MFA (FIDO2, Windows Hello for Business) on all externally accessible services, VPN, and cloud platforms. Legacy authentication protocols that cannot support MFA must be disabled — APT33 specifically targets these.

Implement Conditional Access

Deploy conditional access policies that restrict authentication to compliant devices, expected locations, and acceptable risk levels. Block legacy authentication protocols. Require device compliance for access to sensitive resources. These controls directly degrade APT33's ability to use sprayed credentials even when MFA is not available on every service.

Monitor Cloud Activity

Enable and monitor Microsoft Entra ID sign-in and audit logs, Azure activity logs, and Microsoft 365 unified audit logs. Alert on: bulk Graph API queries, new Azure subscription creation, Azure resource provisioning by non-infrastructure accounts, and SAML token anomalies. APT33's cloud-native TTPs are invisible without cloud-layer monitoring.

Protect AD FS Infrastructure

If using AD FS: harden the server, restrict administrative access, monitor for token signing certificate access, and implement detection for Golden SAML indicators. Consider migrating to cloud-native authentication (Entra ID Pass-through Authentication or Password Hash Sync) to eliminate the AD FS attack surface entirely.

Harden Email and Social Engineering Defences

Deploy email gateway filtering that blocks HTA attachments, sandboxes macro-enabled documents, and detects credential harvesting links to lookalike domains. Train employees — especially those in aerospace, defence, and engineering roles — to recognise LinkedIn social engineering and report suspicious connection requests.

Conduct Threat-Informed Hunting

Do not wait for alerts. Proactively hunt for password spray patterns in authentication logs, cloud enumeration activity, anomalous Azure resource creation, and indicators of APT33's known malware families. Hunt regularly — APT33 campaigns are sustained over months, and early detection dramatically reduces impact.

The bottom line.

APT33 is Iran's aerospace and defence specialist — a persistent, evolving threat group that has been stealing intellectual property and strategic intelligence from organisations in these sectors for over a decade. Their operations directly support Iran's military ambitions, compensating for the technology gap that international sanctions create.

The group's evolution from basic spear-phishing to cloud-native operations — password spraying thousands of organisations, leveraging Azure infrastructure for C2, deploying custom malware like Tickler and FalseFont, and conducting Golden SAML attacks — demonstrates a trajectory of increasing capability. Organisations that defended successfully against APT33's 2017 tactics may be unprepared for their 2024 tradecraft.

For organisations in the aerospace, defence, energy, satellite, or military supply chain: APT33 is a specific, documented, and active threat to your intellectual property and strategic data. Their TTPs are catalogued. Their targeting patterns are predictable. Defending against them requires MFA as a baseline, cloud monitoring as a necessity, and threat-informed hunting as an ongoing discipline. The group that stole aerospace technology in 2017 is still operating today — and they are better at it than they have ever been.


Is your organisation resilient to APT33's current tradecraft?

Our penetration testing engagements can model specific nation-state threat actor TTPs — including APT33's password spraying, cloud-based operations, and lateral movement techniques — to test whether your defences hold against the threats you actually face.