{
	"id": "4e2c614f-aff9-4534-8288-ad79fdc1e719",
	"created_at": "2026-04-06T00:06:46.230819Z",
	"updated_at": "2026-04-10T13:12:34.373612Z",
	"deleted_at": null,
	"sha1_hash": "8e451f6ced373bd4baac2b49100ce126dba0c96a",
	"title": "Obfuscated APT33 C\u0026Cs Used for Narrow Targeting",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82644,
	"plain_text": "Obfuscated APT33 C\u0026Cs Used for Narrow Targeting\r\nPublished: 2019-12-12 · Archived: 2026-04-02 10:34:24 UTC\r\nThis article is part of a research paper that dives into cyberattacks on the oil and gas industry. It provides a more comprehensive look at APT33 and other critical threats. Read the full paper here.\r\nThis blog was originally published on November 13, 2019. Updated on November 27, 2019 at 11:00 PM PST to add new information about a C\u0026C domain.\r\nThe threat group regularly referred to as APT33 is known to target the oil and aviation industries aggressively. This threat group has been reported on consistently for years, but our recent findings show that the group has been using about a dozen live Command and Control (C\u0026C) servers for extremely narrow targeting. The group puts up multiple layers of obfuscation to run these C\u0026C servers in extremely targeted malware campaigns against organizations in the Middle East, the U.S., and Asia.\r\nWe believe these botnets, each comprising a small group of up to a dozen infected computers, are used to gain persistence within the networks of select targets. The malware is rather basic and has limited capabilities, which include downloading and running additional malware. Among the active infections in 2019 are two separate locations of a private American company that offers services related to national security, victims connecting from a university and a college in the U.S., a victim most likely related to the U.S. military, and several victims in the Middle East and Asia.\r\nAPT33 has also been executing more aggressive attacks over the past few years. 
For example, for at least two years the group used the private website of a high-ranking European politician (a member of her country’s defense committee) to send spear phishing emails to companies that are part of the supply chain of oil products. Targets included a water facility that supplies potable water to one of the U.S. Army's military bases.\r\nThese attacks have likely resulted in concrete infections in the oil industry. For example, in the fall of 2018, we observed communications between an APT33 C\u0026C server and a U.K.-based oil company with computer servers in the U.K. and India. Another European oil company suffered from an APT33-related malware infection on one of its servers in India for at least three weeks in November and December 2018. Several other companies in oil supply chains were compromised in the fall of 2018 as well. These compromises indicate a big risk to companies in the oil industry, as APT33 is known to use destructive malware.\r\nDate | From address | Subject\r\n12/31/16 | recruitment@alsalam.aero | Job Opportunity\r\n4/17/17 | recruitment@alsalam.aero | Vacancy Announcement\r\n7/17/17 | careers@ngaaksa.com | Job Openning\r\n9/11/17 | jobs@ngaaksa.ga | Job Opportunity\r\n11/20/17 | jobs@dyn-intl.ga | Job Openning\r\n11/28/17 | jobs@dyn-intl.ga | Job Openning\r\n3/5/18 | jobs@mail.dyn-corp.ga | Job Openning\r\n7/2/18 | careers@sipchem.ga | Job Opportunity SIPCHEM\r\n7/30/18 | jobs@sipchem.ga | Job Openning\r\n8/14/18 | jobs@sipchem.ga | Job Openning\r\n8/26/18 | careers@aramcojobs.ga | Latest Vacancy\r\n8/28/18 | careers@aramcojobs.ga | Latest Vacancy\r\n9/25/18 | careers@aramcojobs.ga | AramCo Jobs\r\n10/22/18 | jobs@samref.ga | Job Openning at SAMREF\r\nTable 1. Spear phishing campaigns of APT33 (sender addresses and subject lines reproduced as observed). 
Source: Trend Micro’s Smart Protection Network\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/\r\nPage 1 of 5\r\nThe first two email addresses in the table above (ending in .aero and .com) are being spoofed by the threat group; they are the legitimate domains of the impersonated companies, not attacker infrastructure. The addresses ending in .ga, however, are from the attacker's own infrastructure. The addresses are all impersonating known aviation and oil and gas companies.\r\nAside from the relatively noisy attacks of APT33 against oil product supply chains, we found that APT33 has been using several C\u0026C domains for small botnets of about a dozen bots each.\r\nIt appears that APT33 took special care to make tracking more difficult. The C\u0026C domains are usually hosted on cloud-hosted proxies. These proxies relay URL requests from the infected bots to backends on shared web servers that may host thousands of legitimate domains, so blocking the backend IP addresses would also block legitimate sites; the domains themselves are the more useful indicator. The backends report bot data back to a data aggregator and bot control server that sits on a dedicated IP address. The APT33 actors connect to these aggregators via a private VPN network with exit nodes that are changed frequently, and they issue commands to the bots and collect data from the bots over these VPN connections.\r\nIn the fall of 2019 we counted 10 live bot data aggregating and bot controlling servers and tracked a couple of them for months. These aggregators get data from very few C\u0026C servers (only one or two), with only up to a dozen victims per unique C\u0026C domain. The table below lists some of the older C\u0026C domains that are still live today.\r\nDomain | Created\r\noorgans.com | 5/28/16\r\nsuncocity.com | 5/31/16\r\nzandelshop.com | 6/1/16\r\nsimsoshop.com | 6/2/16\r\nzeverco.com | 6/5/16\r\nqualitweb.com | 6/6/16\r\nservice-explorer.com | 3/3/17\r\nservice-norton.com | 3/6/17\r\nservice-eset.com | 3/6/17\r\nservice-essential.com | 3/7/17\r\nupdate-symantec.com | 3/12/17\r\nTable 2. 
APT33 C\u0026C domains for extreme narrow targeting\r\nFigure 1. Schema showing the multiple obfuscation layers that APT33 uses\r\nThreat actors often use commercial VPN services to hide their whereabouts when administering C\u0026C servers and doing reconnaissance. But besides using VPN services that are available to any user, we also regularly see actors using private VPN networks that they set up for themselves.\r\nSetting up a private VPN is easy: rent a couple of servers from datacenters around the world and run open source software like OpenVPN on them. Though the connections from private VPN networks still come from seemingly unrelated IP addresses around the world, this kind of traffic is actually easier to track, because a private exit node is not shared with thousands of unrelated users the way a commercial VPN endpoint is. Once we know that an exit node is mainly being used by a particular actor, we can have a high degree of confidence about the attribution of the connections that are made from the IP addresses of the exit node. For example, besides administering C\u0026C servers from a private VPN exit node, an actor might also be doing reconnaissance of targets’ networks.\r\nAPT33 likely uses its VPN exit nodes exclusively. We have been tracking some of the group’s private VPN exit nodes for more than a year and have listed the known associated IP addresses in the table below. 
The indicated timeframes are conservative; it is likely that the IP addresses have been used for a longer time.\r\nIP address | First seen | Last seen\r\n5.135.120.57 | 12/4/18 | 1/24/19\r\n5.135.199.25 | 3/3/19 | 3/3/19\r\n31.7.62.48 | 9/26/18 | 9/29/18\r\n51.77.11.46 | 7/1/19 | 7/2/19\r\n54.36.73.108 | 7/22/19 | 10/05/19\r\n54.37.48.172 | 10/22/19 | 11/05/19\r\n54.38.124.150 | 10/28/18 | 11/17/18\r\n88.150.221.107 | 9/26/19 | 11/07/19\r\n91.134.203.59 | 9/26/18 | 12/4/18\r\n109.169.89.103 | 12/2/18 | 12/14/18\r\n109.200.24.114 | 11/19/18 | 12/25/18\r\n137.74.80.220 | 9/29/18 | 10/23/18\r\n137.74.157.84 | 12/18/18 | 10/21/19\r\n185.122.56.232 | 9/29/18 | 11/4/18\r\n185.125.204.57 | 10/25/18 | 1/14/19\r\n185.175.138.173 | 1/19/19 | 1/22/19\r\n188.165.119.138 | 10/8/18 | 11/19/18\r\n193.70.71.112 | 3/7/19 | 3/17/19\r\n195.154.41.72 | 1/13/19 | 1/20/19\r\n213.32.113.159 | 6/30/19 | 9/16/19\r\n216.244.93.137 | 12/10/18 | 12/21/18\r\nTable 3. IP addresses associated with a few private VPN exit nodes connected to APT33\r\nIt appears that these private VPN exit nodes are also used for reconnaissance of networks that are relevant to the supply chain of the oil industry. More concretely, we have witnessed some of the IP addresses in Table 3 doing reconnaissance on the network of an oil exploration company and on military hospitals in the Middle East, as well as on an oil company in the U.S.\r\nFigure 2. APT33’s usage of a private VPN network\r\nAPT33 used its private VPN network to access websites of penetration testing companies, webmail, websites on vulnerabilities, and websites related to cryptocurrencies, as well as to read hacker blogs and forums. APT33 also has a clear interest in websites that specialize in the recruitment of employees in the oil and gas industry. 
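Cross-referencing security logs with the exit-node addresses in Table 3, as the article recommends below, is easy to script. The following Python example is added here and is not code from the Trend Micro article: it embeds Table 3 (with the first/last seen dates), the Table 2 C\u0026C domains and the SHA256 hashes from the Indicators of Compromise section, and matches them against a few constructed log lines. The log format (ISO timestamp, a source tag, then key=value fields) and the 30-day slack around the observed timeframes are assumptions of the example, not something the article specifies. Because the article describes the Table 3 timeframes as conservative, a connection to a listed address outside the observed window is reported with an out-of-window flag rather than dropped.

```python
# Added example, not code from the Trend Micro article: cross-relate constructed log lines
# with the indicators the article publishes (Table 3 exit nodes, Table 2 domains, IOC hashes).
from datetime import datetime, timedelta

# Table 3 verbatim: IP address, first seen, last seen (m/d/yy).
TABLE3 = '''
5.135.120.57 12/4/18 1/24/19
5.135.199.25 3/3/19 3/3/19
31.7.62.48 9/26/18 9/29/18
51.77.11.46 7/1/19 7/2/19
54.36.73.108 7/22/19 10/05/19
54.37.48.172 10/22/19 11/05/19
54.38.124.150 10/28/18 11/17/18
88.150.221.107 9/26/19 11/07/19
91.134.203.59 9/26/18 12/4/18
109.169.89.103 12/2/18 12/14/18
109.200.24.114 11/19/18 12/25/18
137.74.80.220 9/29/18 10/23/18
137.74.157.84 12/18/18 10/21/19
185.122.56.232 9/29/18 11/4/18
185.125.204.57 10/25/18 1/14/19
185.175.138.173 1/19/19 1/22/19
188.165.119.138 10/8/18 11/19/18
193.70.71.112 3/7/19 3/17/19
195.154.41.72 1/13/19 1/20/19
213.32.113.159 6/30/19 9/16/19
216.244.93.137 12/10/18 12/21/18
'''
# Table 2 command-and-control domains.
CNC_DOMAINS = {'oorgans.com', 'suncocity.com', 'zandelshop.com', 'simsoshop.com', 'zeverco.com',
               'qualitweb.com', 'service-explorer.com', 'service-norton.com', 'service-eset.com',
               'service-essential.com', 'update-symantec.com'}
# SHA256 hashes from the Indicators of Compromise section.
IOC_SHA256 = {
    'e954ff741baebb173ba45fbcfdea7499d00d8cfa2933b69f6cc0970b294f9ffd',
    'b58a2ef01af65d32ca4ba555bd72931dc68728e6d96d8808afca029b4c75d31e',
    'a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449',
    'c303454efb21c0bf0df6fb6c2a14e401efeb57c1c574f63cdae74ef74a3b01f2',
    '75e6bafc4fa496b418df0208f12e688b16e7afdb94a7b30e3eca532717beb9ba',
    '8fb6cbf6f6b6a897bf0ee1217dbf738bce7a3000507b89ea30049fd670018b46',
    'ba9d76cca6b5c7308961cfe3739dc1328f3dad9a824417fad73b842b043daa1a',
    '07e1baf1d0207a139bcf39c60354666496e4331381d36eef9359120b1d8497f1',
}
# The article calls the Table 3 timeframes conservative, so a hit outside the observed window
# is still reported, just flagged. The 30-day slack is an assumption of this example.
SLACK = timedelta(days=30)

def parse_table3(text):
    '''Map each exit-node IP to its (first_seen, last_seen) datetimes.'''
    nodes = {}
    for row in text.strip().splitlines():
        ip, first, last = row.split()
        nodes[ip] = (datetime.strptime(first, '%m/%d/%y'), datetime.strptime(last, '%m/%d/%y'))
    return nodes

def classify_ip(ip, when, nodes):
    '''None if ip is not a listed exit node, else in-window or out-of-window per Table 3.'''
    if ip not in nodes:
        return None
    first, last = nodes[ip]
    if first - SLACK <= when < last + timedelta(days=1) + SLACK:
        return 'in-window'
    return 'out-of-window'

def scan_logs(lines, nodes):
    '''Return (timestamp, indicator type, value, verdict) for each log line touching an IOC.
    Assumed line shape: ISO timestamp, a source tag, then key=value fields. src/dst are
    checked against Table 3, host against Table 2, sha256 against the IOC hashes.'''
    hits = []
    for line in lines:
        parts = line.split()
        when = datetime.strptime(parts[0], '%Y-%m-%dT%H:%M:%S')
        fields = dict(p.split('=', 1) for p in parts[2:] if '=' in p)
        for key in ('src', 'dst'):
            verdict = classify_ip(fields.get(key, ''), when, nodes)
            if verdict:
                hits.append((parts[0], 'vpn-exit-node', fields[key], verdict))
        host = fields.get('host', '').lower().rstrip('.')
        if host in CNC_DOMAINS or any(host.endswith('.' + d) for d in CNC_DOMAINS):
            hits.append((parts[0], 'c2-domain', host, 'match'))
        if fields.get('sha256', '').lower() in IOC_SHA256:
            hits.append((parts[0], 'file-hash', fields['sha256'].lower(), 'match'))
    return hits

# Constructed sample events (not real traffic); 198.51.100.20 is a documentation address.
SAMPLE_LOGS = '''
2018-12-10T14:03:22 fw src=10.20.1.7 dst=216.244.93.137 dport=443 action=allow
2019-01-05T03:15:09 fw src=5.135.120.57 dst=10.20.1.2 dport=443 action=deny
2019-04-11T18:40:31 fw src=91.134.203.59 dst=10.20.3.10 dport=22 action=deny
2019-03-20T22:05:01 proxy src=10.20.1.9 host=www.service-norton.com
2019-03-21T08:12:47 edr src=10.20.1.9 file=MsdUpdate.exe sha256=B58A2EF01AF65D32CA4BA555BD72931DC68728E6D96D8808AFCA029B4C75D31E
2019-03-21T08:13:02 fw src=10.20.1.9 dst=198.51.100.20 dport=443 action=allow
'''.strip().splitlines()

if __name__ == '__main__':
    for hit in scan_logs(SAMPLE_LOGS, parse_table3(TABLE3)):
        print(*hit)
```

Run as a script it prints five hits for the constructed lines: two in-window connections involving exit nodes, one out-of-window connection from 91.134.203.59 (months after its last-seen date in Table 3), one proxy request to a subdomain of a Table 2 domain, and one file hash match despite the uppercase hash in the EDR event. On real data, feed parsed firewall, proxy and EDR events into scan_logs and treat even an out-of-window exit-node hit as worth investigating, since the article notes the group likely uses these exit nodes exclusively.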
We recommend that companies in the oil and gas industry cross-reference their security logs with the IP addresses listed above, bearing in mind that the timeframes in Table 3 are conservative.\r\nSecurity recommendations\r\nThe continued modernization of facilities for oil, gas, water, and power is making it more difficult to secure them. Outright attacks, readily exploitable vulnerabilities, and exposed SCADA/HMI systems are serious issues. Here are some of the best practices that these organizations can adopt:\r\nEstablish a regular patching and update policy for all systems, and apply patches as soon as possible to prevent attackers from exploiting known security flaws.\r\nImprove employee awareness of the latest attack techniques that cybercriminals use.\r\nApply the principle of least privilege; it also makes monitoring of inbound and outbound traffic easier.\r\nInstall a multilayered protection system that can detect and block malicious intrusions from the gateway to the endpoint.\r\nSecuring the supply chains of these complex and often multinational systems is also difficult, as they usually depend on third-party suppliers that are embedded in their core operations. These parties may be overlooked in terms of security, and vulnerabilities in the communication or connections with them are often targeted by cybercriminals. Read our supply chain attack research and our security recommendations here.\r\nAs mentioned above, APT33 is known to use spear phishing emails to gain entry into a target’s network, and given the group's malicious activity the threat is serious. To defend against spam and email threats, businesses can consider Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. 
Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs. Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.\r\nIndicators of Compromise\r\nFile name | SHA256 | Detection name\r\nMsdUpdate.exe | e954ff741baebb173ba45fbcfdea7499d00d8cfa2933b69f6cc0970b294f9ffd | Trojan.Win32.NYMERIA.ML\r\nMsdUpdate.exe | b58a2ef01af65d32ca4ba555bd72931dc68728e6d96d8808afca029b4c75d31e | Trojan.Win32.SCAR.AB\r\nMsdUpdate.exe | a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449 | Trojan.Win32.SCAR.AC\r\nMsdUpdate.exe | c303454efb21c0bf0df6fb6c2a14e401efeb57c1c574f63cdae74ef74a3b01f2 | Trojan.Win32.NYMERIA.ML\r\nMsdUpdate.exe | 75e6bafc4fa496b418df0208f12e688b16e7afdb94a7b30e3eca532717beb9ba | Trojan.Win32.SCAR.AD\r\nMsdUpdate.exe | 8fb6cbf6f6b6a897bf0ee1217dbf738bce7a3000507b89ea30049fd670018b46 | Trojan.Win32.SCAR.AD\r\nDysonPart.exe | ba9d76cca6b5c7308961cfe3739dc1328f3dad9a824417fad73b842b043daa1a | Trojan.Win32.SCAR.AD\r\nUnknown | 07e1baf1d0207a139bcf39c60354666496e4331381d36eef9359120b1d8497f1 | Trojan.Win32.SCAR.AD\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/"
	],
	"report_names": [
		"more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434006,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e451f6ced373bd4baac2b49100ce126dba0c96a.pdf",
		"text": "https://archive.orkl.eu/8e451f6ced373bd4baac2b49100ce126dba0c96a.txt",
		"img": "https://archive.orkl.eu/8e451f6ced373bd4baac2b49100ce126dba0c96a.jpg"
	}
}