{
	"id": "18d5c35a-ca50-447e-9688-ba2bcba26957",
	"created_at": "2026-04-06T00:21:06.740022Z",
	"updated_at": "2026-04-10T13:12:30.661918Z",
	"deleted_at": null,
	"sha1_hash": "c6dbfb6ed8117fbff14d6193e728380d97958f4d",
	"title": "APT33 PowerShell Malware – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 262178,
	"plain_text": "APT33 PowerShell Malware – One Night in Norfolk\r\nPublished: 2019-07-22 · Archived: 2026-04-05 22:32:15 UTC\r\nIn late June, multiple researchers and security entities (including researchers from ClearSky, FireEye, and U.S.\r\nCybercom) highlighted APT33 activity in public outlets. Several of the files involved have already been identified and\r\nanalyzed as part of ongoing discussions on Twitter regarding this activity.\r\nThis blog post examines a file identified through public resources with infrastructure links to these attacks that has\r\nnot been widely examined.\r\nAs part of this activity, researchers identified the domain “backupaccount[.]net” as a C2 used within a\r\nmalicious HTA file hosted on attacker infrastructure. A PassiveTotal pivot at the time of this writing highlights 11\r\nhashes associated with this domain. PassiveTotal accounts are free, but also do not offer the context behind these\r\nhash associations.\r\nOf these 11 hashes:\r\n– Eight are on VirusTotal.\r\n– Two appear to be malicious documents related to this threat.\r\n– One appears to be an AutoIt file documented in open source.\r\n– Three appear to be malicious HTML/HTA files.\r\n– Two appear to be malicious PowerShell scripts.\r\nOne of these scripts appears to be fairly unique, and warrants additional analysis:\r\nMD5: 985797eb1a75f297359bf52aa7c27715\r\nSHA1: 2c2cc6c42c6ccf74d96e5913277537679ec20fba\r\nSHA256: 6bea9a7c9ded41afbebb72a11a1868345026d8e46d08b89577f30b50f4929e85\r\nhttps://norfolkinfosec.com/apt33-powershell-malware/\r\nPage 1 of 7\n\nImmediately, the connection between this hash and the C2 server is clear. 
The malware contains a variable on the\r\nfirst line, $SRVURL, containing this domain.\r\nConfiguration for PowerShell file\r\nInitial Analysis\r\nThe malware defines the following 14 functions:\r\n– Privilege\r\n– Join\r\n– Http-request\r\n– Decrypt\r\n– Encrypt\r\n– upload\r\n– download\r\n– capture\r\n– Poster\r\n– Receiver\r\n– Timer-post\r\n– Functioner\r\n– Functioner\r\n– Loop\r\nThe malware enters a “while loop” (with a switch statement for “active” and “silent” mode, explained later), first\r\ncalling the “Poster” function alongside a notification message for the C2. The “Encrypt” function is used to\r\nencrypt this message, and “Poster” will create a new WebClient object, using this to send a web request to the\r\npreviously specified server.\r\nWhile Loop, which first calls the “Poster” function (and subsequently calls the “Loop”\r\nfunction)\r\nPoster Function, which sends a message to the C2 server\r\nAfter the “Poster” function, the malware calls the “Loop” function. This function serves as the primary C2\r\nworkflow for the malware. The malware will use the Receiver function (which in turn calls the Http-request\r\nfunction) to send a message to the C2 server (masked as JSON). The response from this function will be parsed,\r\nwith a string check to see if the beginning of the response matches the string of a command.\r\nStart of the command loop\r\nCommand Structure\r\nThe following values are checked against the command string:\r\n– interactive\r\n– sleep\r\n– cmd\r\n– exit\r\n– left\r\n– Join\r\n– upload\r\n– download\r\n– pass\r\n– ldap\r\n– sam\r\n– capture\r\nEach successfully parsed command will typically cause a message to be sent to the C2 to confirm that the command has been received. A\r\nhandful of commands only require short explanations. 
