Peach Sandstorm

Threat Actor updated 2 months ago (2024-09-18T09:17:54.339Z)

Download STIX

Preview STIX

Peach Sandstorm, also known as Curious Serpens, APT33, Elfin, HOLMIUM, MAGNALIUM, or REFINED KITTEN, is a threat actor linked to the Iranian Islamic Revolutionary Guard Corps (IRGC). Active since at least 2013, this espionage group has primarily targeted aerospace and energy sectors, alongside government agencies, particularly in the United States and the United Arab Emirates. Microsoft has observed Peach Sandstorm's persistent efforts to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector, demonstrating its ongoing interest in organizations within satellite, defense, and pharmaceutical sectors. Throughout 2023 and 2024, Peach Sandstorm has shown consistent advancements in its tradecraft. In addition to FalseFont, the group has deployed a new custom multi-stage backdoor, Tickler, which was used for long-running intelligence gathering operations. The group leveraged Azure infrastructure hosted in fraudulent, attacker-controlled Azure subscriptions for command-and-control (C2). Notably, between February and July 2023, Peach Sandstorm carried out a wave of password spray attacks, attempting to authenticate to thousands of environments, further indicating their intent to improve their tactics, techniques, and procedures (TTPs). In specific incidents, Peach Sandstorm compromised a user account "with minimal access permissions at a county-level government in a swing state" as part of a broader password spray operation in May. Between April and July 2024, the group was observed performing lateral movement via SMB and targeting sectors such as government, defense, satellite, oil, and gas in the U.S. and UAE using the Tickler backdoor. These activities underscore Peach Sandstorm's persistent threat to global security and the need for robust cybersecurity measures against such advanced persistent threats.

Description last updated: 2024-09-18T09:16:09.471Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT33 is a possible alias for Peach Sandstorm. APT33, also known as Peach Sandstorm, is an Iran-linked threat actor associated with the Iranian Islamic Revolutionary Guard Corps (IRGC). This group has targeted communication equipment, government agencies, and the oil-and-gas industry in the United Arab Emirates and the United States, primarily f	6
Refined Kitten is a possible alias for Peach Sandstorm. Refined Kitten, also known as APT33, Peach Sandstorm, Elfin, HOLMIUM, and MAGNALIUM, is a threat actor that has been active since at least 2013. This group is linked to Iran and specializes in cyberespionage, targeting sectors such as government, defense, satellite, oil, and gas primarily in the U.S	5
HOLMIUM is a possible alias for Peach Sandstorm. Holmium, also known as Curious Serpens, Peach Sandstorm, APT33, Elfin, MAGNALIUM, or REFINED KITTEN, is a threat actor that has been active since 2013. This group is responsible for executing malicious activities with the intent of breaching security and conducting cyber espionage. The group is link	5
Elfin is a possible alias for Peach Sandstorm. Elfin, also known as APT33, Peach Sandstorm, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor group that has been active since at least 2013. This group has been associated with numerous cyber-espionage activities targeting various sectors including government, defense, satellite, oil, and	3
Magic Hound is a possible alias for Peach Sandstorm. Magic Hound, also known as APT33, Peach Sandstorm, Holmium, Elfin, and Refined Kitten, is an Iranian cyber-espionage group that poses a significant threat to various sectors worldwide. This threat actor has been involved in multiple malicious campaigns, leveraging different types of sophisticated ma	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Microsoft

Backdoor

Iran

Azure

Confluence

Exploit

Manageengine

Lateral Move...

Malware

Remote Code ...

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Pegasus Malware is associated with Peach Sandstorm. Pegasus is a highly controversial and sophisticated malware, developed by Israel's NSO Group, designed to covertly monitor and extract data from iOS and Android smartphones. Once installed, Pegasus can intercept messages, emails, media, and passwords, and track location data, all while evading detec	Unspecified	2
The Falsefont Malware is associated with Peach Sandstorm. FalseFont is a new type of malware developed and used by the Iranian nation-state actor Peach Sandstorm, as observed by Microsoft. The custom backdoor malware, unveiled by Microsoft, provides its operators remote access to compromised systems, allowing for file execution and transfer to its command-	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2022-26134 Vulnerability is associated with Peach Sandstorm. CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th	has used	3
The CVE-2022-47966 Vulnerability is associated with Peach Sandstorm. CVE-2022-47966 is a critical vulnerability discovered in Zoho ManageEngine ServiceDesk Plus, a widely used IT management software. The flaw was exploited by malicious actors to gain unauthorized access to the organization's systems and networks. The exploitation started just five days after proof-of	has used	3

Source Document References

Information about the Peach Sandstorm Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	2 months ago	As Geopolitical Tensions Mount, Iran's Cyber Operations Grow
Securityaffairs	3 months ago	Security Affairs newsletter Round 487 by Pierluigi Paganini – INTERNATIONAL EDITION
InfoSecurity-magazine	3 months ago	Iranian Hackers Secretly Aid Ransomware Attacks on US
Securityaffairs	3 months ago	Iran-linked APT33 adds new Tickler malware to its arsenal
InfoSecurity-magazine	3 months ago	Microsoft Reveals Iranian US Election Interference Ops
CERT-EU	a year ago	Microsoft: Hackers target defense firms with new FalseFont malware
Unit42	8 months ago	Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention
CERT-EU	a year ago	Les dernières cyberattaques (2 janvier 2024) • Cybersécurité OSINT
CERT-EU	a year ago	First American cyberattack, Iran APT33, ransomware victim spike \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	Iran's APT33 targets US defense contractors with novel malware
CERT-EU	a year ago	Iran-linked APT33 targets Defense Industrial Base sector with FalseFont backdoor
Securityaffairs	a year ago	APT33 targets Defense Industrial Base sector with FalseFont
CERT-EU	a year ago	Iranian cyberspies target US defense orgs with new backdoor
BankInfoSecurity	a year ago	Iranian Hackers Peach Sandstorm Are Delivering New Backdoor
CERT-EU	a year ago	Cyber Security Week In Review: December 22, 2023
CERT-EU	a year ago	Iranian Hackers Targeting US Defense Industrial Base Entities With New Backdoor
DARKReading	a year ago	Iran's 'Peach Sandstorm' Cyberattackers Target Global Defense Network
CERT-EU	a year ago	New security features in Windows 11 protect users and empower IT teams \| Microsoft Security Blog
CERT-EU	a year ago	SprySocks, Lazarus, Fortinet, Juniper, CISA, AI Art, More News, & Jason Wood – SWN #326
CERT-EU	a year ago	Iranian Hackers Attack Thousands of Organizations Using Password Spraying \| IT Security News