APT33 Hunt Report

Written by Mike MacPherson and Matthew Pennington 

A technical assessment of the APT33 threat group

The APT33 threat group has been active since at least 2013 and is assessed to be based in Iran. Its primary targets are organizations in Saudi Arabia and the United States across multiple sectors, although over the past several years it has also targeted South Korea, Belgium, Jordan, the United Kingdom, and other countries. The group's arsenal includes commodity and custom malware and, according to some vendors, the infamous Shamoon data-wiping malware. This report summarizes the group and provides heuristic detection methods and indicators.


Actor and Campaigns

APT33, also tracked as Elfin, NewsBeef, and Holmium, is assessed to be Iranian based and has been active since at least 2013. The group has been particularly active over the past three years, with attacks observed every few months. Its targets span government, research, chemical, engineering, manufacturing, consulting, finance, telecommunications, and several other sectors. The majority of the attacks focus on organizations located in Saudi Arabia, but many U.S.-based organizations have also been targeted, including a large number of Fortune 500 companies.

Starting in 2016 and continuing into 2017, APT33 targeted various aerospace and aviation-related organizations. During the same period, the group also attempted to compromise organizations in the petrochemical sector. The primary attack vector was spear phishing with a malicious file attachment; the emails usually posed as job vacancy announcements to entice the recipient to open them.

The likely motive behind the aerospace targeting is to enhance Iran's aviation capabilities; for the petrochemical targets, Iran may want to expand its own production and improve its competitiveness within the region. Another campaign during this period targeted Saudi Arabian government organizations through two attack vectors, spear phishing and watering hole attacks. The spear-phishing component used the traditional malicious macro-enabled Microsoft Office documents, while the watering hole component required more effort: the group researched and compromised servers hosting content relevant to the intended targets.

From the end of 2017 through the middle of 2018, APT33 targeted the engineering industry using a different technique. Combining stolen credentials with a publicly available tool (Ruler, described in the tooling section below), the actors compromised endpoints through the victim's own email client. An APT can obtain credentials in a variety of ways, including third-party breaches (where a user re-uses a personal password for a work account), credential harvesting scams, and weak password choices. The open-source tool abuses CVE-2017-11774, an Outlook security feature bypass, to make the client download and execute malware.

A more recent spate of attacks attributed to APT33 was detected in February 2019, with a Saudi Arabian chemical company among the targets. In the detected spear phishing attempt, the actor sent users a compressed archive which, when extracted, exploited a known WinRAR vulnerability (CVE-2018-20250) to write a file outside the chosen extraction directory, leading to code execution and, most likely, the download of additional malware from an external location. From mid-June until at least October 2019, a password spray campaign was observed against the cloud-hosted infrastructure of organizations in various industries, most heavily industrial control system vendors and service providers.

Two other spear phishing campaigns were observed in June 2019. The first targeted a variety of U.S. organizations, including several in the federal government, through many different infection mechanisms that all ultimately deployed an internally developed tool. The second targeted financial institutions in the Middle East and the U.S. and used malicious macros to deploy commodity malware that APT33 has used in the past. In August 2019, the group used spoofed U.S. defense contractor domains to distribute both public and internally developed malware via spear phishing; the infection vector appears to have been emails containing career opportunity lures. At the time of writing, no activity in 2020 has been attributed to APT33.

Another item of note is the attribution of the Shamoon wiper attacks to APT33, or to a group masquerading as APT33. This attribution comes from a single security vendor, based on analysis of the Shamoon versions alongside APT33 malware. The Booz Allen Adversary Pursuit cell has been unable to independently verify it, but detection logic for the Shamoon malware is included as well.


Infrastructure & Tactics, Techniques, and Procedures

Over the past few years, APT33 has continued to rely on spear phishing, both emails with malicious attachments (usually Microsoft Office documents) and links to such files hosted on adversary infrastructure. More recently the group has combined open source tools with stolen credentials to manipulate victims' email clients into deploying malware, and it has consistently integrated publicly available exploits into its operations where applicable.

APT33 has a rather large arsenal of malware for its operations, comprising custom malware, commodity malware, and publicly available hacking tools. The custom toolkit includes several backdoors, droppers, and a data wiper:

  • TURNEDUP is a backdoor that is capable of downloading and uploading files, gathering information about the victim system, and creating a reverse shell.
  • SHAPESHIFT (aka STONEDRILL) is another backdoor that can download additional files and also contains a data wiper that can clear the master boot record of a victim.
  • DROPSHOT is a dropper that can drop and launch tools such as TURNEDUP and SHAPESHIFT.
  • POWERTON is a PowerShell-based implant that has been used by APT33 more recently and uses encrypted C2, multiple persistence mechanisms, and can dump password hashes.

Commodity malware makes up a fair-sized portion of APT33's toolset; examples include PoshC2, Remcos, DarkComet, Quasar RAT, and Pupy RAT, with capabilities such as password stealing, command execution via C2, data exfiltration, and installation of additional modules. APT33 also uses publicly available tools such as Mimikatz, ProcDump, and Ruler. The first two are common; Ruler is less well known and is used to interact remotely with Exchange and to manipulate client-side Outlook features (rules, forms and home pages) so that the victim's Outlook client itself executes attacker-supplied code.

On the infrastructure side, APT33 has registered its own domains as well as used Dynamic DNS providers. In both cases, domain masquerading (names that resemble the target's or a trusted partner's domain) has been used to blend in and appear legitimate to potential victims. In certain circumstances the actor also uses compromised servers to host malicious files.
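The masquerading, Dynamic DNS and bare-IP patterns described here (and the corresponding network-side entries of Table 1, including the /update.php?c= backdoor URL and .hta links) can be hunted for in proxy logs with a short script. The Python below is an added example, not code from the report or from any APT33 tooling; the trusted-domain list, the Dynamic DNS suffix list and the proxy log lines are constructed for illustration, and the lookalike check is a deliberately simple substring test (a public-suffix-aware comparison is the better choice on real data).

```python
"""Network-side hunting checks for the infrastructure patterns discussed above.
Added example (not from the original report); the trusted-domain and
Dynamic DNS suffix lists and the proxy log lines are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Domains the organisation and its partners legitimately use (assumed).
TRUSTED_DOMAINS = ("example.com", "partner.example.net")
# Illustrative Dynamic DNS suffixes; use a vetted provider list in production.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".hopto.org")
# Backdoor URL pattern from Table 1: /update.php?c=<32 hex characters>
BACKDOOR_PATH = re.compile(r"^/update\.php\?c=[0-9a-fA-F]{32}$")


def under_trusted(host):
    """True when host is a trusted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(host):
    """Return the trusted domain a host imitates, if any: the trusted name
    (or its hyphenated form) appears inside a host that is NOT under it,
    e.g. example.com.sg, example-com.net, login.example.com.evil.org."""
    if under_trusted(host):
        return None
    for t in TRUSTED_DOMAINS:
        if t in host or t.replace(".", "-") in host:
            return t
    return None


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url):
    """Return the list of Table 1 network indicators a single URL trips."""
    parts = urlsplit(url.replace("hxxp", "http", 1))  # accept defanged URLs
    host = (parts.hostname or "").lower()
    target = parts.path + ("?" + parts.query if parts.query else "")
    findings = []
    if is_ip_literal(host):
        findings.append("ip-literal-host")
    imitated = lookalike_of(host)
    if imitated:
        findings.append("lookalike-of:" + imitated)
    if host.endswith(DYNDNS_SUFFIXES):
        findings.append("dynamic-dns")
    if BACKDOOR_PATH.match(target):
        findings.append("backdoor-url-pattern")
    if parts.path.lower().endswith(".hta"):
        findings.append("hta-link")
    return findings


def hunt(proxy_lines):
    """proxy_lines: 'timestamp client url' records; returns {url: findings}."""
    hits = {}
    for line in proxy_lines:
        url = line.split()[-1]
        findings = check_url(url)
        if findings:
            hits[url] = findings
    return hits


# Constructed sample proxy log, not real traffic.
SAMPLE_PROXY_LOG = [
    "2019-06-12T09:01:02Z 10.1.2.3 https://mail.example.com/owa/",
    "2019-06-12T09:01:09Z 10.1.2.3 http://example.com.sg/careers/apply.html",
    "2019-06-12T09:02:30Z 10.1.2.4 http://203.0.113.7/files/payload.hta",
    "2019-06-12T09:03:11Z 10.1.2.4 "
    "http://update-svc.ddns.net/update.php?c=0123456789abcdef0123456789ABCDEF",
    "2019-06-12T09:04:00Z 10.1.2.5 https://partner.example.net/portal",
]

if __name__ == "__main__":
    for url, findings in hunt(SAMPLE_PROXY_LOG).items():
        print(url, "->", ", ".join(findings))
```

Only three of the five sample URLs produce findings: the lookalike registered under .sg, the bare-IP host serving an .hta file, and the Dynamic DNS host carrying the backdoor URL pattern. Legitimate subdomains of the trusted names are deliberately not flagged, which is the main false-positive trap in substring-based lookalike checks.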

Table 1 lists detection heuristics and methodology for finding APT33 activity in an environment, intended for initial detection or hunting. Detection for APT33 is not limited to these analytics; the Adversary Pursuit cell recommends running further analytics mapped to the MITRE ATT&CK techniques used by APT33, listed in Table 2.

Table 1 - APT33 Detection Logic

Each entry pairs an APT33 group technique with a detection technique.

Technique: Python-based backdoor
Detection: Look for Python interpreters (python.exe, pythonw.exe) making external network connections, e.g. Sysmon Event ID 3 (network connection) where Image is a Python binary and the destination is outside the organization.

Technique: At.exe used to perform task scheduling
Detection: Monitor process execution by svchost.exe (the Schedule service host) on Windows 10 and by taskeng.exe on older versions of Windows. If scheduled tasks are not used for persistence, the adversary is likely to remove the task once the action completes, so also monitor the task store in %SystemRoot%\System32\Tasks for changes that do not correlate with known software, patch cycles, etc.
Enable logging for scheduled task creation and changes. The Microsoft-Windows-TaskScheduler/Operational log (enable task history if it is off) records:
  • Event ID 106 - Scheduled task registered
  • Event ID 140 - Scheduled task updated
  • Event ID 141 - Scheduled task deleted
The Security log records the following on Windows 7 / Server 2008 R2 and later (including Windows 10 and Server 2016) when the "Audit Other Object Access Events" subcategory is enabled:
  • Event ID 4698 - Scheduled task created
  • Event ID 4699 - Scheduled task deleted
  • Event ID 4700 - Scheduled task enabled
  • Event ID 4701 - Scheduled task disabled
  • Event ID 4702 - Scheduled task updated

Technique: Specific files created by APT33 backdoor
Detection: Look for the presence of SmartMega.exe, DysonPart.exe or MsdUpdate.exe in the Application Data folders (%LOCALAPPDATA% or %APPDATA%).

Technique: Dumps stored credentials from lsass.exe
Detection: With Sysmon, look for Event ID 10 (ProcessAccess) where TargetImage is lsass.exe and GrantedAccess is 0x1010 (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, enough to read LSASS memory). Sample Splunk query:
EventCode=10 | where GrantedAccess="0x1010" AND TargetImage LIKE "%lsass.exe"

Technique: Uses run keys for persistence
Detection: Analyze the Run/RunOnce keys and the Shell Folders keys (the "Startup" value under Shell Folders / User Shell Folders defines where the Startup folder lives, so it can be redirected to an attacker-controlled directory):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Technique: Mimikatz used to dump credentials from lsass.exe
Detection: First look for Sysmon Event ID 1 where ParentImage is cmd.exe and IntegrityLevel is High, followed by Event ID 10 where GrantedAccess is 0x1010, TargetImage is lsass.exe and SourceImage is not svchost.exe:
1. EventCode=1 | where match(ParentImage, "cmd\.exe") AND match(IntegrityLevel, "High")
2. EventCode=10 | where match(GrantedAccess, "0x1010") AND NOT match(SourceImage, "svchost\.exe") AND match(TargetImage, "lsass\.exe")

Technique: Malware uses IP addresses directly with no domains in URLs
Detection: Analyze network (proxy) traffic for HTTP requests whose host is a bare IP address rather than a hostname (hxxp://<IP address>/...).

Technique: Malware runs PowerShell with suspect arguments
Detection: Search process command lines for PowerShell launched with suspect arguments (-nop, -w hidden, -enc, -ExecutionPolicy bypass, etc.).

Technique: Malware executes PowerShell from non-standard locations
Detection: Search for powershell.exe running from unusual locations (e.g. directories under %LOCALAPPDATA%). Normal locations on 64-bit Windows:
32-bit (x86) PowerShell executable: %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
64-bit (x64) PowerShell executable: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
32-bit (x86) PowerShell ISE executable: %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
64-bit (x64) PowerShell ISE executable: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell_ise.exe
Normal locations on 32-bit Windows:
32-bit (x86) PowerShell executable: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
32-bit (x86) PowerShell ISE executable: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell_ise.exe

Technique: Suspect PowerShell cmdlets
Detection: Look for cmdlets that are rarely used for anything but malicious purposes. PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) records the script content even when the command line is obfuscated or encoded.

Technique: Malware uses Outlook to download additional files
Detection: Search for outlook.exe directly requesting externally hosted files (e.g. proxy logs or Sysmon Event ID 3 with outlook.exe as the source process).

Technique: Remcos installs to a specific location during install and deletes itself
Detection: Look for the file %AppData%\remcos\remcos.exe being created or deleted.

Technique: Windows task scheduler used to schedule malicious code to run
Detection: Same monitoring and event IDs as the At.exe entry above; tasks created with schtasks.exe or the Task Scheduler API land in the same task store and generate the same events.

Technique: Delivers obfuscated JavaScript from compromised websites
Detection: Analyze JavaScript delivered to the browser for obfuscation techniques and for code that loads content from a domain other than the one serving the page.

Technique: Office Macros launch command line/scripting processes
Detection: Look for unusual children of Microsoft Office processes (winword.exe, excel.exe, powerpnt.exe, msaccess.exe, outlook.exe, visio.exe, winproj.exe, etc.), such as, but not limited to, command-line and scripting interpreters (cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe). The Office parent processes normally run from the following paths:
Microsoft Office 2013:
C:\Program Files\Microsoft Office\Office15\
C:\Program Files (x86)\Microsoft Office\Office15\
C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\
C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\
Microsoft Office 2016:
C:\Program Files\Microsoft Office\Office16\
C:\Program Files (x86)\Microsoft Office\Office16\
C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\
C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\

Technique: Mimikatz unique strings
Detection: Look in PowerShell logs (script block logging) for strings unique to Mimikatz, such as its module and command names, which survive even when the loader script is obfuscated.

Technique: Adversary uses domain masquerading to blend in
Detection: Analyze network traffic for domain names that resemble the organization's own or a trusted partner's (e.g. example.com versus example.com.sg).

Technique: Process hollowing used to evade detection
Detection: Investigate use of the API calls that unmap process memory, ZwUnmapViewOfSection / NtUnmapViewOfSection, together with WriteProcessMemory (used to write into another process's memory); in hollowing these are typically followed by SetThreadContext and ResumeThread on a process that was created suspended.

Technique: Remcos creates a mutex to mark that it is installed on a system
Detection: Look for the mutex remcos_etrcewrortwiujm on a system.

Technique: WMI is used for persistence
Detection: Review all WMI subscription activity: Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter), or enumerate the __EventFilter, __EventConsumer and __FilterToConsumerBinding instances in the root\subscription namespace.

Technique: Dumps stored credentials from lsass.exe (Windows Security log)
Detection: Use Windows Security event logs to find a handle to lsass.exe being requested, Event ID 4656 (handle requested) or 4663 (object accessed), where Object_Name ends in lsass.exe and Access_Mask is 0x143A; these events require the "Audit Kernel Object" subcategory. Sample Splunk query:
(EventCode=4656 OR EventCode=4663) | where Object_Name LIKE "%lsass.exe" AND Access_Mask="0x143A"

Technique: Specific URL path used by APT33 backdoor
Detection: Look in network logs for requests matching the pattern /update.php?c=[0-9a-fA-F]{32}

Technique: Actors include malicious links in spear phishing emails
Detection: Examine incoming emails for links to .hta files.

Technique: Malware runs PowerShell with suspect parents
Detection: Search for PowerShell spawned by questionable parent processes, such as Office applications (see the macro entry above), mshta.exe or wscript.exe.

Technique: Password spray is used, trying a small set of passwords on a large number of users
Detection: Analyze failed logon attempts (Windows Event ID 4625, or the sign-in logs of the cloud identity provider) for sources that fail against a large number of different user names within a short window.

Technique: Look for common name of Mimikatz cmdlet
Detection: Look in PowerShell logs for "Invoke-Mimikatz", the common name of the PowerShell wrapper for Mimikatz.

Technique: Outlook client home pages are created for execution and persistence
Detection: Analyze the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Inbox for a "URL" value pointing at an attacker-controlled page, e.g.:
"URL"="http://badsite/homepage-persist.html"

Technique: PowerShell used to dump credentials from lsass.exe
Detection: Use Event ID 4656 where Object_Name ends in lsass.exe and Access_Mask is 0x143A or 0x1410. The 0x1410 mask is common enough in benign use that it should be combined with Process_Name ending in powershell.exe to reduce false positives. Sample Splunk query:
EventCode=4656 | where (Object_Name LIKE "%lsass.exe" AND Access_Mask="0x143A") OR (Process_Name LIKE "%shell.exe" AND Object_Name LIKE "%lsass.exe" AND Access_Mask="0x1410")

Technique: Uses hta scripts to execute malware
Detection: Analyze all executions of mshta.exe, including the command line (the .hta path or URL it was given).

Technique: DynamicDNS used for C2
Detection: Analyze traffic going to Dynamic DNS providers.

Technique: Adversary accesses Exchange remotely for collection
Detection: Search Exchange (OWA/EWS/MAPI) logons for source IP addresses or locations that are not normal for the account.

Technique: Quasar creates a mutex to mark that it is installed on a system
Detection: Look for a mutex named QSR_MUTEX_ followed by 18 mixed-case alphanumeric characters.
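As an added example (not code from the report), the Python below implements several of the host-side entries of Table 1 as rules over constructed Sysmon Event ID 1/10 and Windows Security Event ID 4625 records: LSASS handle access with a Mimikatz-style mask from anything other than svchost.exe, Office applications spawning command-line or script hosts, PowerShell with suspect arguments or an off-path binary, and password spraying (one source failing against many accounts). Field names follow the Sysmon and Security log schemas; the Windows install path (C:\Windows), the ten-user spray threshold and the sample events are assumptions.

```python
"""Host-side hunting rules from Table 1 over constructed Sysmon (Event ID 1, 10)
and Windows Security (Event ID 4625) records. Added example, not code from
the report; the Windows path, spray threshold and sample events are assumed."""
import re
from collections import defaultdict

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
               "outlook.exe", "visio.exe", "winproj.exe")
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Access masks Table 1 associates with Mimikatz-style reads of LSASS memory.
LSASS_MASKS = {"0x1010", "0x1410"}
# Normal PowerShell paths on 64-bit Windows, assuming %SystemRoot% = C:\Windows.
NORMAL_PS = (r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
             r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe")
# -nop / -enc / -ep bypass / -w hidden and their long forms.
SUSPECT_PS_ARGS = re.compile(
    r"(?i)\s-(?:nop\b|noprofile\b|e(?:nc|ncodedcommand|c)?\b"
    r"|(?:ep|executionpolicy)\s+bypass\b|(?:w|windowstyle)\s+hidden\b)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_lsass_access(ev):
    """Sysmon 10: handle to lsass.exe with a Mimikatz-style mask, not from svchost.exe."""
    if (ev.get("EventCode") == 10
            and basename(ev["TargetImage"]) == "lsass.exe"
            and ev["GrantedAccess"].lower() in LSASS_MASKS
            and basename(ev["SourceImage"]) != "svchost.exe"):
        return ["lsass-access:" + basename(ev["SourceImage"])]
    return []


def rule_office_child(ev):
    """Sysmon 1: Office application spawning a command-line or script host."""
    if ev.get("EventCode") != 1:
        return []
    parent, child = basename(ev.get("ParentImage", "")), basename(ev["Image"])
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return ["office-child:%s->%s" % (parent, child)]
    return []


def rule_powershell(ev):
    """Sysmon 1: PowerShell with suspect arguments or run from an unusual path."""
    if ev.get("EventCode") != 1 or basename(ev["Image"]) != "powershell.exe":
        return []
    findings = []
    if ev["Image"].lower() not in NORMAL_PS:
        findings.append("powershell-odd-path")
    if SUSPECT_PS_ARGS.search(ev.get("CommandLine", "")):
        findings.append("powershell-suspect-args")
    return findings


def password_spray(events, min_users=10):
    """Security 4625: sources whose failed logons span many distinct accounts."""
    users = defaultdict(set)
    for ev in events:
        if ev.get("EventCode") == 4625:
            users[ev["IpAddress"]].add(ev["TargetUserName"].lower())
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}


RULES = (rule_lsass_access, rule_office_child, rule_powershell)


def hunt(events, min_users=10):
    """Run every per-event rule, then the cross-event spray check."""
    hits = [f for ev in events for rule in RULES for f in rule(ev)]
    return hits, password_spray(events, min_users)


# Constructed sample events (field names follow Sysmon / Security log schemas).
SAMPLE_EVENTS = [
    {"EventCode": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventCode": 10, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventCode": 1, "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventCode": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\AppData\Local\Microsoft\powershell.exe",
     "CommandLine": "powershell.exe -File update.ps1"},
]
SAMPLE_EVENTS += [{"EventCode": 4625, "IpAddress": "198.51.100.9",
                   "TargetUserName": "user%02d" % i} for i in range(12)]
SAMPLE_EVENTS += [{"EventCode": 4625, "IpAddress": "10.1.2.3",
                   "TargetUserName": "alice"} for _ in range(3)]

if __name__ == "__main__":
    hits, spray = hunt(SAMPLE_EVENTS)
    print("\n".join(hits))
    print("password spray sources:", spray)
```

The svchost.exe access to LSASS is suppressed exactly as the Table 1 Splunk query does, the Word-spawned PowerShell trips two rules at once (Office child and suspect arguments) while its binary path is normal, and the spray check counts distinct accounts per source rather than raw failures, which is what separates a spray from one user mistyping a password.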

Table 2 - MITRE ATT&CK Mapping of APT33 Activity

Both legacy and current ATT&CK identifiers appear, since techniques were renumbered in 2020 (e.g. T1193 became T1566.001 and T1060 became T1547.001).

  • T1002: Data Compressed
  • T1003: OS Credential Dumping (formerly Credential Dumping)
  • T1003.001: OS Credential Dumping: LSASS Memory
  • T1012: Query Registry
  • T1016: System Network Configuration Discovery
  • T1022: Data Encrypted
  • T1027: Obfuscated Files or Information
  • T1032: Standard Cryptographic Protocol
  • T1033: System Owner/User Discovery
  • T1035: Service Execution
  • T1037: Logon Scripts
  • T1040: Network Sniffing
  • T1041: Exfiltration Over C2 Channel (formerly Exfiltration Over Command and Control Channel)
  • T1043: Commonly Used Port
  • T1046: Network Service Scanning
  • T1047: Windows Management Instrumentation
  • T1048: Exfiltration Over Alternative Protocol
  • T1049: System Network Connections Discovery
  • T1053: Scheduled Task
  • T1053.002: Scheduled Task/Job: At (Windows)
  • T1053.005: Scheduled Task/Job: Scheduled Task
  • T1055: Process Injection
  • T1055.012: Process Injection: Process Hollowing
  • T1056: Input Capture
  • T1057: Process Discovery
  • T1059: Command-Line Interface
  • T1059.006: Command and Scripting Interpreter: Python
  • T1060: Registry Run Keys / Startup Folder
  • T1063: Security Software Discovery
  • T1065: Uncommonly Used Port
  • T1068: Exploitation for Privilege Escalation
  • T1070: Indicator Removal on Host
  • T1071: Standard Application Layer Protocol
  • T1072: Third-party Software
  • T1074: Data Staged
  • T1074.001: Data Staged: Local Data Staging
  • T1075: Pass the Hash
  • T1076: Remote Desktop Protocol
  • T1077: Windows Admin Shares
  • T1078: Valid Accounts
  • T1079: Multilayer Encryption
  • T1081: Credentials in Files
  • T1082: System Information Discovery
  • T1083: File and Directory Discovery
  • T1084: Windows Management Instrumentation Event Subscription
  • T1087: Account Discovery
  • T1088: Bypass User Account Control
  • T1091: Replication Through Removable Media
  • T1097: Pass the Ticket
  • T1098: Account Manipulation
  • T1100: Web Shell
  • T1101: Security Support Provider
  • T1105: Remote File Copy
  • T1107: File Deletion
  • T1110: Brute Force
  • T1110.003: Brute Force: Password Spraying
  • T1112: Modify Registry
  • T1113: Screen Capture
  • T1114: Email Collection
  • T1114.002: Email Collection: Remote Email Collection
  • T1123: Audio Capture
  • T1125: Video Capture
  • T1132: Data Encoding
  • T1133: External Remote Services
  • T1134: Access Token Manipulation
  • T1135: Network Share Discovery
  • T1136: Create Account
  • T1137: Office Application Startup
  • T1140: Deobfuscate/Decode Files or Information
  • T1145: Private Keys
  • T1171: LLMNR/NBT-NS Poisoning and Relay
  • T1178: SID-History Injection
  • T1189: Drive-by Compromise
  • T1192: Spearphishing Link
  • T1193: Spearphishing Attachment
  • T1203: Exploitation for Client Execution
  • T1204: User Execution
  • T1210: Exploitation of Remote Services
  • T1217: Browser Bookmark Discovery
  • T1218.005: Signed Binary Proxy Execution: Mshta
  • T1480: Execution Guardrails
  • T1485: Data Destruction
  • T1487: Disk Structure Wipe
  • T1488: Disk Content Wipe
  • T1497: Virtualization/Sandbox Evasion
  • T1501: Systemd Service
  • T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1566.001: Spearphishing Attachment
  • T1566.002: Spearphishing Link
  • T1568: Dynamic Resolution
  • T1571: Non-Standard Port

The tables below provide additional context on APT33: the MITRE ATT&CK log sources, the geographical regions and industry sectors targeted, the CVEs used, and the applicable MITRE D3FEND countermeasures.

Table 3 - MITRE ATT&CK Log Sources

  • AWS CloudTrail logs
  • Access tokens
  • API Monitoring
  • Application logs
  • Authentication logs
  • Azure activity logs
  • Binary file metadata
  • Data loss prevention
  • Detonation chamber
  • DLL monitoring
  • DNS records
  • Email gateway
  • File monitoring
  • Host network interface
  • Kernel drivers
  • Loaded DLLs
  • Mail server
  • Named Pipes
  • Netflow/Enclave netflow
  • Network device logs
  • Network intrusion detection system
  • Network protocol analysis
  • Office 365 audit logs
  • Office 365 trace logs
  • Packet capture
  • PowerShell Logs
  • Process command-line parameters
  • Process monitoring
  • Process use of network
  • SSL/TLS inspection
  • Stackdriver logs
  • System calls
  • User interface
  • Web logs
  • Web proxy
  • Windows Error Reporting
  • Windows event logs
  • Windows Registry

Tables 4 & 5 - Countries/Regions and Sectors Targeted by APT33

Table 4: Targeted Countries/Regions
  • Czech Republic
  • Saudi Arabia
  • South Korea
  • United Kingdom
  • United States

Table 5: Targeted Sectors
  • Information Technology
  • Research institutions

Table 6 - CVEs used by APT33

CVE-2017-11774: Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka "Microsoft Outlook Security Feature Bypass Vulnerability."

CVE-2018-20250: In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when an attacker runs a specially crafted application, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0214.

Table 7 - MITRE D3FEND

  • D3-FCR: File Content Rules
  • D3-EDL: Executable Denylisting
  • D3-DA: Dynamic Analysis
  • D3-FH: File Hashing
  • D3-EFA: Emulated File Analysis
  • D3-DF: Decoy File
  • D3-PLA: Process Lineage Analysis
  • D3-HBPI: Hardware-based Process Isolation
  • D3-PSA: Process Spawn Analysis
  • D3-SJA: Scheduled Job Analysis
  • D3-PSMD: Process Self-Modification Detection
  • D3-SCA: System Call Analysis
  • D3-PT: Process Termination
  • D3-MAC: Mandatory Access Control
  • D3-ANCI: Authentication Cache Invalidation
  • D3-SU: Software Update
  • D3-DUC: Decoy User Credential
  • D3-SBV: Service Binary Verification
  • D3-RPA: Relay Pattern Analysis
  • D3-NTCD: Network Traffic Community Deviation
  • D3-OTF: Outbound Traffic Filtering
  • D3-PHDURA: Per Host Download-Upload Ratio Analysis
  • D3-PMAD: Protocol Metadata Anomaly Detection
  • D3-ITF: Inbound Traffic Filtering
  • D3-CSPP: Client-server Payload Profiling
  • D3-UGLPA: User Geolocation Logon Pattern Analysis
  • D3-RTSD: Remote Terminal Session Detection
  • D3-UA: URL Analysis
  • D3-SAOR: Segment Address Offset Randomization
  • D3-HD: Homoglyph Detection
  • D3-PSEP: Process Segment Execution Prevention
  • D3-ISVA: Inbound Session Volume Analysis
  • D3-SRA: Sender Reputation Analysis
  • D3-SMRA: Sender MTA Reputation Analysis
  • D3-PCSV: Process Code Segment Verification
  • D3-MBT: Memory Boundary Tracking
  • D3-ANAA: Administrative Network Activity Analysis
  • D3-CAA: Connection Attempt Analysis
  • D3-ANET: Authentication Event Thresholding
  • D3-RAPA: Resource Access Pattern Analysis
  • D3-SDA: Session Duration Analysis
  • D3-HDL: Homoglyph Denylisting
  • D3-DNSAL: DNS Allowlisting
  • D3-FRDDL: Forward Resolution Domain Denylisting
  • D3-RRID: Reverse Resolution IP Denylisting
  • D3-DNSDL: DNS Denylisting
  • D3-RRDD: Reverse Resolution Domain Denylisting
  • D3-HDDL: Hierarchical Domain Denylisting
  • D3-DNSTA: DNS Traffic Analysis
  • D3-FRIDL: Forward Resolution IP Denylisting
  • D3-DNR: Decoy Network Resource

This blog series is brought to you by Booz Allen DarkLabs. Our DarkLabs is an elite team of security researchers, penetration testers, reverse engineers, network analysts, and data scientists, dedicated to stopping cyber attacks before they occur.

This article is for informational purposes only; its content may be based on employees’ independent research and does not represent the position or opinion of Booz Allen. Furthermore, Booz Allen disclaims all warranties in the article's content, does not recommend/endorse any third-party products referenced therein, and any reliance and use of the article is at the reader’s sole discretion and risk.
