S0380: StoneDrill
StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]
Analyst context for executives and security teams
StoneDrill is a Windows wiper malware entry in ATT&CK associated with destructive campaigns against Middle Eastern and European targets and linked by ATT&CK relationships to APT33. Its business significance is availability risk: it belongs to a malware category that can turn an intrusion into system loss, service interruption, recovery pressure, and evidence-preservation challenges rather than only data theft.
Executive priority
Treat StoneDrill as a resilience and incident-readiness reference case for destructive malware. Leaders should ask whether critical Windows environments have recoverable backups, tested rebuild procedures, segmented access paths, and SOC escalation criteria for wiper-like behavior. For aviation, energy, and other operationally sensitive environments, the APT33 relationship and cited sector targeting make this relevant to continuity planning and board-level risk discussions, without assuming current exposure or activity.
Technical view
ATT&CK provides no official detection text for StoneDrill, so defenders should validate coverage through its related behaviors: Windows Registry querying, WMI execution, Visual Basic execution, process injection, file deletion, ingress tool transfer, screen capture, system and time discovery, security software discovery, sandbox evasion, data destruction, and disk content or disk structure wiping. SOC and IR teams should focus on whether endpoint telemetry can connect pre-impact discovery and stealth behaviors to destructive disk or file activity on Windows hosts.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- WMI activity and remote/local execution logs
- Windows Registry access or query telemetry where available
- File creation, deletion, overwrite, and abnormal write-volume events
- Disk/boot structure modification signals, including MBR or partition-related activity where monitored
Detection direction
- Because ATT&CK does not provide StoneDrill-specific detection guidance, validate analytics at the technique level rather than relying on a malware name match.
- Prioritize correlation of discovery behaviors followed by stealth behaviors and destructive file or disk operations on Windows systems.
- Tune WMI and Visual Basic detections carefully: both can be legitimate administration mechanisms, so context such as unusual parent process, user, host role, timing, and follow-on file activity is important.
- Review blind spots around low-level disk writes, boot structure changes, file overwrite patterns, and endpoint telemetry loss during destructive activity.
- Use the APT33 relationship as threat-intelligence context for prioritization, not as proof of attribution in a local incident.
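As an added example (not ATT&CK's or Glexia's code), the following Python correlates the technique chain this page lists per host over constructed endpoint telemetry: WMIC and VBS execution (T1047, T1059.005) as discovery, temp-file deletion (T1070.004) as stealth, and mass overwrites outside the Windows directory or raw physical-disk writes (T1485, T1561) as destruction. The event schema, the 30-minute window and the overwrite threshold are assumptions.

```python
# Added example, not MITRE's or Glexia's code: per-host stage correlation of this page's techniques; schema, thresholds and data are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed: discovery-to-destruction correlation window
BURST = 50                       # assumed: overwrites in one burst that count as wiping

def classify(ev):
    """Map one endpoint event to (stage, ATT&CK technique), or None if uninteresting."""
    kind, img = ev["type"], ev.get("image", "").lower()
    path, cmd = ev.get("path", "").lower(), ev.get("cmdline", "").lower()
    if kind == "process" and img.endswith("wmic.exe"):
        return "discovery", "T1047"                  # WMIC used to run tasks
    if kind == "process" and img.endswith(("wscript.exe", "cscript.exe")) and ".vbs" in cmd:
        return "discovery", "T1059.005"              # VBS script execution
    if kind == "file_delete" and "\\temp\\" in path:
        return "stealth", "T1070.004"                # temporary-file cleanup
    if kind == "file_overwrite_burst" and ev["count"] >= BURST and not path.startswith("c:\\windows"):
        return "destruction", "T1485"                # mass overwrite outside the Windows directory
    if kind == "raw_disk_write" and path.startswith("\\\\.\\physicaldrive"):
        return "destruction", "T1561"                # direct physical-disk write (MBR or content)
    return None

def correlate(events):
    """{host: [techniques]} when discovery, then stealth, then destruction occur on one host within WINDOW."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]),) + hit)
    alerts = {}
    for host, hits in by_host.items():
        for i, (t0, stage, _) in enumerate(hits):
            chain = [h for h in hits[i:] if h[0] - t0 <= WINDOW]
            stages = [h[1] for h in chain]
            if stage == "discovery" and "stealth" in stages and "destruction" in stages[stages.index("stealth"):]:
                alerts[host] = sorted({h[2] for h in chain})   # techniques seen in the chain
                break
    return alerts

def ev(ts, host, kind, **fields):   # builds a constructed telemetry record (not a real sensor schema)
    return {"ts": f"2024-01-10T{ts}:00", "host": host, "type": kind, **fields}

WMIC = "C:\\Windows\\System32\\wbem\\WMIC.exe"
SAMPLE_EVENTS = [  # constructed: wiper-like chain on ws-01, benign admin activity on admin-02
    ev("09:00", "ws-01", "process", image=WMIC, cmdline="wmic os get caption"),
    ev("09:02", "ws-01", "process", image="C:\\Windows\\System32\\wscript.exe", cmdline="wscript.exe %TEMP%\\s1.vbs"),
    ev("09:05", "ws-01", "file_delete", path="C:\\Users\\u\\AppData\\Local\\Temp\\s1.vbs"),
    ev("09:07", "ws-01", "file_overwrite_burst", path="C:\\Users\\u\\Documents", count=800),
    ev("09:00", "admin-02", "process", image=WMIC, cmdline="wmic os get caption"),
    ev("09:01", "admin-02", "file_delete", path="C:\\Windows\\Temp\\logon.tmp"),
]
```

Only ws-01 alerts: admin-02 shows the same WMIC and temp-file cleanup but no destructive stage, which is the false-positive case the tuning bullet above warns about.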
Mitigation priorities
- Sequence controls around impact reduction first: maintain offline or protected backups, test bare-metal or endpoint rebuild procedures, and define recovery time expectations for critical Windows systems.
- Limit destructive blast radius with least privilege, administrative access control, segmentation, and careful control of remote management paths such as WMI.
- Harden monitoring and response for suspicious tool transfer, script execution, process injection, and abnormal file or disk modification activity.
- Ensure incident response playbooks include rapid isolation, evidence preservation, backup integrity checks, and executive decision points for destructive malware events.
- Use the related ATT&CK techniques to drive tabletop exercises, detection engineering tests, and compliance evidence for resilience and recovery capabilities.
Analyst notes and limits
StoneDrill is categorized as malware/software in enterprise ATT&CK, external ID S0380, with Windows listed as the platform. The relationship set is rich enough to guide defensive validation even though the object itself has no tactics specified and no official detection section. The APT33 relationship and cited FireEye/Kaspersky references provide context for prioritization, especially where destructive malware risk is material to operations.
This take is constrained to the supplied ATT&CK fields and relationships. It does not assert current exploitation, local exposure, guaranteed detection, or confirmed attribution. Local asset criticality, endpoint logging depth, backup architecture, and incident history are required to determine actual risk and coverage.
StoneDrill
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1497 | Virtualization/Sandbox Evasion | StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes. (Citation: Kaspersky StoneDrill 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victim's machine. (Citation: Kaspersky StoneDrill 2017) |
| Enterprise | T1070.004 | File Deletion (Sub-technique) | StoneDrill has been observed deleting the temporary files once they fulfill their task. (Citation: Kaspersky StoneDrill 2017) |
| Enterprise | T1124 | System Time Discovery | StoneDrill can obtain the current date and time of the victim machine. (Citation: Kaspersky StoneDrill 2017) |
| Enterprise | T1055 | Process Injection | StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser. (Citation: Kaspersky StoneDrill 2017) |
| Enterprise | T1518.001 | Security Software Discovery (Sub-technique) | StoneDrill can check for antivirus and antimalware programs. (Citation: Kaspersky StoneDrill 2017) |
| Enterprise | T1047 | Windows Management Instrumentation | StoneDrill has used the WMI command-line (WMIC) utility to run tasks. (Citation: Kaspersky StoneDrill 2017) |
| Enterprise | T1027.013 | Encrypted/Encoded File (Sub-technique) | StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption. (Citation: Kaspersky StoneDrill 2017) |
| Enterprise | T1082 | System Information Discovery | StoneDrill has the capability to discover the system OS, Windows version, architecture and environment. (Citation: Kaspersky StoneDrill 2017) |
| Enterprise | T1561.002 | Disk Structure Wipe (Sub-technique) | StoneDrill can wipe the master boot record of an infected computer. (Citation: Symantec Elfin Mar 2019) |
| Enterprise | T1012 | Query Registry | StoneDrill has looked in the registry to find the default browser path. (Citation: Kaspersky StoneDrill 2017) |
| Enterprise | T1561.001 | Disk Content Wipe (Sub-technique) | StoneDrill can wipe the accessible physical or logical drives of the infected machine. (Citation: Symantec Elfin Mar 2019) |
| Enterprise | T1059.005 | Visual Basic (Sub-technique) | StoneDrill has several VBS scripts used throughout the malware's lifecycle. (Citation: Kaspersky StoneDrill 2017) |
| Enterprise | T1113 | Screen Capture | StoneDrill can take screenshots. (Citation: Kaspersky StoneDrill 2017) |
| Enterprise | T1485 | Data Destruction | StoneDrill has a disk wiper module that targets files other than those in the Windows directory. (Citation: Kaspersky StoneDrill 2017) |
Groups, software, and campaigns
G0064: APT33
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 94be35b74cdd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT33 Sept 2017: O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- [2] Kaspersky StoneDrill 2017: Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
- [3] DROPSHOT (Citation: FireEye APT33 Sept 2017)
- [4] StoneDrill (Citation: Kaspersky StoneDrill 2017)
- [5] mitre-attack S0380
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.