APT33 is an Iranian state-sponsored cyber espionage group active since at least 2013, believed to be operating at the behest of the Iranian government, possibly the Islamic Revolutionary Guard Corps (IRGC). Also known as Elfin, HOLMIUM, Peach Sandstorm, and Cobalt Trinity, APT33 has targeted organizations in the United States, Saudi Arabia, South Korea, and the broader Middle East, with a particular focus on the aerospace, energy, petrochemical, manufacturing, and defense sectors.

Key Characteristics

• Primary Targets: Aerospace, energy, petrochemical, defense, manufacturing, and engineering firms, especially those with links to Saudi Arabia, the United States, and South Korea.
• Motivations: Cyber espionage, strategic intelligence collection, and, increasingly, destructive operations via wiper malware.
• Attack Vectors: Spear phishing (often using job/recruitment themes), exploitation of known vulnerabilities, and domain masquerading.
• Malware and Tools: APT33 uses a mix of custom malware (DropShot, TurnedUp, ShapeShift, Powerton) and publicly available tools (NanoCore, NetWire, AlfaShell, Mimikatz, PowerSploit, PoshC2, Dorkbot, Empire, StoneDrill, PupyRAT, Carberp, Shamoon 3).
• Destructive Operations: Linked to the use of the Shamoon wiper malware in attacks on Middle Eastern targets, notably in 2017 and 2018.

Tactics, Techniques, and Procedures (TTPs)

• Spear Phishing: The primary initial access vector, with emails themed around job postings, recruitment, or industry events.
• Exploitation of Vulnerabilities: Use of exploits such as CVE-2017-0213 (privilege escalation), CVE-2017-11774 (Outlook), and CVE-2018-20250 (WinRAR).
• Custom and Public Tools: Deployment of both bespoke and open-source malware for persistence, lateral movement, and data exfiltration.
• Domain Masquerading: Registration of domains mimicking major aerospace and defense companies to lure targets.

Indicators of Compromise (IP Addresses)

• 95.142.38.79 — Identified as an APT33 command and control (C2) server, with activity observed in early 2025.
• 178.208.92.187 — Linked to APT33 infrastructure through SSH key reuse, also active in 2025.
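As an added example (not part of the original profile), the following Python matches the two indicator addresses listed above against log lines; the log lines, their field layout and the hostnames in them are constructed assumptions, not real telemetry.

```python
import ipaddress
import re
from dataclasses import dataclass

# The two indicator addresses reported in the profile above.
APT33_IOC_IPS = {
    "95.142.38.79": "APT33 C2 server (activity observed early 2025)",
    "178.208.92.187": "APT33 infrastructure (SSH key reuse, 2025)",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class IocHit:
    line_no: int      # 1-based position in the scanned input
    ip: str           # indicator that matched
    description: str  # context carried from the indicator list
    line: str         # the offending log line, for the analyst


def extract_ipv4(text):
    """Return the valid IPv4 addresses in text, in order of appearance, without duplicates."""
    found = []
    for cand in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(cand)  # rejects regex false positives such as 999.1.2.3
        except ValueError:
            continue
        if cand not in found:
            found.append(cand)
    return found


def scan_logs(lines, iocs=APT33_IOC_IPS):
    """Scan an iterable of log lines and return one IocHit per (line, indicator) match."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ip in extract_ipv4(line):
            if ip in iocs:
                hits.append(IocHit(line_no, ip, iocs[ip], line.rstrip()))
    return hits


# Constructed sample lines (assumed proxy/firewall/sshd formats; 10.x and RFC 5737 addresses).
SAMPLE_LOGS = [
    "2025-02-03T08:14:02Z proxy allow src=10.20.4.17 dst=95.142.38.79:443 method=POST uri=/api/update",
    "2025-02-03T08:14:05Z proxy allow src=10.20.4.17 dst=198.51.100.23:443 method=GET uri=/",
    "2025-02-03T09:01:11Z firewall deny src=178.208.92.187 dst=203.0.113.8 dport=22 proto=tcp",
    "2025-02-03T09:02:00Z sshd[2231]: Accepted publickey for deploy from 10.20.1.9 port 51022",
    "2025-02-03T09:05:30Z parser-test token=999.1.2.3 (not a valid address, must be ignored)",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.ip} -> {hit.description}\n    {hit.line}")
```

Running the block reports the proxy line talking to 95.142.38.79 and the firewall line from 178.208.92.187; the other three lines produce no hit.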

Synonyms:
Elfin, Holmium, Peach Sandstorm, Cobalt Trinity