APT33

Threat Actor updated 10 days ago (2024-08-29T11:18:03.429Z)

Download STIX

Preview STIX

APT33, an Iran-linked threat actor also known as Peach Sandstorm, Holmium, Elfin, Refined Kitten, and Magic Hound, has been involved in a series of cyber espionage activities targeting various sectors. The group's primary targets include the government, defense, satellite, oil, and gas sectors in the U.S. and UAE. APT33 has developed and deployed a new custom multi-stage backdoor malware named Tickler to compromise these organizations, demonstrating the group's evolving capabilities and persistent threat. In a recent campaign, APT33 utilized the FalseFont backdoor to target the Defense Industrial Base sector. Microsoft researchers have observed the group creating Azure tenants using Microsoft Outlook email accounts and setting up Azure for Students subscriptions within these tenants. This new strategy underlines the sophisticated tactics employed by APT33 and its continuous efforts to infiltrate high-value targets globally. Starting from February 2023, APT33 launched an extensive password spray attack campaign that affected thousands of organizations worldwide, including those in the defense sector. Microsoft issued a warning in September about this coordinated effort by APT33. To mitigate the risks associated with these attacks, network defenders are advised to reset credentials for targeted accounts, thereby reducing the attack surface exploited by APT33 hackers.

Description last updated: 2024-08-29T11:15:54.250Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
HOLMIUM	5	Holmium, also known as Curious Serpens, Peach Sandstorm, APT33, Elfin, MAGNALIUM, or REFINED KITTEN, is a threat actor that has been active since 2013. This group is responsible for executing malicious activities with the intent of breaching security and conducting cyber espionage. The group is link
Peach Sandstorm	5	Peach Sandstorm, also known as Curious Serpens, APT33, Elfin, HOLMIUM, MAGNALIUM, and Refined Kitten, is a threat actor that has been active since 2013. This Iran-linked cyberespionage group has targeted various sectors, including aerospace, energy, government, defense, satellite, oil, and gas. It h
Refined Kitten	4	Refined Kitten, also known as APT33, Peach Sandstorm, Elfin, HOLMIUM, and MAGNALIUM, is a threat actor that has been active since at least 2013. This group is linked to Iran and specializes in cyberespionage, targeting sectors such as government, defense, satellite, oil, and gas primarily in the U.S
Elfin	3	Elfin, also known as APT33, Peach Sandstorm, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor group that has been active since at least 2013. This group has been associated with numerous cyber-espionage activities targeting various sectors including government, defense, satellite, oil, and
Magic Hound	2	Magic Hound, also known as APT33, Peach Sandstorm, Holmium, Elfin, and Refined Kitten, is an Iranian cyber-espionage group that poses a significant threat to various sectors worldwide. This threat actor has been involved in multiple malicious campaigns, leveraging different types of sophisticated ma

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Microsoft

Confluence

Exploit

Iran

Backdoor

Outlook

Espionage

Azure

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

ID	Type	Votes	Profile Description
Falsefont	Unspecified	2	FalseFont is a malicious software (malware) developed and used by the Iranian nation-state actor Peach Sandstorm, which has been targeting organizations in the Defense Industrial Base (DIB) sector. This malware allows its operators to gain remote access to compromised systems, execute files, and tra

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

ID	Type	Votes	Profile Description
Lazarus Group	Unspecified	2	The Lazarus Group, a notorious threat actor associated with North Korea, has been implicated in several high-profile cyber attacks and exploitation activities. The group's objective often involves establishing a kernel read/write primitive, which allows them to gain high-level access to systems and
APT34	Unspecified	2	APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

ID	Type	Votes	Profile Description
CVE-2017-11774	Unspecified	2	None

Source Document References

Information about the APT33 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Checkpoint	5 days ago	2nd September – Threat Intelligence Report - Check Point Research
Securityaffairs	6 days ago	Security Affairs newsletter Round 487 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	10 days ago	Iran-linked APT33 adds new Tickler malware to its arsenal
Securityaffairs	a month ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	a month ago	security-affairs-malware-newsletter-round-5
CERT-EU	9 months ago	Microsoft: Hackers target defense firms with new FalseFont malware
Securityaffairs	2 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	2 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	2 months ago	Security Affairs Malware Newsletter - Round 2
Securityaffairs	2 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	2 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	3 months ago	Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	3 months ago	Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	3 months ago	Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	4 months ago	Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	4 months ago	Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs	5 months ago	Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs	5 months ago	Security Affairs newsletter Round 464 by Pierluigi Paganini