Peach Sandstorm

Threat Actor Profile Updated 3 months ago
Peach Sandstorm, also known as Curious Serpens, APT33, Elfin, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor group believed to be linked to the Iranian nation-state. The group has been active since at least 2013 and has previously targeted sectors such as aerospace and energy for espionage purposes. Since February 2023, Microsoft has observed password spraying activity by Peach Sandstorm against thousands of organizations. Password spraying is a type of cyber attack in which the attacker tries a few commonly used passwords against a large number of accounts. Once authenticated to an account, Peach Sandstorm actors have used both publicly available and custom tools to search for information of interest, maintain persistence, and move laterally within networks. This activity suggests that Peach Sandstorm is now focusing its efforts on organizations in the satellite, defense, and pharmaceutical sectors globally. In early November, Microsoft's Threat Intelligence team first observed Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working in the Defense Industrial Base (DIB) sector. The use of the FalseFont backdoor is consistent with Peach Sandstorm's activity over the past year and indicates that the group continues to refine its tradecraft. The group's persistent and evolving tactics underscore the importance of robust cybersecurity measures, particularly for high-value targets in sensitive industries.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
HOLMIUM | 5 | Holmium, also known as Curious Serpens, Peach Sandstorm, APT33, Elfin, Magnallium, and Refined Kitten, is a threat actor that has been active since at least 2013. This group has been identified as having malicious intent and is often associated with cyber-espionage activities. They are believed to b
APT33 | 5 | APT33, an Iran-linked threat actor, has been identified as a significant cyber threat to the Defense Industrial Base sector. The group is known for its sophisticated and malicious activities, which primarily involve executing actions with harmful intent. APT33, like other threat actors, could be a s
Refined Kitten | 4 | Refined Kitten, also known as APT33, Peach Sandstorm, Elfin, HOLMIUM, and MAGNALIUM, is a threat actor group that has been active since at least 2013. Operating under various aliases, this group has been linked to several cyber espionage activities, primarily associated with the Iranian government.
Elfin | 3 | Elfin, also known by various names including Curious Serpens, Peach Sandstorm, APT33, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a significant threat actor with a track record of malicious cyber activities dating back to at least 2013. The group has been particularly active from 2016 to 2019, target
Magic Hound | 2 | Magic Hound, also known as APT33, Peach Sandstorm, and Holmium, is a threat actor attributed to Iranian nation-state actors. This group has been observed conducting malicious cyber activities with the primary aim of espionage. Over the years, Magic Hound has targeted various sectors worldwide, notab
Curious Serpens | 1 | Curious Serpens, also known by various other names such as Peach Sandstorm, APT33, Elfin, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor believed to be affiliated with Iran. This group has been active since at least 2013, engaging in cyber espionage activities primarily against the aerosp
Magnalium | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Backdoor
Exploit
Manageengine
Iran
Confluence
Azure
Lateral Move...
Remote Code ...
Malware
Spyware
Known Exploi...
Ransom
Telegram
Github
Chrome
Ddos
Phishing
RCE (Remote ...
Espionage
Apt
Android
Linux
Ransomware
Kubernetes
Windows
Zero Day
Firefox
Acrobat
Cybercrime
Associated Malware
ID | Type | Votes | Profile Description
Pegasus | Unspecified | 2 | Pegasus is a highly sophisticated malware developed by the NSO Group, known for its advanced and invasive capabilities. It is classified as mercenary spyware, often used by governments to target individuals such as journalists, political activists, and others of interest. Pegasus is particularly not
3am | Unspecified | 1 | 3AM is a new and sophisticated ransomware family that has recently emerged in the cyber threat landscape. The malware, known for its malicious intent to exploit and damage computer systems, operates by infiltrating the target infrastructure through suspicious downloads, emails, or websites. Once ins
TrickBot | Unspecified | 1 | TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Hijackloader | Unspecified | 1 | HijackLoader is a new type of malware that has been rapidly gaining popularity within the cybercrime community. As with other types of malicious software, it is designed to exploit and damage computer systems. It can infiltrate these systems through suspicious downloads, emails, or websites, often u
Shamoon | Unspecified | 1 | Shamoon is a malicious software (malware) known for its destructive capabilities, particularly in wiping out data from infected systems. It first gained notoriety in 2012 when it was used in an attack on Saudi Aramco, crippling approximately 30,000 systems at the company. The malware replaced the co
