Executive Summary
Strategic Overview
This report provides an in-depth analysis of the 2025 operational patterns and Tactics, Techniques, and Procedures (TTPs) of the Advanced Persistent Threat (APT) group assessed to be Iranian state-sponsored, known in the cybersecurity community as APT33, Elfin, and by Microsoft as Peach Sandstorm. APT33 acts as a dynamic instrument of Iranian state policy, not merely a cybercrime group, and has undergone a strategic evolution in recent years. The central thesis of this report is that APT33’s 2025 threat posture is defined by a “Cloud-First” attack model, representing a paradigm shift from traditional network-based attacks to identity-centric infiltrations.
Synthesis of Key Findings
- Dominance of Identity Attacks: The primary initial access vector for 2025 is no longer spearphishing, but rather persistent, large-scale password spraying campaigns against cloud services like Microsoft 365 and Azure Active Directory (Azure AD). This method allows the group to bypass traditional perimeter defenses by directly targeting the corporate identity layer.
- Weaponization of the Cloud: APT33 systematically abuses legitimate cloud infrastructures, such as Microsoft Azure, for its Command and Control (C2) operations. This tactic makes attribution and detection nearly impossible by concealing malicious traffic within legitimate corporate cloud activity.
- Modernized Arsenal: The operational use of the new and sophisticated ‘Tickler’ backdoor in 2024 demonstrates the group’s continuous investment in custom tools designed for stealth and long-term persistence in high-value networks.
- Latent Destructive Threat: The group maintains a proven and potent destructive capability, primarily the SHAPESHIFT wiper. This capability is not passive but is actively staged; espionage activities serve as a preparatory phase for potential sabotage operations that could be triggered by geopolitical events.
Critical Defense Imperatives
This evolution constitutes an urgent call to action at the leadership level. Defense investments and focus must shift from the network perimeter to the identity and cloud security layers. Key recommendations include mandating phishing-resistant Multi-Factor Authentication (MFA), hardening cloud configurations, and integrating geopolitical intelligence into cyber risk assessment processes.
Threat Actor Profile: An Instrument of Iranian Statecraft
Attribution and State Sponsorship
There is strong and consistent evidence that APT33 conducts its operations on behalf of the Iranian state, specifically in connection with the Islamic Revolutionary Guard Corps (IRGC). This attribution is based on various technical and operational indicators. The group’s operational hours align with Iran’s Saturday-to-Wednesday work week. Furthermore, traces of the Farsi language have been found in malware code, and Iranian-origin hosting services have been used for infrastructure.
One of the most concrete pieces of evidence is the developer handle “xman_1365_x” found in the PDB (Program Database) path of the group’s custom-developed TURNEDUP backdoor. This handle has been linked to the “Nasr Institute,” which is considered Iran’s “cyber army” and an extension of the IRGC. This connection draws a direct line from a piece of custom malware to the state apparatus, indicating that APT33 is not an ordinary cybercrime group but an organized unit serving Iran’s strategic objectives.
Aliases and Industry Tracking
APT33 is tracked by numerous security organizations under different names. This can create challenges in correlating intelligence from different sources. The following table is prepared to clarify these naming conventions and allow a SOC analyst to associate a “Peach Sandstorm” alert from Microsoft Defender with a “Refined Kitten” report from CrowdStrike.
| Alias | Tracking Organization |
|---|---|
| APT33 | Mandiant (Google) |
| Elfin | Symantec (Broadcom) |
| Peach Sandstorm | Microsoft |
| HOLMIUM | Microsoft (former name) |
| Refined Kitten | CrowdStrike |
| MAGNALLIUM | Dragos |
| COBALT TRINITY | SecureWorks |
| G0064 | MITRE ATT&CK |
| TA451 | Proofpoint |
| ATK 35 | Thales |
Table 1: APT33 Alias Correlation Matrix
Dual Mission: Espionage and Sabotage
APT33’s activities are shaped around two main strategic objectives: industrial espionage and destructive sabotage. This dual nature reveals that the group is not a monolithic entity serving a single purpose, but a strategic asset that can be flexibly used according to Iran’s geopolitical needs.
- Industrial Espionage: The group’s primary day-to-day activity is intelligence gathering to support Iran’s economic and military goals. This is evidenced by the continuous targeting of the aerospace, defense, and petrochemical sectors. The aim is to steal intellectual property, gather strategic information on rival countries (especially Saudi Arabia), and advance Iran’s domestic industry and military capabilities.
- Destructive Sabotage: Alongside espionage, the group possesses a proven and potent destructive capability. This is demonstrated through their development of the SHAPESHIFT disk wiper malware and their strong links to the devastating Shamoon attacks.
The structure of this group reflects a doctrine of “Operational Duality,” which can be described not as espionage or sabotage, but as espionage for sabotage. The intelligence-gathering phase is critical for mapping networks, identifying high-value targets (like Industrial Control Systems), and pre-positioning access for a future destructive attack. The DROPSHOT dropper, capable of delivering both the TURNEDUP espionage backdoor and the SHAPESHIFT wiper, is tactical proof of this doctrine. This means that detecting an APT33 espionage tool on a network should not be treated merely as a data breach, but as the first stage of a potential sabotage operation. This reframes the incident response priority from data containment to preventing physical disruption.

The Evolving Attack Chain: From Spearphishing to Cloud-Centric Infiltration
Historical Campaign Analysis (2013-2022)
APT33’s early operations focused on developing basic infiltration and espionage capabilities. During this period, the main initial access vector was spearphishing emails prepared with recruitment-themed lures. These emails directed victims to click on malicious HTML Application (.hta) files and used domain names impersonating legitimate companies like Boeing to increase credibility. In later years, the group diversified its TTPs, beginning to systematically exploit known vulnerabilities such as CVE-2017-11774 in Microsoft Outlook and CVE-2018-20250 in WinRAR.
Paradigm Shift (2023-2025): The “Cloud-Focused” Attack Lifecycle
This is the most critical evolution, forming the basis of the group’s projected activities for 2025.
- Initial Access (T1078.004): Password spraying has definitively replaced phishing as the primary initial access vector. The attacks are large-scale, persistent, and anonymized using TOR exit nodes to hide their origin. A distinctive feature of these attacks is the consistent use of the “go-http-client” user agent, which can be detected in network logs.
- Cloud Discovery and Lateral Movement: After compromising an account, the group uses cloud-specific discovery tools like AzureHound and Roadtools to map the victim’s Azure AD environment and identify privilege escalation paths.
This operational model reveals a sophisticated “Cloud Supply Chain” attack model: APT33 has built a supply chain for its own C2 infrastructure. The group attacks “soft targets” such as universities with low-cost, high-volume password spray attacks to compromise accounts, then uses these compromised education-sector accounts to create new, fraudulent Azure subscriptions (e.g., “Azure for Students”). This “clean” infrastructure, hosted on Microsoft’s trusted platform, is then used to launch stealthy attacks against the actual high-value targets in the defense and energy sectors. An attack on a university is therefore not the final goal but a logistical step in a larger operation, which means organizations outside the target sectors are also at risk of being abused as infrastructure.
Targeting Analysis: Aerospace, Energy, and Critical Infrastructure
APT33’s target selection directly aligns with Iran’s national interests: aerospace, defense, energy (oil, gas, and petrochemicals), and government. This targeting is directly linked to Iran’s geopolitical objectives. For example, targeting Saudi petrochemical companies serves the purpose of gaining a competitive advantage, while attacks on aerospace companies reflect a desire to understand Saudi military capabilities.
The most alarming trend for 2025 is the group’s clear shift in focus to Operational Technology (OT) and Industrial Control Systems (ICS) environments. This forms the basis of the “Cloud-to-OT” attack scenario, indicating the group is no longer just stealing data but has the potential to sabotage physical processes.
Modern Arsenal: A Hybrid Blend of Custom and Commercial Tools
Custom Arsenal
APT33 dedicates significant resources to developing its own tools for the most critical phases of its operations.
- Destructive Component: SHAPESHIFT (aka STONEDRILL) is the group’s most powerful destructive tool. Compared to the older Shamoon wiper, it uses more sophisticated methods like in-memory injection and advanced anti-emulation techniques. This tool is deployed via the custom DROPSHOT dropper.
- Espionage Tools: The group’s long-standing flagship backdoor is TURNEDUP, associated with “xman_1365_x”. In more recent operations, the PowerShell-based POWERTON implant has been observed.
- 2024 Innovation: The ‘Tickler’ Backdoor: This is the group’s most current and sophisticated tool.
- Deployment: Distributed within ZIP archives like Network Security.zip, as a file with a .pdf.exe extension appearing to be a security document.
- Anti-Analysis: Uses the Process Environment Block (PEB) traversal technique to bypass common API hooks used by security solutions.
- Persistence: Employs a sophisticated DLL Sideloading (T1574.001) technique, using legitimate, signed Windows executables like SharePoint.exe to load malicious DLLs (msvcp140.dll, etc.). Persistence is achieved via a Registry Run key to survive system reboots.
Use of Publicly Available Tools
APT33 heavily leverages existing tools to maximize operational efficiency.
- Commercial RATs: Tools like Remcos, DarkComet, QuasarRAT, and PupyRAT are used in broader-scale or less critical operations, which also makes attribution more difficult.
- Credential Dumping Tools: The use of tools like Mimikatz, LaZagne, ProcDump, and SniffPass is a standard procedure in the post-exploitation phase.
- Post-Exploitation Frameworks: PowerShell Empire and PoshC2 are used to manage lateral movement and C2 activities.
Comprehensive Toolset Inventory Table
| Tool Name | Category | Origin | Key Operational Notes / Associated TTPs |
|---|---|---|---|
| Tickler | Multi-stage Backdoor | Custom | Next-gen backdoor discovered in 2024. Uses DLL sideloading and PEB traversal. Targets Azure infrastructure for C2. |
| SHAPESHIFT | Disk Wiper | Custom | Capable of destroying disks and files. Shows strong similarities to Shamoon. |
| DROPSHOT | Dropper | Custom | A tool that drops other malware, such as TURNEDUP or SHAPESHIFT, onto the target system. |
| TURNEDUP | Backdoor | Custom | Capabilities for file upload/download, system info collection, and reverse shell. Associated with “xman_1365_x”. |
| POWERTON | PowerShell Implant | Custom | PowerShell-based implant with encrypted C2, multiple persistence mechanisms, and ability to dump password hashes. |
| Remcos RAT | Remote Access Tool | Commercial | A commonly used Remote Access Trojan (RAT). Preferred for its broad functionality. |
| DarkComet RAT | Remote Access Tool | Commercial | Placed in the Startup folder for persistence. |
| Quasar RAT | Remote Access Tool | Open Source | An open-source and widely used RAT. |
| Mimikatz | Credential Dumping | Open Source | Used to extract plaintext passwords and hashes from memory (LSASS) on Windows systems. |
| LaZagne | Credential Dumping | Open Source | Collects passwords stored in browsers, email clients, and other applications. |
| PowerShell Empire | C2 Framework | Open Source | A PowerShell-based framework used for post-exploitation tasks, lateral movement, and C2 communication. |
Table 2: APT33 Tool and Malware Arsenal
C2 and Data Exfiltration: Mastering Evasion in the Cloud
Command and Control Infrastructure
APT33’s C2 infrastructure adopts an infrastructure-level camouflage strategy to avoid detection. Defense models based on blocking traditionally known malicious IP addresses or domains are rendered ineffective by the group’s hosting of its C2 infrastructure on legitimate, high-reputation cloud platforms. This approach is a fundamental attack on the trust model of corporate IT, as organizations cannot block entire cloud services like azurewebsites.net without disrupting critical business functions. This forces defenders to move away from simple blocklists and toward more complex, behavioral analytics capable of detecting anomalous behavior within trusted channels. Observed C2 domains include examples like subreviews.azurewebsites[.]net and satellite2.azurewebsites[.]net.
C2 Communication Protocols
The group typically uses HTTP/S for C2 communication, favoring non-standard ports like TCP 808 and 880 to bypass simple firewall rules. The content of the C2 traffic is encrypted with AES and Base64 encoded to hide it from network-based inspection systems.
The Data Exfiltration Dilemma
APT33’s data exfiltration strategy demonstrates a conscious compartmentalization of operational risk. The group often uses a separate protocol, such as unencrypted FTP (T1048.003), for large data transfers. This may seem illogical for a sophisticated actor at first glance. However, it is a deliberate tactical choice. The C2 channel is the most valuable asset for maintaining persistence and must remain “low and slow.” Exfiltrating gigabytes of data through this channel would create a large traffic anomaly, which could be easily detected. By using a separate and expendable FTP server, they isolate the risk of the “noisy” data transfer from the C2 channel. If the FTP traffic is detected, the attackers only lose the stolen data and the FTP server, but their primary, stealthy C2 channels remain intact. This is a calculated risk where data security (encryption) is sacrificed for operational security (stealth).
Comprehensive TTP Breakdown: A MITRE ATT&CK® Analysis
Consolidated MITRE ATT&CK TTP Matrix
The following matrix maps APT33’s observed TTPs to the industry-standard framework, providing an actionable basis for defenders to understand the group’s behavioral patterns and develop specific detection strategies against them.
| Tactic | Technique ID and Name | APT33 Implementation Details |
|---|---|---|
| Initial Access | T1110.003: Brute Force: Password Spraying | Conducts low and slow password spray attacks against Microsoft 365 and Azure AD tenants. Known to use the ‘go-http-client’ user agent in attacks. |
| Initial Access | T1566: Phishing | Uses spearphishing emails. These contain either archive attachments like .rar (CVE-2018-20250) or links directing to .hta files. |
| Initial Access | T1078.004: Valid Accounts: Cloud Accounts | Gains initial access using cloud accounts compromised through password spray attacks. |
| Execution | T1059.001: Command and Scripting Interpreter: PowerShell | Heavily uses PowerShell to download files from the C2 server, run various scripts, and initiate reverse shell sessions. |
| Persistence | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Places RATs like DarkComet in the Startup folder. Uses Registry Run keys for persistence, including for new software like Tickler. |
| Persistence | T1053.005: Scheduled Task/Job: Scheduled Task | Creates scheduled tasks to run a malicious .vbe file multiple times a day. |
| Credential Access | T1003: OS Credential Dumping | Uses various tools like LaZagne, Mimikatz, and ProcDump to dump passwords and hashes from LSASS memory, LSA Secrets, and cached domain credentials. |
| Command and Control | T1071.001: Application Layer Protocol: Web Protocols | Uses HTTP for C2 communication. Often prefers non-standard ports like 808 and 880. |
| Impact | T1485: Data Destruction | Forms the basis of the group’s destructive capability. The SHAPESHIFT wiper and links to Shamoon attacks are proof of this tactic. |
Table 3: Mapping APT33 TTPs to MITRE ATT&CK®
Analysis of the “Living off the Land and Clouds” Philosophy
APT33’s TTPs demonstrate an adoption of a philosophy that can be called “Living off the Land and Clouds.” This approach relies on the attacker abusing legitimate tools and services already present in the target environment to conceal their activities.
- Living off the Land (LOTL): The group makes extensive use of legitimate Windows components like PowerShell, WMI, and Scheduled Tasks to execute malicious code, maintain persistence, and navigate the network. This creates a serious detection challenge for traditional endpoint security solutions that only look for anomalous or malicious software signatures.
- Living off the Clouds: The group’s recent evolution shows it has extended this philosophy to cloud environments. Attackers use compromised, legitimate Azure subscriptions to host their C2 infrastructure. This makes the attack traffic appear as if it is the target organization’s own cloud traffic or traffic from other legitimate Azure services, rendering blocking based on known-bad IPs ineffective.
Actionable Intelligence and Indicators of Compromise (IoCs)
This section provides the most actionable part of the report, giving security teams the specific data needed for detection and blocking. The following indicators are the most current and actionable collection compiled from the provided research materials.
| Indicator | Type | Associated Malware/TTP | Notes |
|---|---|---|---|
| subreviews.azurewebsites[.]net | Domain Name | Tickler | Hosted on a fraudulent Azure subscription |
| satellite2.azurewebsites[.]net | Domain Name | Tickler | Hosted on a fraudulent Azure subscription |
| nodetestservers.azurewebsites[.]net | Domain Name | Tickler | Hosted on a fraudulent Azure subscription |
| satellitegardens.azurewebsites[.]net | Domain Name | Tickler | Hosted on a fraudulent Azure subscription |
| softwareservicesupport.azurewebsites[.]net | Domain Name | Tickler | Hosted on a fraudulent Azure subscription |
| boeing.servehttp[.]com | Domain Name | Spearphishing | Domain Masking |
| “go-http-client” | User Agent | Password Spraying (T1110.003) | Should be monitored in authentication logs |
Table 4: Network-Based Indicators of Compromise
| Indicator | Type | Associated Malware/TTP | Notes |
|---|---|---|---|
| 7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198 | SHA-256 | Tickler | YAHSAT NETWORK_…GUIDE_20240421.pdf.exe |
| ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4 | SHA-256 | Tickler | Sold.dll |
| 5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b | SHA-256 | Tickler | .batch file (persistence) |
| fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f | SHA-256 | Tickler | .dll file (backdoor) |
| HKCU\Software\Microsoft\Office\<Version>\Outlook\WebView\Inbox “URL” = http://… | Registry Key | Ruler / Outlook Persistence | Persistence targeting the Exchange client |
| %LOCALAPPDATA%\SmartMega.exe | File Path | APT33 Backdoor | Known malware location |
| %APPDATA%\MsdUpdate.exe | File Path | APT33 Backdoor | Known malware location |
Table 5: Host-Based Indicators of Compromise
Practical Guide for Defenders: A Multi-Layered Defense Strategy
The “Cloud-to-OT” Threat Scenario
APT33’s most dangerous attack path for 2025 is a hybrid scenario involving the following steps: 1) Compromising an engineer’s cloud-based Microsoft 365 account via password spraying. 2) Using this identity to infiltrate the corporate IT network. 3) Moving laterally from the IT network to the sensitive OT/ICS network. This scenario represents a paradigm shift in the threat model for critical infrastructure, where a simple password weakness in the cloud can lead to the disruption of physical industrial processes. The following recommendations are designed to prevent this scenario.
Strategic Recommendations (For Leadership/CISOs)
- Prioritize Identity as the Perimeter: The single most effective countermeasure against password spray attacks is the implementation of phishing-resistant Multi-Factor Authentication (MFA). Mandate MFA on all critical systems, especially cloud services, remote access (VPN), and administrator accounts.
- Bridge the IT/OT Security Gap: Break down the silos between IT and OT security teams. Invest in tools that provide visibility into OT networks and implement strict network segmentation to prevent lateral movement from IT environments to OT environments.
- Integrate Geopolitical Intelligence: Develop a process to integrate geopolitical threat intelligence into the organization’s risk management framework. Establish pre-defined protocols to elevate the cyber defense posture during a geopolitical crisis.
- Plan for Destructive Resiliency: Prepare not just for a data breach, but for a wiper attack. Ensure that critical systems and data have offline, immutable, and tested backups. Update and drill disaster recovery plans to include a scenario where entire systems are destroyed.
Tactical Recommendations (For Practitioners/SOCs)
- Harden the Cloud Environment: Actively monitor Azure AD and Microsoft 365 logs for signs of password spraying. These signs include “impossible travel” alerts and numerous failed login attempts from unusual user agents like ‘go-http-client’. Scrutinize and restrict the creation of new Azure tenants or, specifically, “Azure for Students” subscriptions in your environment.
- Threat Hunting Hypotheses:
- Hunt for PowerShell processes launched by unusual parent processes (e.g., an Office application).
- Regularly audit persistence mechanisms used by Tickler: Look for DLL sideloading from signed binaries (like SharePoint.exe) and unauthorized entries in the associated Registry Run keys.
- Monitor for processes accessing LSASS memory (e.g., the command procdump.exe -ma lsass.exe) or the execution of known credential dumping tools like Mimikatz.
- Network and Endpoint Monitoring: Monitor for C2 traffic over non-standard HTTP ports like 808 and 880. Monitor for high-volume FTP traffic. Create EDR rules for known file names, paths, and hashes associated with Tickler.
- Incident Response Planning: Develop and drill incident response playbooks, specifically for a hybrid “Cloud-to-OT” infiltration scenario and a destructive wiper attack. These plans should include processes to rapidly increase network segmentation, isolate affected systems, and recover from backups.
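The password-spray pattern described under Initial Access (one source, many accounts, few guesses each, the go-http-client user agent) and the "Harden the Cloud Environment" recommendation both come down to the same sign-in log analysis. The following is an added example, not code from the report; the event field names are an assumption modelled on Entra ID / Azure AD sign-in logs, and the sample events are constructed.

```python
"""Password-spray detection over cloud sign-in events.

Added example, not code from the report. Event field names (user, ip,
user_agent, result, ts) are an assumption modelled on Entra ID / Azure AD
sign-in logs; the sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SUSPICIOUS_UA = ("go-http-client",)   # user agent called out in the report
MIN_DISTINCT_USERS = 10               # one source hitting many accounts ...
MAX_PER_USER = 3                      # ... with only a few guesses each
WINDOW = timedelta(hours=24)          # "low and slow" sprays spread out in time


def detect_spray(events, min_users=MIN_DISTINCT_USERS,
                 max_per_user=MAX_PER_USER, window=WINDOW):
    """One finding per source (ip, user_agent) whose failures look like a spray.

    A spray is the inverse of brute force: few attempts per account, many
    accounts, one source. A later success or MFA challenge from that source
    (in Entra ID logs, ResultType 50076 after a run of 50126) means a
    password was guessed; that account needs immediate action.
    """
    by_source = defaultdict(list)
    for e in events:
        by_source[(e["ip"], e["user_agent"])].append(e)
    findings = []
    for (ip, ua), evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "failure"]
        if not fails:
            continue
        attempts_per_user = defaultdict(int)
        for e in fails:
            attempts_per_user[e["user"]] += 1
        spray_shape = (len(attempts_per_user) >= min_users
                       and max(attempts_per_user.values()) <= max_per_user
                       and fails[-1]["ts"] - fails[0]["ts"] <= window)
        bad_ua = any(s in ua.lower() for s in SUSPICIOUS_UA)
        if not (spray_shape or bad_ua):
            continue
        guessed = sorted({e["user"] for e in evs
                          if e["result"] in ("success", "mfa_required")
                          and e["ts"] >= fails[0]["ts"]})
        findings.append({
            "ip": ip, "user_agent": ua,
            "distinct_users": len(attempts_per_user), "failed_attempts": len(fails),
            "reasons": [r for r, hit in (("spray_shape", spray_shape),
                                         ("suspicious_user_agent", bad_ua)) if hit],
            "guessed_accounts": guessed,   # highest response priority
        })
    return findings


def sample_events():
    """Constructed sign-in log: a low-and-slow spray plus ordinary user noise."""
    t0 = datetime(2025, 3, 2, 1, 0)
    src = {"ip": "203.0.113.9", "user_agent": "Go-http-client/1.1"}
    spray = [dict(src, user=f"user{i:02d}@example.com", result="failure",
                  ts=t0 + timedelta(minutes=9 * i)) for i in range(12)]
    spray.append(dict(src, user="user07@example.com", result="mfa_required",
                      ts=t0 + timedelta(hours=3)))
    noise = [{"user": "alice@example.com", "ip": "198.51.100.7",
              "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/122.0",
              "result": r, "ts": t0 + timedelta(minutes=m)}
             for r, m in (("failure", 5), ("failure", 6), ("success", 7))]
    return spray + noise
```

The thresholds are starting points; a tenant with many service accounts or shared egress IPs will need them tuned against its own baseline.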
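The Tickler persistence mechanism described in the arsenal section (a signed SharePoint.exe sideloading msvcp140.dll, plus a Registry Run key) and the "audit persistence mechanisms used by Tickler" hunting hypothesis both translate into the same host-side checks. The following is an added example, not code from the report; the record fields are an assumption modelled on Sysmon image-load events and exported Run-key values, the sample records are constructed, and only the names marked "from report" come from the report.

```python
"""Hunt for Tickler-style persistence: a runtime DLL sideloaded through a signed
host binary, and Run-key entries that launch unsigned binaries from user paths.
Added example, not code from the report. Record fields are an assumption
modelled on Sysmon image-load (Event ID 7) events and exported Run-key values;
samples are constructed. Names marked "from report" are the report's; the
directory lists are this example's own.
"""
import ntpath   # Windows path handling that also works on non-Windows hosts

SIDELOAD_HOSTS = {"sharepoint.exe"}                 # from report: abused signed loader
SIDELOADED_DLLS = {"msvcp140.dll"}                  # from report: sideloaded DLL name
IOC_FILENAMES = {"smartmega.exe", "msdupdate.exe"}  # from report, Table 5
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def _norm(path):
    return path.strip().strip('"').lower()

def _exe_from_command(cmd):
    """Executable part of a Run-key command line: "quoted path" args, or path args."""
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def hunt_sideloading(image_loads):
    """Flag a known runtime DLL name loaded from outside the Windows system directories."""
    findings = []
    for ev in image_loads:
        loader, dll = _norm(ev["image"]), _norm(ev["image_loaded"])
        if ntpath.basename(dll) not in SIDELOADED_DLLS or dll.startswith(SYSTEM_DIRS):
            continue
        reasons = ["runtime_dll_outside_system_dir"]
        if ntpath.basename(loader) in SIDELOAD_HOSTS:
            reasons.append("known_abused_host_binary")
        if not ev.get("loaded_signed", True):
            reasons.append("unsigned_dll")
        if ntpath.dirname(loader) == ntpath.dirname(dll):
            reasons.append("dll_beside_loader")   # classic sideload layout
        findings.append({"loader": loader, "dll": dll, "reasons": reasons})
    return findings

def hunt_run_keys(run_values):
    """Flag Run-key entries by IoC file name, or unsigned binaries in user-writable paths.
    Signed products such as OneDrive legitimately autostart from AppData, so the
    path alone is not enough; signature status is required too.
    """
    findings = []
    for rv in run_values:
        exe = _norm(_exe_from_command(rv["data"]))
        reasons = []
        if ntpath.basename(exe) in IOC_FILENAMES:
            reasons.append("known_ioc_filename")
        if any(d in exe for d in USER_WRITABLE) and not rv.get("signed", False):
            reasons.append("unsigned_from_user_writable_path")
        if reasons:
            findings.append({"name": rv["name"], "exe": exe, "reasons": reasons})
    return findings

SAMPLE_IMAGE_LOADS = [  # constructed
    {"image": r"C:\Users\eng1\AppData\Roaming\NetSec\SharePoint.exe", "loaded_signed": False,
     "image_loaded": r"C:\Users\eng1\AppData\Roaming\NetSec\msvcp140.dll"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "loaded_signed": True,
     "image_loaded": r"C:\Windows\System32\msvcp140.dll"},
]
SAMPLE_RUN_VALUES = [  # constructed; key is HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {"name": "OneDrive", "signed": True,
     "data": r'"C:\Users\eng1\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"name": "Updater", "signed": False, "data": r"C:\Users\eng1\AppData\Roaming\MsdUpdate.exe"},
]
```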
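The C2 section (Azure-hosted C2 domains, HTTP on ports 808 and 880, a "low and slow" channel kept separate from bulk FTP exfiltration) and the "Network and Endpoint Monitoring" recommendation call for the same connection-log hunt, which the following added example implements; it is not code from the report. The record fields are an assumption modelled on a Zeek-style connection log, and the sample records are constructed; the domains and ports are the ones the report lists.

```python
"""Network hunt for APT33-style C2 and exfiltration: the report's C2 domains,
HTTP on ports 808/880, periodic beaconing and bulk FTP transfers.
Added example, not code from the report. Record fields (ts, src, dst_host,
dst_port, service, bytes_out) are an assumption modelled on a Zeek-style
connection log; the sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

C2_DOMAINS = {d.replace("[.]", ".") for d in (   # refang the report's defanged IoCs
    "subreviews.azurewebsites[.]net", "satellite2.azurewebsites[.]net",
    "nodetestservers.azurewebsites[.]net", "satellitegardens.azurewebsites[.]net",
    "softwareservicesupport.azurewebsites[.]net")}
C2_PORTS = {808, 880}                # non-standard HTTP ports from the report
FTP_BULK_BYTES = 50 * 1024 * 1024    # tune to the environment's normal FTP use
MIN_BEACONS, MAX_JITTER = 6, 0.2     # >= 6 connections whose gaps vary by < 20 %

def hunt_connections(conns):
    """Return one finding per (src, dst_host) pair with the reasons it was flagged."""
    pairs = defaultdict(list)
    for c in conns:
        pairs[(c["src"], c["dst_host"].lower())].append(c)
    findings = []
    for (src, host), cs in pairs.items():
        cs.sort(key=lambda c: c["ts"])
        reasons = []
        if host in C2_DOMAINS:
            reasons.append("known_c2_domain")
        if any(c["service"] == "http" and c["dst_port"] in C2_PORTS for c in cs):
            reasons.append("http_on_nonstandard_port")
        ftp_out = sum(c["bytes_out"] for c in cs if c["service"] == "ftp")
        if ftp_out > FTP_BULK_BYTES:
            reasons.append("bulk_ftp_upload")
        if len(cs) >= MIN_BEACONS:
            # Low-and-slow C2 checks in on a timer; the gap between connections stays
            # nearly constant, which legitimate browsing does not.
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(cs, cs[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < MAX_JITTER:
                reasons.append("periodic_beaconing")
        if reasons:
            findings.append({"src": src, "dst_host": host, "connections": len(cs),
                             "ftp_bytes_out": ftp_out, "reasons": reasons})
    return findings

def sample_connections():
    """Constructed log: a beacon to a listed C2 host on 808, a bulk FTP upload, normal web."""
    t0 = datetime(2025, 3, 2, 9, 0)
    beacon = [{"ts": t0 + timedelta(minutes=10 * i, seconds=20 * (i % 2)), "src": "10.0.5.21",
               "dst_host": "subreviews.azurewebsites.net", "dst_port": 808,
               "service": "http", "bytes_out": 600} for i in range(8)]
    ftp = [{"ts": t0 + timedelta(hours=2), "src": "10.0.5.21", "dst_host": "203.0.113.50",
            "dst_port": 21, "service": "ftp", "bytes_out": 700 * 1024 * 1024}]
    web = [{"ts": t0 + timedelta(minutes=7 * i), "src": "10.0.5.30", "dst_host": "www.example.com",
            "dst_port": 443, "service": "ssl", "bytes_out": 3000 + 900 * i} for i in range(3)]
    return beacon + ftp + web
```

Because the report notes that azurewebsites.net as a whole cannot be blocked, the domain match is exact-host only; the port and beaconing checks are what catch a fresh, unlisted subscription.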
