{ "id": "f50591c1-c733-4038-9a81-7837b5f0e4b5", "created_at": "2026-04-06T00:18:02.173007Z", "updated_at": "2026-04-10T03:37:37.160808Z", "deleted_at": null, "sha1_hash": "79b409ff89cac3c2a42c0cfc025bf4233ea870f1", "title": "APT 33, Elfin, Magnallium - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 83987, "plain_text": "APT 33, Elfin, Magnallium - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 12:46:58 UTC\r\nHome \u003e List all groups \u003e APT 33, Elfin, Magnallium\r\n APT group: APT 33, Elfin, Magnallium\r\nNames\r\nAPT 33 (Mandiant)\r\nElfin (Symantec)\r\nMagnallium (Dragos)\r\nHolmium (Microsoft)\r\nATK 35 (Thales)\r\nRefined Kitten (CrowdStrike)\r\nTA451 (Proofpoint)\r\nCobalt Trinity (SecureWorks)\r\nPeach Sandstorm (Microsoft)\r\nYellow Orc (PWC)\r\nCurious Serpens (Palo Alto)\r\nG0064 (MITRE)\r\nCountry Iran\r\nSponsor State-sponsored, Iranian Islamic Revolutionary Guard Corps (IRGC)\r\nMotivation Information theft and espionage, Sabotage and destruction\r\nFirst seen 2013\r\nDescription (FireEye) When discussing suspected Middle Eastern hacker groups with destructive\r\ncapabilities, many automatically think of the suspected Iranian group that previously\r\nused SHAMOON – aka Disttrack – to target organizations in the Persian Gulf.\r\nHowever, over the past few years, we have been tracking a separate, less widely\r\nknown suspected Iranian group with potential destructive capabilities, whom we call\r\nAPT33. Our analysis reveals that APT33 is a capable group that has carried out\r\ncyber espionage operations since at least 2013. We assess APT33 works at the behest\r\nof the Iranian government.\r\nAPT33 has targeted organizations – spanning multiple industries – headquartered in\r\nthe United States, Saudi Arabia and South Korea. APT33 has shown particular\r\ninterest in organizations in the aviation sector involved in both military and\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=958e1f46-a2b6-4beb-8cb0-ddc90c08368e\r\nPage 1 of 3\n\ncommercial capacities, as well as organizations in the energy sector with ties to\npetrochemical production.\nAPT 33 seems to be closely related to OilRig, APT 34, Helix Kitten, Chrysene since\nat least 2017.\nObserved\nSectors: Aviation, Defense, Education, Energy, Financial, Government, Healthcare,\nHigh-Tech, Manufacturing, Media, Oil and gas, Petrochemical, Telecommunications\nand others.\nCountries: Iran, Iraq, Israel, Saudi Arabia, South Korea, UAE, UK, USA.\nTools used\nAutoIt backdoor, DarkComet, DistTrack, EmpireProject, FalseFont, Filerase,\nJuicyPotato, LaZagne, Mimikatz, NanoCore RAT, NetWire RC, PoshC2,\nPowerBand, PowerSploit, POWERTON, PsList, PupyRAT, QuasarRAT,\nRemcosRAT, Ruler, SHAPESHIFT, StoneDrill, Tickler, TURNEDUP, Living off the\nLand.\nOperations performed\nMar 2019\nAttacks on Multiple Organizations in Saudi Arabia and U.S.\nThe Elfin espionage group (aka APT33) has remained highly active\nover the past three years, attacking at least 50 organizations in Saudi\nArabia, the United States, and a range of other countries.\nJul 2019\nUS Cyber Command has issued an alert via Twitter today about threat\nactors abusing an Outlook vulnerability to plant malware on\ngovernment networks.\nThe vulnerability is CVE-2017-11774, a security bug that Microsoft\npatched in Outlook in the October 2017 Patch Tuesday.\nNov 2019\nMore than a Dozen Obfuscated APT33 Botnets Used for Extreme\nNarrow Targeting\nFeb 2023\nPeach Sandstorm password spray campaigns enable intelligence\ncollection at high-value targets\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=958e1f46-a2b6-4beb-8cb0-ddc90c08368e\nPage 2 of 3\n\nNov 2023\nMicrosoft: Hackers target defense firms with new FalseFont malware\nApr 2024\nPeach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations\nInformation\nMITRE ATT\u0026CK Playbook Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=958e1f46-a2b6-4beb-8cb0-ddc90c08368e\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=958e1f46-a2b6-4beb-8cb0-ddc90c08368e\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=958e1f46-a2b6-4beb-8cb0-ddc90c08368e" ], "report_names": [ "showcard.cgi?u=958e1f46-a2b6-4beb-8cb0-ddc90c08368e" ], "threat_actors": [ { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "25896473-161f-411f-b76a-f11bb26c96bd", "created_at": "2023-01-06T13:46:38.75749Z", "updated_at": "2026-04-10T02:00:03.090307Z", "deleted_at": null, "main_name": "CHRYSENE", "aliases": [ "Greenbug" ], "source_name": "MISPGALAXY:CHRYSENE", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b938e2e3-3d1b-4b35-a031-ddf25b912557", "created_at": "2022-10-25T16:07:23.35582Z", "updated_at": "2026-04-10T02:00:04.55531Z", "deleted_at": null, "main_name": "APT 33", "aliases": [ "APT 33", "ATK 35", "Cobalt Trinity", "Curious Serpens", "Elfin", "G0064", "Holmium", "Magnallium", "Peach Sandstorm", "Refined Kitten", "TA451", "Yellow Orc" ], "source_name": "ETDA:APT 33", "tools": [ "Atros2.CKPN", "AutoIt backdoor", "Breut", "CinaRAT", "DROPSHOT", "DarkComet", "DarkKomet", "DistTrack", "EmPyre", "EmpireProject", "FYNLOS", "FalseFont", "Filerase", "Fynloski", "JuicyPotato", "Krademok", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Mimikatz", "Nancrat", "NanoCore", "NanoCore RAT", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Notestuk", "POWERTON", "PoshC2", "PowerBand", "PowerShell Empire", "PowerSploit", "PsList", "Pupy", "PupyRAT", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "SHAPESHIFT", "Shamoon", "Socmer", "StoneDrill", "TURNEDUP", "Tickler", "Yggdrasil", "Zurten", "klovbot", "pupy" ], "source_id": "ETDA", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434682, "ts_updated_at": 1775792257, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/79b409ff89cac3c2a42c0cfc025bf4233ea870f1.pdf", "text": "https://archive.orkl.eu/79b409ff89cac3c2a42c0cfc025bf4233ea870f1.txt", "img": "https://archive.orkl.eu/79b409ff89cac3c2a42c0cfc025bf4233ea870f1.jpg" } }