Shapeshift | Unspecified | 1 | Shapeshift is a sophisticated malware associated with other malicious software including DROPSHIFT, TURNEDUP, NANOCORE, NETWIRE, and ALFA Shell. This malware has been linked to APT33 (also known as Elfin or Refined Kitten), an Iranian hacking group notorious for its spear-phishing attacks against th
Rhysida Ransomware | Unspecified | 1 | Rhysida ransomware is a type of malicious software that has been causing significant disruptions worldwide. The malware, which infiltrates systems via suspicious downloads, emails, or websites, is designed to exploit and damage computers or devices. Once inside, it can steal personal information, di
Lockbit | Unspecified | 1 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Associated Threat Actors
ID | Type | Votes | Profile Description
Anonymous Sudan | Unspecified | 1 | Anonymous Sudan, a threat actor group known for its malicious cyber activities, has recently been the subject of increased attention in the cybersecurity industry. This entity, which could consist of a single individual, a private company, or part of a government organization, is responsible for exe
Charming Kitten | Unspecified | 1 | Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou
Rhysida | Unspecified | 1 | Rhysida, a threat actor known for executing malicious cyber activities, has been responsible for numerous ransomware attacks. The group has primarily targeted businesses and healthcare organizations, with notable instances including a disruptive attack on Ann & Robert H. Lurie Children's Hospital of
Redfly | Unspecified | 1 | RedFly, a threat actor group known for its malicious activities, has emerged as a significant cybersecurity concern. The group's operations are characterized by their strategic execution and targeted focus, often resulting in substantial security breaches. Threat actors like RedFly pose a significan
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2022-47966 | has used | 3 | CVE-2022-47966 is a critical vulnerability discovered in Zoho ManageEngine ServiceDesk Plus, a widely used IT management software. The flaw was exploited by malicious actors to gain unauthorized access to the organization's systems and networks. The exploitation started just five days after proof-of
CVE-2022-26134 | has used | 3 | CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th
Apt33 Elfin Refined Kitten | Unspecified | 1 | None
CVE-2017-11774 | Unspecified | 1 | None
Repojacking | Unspecified | 1 | Repojacking is a software vulnerability that specifically targets repositories on platforms such as GitHub. This flaw in software design or implementation can lead to unauthorized access and manipulation of repositories, potentially leading to data breaches, codebase corruption, or dissemination of
Source Document References
Information about the Peach Sandstorm threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Unit42 | 4 months ago | Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention
CERT-EU | 7 months ago | The latest cyberattacks (2 January 2024) • Cybersécurité OSINT
CERT-EU | 7 months ago | First American cyberattack, Iran APT33, ransomware victim spike | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 7 months ago | Iran's APT33 targets US defense contractors with novel malware
CERT-EU | 7 months ago | Iran-linked APT33 targets Defense Industrial Base sector with FalseFont backdoor
Securityaffairs | 7 months ago | APT33 targets Defense Industrial Base sector with FalseFont
CERT-EU | 7 months ago | Iranian cyberspies target US defense orgs with new backdoor
BankInfoSecurity | 7 months ago | Iranian Hackers Peach Sandstorm Are Delivering New Backdoor
CERT-EU | 7 months ago | Cyber Security Week In Review: December 22, 2023
CERT-EU | 7 months ago | Iranian Hackers Targeting US Defense Industrial Base Entities With New Backdoor
DARKReading | 7 months ago | Iran's 'Peach Sandstorm' Cyberattackers Target Global Defense Network
CERT-EU | 10 months ago | New security features in Windows 11 protect users and empower IT teams | Microsoft Security Blog
CERT-EU | 10 months ago | SprySocks, Lazarus, Fortinet, Juniper, CISA, AI Art, More News, & Jason Wood – SWN #326
CERT-EU | 10 months ago | Iranian Hackers Attack Thousands of Organizations Using Password Spraying | IT Security News
CERT-EU | 10 months ago | Microsoft: Iranian espionage campaign targeted satellite and defense sectors
CERT-EU | 10 months ago | Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets - Cyber Security Review
Securityaffairs | 10 months ago | Security Affairs newsletter Round 437 by Pierluigi Paganini
Securityaffairs | 10 months ago | Iranian Peach Sandstorm group behind recent password spray attacks - Security Affairs
DARKReading | 10 months ago | Microsoft: 'Peach Sandstorm' Cyberattacks Target Defense, Pharmaceutical Orgs
CERT-EU | 10 months ago | Cyber Security Today, Sept. 13, 2023 – Warning: This group specializes in SMS texting scams | IT World Canada News