Peach Sandstorm

Threat Actor updated a month ago (2024-11-29T13:39:27.211Z)
Peach Sandstorm, also known as Curious Serpens, APT33, Elfin, HOLMIUM, MAGNALIUM, or REFINED KITTEN, is a threat actor linked to the Iranian Islamic Revolutionary Guard Corps (IRGC). Active since at least 2013, this espionage group has primarily targeted the aerospace and energy sectors, along with government agencies, particularly in the United States and the United Arab Emirates. Microsoft has observed Peach Sandstorm's persistent efforts to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector, demonstrating its ongoing interest in organizations in the satellite, defense, and pharmaceutical sectors. Throughout 2023 and 2024, Peach Sandstorm has steadily advanced its tradecraft. In addition to FalseFont, the group has deployed a new custom multi-stage backdoor, Tickler, which was used for long-running intelligence-gathering operations; its command-and-control (C2) infrastructure was hosted in fraudulent, attacker-controlled Azure subscriptions. Notably, between February and July 2023, Peach Sandstorm carried out a wave of password spray attacks, attempting to authenticate to thousands of environments, further indicating its intent to improve its tactics, techniques, and procedures (TTPs). In specific incidents, Peach Sandstorm compromised a user account "with minimal access permissions at a county-level government in a swing state" as part of a broader password spray operation in May. Between April and July 2024, the group was observed performing lateral movement via SMB and targeting the government, defense, satellite, oil, and gas sectors in the U.S. and UAE using the Tickler backdoor. These activities underscore Peach Sandstorm's persistent threat to global security and the need for robust defensive measures against such advanced persistent threats.
Description last updated: 2024-09-18T09:16:09.471Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Alias (votes): description
APT33 (6 votes): APT33 is a possible alias for Peach Sandstorm. APT33, also known as Peach Sandstorm, is an Iran-linked threat actor associated with the Iranian Islamic Revolutionary Guard Corps (IRGC). This group has targeted communication equipment, government agencies, and the oil-and-gas industry in the United Arab Emirates and the United States, primarily f
Refined Kitten (5 votes): Refined Kitten is a possible alias for Peach Sandstorm. Refined Kitten, also known as APT33, Peach Sandstorm, Elfin, HOLMIUM, and MAGNALIUM, is a threat actor that has been active since at least 2013. This group is linked to Iran and specializes in cyberespionage, targeting sectors such as government, defense, satellite, oil, and gas primarily in the U.S
HOLMIUM (5 votes): HOLMIUM is a possible alias for Peach Sandstorm. Holmium, also known as Curious Serpens, Peach Sandstorm, APT33, Elfin, MAGNALIUM, or REFINED KITTEN, is a threat actor that has been active since 2013. This group is responsible for executing malicious activities with the intent of breaching security and conducting cyber espionage. The group is link
Elfin (3 votes): Elfin is a possible alias for Peach Sandstorm. Elfin, also known as APT33, Peach Sandstorm, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor group that has been active since at least 2013. This group has been associated with numerous cyber-espionage activities targeting various sectors including government, defense, satellite, oil, and
Magic Hound (2 votes): Magic Hound is a possible alias for Peach Sandstorm. Magic Hound, also known as APT33, Peach Sandstorm, Holmium, Elfin, and Refined Kitten, is an Iranian cyber-espionage group that poses a significant threat to various sectors worldwide. This threat actor has been involved in multiple malicious campaigns, leveraging different types of sophisticated ma
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft, Backdoor, Iran, Azure, Confluence, Exploit, Manageengine, Lateral Move..., Malware, Remote Code ...
Associated Malware
Alias (association type; votes): description
Pegasus (Unspecified; 2 votes): The Pegasus Malware is associated with Peach Sandstorm. Pegasus is a highly controversial and sophisticated malware, developed by Israel's NSO Group, designed to covertly monitor and extract data from iOS and Android smartphones. Once installed, Pegasus can intercept messages, emails, media, and passwords, and track location data, all while evading detec
FalseFont (Unspecified; 2 votes): The Falsefont Malware is associated with Peach Sandstorm. FalseFont is a new type of malware developed and used by the Iranian nation-state actor Peach Sandstorm, as observed by Microsoft. The custom backdoor malware, unveiled by Microsoft, provides its operators remote access to compromised systems, allowing for file execution and transfer to its command-
Associated Vulnerabilities
Alias (association type; votes): description
CVE-2022-26134 (has used; 3 votes): The CVE-2022-26134 Vulnerability is associated with Peach Sandstorm. CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th
CVE-2022-47966 (has used; 3 votes): The CVE-2022-47966 Vulnerability is associated with Peach Sandstorm. CVE-2022-47966 is a critical vulnerability discovered in Zoho ManageEngine ServiceDesk Plus, a widely used IT management software. The flaw was exploited by malicious actors to gain unauthorized access to the organization's systems and networks. The exploitation started just five days after proof-of