G0064: APT33
Analyst context for executives and security teams
APT33 matters because MITRE describes it as a suspected Iranian group active since at least 2013 with reported targeting across the United States, Saudi Arabia, and South Korea, especially aviation and energy. The relationship set is operationally important: it links the group to credential-dumping, PowerShell/post-exploitation frameworks, remote access tools, FTP transfer, Exchange/Office abuse tooling, and wiper malware. For leaders, the decision value is not the name alone; it is whether identity controls, Windows endpoint visibility, email security, remote access monitoring, and recovery plans can withstand the behaviors represented by these relationships.
Executive priority
Prioritize APT33 as a threat-intelligence-informed readiness driver if the organization operates in aviation, energy, Saudi/U.S./South Korea exposure, or environments where IT compromise could affect operational technology. Executive questions should focus on: can the SOC prove visibility over credential theft and PowerShell activity; can IR contain compromised Windows credentials quickly; are destructive-malware recovery assumptions tested; and do audit/compliance records show controls over email attachments, privileged accounts, logging, segmentation, and backups?
Technical view
MITRE provides no official detection text for the group, so defenders should build coverage from the related software and techniques. Validate detections for Windows credential access involving LSASS memory, LSA Secrets, and cached domain credentials; command-line use of Net and ftp; PowerShell-heavy frameworks such as PowerSploit, Empire, PoshC2, and POWERTON; RAT/backdoor families including NETWIRE, NanoCore, Pupy, TURNEDUP, and AutoIt backdoor; Exchange/Office abuse associated with Ruler; obfuscated or encoded files; and network sniffing behavior where relevant. The ICS relationships for screen capture, scripting, and spearphishing attachment make OT-facing monitoring and phishing controls relevant where control-system environments exist.
Likely telemetry
- Endpoint process creation, command-line, parent/child process, module load, and script execution logs, especially on Windows systems
- PowerShell logging and administrative shell telemetry
- Windows security events and EDR signals related to LSASS access, registry access to LSA Secrets, and credential-dumping tools such as Mimikatz and LaZagne
- Email gateway, attachment detonation, and user-reporting telemetry for spearphishing attachments
- Office Suite and Exchange service logs relevant to Ruler-like abuse
Detection direction
- Correlate across aliases APT33, HOLMIUM, Elfin, and Peach Sandstorm so intelligence, case management, and SIEM content do not fragment the same ATT&CK group reference.
- Do not rely only on malware names. Several related tools are public or legitimate administrative utilities, so detection should combine behavior, execution context, privilege level, destination, and sequence.
- Tune for credential-access chains: suspicious LSASS access, LSA Secrets access, cached credential access, followed by lateral movement or remote administration activity should receive higher priority.
- Validate PowerShell and scripting coverage because multiple related tools and backdoors use scripting or PowerShell-style post-exploitation.
- Review false positives for Net, ftp, PowerSploit, Empire, PoshC2, Pupy, and other dual-use tools by comparing expected administrative baselines with unusual hosts, users, timing, and network destinations.
Mitigation priorities
- Start with identity hardening: restrict privileged access, reduce credential exposure, monitor administrative accounts, and limit cached or reusable credentials where operationally feasible.
- Harden Windows endpoints against credential dumping and unauthorized access to LSASS and sensitive registry secrets.
- Constrain and log PowerShell, scripting interpreters, and command-line administrative utilities without blocking legitimate operations blindly.
- Strengthen email attachment defenses, user reporting, and investigation workflows for targeted phishing scenarios.
- Control outbound transfer paths such as FTP and monitor unusual remote administration traffic.
Analyst notes and limits
This take is based on MITRE ATT&CK group G0064, its aliases, official description, external references, and supplied relationship context. The most useful defensive interpretation comes from the related software and techniques rather than from a group-level detection field, which is not provided. APT33 should be used as a threat-informed planning scenario, especially for aviation, energy, identity, endpoint, email, and recovery readiness.
MITRE does not specify group-level platforms, tactics, or official detection guidance for this object. Relationship descriptions include multiple public, dual-use, and cross-platform tools, so local baselines are required before treating activity as malicious. The supplied data supports historical targeting and relationships, not current exploitation, confirmed attribution in a local incident, or guaranteed detection coverage.
