{
	"id": "5bf26ff6-0eba-487c-92af-1a24c364afba",
	"created_at": "2026-04-06T00:13:14.765859Z",
	"updated_at": "2026-04-10T03:34:03.01564Z",
	"deleted_at": null,
	"sha1_hash": "7bb187c5587d356c118c5de5e313f85e653582d7",
	"title": "IoCs/APT/poshc2_apt_33.md at master · jeFF0Falltrades/IoCs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46103,
	"plain_text": "IoCs/APT/poshc2_apt_33.md at master · jeFF0Falltrades/IoCs\r\nBy jeFF0Falltrades\r\nArchived: 2026-04-05 20:42:08 UTC\r\nPoshC2 (specifically as used by APT33)\r\nReporting\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2\r\nhttp://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets\r\nhttps://twitter.com/cti_marc/status/1194573048625729536\r\nYARA\r\nrule poshc2_apt_33_2019 {\r\n meta:\r\n author = \"jeFF0Falltrades\"\r\n desc = \"Alerts on PoshC2 payloads which align with 2019 APT33 reporting (this will not fire o\r\n ref = \"http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to\r\n \r\n strings:\r\n $js_date = /\\[datetime\\]::ParseExact\\(\"[0-9]+\\/[0-9]+\\/[0-9]+\",\"dd\\/MM\\/yyyy\",\\$null/\r\n $js_crypt = \"System.Security.Cryptography\" wide ascii\r\n $js_host = \"Headers.Add(\\\"Host\" wide ascii\r\n $js_proxy = \"$proxyurl = \" wide ascii\r\n $js_arch = \"$env:PROCESSOR_ARCHITECTURE\" wide ascii\r\n $js_admin = \"[System.Security.Principal.WindowsBuiltInRole]::Administrator\" wide ascii\r\n $hta_unescape = \"%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%73%63%72%69%70%74%20%74%\r\n $hta_hex = \"202f7720312049455820284e65772d4f626a656374204e65742e576562436c69656e74292e446f776\r\n $hta_powershell = \"706f7765727368656c6c2e657865\" wide ascii\r\n condition:\r\n 4 of ($js_*) or 2 of ($hta_*)\r\n}\r\n[Reviewer note: the rule as reproduced above is truncated by PDF extraction - the desc and ref meta values and the $hta_unescape and $hta_hex string literals are cut off mid-string with no closing quote - so it will not compile as shown; take the rule from the linked GitHub source, not from this page. Several of the $js_* atoms (System.Security.Cryptography, $env:PROCESSOR_ARCHITECTURE, the WindowsBuiltInRole Administrator check) also appear in benign PowerShell, so validate the rule against a clean script corpus before using it for blocking rather than hunting.]\r\nSample Hashes\r\nafb46cd7278a77cfb28903bf221e68134f55032138850d6fefe70945dc8abfcf\r\nfe94fc7b2c6b75c2b68ad75a6b7020acd9f76a22f522a80285549de2fc565e87\r\na40801441b60a3b0192e985265df655e34c94f9bee8346c0b62a8d3618ddf8cd\r\nhttps://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md\r\nPage 1 of 2\n\n14985711a5aa14c6cded0f21db544706ba845de89866e06c59a9151e7dafe19f\r\nce0f7048903c6c2ee5357e8678247ae19666e91058060a3d38e09e49a94047b7\r\nRelated Network IoCs\r\nhttps[:]//213[.]227[.]155[.]25/babel-polyfill/6[.]3[.]14/\r\nworld-jobs[.]org\r\nglobal-careers[.]org\r\ndyn-intl[.]world-careers[.]org\r\nraytheonjobs[.]serveblog[.]net\r\nSource: https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md\r\nhttps://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md"
	],
	"report_names": [
		"poshc2_apt_33.md"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33",
				"Elfin",
				"HOLMIUM",
				"MAGNALIUM",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451"
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434394,
	"ts_updated_at": 1775792043,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7bb187c5587d356c118c5de5e313f85e653582d7.pdf",
		"text": "https://archive.orkl.eu/7bb187c5587d356c118c5de5e313f85e653582d7.txt",
		"img": "https://archive.orkl.eu/7bb187c5587d356c118c5de5e313f85e653582d7.jpg"
	}
}