The “interactive” command expects a second numerical\r\nvalue to be part of the C2 response. If this value is 0, the malware sets itself to silent mode. If the value is greater\r\nthan 299, it sets itself to active mode. If neither is true, it informs the operator that a valid value needs to be\r\nspecified. These modes appear to modify the interval between requests, with active mode choosing a value between five\r\nand ten seconds and silent (passive) mode choosing a value between 45 minutes and 70 minutes.\r\nDifference in request interval depending on the mode\r\nThe “sleep” command simply sets the mode to silent and breaks the C2 loop. The “cmd” command will inform the\r\noperator that they need to do “cmd /c” (to run the command silently), and the “exit” command will inform the user\r\nthat they need to use the “close” command to terminate the malware.\r\nThe next two commands (“Join” and “left”) can be thought of as a pair. The “join” command will call the “join”\r\nfunction, and it expects the parsed C2 command to contain two additional values passed to this function: a\r\n“method” and a “command.” Looking at the function, there are two valid methods: “wmi” and “reg”.\r\nThe “wmi” method accepts the commands “check” and “remove.” If neither is specified, the malware will create a\r\nWMI event filter as a persistence method. If “check” is specified, the malware will use the “Privilege” function to\r\ndetermine if it has sufficient privileges to perform such an action (and will inform the operator if it does not).\r\n“Remove” will remove any event filter created.\r\nWMI workflow within the “join” function\r\nThe “reg” method provides an alternative persistence mechanism. The malware will check to see if there is an\r\nentry for a file named smrsservice.exe within the HKCU CurrentVersion\\Run key. 
If the “add” command has been\r\npassed, it will create this key if it does not already exist (and inform the operator if the key has already been\r\nwritten). It will then download a file with this name to the user's $env:APPDATA folder. The nature of this file is\r\nunknown, but it may serve as an additional payload or a mechanism for executing this PowerShell script.\r\nThe “reg” method also supports a “check” command (which reports if this registry value already exists) and a\r\n“remove” command (which removes the registry entry).\r\nAs previously mentioned, this overall “join” command is paired with the “left” command. If the C2 server\r\nspecifies the “left” command, the malware will run the “remove” commands within the “join” function to perform\r\nthe removal tasks described above. It will do this for both methods.\r\nThe next two commands are “download” and “upload.” Download will transfer a file from the victim to the\r\nattacker, whereas “upload” will push a file from the attacker to the victim device. The download command\r\nactually recursively traverses a directory specified by the attacker, sending each file within this directory to the C2:\r\nDownload function\r\nThe next three commands appear to have external dependencies. “Pass” appears to expect an external PowerShell\r\nmodule named “invoke-pass” to be transmitted by the C2, although it is unclear what this would be. Similarly,\r\n“ldap” expects to execute an “ldapCommand” parsed from the C2 response, and “sam” also appears to attempt to\r\nexecute an additional script. 
As these were unavailable at the time of this analysis, this blog can only speculate\r\nfrom the command names that these might be intended for additional reconnaissance.\r\nThe “capture” command simply takes a screenshot, using a mechanism relatively common for malicious scripts of\r\nthis nature:\r\nScreenshot routine\r\nFinally, if no “official” command is specified, the malware will attempt to run the C2 response as a PowerShell\r\ncommand via “iex” (Invoke-Expression). It will send the results of this command to the C2 server via the same\r\nPoster function.\r\nAt this point, the command loop will continue.\r\nSource: https://norfolkinfosec.com/apt33-powershell-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://norfolkinfosec.com/apt33-powershell-malware/"
	],
	"report_names": [
		"apt33-powershell-malware"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434866,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6dbfb6ed8117fbff14d6193e728380d97958f4d.pdf",
		"text": "https://archive.orkl.eu/c6dbfb6ed8117fbff14d6193e728380d97958f4d.txt",
		"img": "https://archive.orkl.eu/c6dbfb6ed8117fbff14d6193e728380d97958f4d.jpg"
	}
}