INTELLIGENCE REPORT – APT33

TLP:CLEAR | CTI Analysts | Updated: March 2026


1. IDENTIFICATION & ATTRIBUTION

Naming (known aliases by vendor)

The group is tracked under the following names across vendors: APT33 (Mandiant/FireEye, reference designation), Elfin / Elfin Team (Broadcom/Symantec), Refined Kitten (CrowdStrike), Peach Sandstorm (Microsoft, formerly HOLMIUM), MAGNALLIUM (Dragos), COBALT TRINITY (SecureWorks), ATK35, TA451, G0064 (MITRE ATT&CK) (1)(2)(3)(4).

Origin

Iran.

Presumed sponsor

The group is assessed to operate on behalf of the Iranian government, with a probable affiliation to the Islamic Revolutionary Guard Corps (IRGC) (1)(2). Attribution rests on multiple converging lines of evidence: Farsi language artifacts in custom malware (DropShot, ShapeShift), operational activity patterns aligned with Iran Standard Time (IRST), and documented inactivity during the Iranian weekend (Thursday afternoon and Friday) (8)(12). The handle xman_1365_x, identified in PDB paths of the TurnedUp backdoor, has been linked to the Iranian Nasr Institute, itself associated with the Iranian Cyber Army (8).

Sophistication level

High and continuously improving. The group evolved from campaigns relying on basic spearphishing and commodity malware toward cloud-native operations combining large-scale password spraying, fraudulent Azure C2 infrastructure, and custom backdoors (Tickler, FalseFont). This evolution has been described as materially more sophisticated compared to earlier capabilities (5)(12).

Motivation

Strategic espionage — collection of technical intelligence and intellectual property in the aerospace, defense, and energy sectors. Documented latent destructive capability via links to the ShapeShift wiper and Shamoon attacks (1)(4).

Targeted sectors

Aerospace, defense, Defense Industrial Base (DIB), satellite/space, energy (oil, gas, petrochemicals), government, education (leveraged as access infrastructure), pharmaceutical (2)(3)(5).

Geographic scope

United States (primary target), Saudi Arabia, South Korea, United Arab Emirates, United Kingdom, Belgium, Australia (2)(3)(5).


2. INFRASTRUCTURE & TTPs

C2 infrastructure

Between April and July 2024, the group leveraged Microsoft Azure infrastructure hosted in fraudulent, attacker-controlled Azure subscriptions for command-and-control (5). Subscriptions were created using Outlook accounts and compromised education sector accounts with Azure for Students entitlements (5)(10). This approach conceals malicious traffic within legitimate corporate cloud activity, making attribution and detection difficult (4). Historically, the group has also used Iranian hosting providers and commodity RATs for lower-priority operations (1)(2).

MITRE ATT&CK TTP Table

Phase | Technique | ATT&CK ID
Initial Access | Spearphishing Attachment (HTA, archives) | T1566.001
Initial Access | Spearphishing Link | T1566.002
Initial Access | Password Spraying (user-agent: go-http-client) | T1110.003
Initial Access | Social Engineering via LinkedIn (fake profiles) | T1566.003
Execution | User Execution — malicious HTA / archive | T1204.002
Execution | Exploitation CVE-2017-11774 (Outlook Home Page) | T1203
Execution | Exploitation CVE-2018-20250 (WinRAR) | T1203
Persistence | Registry Run Keys (SharePoint.exe / Tickler) | T1547.001
Persistence | Scheduled Tasks | T1053.005
Defense Evasion | DLL Sideloading (legitimate signed binaries) | T1574.001
Defense Evasion | PEB Traversal (API hook bypass) | T1027
Defense Evasion | Masquerading (.pdf.exe, ZIP lure archives) | T1036
Credential Access | Password Spraying (massive scale) | T1110.003
Credential Access | Credential Dumping (LSASS, Mimikatz, procdump) | T1003.001
Credential Access | Golden SAML (AD FS private key theft) | T1606.002
Discovery | AD Explorer (Active Directory snapshots) | T1087.002
Discovery | AzureHound / Roadtools (Entra ID cloud enumeration) | T1538
Lateral Movement | SMB (Server Message Block) | T1021.002
Collection | Data from Cloud Storage | T1530
Command & Control | Fraudulent Azure infrastructure | T1583.006
Command & Control | Legitimate RMM tools (AnyDesk) | T1219
Command & Control | HTTP C2 over non-standard ports (808, 880) | T1071.001
Impact | Disk Wipe (ShapeShift — latent capability) | T1561.001

Sources: (1)(2)(3)(4)(5)(6)(9)(10)


3. MALWARE & TOOLING

Tickler

  • Name: Tickler
  • Type: Custom multi-stage backdoor
  • Function: First sample — collects network information from the host and sends it to the C2 server via an HTTP POST request while launching a decoy PDF document. Second sample — Trojan dropper functionality to download payloads from the C2 server, including a backdoor, a batch script for persistence, and legitimate files used for DLL sideloading (5).
  • C2 channel / technical specifics: Fraudulent Azure infrastructure, non-standard HTTP ports (808, 880). PEB traversal technique to bypass API hooks. Distributed in ZIP archives disguised as PDF documents (5)(10).
  • Identifying campaign: Peach Sandstorm campaign, April–July 2024 (5)(6).

FalseFont

  • Name: FalseFont
  • Type: Custom backdoor
  • Function: Provides operators with remote access to compromised systems, file execution, and file transfer to C2 servers. First observed in the wild around early November 2023 (13).
  • C2 channel: HTTPS.
  • Identifying campaign: Campaigns targeting the Defense Industrial Base (DIB), November 2023 (6)(13).

TurnedUp (TURNEDUP)

  • Name: TurnedUp
  • Type: Custom backdoor
  • Function: Backdoor for data exfiltration and surveillance. Key attribution artifact: handle xman_1365_x found in PDB paths of samples (8).
  • C2 channel: HTTP/HTTPS.
  • Identifying campaign: 2013–2019 campaigns (1)(8).

DropShot (DROPSHOT)

  • Name: DropShot
  • Type: Dropper
  • Function: Signature dropper of the group, linked to the ShapeShift wiper. Contains Farsi language artifacts. The only documented group observed using DropShot (1)(3).
  • C2 channel: HTTP.
  • Identifying campaign: Documented from 2017 onward (1)(4).

ShapeShift (SHAPESHIFT)

  • Name: ShapeShift
  • Type: Destructive wiper
  • Function: Wiper linked to the Shamoon 2016 attacks. Contains Farsi artifacts. Capability for data and critical infrastructure destruction. Assessed as latent and pre-positioned (3)(4).
  • C2 channel: None (autonomous destructive payload).
  • Identifying campaign: Linked to 2016–2018 campaigns (1)(4).

ALMA Backdoor

  • Name: ALMA
  • Type: PowerShell-based implant
  • Function: Implant introduced in 2024, targeting defense contractors and logistics firms. Oriented toward espionage and credential exfiltration (2).
  • Identifying campaign: 2024, North America and Gulf region (2).

Third-party tools used

  • PoshC2, PowerShell Empire: open-source C2 frameworks (1)
  • Remcos, DarkComet, QuasarRAT, PupyRAT: commodity RATs for non-critical operations (4)(10)
  • AzureHound, Roadtools: Entra ID / Azure Resource Manager cloud enumeration (5)
  • AnyDesk: legitimate RMM tool for persistence (5)
  • AD Explorer (Sysinternals): Active Directory snapshots (5)
  • Mimikatz, procdump: credential dumping (4)(10)
  • Ruler: Outlook Home Page exploitation (1)

4. CAMPAIGN HISTORY

Period | Campaign | Targets | Vector | Tooling
2013–2016 | Initial espionage operations | Aerospace, defense, energy — USA, Saudi Arabia, South Korea | Spearphishing HTA, job lures | TurnedUp, DropShot, commodity RATs (1)
2016–2018 | Presumed destructive campaigns | Energy infrastructure, Saudi oil sector | Spearphishing | DropShot, ShapeShift (presumed Shamoon link) (1)(4)
2018–2019 | WinRAR / Outlook exploitation | Organizations in USA, Middle East, Europe | CVE-2018-20250, CVE-2017-11774 exploitation | DropShot, commodity RATs (7)
Feb. 2023 – 2024 | Massive global password spray | Defense, satellite, pharmaceutical, government, education | Password spraying (go-http-client) | Valid credentials, RMM tools (3)(5)
Nov. 2023 | FalseFont — DIB campaign | Global Defense Industrial Base | Spearphishing, password spray | FalseFont backdoor (6)(13)
Apr.–Jul. 2024 | Tickler — Azure C2 campaign | Government, defense, space, oil/gas — USA, UAE | Password spray + LinkedIn social engineering | Tickler, fraudulent Azure, AzureHound, AD Explorer, SMB (5)(10)
2024 | ALMA deployment | Defense contractors, logistics — North America, Gulf | Phishing, credential harvesting | ALMA PowerShell implant (2)
2025 | Energy sector reconnaissance | Energy companies, oilfield services | Phishing, credential harvesting | ICS/SCADA reconnaissance (2)

5. INDICATORS OF COMPROMISE (IOCs)

⚠️ Expiration warning: The IOCs listed below are sourced from public reporting dated 2017–2025. They have a limited validity period. Any use in a blocking or detection context must be preceded by a freshness verification against real-time CTI platforms. Do not use as a blocking basis without prior validation.

Characteristic network patterns

  • Distinctive user-agent in password spraying campaigns: go-http-client (3)(5)
  • HTTP C2 traffic over non-standard ports: 808 and 880 (4)(10)
  • Connections toward Microsoft Azure infrastructure from unusual or recently created tenants (5)
  • High-volume FTP traffic (historical exfiltration indicator) (4)
  • HTTP POST requests toward Azure URIs hosting Tickler payloads (5)

Historical domains (public sources)

Domains impersonating legitimate aerospace entities registered during 2016–2019 campaigns: Boeing, Alsalam Aircraft Company, Northrop Grumman, Vinnell. Infrastructure is regularly rotated (8). Refer to real-time IOC feeds listed below.

Documented public hashes

Hashes associated with Tickler (July 2024), FalseFont (November 2023), TurnedUp, and DropShot are available in sources (1)(5)(6)(13). Not reproduced in this report due to rapid expiration.

Abnormal User-Agents observed

  • go-http-client — identifying marker for password spraying campaigns since February 2023 (3)(5)

Recommended real-time IOC sources

  • MITRE ATT&CK — APT33 (G0064) (9)
  • Malpedia — APT33 actor card (1)
  • Microsoft Security Blog — Peach Sandstorm (5)(13)
  • Mandiant / Google Cloud Threat Intelligence (1)
  • Anvilogic Threat Reports (10)

6. DETECTION & COUNTERMEASURES

Priority technique 1 — Password Spraying (T1110.003)

Detection logic (SIEM/IdP):

ALERT IF :
  auth.failed_attempts > 5
  AND auth.target_accounts > 50
  AND auth.timeframe < 3600s
  AND auth.user_agent == "go-http-client"
  AND auth.source_ip NOT IN known_corp_ranges

Recommended tools: Azure AD / Entra ID authentication log monitoring, alerting on go-http-client user-agent, Microsoft Entra ID Protection, mandatory phishing-resistant MFA (3)(5).
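The rule above, applied to sign-in telemetry, as an added example written for this report (it is not code from the report or from any vendor product). The event field names (ts, user, result, user_agent, source_ip), the corporate egress ranges and the sample events are assumptions; the thresholds default to the values in the rule.

```python
"""Password-spray detection over constructed sign-in events.

Added example for this report; not code from the report or from any
vendor product. Event field names, corporate ranges and sample events
are assumptions for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed corporate egress ranges (an RFC 1918 block and a documentation prefix).
CORP_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("203.0.113.0/24")]


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_RANGES)


def detect_password_spray(events, max_failures=5, min_accounts=50,
                          window=timedelta(seconds=3600),
                          ua_marker="go-http-client"):
    """Apply the report's rule: a non-corporate source IP that, inside one
    window, produces more than max_failures failed sign-ins against more
    than min_accounts distinct accounts with the go-http-client user agent.

    Returns one alert per offending source IP, recorded at the moment the
    thresholds were first crossed (the way a streaming SIEM rule fires).
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] != "failure":
            continue
        if ua_marker not in e["user_agent"].lower():   # matches "Go-http-client/1.1"
            continue
        if is_corporate(e["source_ip"]):
            continue
        by_ip[e["source_ip"]].append(e)

    alerts = []
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end, current in enumerate(fails):
            # Advance the window start so fails[start:end+1] lies strictly inside `window`.
            while current["ts"] - fails[start]["ts"] >= window:
                start += 1
            chunk = fails[start:end + 1]
            accounts = {e["user"] for e in chunk}
            if len(chunk) > max_failures and len(accounts) > min_accounts:
                alerts.append({
                    "source_ip": ip,
                    "failures_in_window": len(chunk),
                    "accounts_in_window": len(accounts),
                    "triggered_at": current["ts"],
                })
                break   # one alert per source IP
    return alerts


def constructed_events():
    """Constructed sample: one spray source outside corporate ranges, the
    same tool from a corporate range, and a real user mistyping a password."""
    t0 = datetime(2024, 6, 1, 2, 0, 0)
    events = []
    for ip in ("198.51.100.7", "203.0.113.9"):
        for i in range(60):          # 60 distinct accounts, one failure each, 20 s apart
            events.append({"ts": t0 + timedelta(seconds=20 * i),
                           "user": f"user{i:03d}@example.test",
                           "result": "failure",
                           "user_agent": "Go-http-client/1.1",
                           "source_ip": ip})
    for i in range(6):               # benign repeated failures, browser user agent
        events.append({"ts": t0 + timedelta(seconds=60 * i),
                       "user": "alice@example.test", "result": "failure",
                       "user_agent": "Mozilla/5.0", "source_ip": "198.51.100.20"})
    return events


if __name__ == "__main__":
    for alert in detect_password_spray(constructed_events()):
        print(alert)
```

The user-agent match is a case-insensitive substring test because Go's default client identifies itself as "Go-http-client/1.1"; an exact string comparison on "go-http-client" would miss it. Only the first of the two spray sources alerts: the second is excluded by the source-IP clause, and the single user with six browser failures never reaches the distinct-account threshold.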

Priority technique 2 — Azure infrastructure abuse / Cloud Supply Chain (T1583.006)

Detection logic (CASB / Cloud Security):

ALERT IF :
  azure.subscription.created_by IN [education_sector_accounts]
  AND azure.tenant.age < 30d
  AND azure.resource.outbound_connections > threshold
  AND azure.subscription.type == "Azure for Students"

Recommended tools: Microsoft Defender for Cloud Apps, audit of Azure tenants created from education sector accounts, monitoring of Azure for Students subscriptions with high network activity (4)(5)(10).

Priority technique 3 — DLL Sideloading via signed binaries (T1574.001)

Detection logic (EDR):

ALERT IF :
  process.name IN ["SharePoint.exe", "known_signed_binary"]
  AND dll.loaded NOT IN [expected_dll_whitelist]
  AND dll.path NOT IN [system_directories]
  AND process.parent IS NOT [legitimate_installer]

Recommended tools: EDR with DLL integrity monitoring, audit of Registry Run key entries associated with signed Microsoft binaries (4)(10).
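The sideloading rule above, applied to image-load telemetry, as an added example written for this report (not code from the report or from any EDR vendor). The event fields (process, dll_path, parent), the watched binary list, the per-process expected DLL paths, the installer names and the sample events are assumptions; SharePoint.exe is the host named in the report.

```python
"""DLL-sideloading detection over constructed image-load events.

Added example for this report; not code from the report or any EDR vendor.
Event fields, watched binaries, expected DLL paths and installer names are
assumptions for the illustration.
"""
from pathlib import PureWindowsPath


def norm(path: str) -> str:
    """Normalise a Windows path for comparison (separators and case)."""
    return str(PureWindowsPath(path)).lower()


SYSTEM_DIRS = [norm(p) for p in (r"C:\Windows\System32",
                                 r"C:\Windows\SysWOW64",
                                 r"C:\Windows\WinSxS")]
# Signed binaries the rule watches (SharePoint.exe is named in the report).
WATCHED_BINARIES = {"sharepoint.exe"}
# Assumed allow-list: full paths of DLLs each watched binary legitimately loads.
EXPECTED_DLLS = {
    "sharepoint.exe": {norm(r"C:\Program Files\ExampleVendor\sharepoint_support.dll")},
}
LEGIT_INSTALLERS = {"msiexec.exe", "setup.exe"}   # assumed


def in_system_dir(path: str) -> bool:
    p = norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def detect_sideloading(events):
    """Report's rule: a watched signed binary loads a DLL that is not on its
    expected list and not from a system directory, and the process was not
    started by a legitimate installer. The allow-list holds full paths, not
    file names: a sideloaded DLL normally carries a legitimate name."""
    alerts = []
    for e in events:
        proc = e["process"].lower()
        if proc not in WATCHED_BINARIES:
            continue
        dll = norm(e["dll_path"])
        if dll in EXPECTED_DLLS.get(proc, set()):
            continue
        if in_system_dir(dll):
            continue
        if e["parent"].lower() in LEGIT_INSTALLERS:
            continue
        alerts.append({"process": e["process"], "dll_path": dll,
                       "parent": e["parent"]})
    return alerts


def constructed_events():
    """Constructed image-load sample, not real telemetry."""
    return [
        # legitimate load from System32
        {"process": "SharePoint.exe", "dll_path": r"C:\Windows\System32\version.dll",
         "parent": "explorer.exe"},
        # same DLL name, but planted in a user-writable folder next to the binary
        {"process": "SharePoint.exe", "dll_path": r"C:\Users\Public\Downloads\version.dll",
         "parent": "explorer.exe"},
        # same load during an installer run: excluded by the parent clause
        {"process": "SharePoint.exe", "dll_path": r"C:\Users\Public\Downloads\version.dll",
         "parent": "msiexec.exe"},
        # expected vendor DLL on the allow-list
        {"process": "sharepoint.exe",
         "dll_path": r"C:\Program Files\ExampleVendor\sharepoint_support.dll",
         "parent": "explorer.exe"},
        # unwatched process: outside the scope of this rule
        {"process": "notepad.exe", "dll_path": r"C:\Users\Public\Downloads\version.dll",
         "parent": "explorer.exe"},
    ]


if __name__ == "__main__":
    for alert in detect_sideloading(constructed_events()):
        print(alert)
```

Path comparison is done on normalised strings with a trailing separator so that a directory such as C:\Windows\System32Evil does not pass as a system directory. In production the installer exclusion should be narrowed further (signed installer, expected parent path), since any exclusion on parent name alone is easy to satisfy.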

Priority technique 4 — Golden SAML / AD FS compromise (T1606.002)

Detection logic (SIEM / IdP):

ALERT IF :
  saml.token.issuer NOT IN [known_adfs_servers]
  OR saml.token.signing_key != [registered_key_fingerprint]
  OR saml.token.attributes CONTAIN [unusual_privilege_claims]
  AND saml.token.source_ip NOT IN [corp_ranges]

Recommended tools: AD FS event monitoring (Event ID 307, 510), detection of access to AD FS private keys, Microsoft Entra ID sign-in anomaly detection (4)(5).
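The Golden SAML rule above as an added example written for this report (not code from the report or from any IdP product). The token fields, the trusted issuer, the registered key fingerprint, the privileged role names, the corporate ranges and the sample tokens are assumptions. The code applies standard operator precedence to the rule (AND binds tighter than OR): an unknown issuer or a wrong signing key alerts on its own, and unusual privilege claims alert when combined with a non-corporate source IP. It goes one step beyond the report's rule with an optional check: a token minted with a stolen AD FS key carries the genuine issuer and the registered fingerprint, so the first two conditions only catch rogue issuers and wrong keys; correlating the assertion against the AD FS servers' own token-issuance log is what covers the stolen-key case.

```python
"""SAML token checks following the report's Golden SAML rule.

Added example for this report; not code from the report or any IdP product.
Issuer, fingerprint, role names, ranges and sample tokens are assumptions.
"""
import ipaddress

KNOWN_ADFS_ISSUERS = {"http://adfs.example.test/adfs/services/trust"}   # assumed
REGISTERED_KEY_FINGERPRINT = "sha256:" + "ab" * 32                       # placeholder
PRIVILEGED_ROLES = {"Global Administrator", "Domain Admins"}            # assumed
CORP_RANGES = [ipaddress.ip_network("10.0.0.0/8")]                      # assumed


def evaluate_saml_token(token, adfs_issued_ids=None):
    """Return the list of reasons to alert on this token (empty means no alert).

    token: dict with issuer, signing_key_fingerprint, assertion_id, source_ip
           and claims (a dict whose 'role' entry is a list of role values).
    adfs_issued_ids: assertion IDs taken from the AD FS servers' token-issuance
           logs; when supplied, a token absent from that set is flagged.
    """
    reasons = []
    if token["issuer"] not in KNOWN_ADFS_ISSUERS:
        reasons.append("issuer not in known AD FS servers")
    if token["signing_key_fingerprint"] != REGISTERED_KEY_FINGERPRINT:
        reasons.append("signing key does not match registered fingerprint")
    roles = set(token.get("claims", {}).get("role", []))
    off_corp = not any(ipaddress.ip_address(token["source_ip"]) in n
                       for n in CORP_RANGES)
    if roles & PRIVILEGED_ROLES and off_corp:
        reasons.append("privileged role claims from outside corporate ranges")
    if adfs_issued_ids is not None and token["assertion_id"] not in adfs_issued_ids:
        reasons.append("no matching AD FS issuance record for this assertion")
    return reasons


def constructed_tokens():
    """Three constructed tokens: a legitimate one, one signed with an
    unregistered key, and one minted with the genuine key off-server."""
    good = {"issuer": "http://adfs.example.test/adfs/services/trust",
            "signing_key_fingerprint": REGISTERED_KEY_FINGERPRINT,
            "assertion_id": "_a1", "source_ip": "10.20.30.40",
            "claims": {"role": ["Global Administrator"]}}
    rogue_key = dict(good, assertion_id="_a2",
                     signing_key_fingerprint="sha256:" + "cd" * 32)
    # Forged with the stolen key: issuer and fingerprint both look right.
    forged = dict(good, assertion_id="_a3", source_ip="198.51.100.7")
    return good, rogue_key, forged


if __name__ == "__main__":
    issued = {"_a1", "_a2"}      # constructed AD FS issuance log
    for t in constructed_tokens():
        print(t["assertion_id"], evaluate_saml_token(t, issued))
```

Without the issuance-log correlation the forged token is caught here only because it arrived from outside corporate ranges with a privileged role; an attacker presenting it from an address inside those ranges would pass the report's rule unchanged. With the correlation it is flagged regardless of source address, which is why the report's AD FS event monitoring belongs beside the token checks rather than as an alternative to them.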

Organizational countermeasures

  • Mandatory deployment of phishing-resistant MFA (FIDO2/passkey) on all cloud access, VPN, and privileged accounts — most effective countermeasure against password spraying (3)(5)(6)
  • Continuous monitoring and audit of Azure tenants created from education sector accounts (4)(5)
  • Review of AD FS server access rights; access controls on SAML signing private keys (5)
  • Detection of LSASS access and credential dumping tool execution via EDR (4)(10)
  • Block or strictly monitor non-standard outbound HTTP ports (808, 880) from endpoints (4)(10)
  • Integration of go-http-client user-agent detection into SIEM/proxy rules (3)(5)
  • Hunting for Tickler artifacts: DLL sideloading from signed binaries, unusual Registry Run key entries (4)(10)
  • Awareness training on fraudulent LinkedIn profiles (fake students, recruiters, developers) used for target collection (3)(5)
  • Wiper-oriented resilience: ShapeShift/Shamoon destructive capability assessed as latent; tested offline backups and system rebuild procedures in place (4)(6)
  • OT/ICS network segmentation from IT network to limit potential propagation to industrial systems (4)(6)

SOURCES

  1. Malpedia — APT33 (Threat Actor): https://malpedia.caad.fkie.fraunhofer.de/actor/apt33
  2. Brandefense — APT33 (Elfin / Refined Kitten): Iran’s Longstanding Cyber-Espionage Arm (Nov. 2025): https://brandefense.io/blog/apt33-apt-2025/
  3. TerraZone — APT33: A Complete Guide to Iran’s ‘Elfin’ Cyber Espionage Group (Nov. 2025): https://terrazone.io/apt-3/
  4. Brandefense — APT33/Peach Sandstorm: 2025 Threat Forecast And Analysis (Nov. 2025): https://brandefense.io/blog/apt33-2025-threat-forecast-and-analysis/
  5. Microsoft Security Blog — Peach Sandstorm deploys new custom Tickler malware (Aug. 2024): https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/
  6. BleepingComputer — New Tickler malware used to backdoor US govt, defense orgs (Aug. 2024): https://www.bleepingcomputer.com/news/security/APT33-Iranian-hacking-group-uses-new-tickler-malware-to-backdoor-us-govt-defense-orgs/
  7. Broadcom/Symantec — Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.: https://symantec-enterprise-blogs.security.com/threat-intelligence/elfin-apt33-espionage
  8. Wikipedia — Elfin Team: https://en.wikipedia.org/wiki/Elfin_Team
  9. MITRE ATT&CK — APT33, G0064: https://attack.mitre.org/groups/G0064/
  10. Anvilogic — APT33 Targets Aerospace to Oil with Password Spraying Attacks: https://www.anvilogic.com/threat-reports/apt33-attacks-and-azure
  11. ThreatIntelReport — Threat Actor Profile: APT33 (Feb. 2026): https://www.threatintelreport.com/2026/02/21/threat_actor_profiles/threat-actor-profile-apt33/
  12. Hedgehog Security — APT33: The Aerospace Stalker — Cyber Threat Profile: https://www.hedgehogsecurity.co.uk/blog/apt33-the-aerospace-stalker
  13. BleepingComputer — Microsoft: Hackers target defense firms with new FalseFont malware (Dec. 2023): https://www.bleepingcomputer.com/news/security/microsoft-hackers-target-defense-firms-with-new-falsefont-malware/
  14. CrowdStrike — Who is Refined Kitten (APT33)?: https://www.crowdstrike.com/en-us/blog/who-is-refined-kitten/
  15. MITRE ATT&CK — Tactics and Techniques Reference: https://attack.mitre.org/

This report is produced on the basis of publicly available open sources (vendors, CERTs, independent researchers) consolidated as of March 16, 2026. It does not rely on any classified source. Attribution to the Iranian IRGC is assessed at high confidence based on multi-vendor convergence (Mandiant, Microsoft, CrowdStrike, Symantec, Dragos) and technical artifacts (Farsi language, operational timing, infrastructure). IOCs have a limited lifespan and must be validated before any operational use. This report is unrestricted (TLP:CLEAR).