APT33
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1552.001 | Credentials In Files Sub-technique | |
| Enterprise | T1003.005 | Cached Domain Credentials Sub-technique | |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | APT33 has used WinRAR to compress data prior to exfil.CitationSymantec Elfin Mar 2019 |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | |
| Enterprise | T1552.006 | Group Policy Preferences Sub-technique | APT33 has used a variety of publicly available tools like Gpppassword to gather credentials.CitationSymantec Elfin Mar 2019CitationFireEye APT33 Guardrail |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | APT33 has used base64 to encode payloads.CitationFireEye APT33 Guardrail |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | APT33 has sent spearphishing e-mails with archive attachments.CitationMicrosoft Holmium June 2020 |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | APT33 has sent spearphishing emails containing links to .hta files.CitationFireEye APT33 Sept 2017CitationSymantec Elfin Mar 2019 |
| Enterprise | T1110.003 | Password Spraying Sub-technique | APT33 has used password spraying to gain access to target systems.CitationFireEye APT33 GuardrailCitationMicrosoft Holmium June 2020 |
| Enterprise | T1003.004 | LSA Secrets Sub-technique | |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | APT33 has created a scheduled task to execute a .vbe file multiple times a day.CitationSymantec Elfin Mar 2019 |
| Enterprise | T1555 | Credentials from Password Stores | |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription Sub-technique | APT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts.CitationMicrosoft Holmium June 2020 |
| Enterprise | T1105 | Ingress Tool Transfer | APT33 has downloaded additional files and programs from its C2 server.CitationSymantec Elfin Mar 2019CitationMicrosoft Holmium June 2020 |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | APT33 has used FTP to exfiltrate files (separately from the C2 channel).CitationSymantec Elfin Mar 2019 |
| Enterprise | T1588.002 | Tool Sub-technique | APT33 has obtained and leveraged publicly-available tools for early intrusion activities.CitationFireEye APT33 GuardrailCitationSymantec Elfin Mar 2019 |
| Enterprise | T1040 | Network Sniffing | APT33 has used SniffPass to collect credentials by sniffing network traffic.CitationSymantec Elfin Mar 2019 |
| Enterprise | T1071.001 | Web Protocols Sub-technique | APT33 has used HTTP for command and control.CitationSymantec Elfin Mar 2019 |
| Enterprise | T1059.001 | PowerShell Sub-technique | APT33 has utilized PowerShell to download files from the C2 server and run various scripts. CitationSymantec Elfin Mar 2019CitationMicrosoft Holmium June 2020 |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | |
| Enterprise | T1078 | Valid Accounts | APT33 has used valid accounts for initial access and privilege escalation.CitationFireEye APT33 Webinar Sept 2017CitationFireEye APT33 Guardrail |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | APT33 has used AES for encryption of command and control traffic.CitationFireEye APT33 Guardrail |
| Enterprise | T1059.005 | Visual Basic Sub-technique | APT33 has used VBScript to initiate the delivery of payloads.CitationMicrosoft Holmium June 2020 |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | APT33 has used base64 to encode command and control traffic.CitationFireEye APT33 Guardrail |
| Enterprise | T1571 | Non-Standard Port | APT33 has used HTTP over TCP ports 808 and 880 for command and control.CitationSymantec Elfin Mar 2019 |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | |
| Enterprise | T1203 | Exploitation for Client Execution | APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774).CitationSymantec Elfin Mar 2019CitationMicrosoft Holmium June 2020 |
| Enterprise | T1204.002 | Malicious File Sub-technique | APT33 has used malicious e-mail attachments to lure victims into executing malware.CitationMicrosoft Holmium June 2020 |
| Enterprise | T1204.001 | Malicious Link Sub-technique | APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.CitationFireEye APT33 Sept 2017CitationSymantec Elfin Mar 2019 |
| Enterprise | T1068 | Exploitation for Privilege Escalation | APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system.CitationFireEye APT33 Guardrail |
Groups, software, and campaigns
S0194: PowerSploit
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]
S0129: AutoIt backdoor
AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.
S0378: PoshC2
PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]
S0358: Ruler
S0002: Mimikatz
S0336: NanoCore
S1134: DEADWOOD
S0380: StoneDrill
StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]
S0371: POWERTON
S0349: LaZagne
S0199: TURNEDUP
TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [1] [2]
S0198: NETWIRE
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.0 | Current bundle | 8bce83bff7b0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
FireEye APT33 Sept 2017
O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
Open source URL -
[2]
FireEye APT33 Webinar Sept 2017
Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
Open source URL -
[3]
APT33
(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)
-
[4]
Elfin
(Citation: Symantec Elfin Mar 2019)
-
[5]
HOLMIUM
(Citation: Microsoft Holmium June 2020)
-
[6]
Microsoft Holmium June 2020
Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
Open source URL -
[7]
Microsoft Threat Actor Naming July 2023
Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
Open source URL -
[8]
Peach Sandstorm
(Citation: Microsoft Threat Actor Naming July 2023)
-
[9]
Symantec Elfin Mar 2019
Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
Open source URL -
[10]
mitre-attack G0064Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.