{
	"id": "1f4704bc-b187-41bf-a2c2-6fdda2cbbcb9",
	"created_at": "2026-04-06T00:13:09.725278Z",
	"updated_at": "2026-04-10T13:12:33.019489Z",
	"deleted_at": null,
	"sha1_hash": "a047a0c84fd3aaebfb3494290136f6a3d22bab39",
	"title": "Elfin Team",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85771,
	"plain_text": "Elfin Team\r\nBy Contributors to Wikimedia projects\r\nPublished: 2017-09-20 · Archived: 2026-04-05 22:49:14 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nAdvanced Persistent Threat 33 (APT33) is a hacker group identified by FireEye as being supported by the government of Iran.[1][2] The group has also been called Elfin Team, Refined Kitten (by CrowdStrike), Magnallium (by Dragos), Peach Sandstorm,[3] and Holmium (by Microsoft).[4][5][6] It is categorized as an advanced persistent threat.\r\nFireEye believes that the group was formed no later than 2013.[1]\r\nAPT33 has reportedly targeted aerospace, defense and petrochemical industry targets in the United States, South Korea, and Saudi Arabia.[1][2]\r\nAPT33 reportedly uses a dropper program designated DropShot, which can deploy a wiper called ShapeShift, or install a backdoor called TurnedUp.[1] The group is reported to use the ALFASHELL tool to send spear-phishing emails loaded with malicious HTML Application files to its targets.[1][2]\r\nAPT33 registered domains impersonating many commercial entities, including Boeing, Alsalam Aircraft Company, Northrop Grumman and Vinnell.[2]\r\nFireEye and Kaspersky Lab noted similarities between ShapeShift and Shamoon, another virus linked to Iran.[1] APT33 also used Farsi in ShapeShift and DropShot, and was most active during Iran Standard Time business hours, remaining inactive on the Iranian weekend.[1][2]\r\nOne hacker known by the pseudonym xman_1365_x was linked to both the TurnedUp tool code and the Iranian Nasr Institute, which has been connected to the Iranian Cyber Army.[7][1][2][8] xman_1365_x has accounts on Iranian hacker forums, including Shabgard and Ashiyane.[7]\r\nSee also: Charming Kitten\r\nReferences\r\n1. Greenberg, Andy (September 20, 2017). \"New Group of Iranian Hackers Linked to Destructive Malware\". Wired.\r\n2. O'Leary, Jacqueline; Kimble, Josiah; Vanderlee, Kelli; Fraser, Nalani (September 20, 2017). \"Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware\". FireEye.\r\n3. \"Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets\". Microsoft. 14 September 2023.\r\n4. \"Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.\"\r\n5. \"MAGNALLIUM | Dragos\". 30 May 2020.\r\n6. \"Microsoft says Iran-linked hackers targeted businesses\". Associated Press. 6 March 2019.\r\n7. Cox, Joseph (20 September 2017). \"Suspected Iranian Hackers Targeted U.S. Aerospace Sector\". The Daily Beast. Archived from the original on September 21, 2017. “Included in a piece of non-public malware APT33 uses called TURNEDUP is the username \"xman_1365_x.\" xman has accounts on a selection of Iranian hacking forums, such as Shabgard and Ashiyane, although FireEye says it did not find any evidence to suggest xman was formally part of those site's hacktivist groups. In its report, FireEye links xman to the \"Nasr Institute,\" a hacking group allegedly controlled by the Iranian government.”\r\n8. Auchard, Eric; Wagstaff, Jeremy; Sharafedin, Bozorgmehr (September 20, 2017). Heinrich, Mark (ed.). \"Once 'kittens' in cyber spy world, Iran gaining hacking prowess: security experts\". Reuters. “FireEye found some ties between APT33 and the Nasr Institute - which other experts have connected to the Iranian Cyber Army, an offshoot of the Revolutionary Guards - but it has yet to find any links to a specific government agency, Hultquist said.”\r\nSource: https://en.wikipedia.org/wiki/Elfin_Team",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Elfin_Team"
	],
	"report_names": [
		"Elfin_Team"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434389,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a047a0c84fd3aaebfb3494290136f6a3d22bab39.pdf",
		"text": "https://archive.orkl.eu/a047a0c84fd3aaebfb3494290136f6a3d22bab39.txt",
		"img": "https://archive.orkl.eu/a047a0c84fd3aaebfb3494290136f6a3d22bab39.jpg"
	}
}