For over a decade, APT33 has operated in the background of Iran's cyber warfare apparatus — methodically, quietly, and with a discipline that most threat actors never develop. Now, with cloud-native attack infrastructure, a new generation of custom backdoors, and a documented pivot toward operational technology environments, the group once known for job-lure phishing emails has become something far more serious.
APT33 — also tracked as Peach Sandstorm (Microsoft), Elfin (Symantec), Refined Kitten (CrowdStrike), Magnallium (Dragos), Cobalt Trinity, and HOLMIUM — first surfaced in public reporting in September 2017, when Mandiant (then FireEye) published its foundational analysis of the group's targeting of aerospace, energy, and petrochemical organizations. That report described a threat actor that had been operating since at least 2013, using spear-phishing emails (T1566.001) disguised as aviation job listings to deliver a custom backdoor called TURNEDUP. The group left behind Farsi-language artifacts in its code, operated during Iran Standard Time business hours, and went quiet on Thursdays — consistent with Iran's Saturday-to-Wednesday government workweek. The attribution was confident then. It has only become more so since.
Who Is APT33 — and Who Controls It
APT33 is assessed with high confidence to operate on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). Microsoft, which tracks the group as Peach Sandstorm, has stated that the group's "operations are designed to facilitate intelligence collection in support of Iranian state interests." The IRGC connection is reinforced by a specific technical artifact: the developer handle xman_1365_x, which appears in the PDB (Program Database) path of APT33's custom TURNEDUP backdoor. Open-source research has linked this handle to the Nasr Institute — widely described as Iran's cyber army and considered an operational extension of the IRGC. Mandiant's original 2017 reporting noted that the Nasr Institute has also been connected to the 2011–2013 distributed denial-of-service campaign known as Operation Ababil, which targeted U.S. financial institutions. In March 2016, the U.S. Department of Justice unsealed indictments naming Iranian nationals allegedly hired by the government to build attack infrastructure in support of that campaign — providing further evidence that the Nasr Institute serves as a conduit between Iranian government direction and technical cyber operations.
The group's target selection reflects this state mandate with precision. APT33 has systematically hit aerospace and defense companies in the United States, petrochemical conglomerates in Saudi Arabia, oil refineries in South Korea, satellite operators in the UAE, and defense contractors across Western Europe. Every sector, every geography maps to a specific Iranian strategic interest — closing the technology gap created by international sanctions, monitoring regional adversaries, and pre-positioning for potential disruption of energy infrastructure that competes with Iran's own exports.
Microsoft Threat Intelligence (August 2024) confirmed that APT33's documented targeting spans government, defense, satellite, and oil and gas organizations in the United States and the United Arab Emirates.
How APT33 Differs From Iran's Other APT Groups
Iran fields several distinct APT clusters, and conflating them produces a distorted threat picture. APT33 is frequently mentioned alongside APT34 (OilRig/Hazel Sandstorm), APT35 (Charming Kitten/Mint Sandstorm), and MuddyWater (Mercury/Mango Sandstorm) — but the groups operate with meaningfully different mandates, tooling philosophies, and target sets.
APT34 is the closest peer, and the overlap is deliberate: intelligence analysts have documented infrastructure and tooling sharing between APT33 and APT34, which itself is assessed to operate on behalf of Iran's Ministry of Intelligence and Security (MOIS) rather than the IRGC. Where APT33 prioritizes aerospace, energy, and petrochemical targets with an eye toward both intelligence collection and potential sabotage, APT34 concentrates more heavily on financial sector and government entities in the Middle East, using DNS tunneling (T1071.004) and web shells (T1505.003) as signature techniques. The two groups are assessed to receive coordinated tasking at the strategic level despite operating separate infrastructure.
APT35 — tracked by Microsoft as Mint Sandstorm — occupies a different lane entirely. Where APT33 is operationally disciplined and avoids public attribution, APT35 has become associated with influence operations and the targeting of journalists, academics, and political dissidents. Its social engineering is more elaborate: the group has impersonated conference organizers, think tank researchers, and academic institutions to build trust before delivering credential-harvesting payloads. APT35 pursues human intelligence targets; APT33 pursues strategic infrastructure targets. The distinction matters for defenders because the initial access methodology — elaborate persona-building versus high-volume password spraying — requires different detection strategies.
MuddyWater, assessed to be directed by Iran's MOIS, is the most geographically promiscuous of the Iranian clusters, running campaigns across Central Asia, South Asia, the Middle East, and Europe simultaneously. Its tooling is predominantly commodity and open-source — a deliberate choice that reduces attribution confidence — and its operations trend toward shorter dwell times and faster exfiltration compared to APT33's characteristically patient, long-term presence. Where APT33 invests in bespoke implants specifically to avoid signature detection over months-long operations, MuddyWater trades that durability for operational speed and geographic breadth.
What separates APT33 most sharply from all of them is the combination of two things that rarely coexist in the same threat actor: genuine long-term patience and a credible destructive payload. The DROPSHOT/SHAPESHIFT combination gives APT33 a capability that neither APT35 nor MuddyWater has demonstrated at scale. APT34 is the only peer group assessed to operate at comparable strategic depth, and even there, the OT-targeting dimension of APT33's recent campaigns represents a level of consequence that places it in a separate risk tier for energy and defense sector organizations.
The Tactical Shift: From Spear-Phishing to Cloud Infrastructure Abuse
The APT33 of 2026 bears little tactical resemblance to the group documented in 2017. The evolution is not subtle. What began as spear-phishing campaigns using malicious HTML Application (.hta) files embedded in aerospace job listings has transformed into a cloud-native attack model that is significantly harder to detect, attribute, and block. During the intermediate period (2017–2022), the group also exploited documented CVEs: CVE-2017-11774 (Microsoft Outlook Security Feature Bypass, used in Outlook Home Page-style execution chains), CVE-2018-20250 (WinRAR ACE path traversal, used in spear-phishing archive delivery), and CVE-2017-0213 (Windows COM elevation of privilege). Both CVE-2017-11774 and CVE-2018-20250 appear in CISA's Known Exploited Vulnerabilities catalogue.
Starting in February 2023, APT33 launched wide-scale password spray campaigns (T1110.003) — Microsoft's reporting described them as targeting thousands of organizations worldwide. These are not targeted, low-volume attacks — they are wide-net, high-frequency operations designed to find any valid credential in a target sector. By April and May 2024, Microsoft observed the group specifically targeting organizations in the defense, space, education, and government sectors in the United States and Australia. A distinctive technical fingerprint emerged: the attacks consistently used the go-http-client user agent string and were routed through TOR exit nodes (T1090.003) to obscure their origin. It is worth noting that OAuth device code phishing represents a parallel credential-theft technique that similarly sidesteps MFA — a reminder that password spraying is one of several identity-based attack vectors Iranian APTs have operationalized against Microsoft 365 environments. Microsoft also documented APT33 conducting LinkedIn-based social engineering during the same 2024 campaign period — impersonating students, developers, and talent acquisition managers to identify targets and initiate credential harvesting chains against defense, satellite, and higher education organizations.
Timeline summary: 2017: xman_1365_x PDB artifact; DROPSHOT loader and SHAPESHIFT/STONEDRILL wiper capability first formally attributed; targets confirmed across the U.S., Saudi Arabia, and South Korea. 2023–2024: go-http-client user agent string becomes APT33's consistent fingerprint; TOR routing is adopted to obscure campaign origin.

One of the most operationally significant elements of APT33's recent campaigns is how the group acquires its command-and-control (C2) infrastructure. Rather than registering domains or renting servers, the group began abusing Microsoft Azure. Microsoft's reporting made a precise and operationally important distinction: password spray activity targeted organizations across all sectors, but compromised accounts from the education sector — specifically university accounts with Azure for Students entitlements — were used exclusively for infrastructure procurement, not intelligence collection. This bifurcated targeting model means that a university breach that appears unrelated to an organization's own sector may in fact be a logistical precursor to an attack against that organization. Microsoft documented that between April and July 2024, APT33 provisioned fraudulent Azure subscriptions — in some cases using compromised accounts from universities that had Azure for Students entitlements — and used those subscriptions to host C2 nodes (T1102.002) for their custom Tickler backdoor. The effect is deliberate: malicious traffic blends into legitimate Azure traffic, making IP-based blocking useless and forcing defenders to detect behavioral anomalies rather than known-bad indicators.
APT33's password spray attacks are identifiable through the go-http-client user agent string in authentication logs. Outbound HTTP on non-standard ports 808 and 880, combined with base64-encoded payloads, is the group's characteristic C2 communication pattern. Both indicators should be prioritized in SIEM detection logic for organizations in aerospace, defense, energy, and government sectors.
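The two indicators above can be checked mechanically. The following is an added example written for this article, not code from Microsoft, Brandefense or any other vendor cited here: it runs detection logic over constructed sample telemetry (the log line format, the destination addresses, the 10-minute spray window and the four-account threshold are all assumptions chosen for illustration). The first function finds source IPs that used the go-http-client user agent against several distinct accounts in a short window; the second flags outbound HTTP to ports 808 and 880 and raises confidence when the body is well-formed base64.

```python
"""Added example: detection logic for two APT33 indicators named on this page,
run over constructed sample telemetry (not real logs):
  1. password-spray bursts from one IP using the go-http-client user agent;
  2. outbound HTTP on ports 808/880 whose body looks base64-encoded.
Log formats, thresholds and window sizes are assumptions for illustration."""
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: timestamp, account, source IP, result, user agent.
SIGNIN_LOG = """\
2024-05-02T03:14:01Z alice@corp.example 198.51.100.7 FAILURE go-http-client/1.1
2024-05-02T03:14:02Z bob@corp.example 198.51.100.7 FAILURE go-http-client/1.1
2024-05-02T03:14:03Z carol@corp.example 198.51.100.7 FAILURE go-http-client/1.1
2024-05-02T03:14:04Z dave@corp.example 198.51.100.7 FAILURE go-http-client/1.1
2024-05-02T03:14:05Z erin@corp.example 198.51.100.7 SUCCESS go-http-client/1.1
2024-05-02T08:00:00Z alice@corp.example 203.0.113.9 SUCCESS Mozilla/5.0 (Windows NT 10.0) Outlook
"""
SIGNIN_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE) (.+)$")


def detect_password_spray(log_text, window=timedelta(minutes=10), min_accounts=4):
    """Return [(ip, max_distinct_accounts_in_window, any_success)] for source IPs
    that used go-http-client against >= min_accounts distinct accounts in one window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = SIGNIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        account, ip, result, agent = m.group(2), m.group(3), m.group(4), m.group(5)
        if agent.lower().startswith("go-http-client"):
            by_ip[ip].append((ts, account, result))
    hits = []
    for ip, events in by_ip.items():
        events.sort()
        best = 0
        for i, (t0, _, _) in enumerate(events):
            in_window = {acct for t, acct, _ in events[i:] if t - t0 <= window}
            best = max(best, len(in_window))
        if best >= min_accounts:
            hits.append((ip, best, any(r == "SUCCESS" for _, _, r in events)))
    return hits


# Constructed egress records: source host, destination, destination port, HTTP body.
# The base64 body is generated here so the sample stays obviously synthetic.
EGRESS_LOG = [
    ("10.0.4.21", "20.50.1.2", 808, base64.b64encode(b"hostname=WS-0421;domain=corp").decode()),
    ("10.0.4.22", "93.184.216.34", 443, "GET /index.html"),
    ("10.0.4.23", "20.50.1.9", 880, "plain text that is not base64!"),
]
SUSPECT_PORTS = {808, 880}


def looks_base64(body, min_len=16):
    """True when body is well-formed standard base64 of a plausible length."""
    if len(body) < min_len or len(body) % 4 != 0:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def detect_c2_egress(records):
    """Return [(src, dst, port, confidence)]: 'high' when the body on a
    non-standard port is base64, 'medium' for any traffic to 808/880 at all."""
    alerts = []
    for src, dst, port, body in records:
        if port in SUSPECT_PORTS:
            alerts.append((src, dst, port, "high" if looks_base64(body) else "medium"))
    return alerts


if __name__ == "__main__":
    print(detect_password_spray(SIGNIN_LOG))
    print(detect_c2_egress(EGRESS_LOG))
```

The spray detector keys on distinct accounts per source rather than failures per account, which is what separates a spray from a brute force against one user; the `any_success` flag is what turns the alert into an incident. In a SIEM the same logic maps onto a count-distinct over a time window on the sign-in table.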
Microsoft confirmed it disrupted the fraudulent Azure infrastructure and notified affected organizations. However, disruption of infrastructure does not disrupt the capability. The tradecraft — using legitimate cloud platforms as operational cover — has since been observed in other Iranian groups including Smoke Sandstorm, suggesting the technique has become a shared doctrine within Iran's cyber ecosystem rather than a one-time experiment.
Tickler, FalseFont, and the Custom Malware Doctrine
APT33's investment in custom-built tooling is one of the clearest indicators of a well-resourced, state-directed operation. The group does not rely solely on off-the-shelf remote access trojans — though it does use commercial tools like Remcos, DarkComet, and AnyDesk in lower-priority operations. For high-value targets, APT33 deploys bespoke malware developed in-house.
Tickler, first identified in July 2024, is the group's current flagship implant — a custom C/C++ backdoor. Microsoft Threat Intelligence identified two distinct samples. The first collects network system information from the compromised host and sends it to the C2 server via HTTP POST — a reconnaissance function designed to orient the attacker on the target network. The second sample is more capable: it functions as a Trojan dropper, downloading additional payloads from the C2 server (T1105) including a backdoor, a batch script that establishes persistence through the Windows Run registry key (T1547.001), registered as SharePoint.exe (T1036.005) to blend into expected process names, and legitimate files used for DLL sideloading (T1574.002). Tickler is distributed inside ZIP archives with double-extension filenames (T1036.007) such as YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe — a technique that exploits Windows' default behavior of hiding file extensions. Technically, the implant uses PEB (Process Environment Block) traversal to locate kernel32.dll and dynamically resolve API addresses, a method specifically designed to bypass endpoint detection and response (EDR) solutions that hook common API calls.
FalseFont preceded Tickler. In November 2023, Microsoft disclosed that APT33 had been targeting defense industrial base (DIB) contractors with this previously unseen backdoor, using it against U.S. defense contractors following password spray compromise. FalseFont and Tickler together represent a pattern: APT33 continuously develops new implants rather than relying on a single tool that security vendors eventually develop signatures for.
A third implant worth noting is POWERTON — a PowerShell-based backdoor observed in later-stage APT33 operations. Brandefense's 2025 analysis documents POWERTON appearing in post-compromise environments alongside TURNEDUP, suggesting APT33 maintains a multi-backdoor strategy where different implants serve different phases of an operation. POWERTON's PowerShell foundation makes it particularly difficult to detect in environments that have not disabled or restricted PowerShell execution, and its presence on a host alongside AD Explorer artifacts is a strong indicator of an active late-stage APT33 intrusion.
The group's older malware remains relevant to understand the full threat picture. DROPSHOT is a loader that has been linked to the SHAPESHIFT wiper (also tracked as STONEDRILL by Kaspersky; T1561.001) — a destructive disk-wiping payload that Kaspersky compared to Shamoon in 2017, noting that SHAPESHIFT uses more sophisticated anti-emulation techniques including in-memory injection (T1055), and contains Farsi-language artifacts rather than the Arabic-Yemeni resources found in Shamoon. FireEye's original reporting was careful to note that while APT33 is the only group observed using the DROPSHOT dropper, direct observation of SHAPESHIFT being deployed destructively by APT33 had not been confirmed at that time. That distinction matters less in 2026 than it did then — the pre-positioning of a wiper-delivery mechanism in espionage-focused campaigns is itself a threat indicator that defenders must take seriously.
Malware summary: TURNEDUP: delivered via .hta files embedded in aerospace and defense job listings; xman_1365_x developer handle in the PDB path. Tickler: double-extension filenames (.pdf.exe) exploiting Windows' default extension-hiding behavior; PEB traversal to locate kernel32.dll and resolve API addresses dynamically — bypasses EDR solutions that hook standard API calls; persistence registered as SharePoint.exe.

Brandefense Threat Intelligence (November 2025) assessed that finding APT33 tooling on a network should be treated not as a data breach, but as a potential precursor to sabotage.
The OT Threat: Espionage as a Setup for Sabotage
The aspect of APT33's evolution that carries the highest consequence for critical infrastructure operators is what Brandefense analysts described in November 2025 as the Cloud-to-OT attack scenario. A precision note matters here: Dragos, which tracks the group as MAGNALLIUM, has stated in its public reporting that the group remains focused on initial IT intrusions and that ICS-specific disruption tooling has not been confirmed in public reporting. The documented concern is therefore structural — APT33 achieves persistent IT-layer access to organizations that operate ICS environments, and the DROPSHOT/SHAPESHIFT capability means that access could be converted to destructive use. Confirmed OT disruption by APT33 has not been publicly documented as of this writing. The trajectory is nonetheless documented: APT33 compromises a cloud-connected Microsoft 365 account via password spraying, uses that identity to access the corporate IT network, then moves laterally toward OT-adjacent systems. Post-compromise activity documented by Microsoft includes lateral movement via SMB (T1021.002), deployment of AnyDesk (T1219) for persistent remote access, and the use of Sysinternals AD Explorer (T1087.002) to take Active Directory snapshots — the last of which is used by attackers to map the network environment in detail, identify privileged accounts, and plan subsequent movement.
In mid-2025, multiple joint advisories and commercial threat bulletins reported a sharp increase in activity from APT33-aligned groups specifically against OT and critical infrastructure operators. Nozomi Networks, which collects telemetry from operational technology environments, documented APT33 as responsible for attacks against at least three U.S. companies between May and July 2025 — the period immediately following escalating tensions in the Middle East conflict. The group used tools including AzureHound and Roadtools (T1069.003) to map Azure Active Directory environments and identify privilege escalation paths, demonstrating cloud-specific post-compromise capability that goes well beyond what older network-perimeter defenses are designed to detect.
The strategic logic behind this behavior is what Brandefense analysts have termed operational duality — the doctrine that espionage and sabotage are not separate mission types but sequential phases. DROPSHOT, capable of delivering either the TURNEDUP espionage backdoor or the SHAPESHIFT wiper, is the clearest technical expression of this doctrine. Access gained in an espionage campaign is access that can be converted to destructive action if geopolitical conditions change. Iran-linked actors have demonstrated exactly this escalation pattern in the physical world: the Handala wiper attack on Stryker is a documented example of Iranian threat actors weaponizing legitimate management tooling for destructive ends. The implication for energy sector and defense sector defenders is not that an APT33 intrusion will immediately produce a wiper attack — it is that the access required for a wiper attack looks identical to the access maintained during a long-running espionage campaign.
What Happens After Initial Access — Dwell Time, Exfiltration, and Exit
The article's focus on initial access and lateral movement reflects where public reporting is densest — but a serious threat assessment cannot stop at the point of compromise. The question defenders rarely see answered is what APT33 actually does once it has established persistent access, how long it stays, and how it leaves.
Dwell time data for APT33 intrusions is limited by the same factor that makes the group dangerous: it is exceptionally good at avoiding detection. In cases where post-incident analysis has been possible, dwell times measured in months — not days — are the consistent finding. The group's use of AnyDesk for persistent remote access, registered under plausible process names, and its preference for LOLBin execution (T1218) over dropping novel executables, mean that many APT33 intrusions are identified only retrospectively, often during a broader incident response engagement triggered by a different alert. The average dwell time across sophisticated nation-state intrusions is well over two months industry-wide; APT33 operates at the longer end of that distribution.
Exfiltration methodology reflects the same operational discipline as the rest of the group's tradecraft. APT33 does not bulk-exfiltrate indiscriminately. Post-compromise AD Explorer snapshots and AzureHound output suggest the group first builds a comprehensive map of the target environment — accounts, privilege levels, network topology, connected systems — before deciding what data is worth extracting and through which channel. Exfiltration in documented cases uses outbound HTTP on non-standard ports (808 and 880; T1571) with base64-encoded payloads (T1027.001), routed through infrastructure that blends with legitimate cloud traffic. This approach makes volume-based exfiltration detection unreliable; defenders cannot rely on data-loss prevention tools tuned to large transfer events.
Exit and cleanup behavior varies by operation type. In pure espionage campaigns, APT33 typically maintains access indefinitely rather than executing a clean exit — the objective is continued presence, not a one-time data theft. When infrastructure is disrupted, as occurred with the Azure C2 network in mid-2024, the group reconstitutes using a different cloud provider or a different class of compromised accounts rather than going dark. In operations where destructive payloads are deployed, the exit is the payload: SHAPESHIFT's disk-wiping function removes the evidence of how the group got in at the same time it executes the destructive objective. That self-erasing quality is a deliberate feature, not a side effect — it simultaneously achieves the sabotage mission and degrades the forensic trail available to responders.
Because APT33 favors LOLBin execution, AnyDesk for persistence, and cloud-hosted C2 that mimics legitimate traffic, traditional IOC-based detection often produces no signal. The most reliable forensic indicator of a historical APT33 presence is AD Explorer output files — .dat snapshots of the Active Directory environment — found in unexpected locations on a compromised host. Their presence indicates the attacker completed environment mapping, which is a late-stage pre-exfiltration or pre-lateral-movement activity.
What 2025 and 2026 Activity Reveals
APT33's activity in 2025 reflects both the group's maturation and the broader context of Iranian geopolitical aggression following the June 2025 conflict between Israel and Iran. An ISAC advisory published in March 2026 noted that Iranian APT groups — including APT33, MuddyWater, OilRig, and the newer UNC1549 — showed telemetry-confirmed spikes in attacks against U.S. transportation and manufacturing organizations in the months surrounding the conflict's peak escalation. The June 2025 conflict (Operation Rising Lion) — a 12-day exchange of airstrikes between Israel and Iran that ended in a ceasefire on June 24, 2025 — represented the first major escalation. The February 28, 2026 strikes (Operation Epic Fury), which killed Iranian Supreme Leader Ali Khamenei and several senior IRGC commanders, represented a categorically larger escalation and have generated the most intensive period of Iranian-linked cyber activity since the Russia-Ukraine war began. For a view of how a quieter Iranian espionage unit operates in parallel, see the profile of APT55, Iran's intelligence-gathering arm targeting U.S. energy and defense. The advisory also flagged an emerging alignment between Russian hacktivist groups and Iranian threat actors as a compounding factor, with Russian-aligned actors attacking Israeli critical infrastructure in parallel with Iranian cyber operations.
APT33's specific contributions to this surge included supply chain attacks and password spraying campaigns targeting aerospace, energy, and government sectors. Intel 471 reporting from mid-2025 documented Iranian APTs including APT33, APT34, and APT39 executing coordinated campaigns across North America, Europe, and the Middle East, combining credential harvesting with registry manipulation and encrypted data exfiltration. The group has also expanded its inter-group coordination, sharing tools and infrastructure with APT34 (OilRig) and MuddyWater — a pattern that intelligence analysts have characterized as evidence of a unified Iranian cyber command structure operating with increasingly integrated tasking.
A 2024 ALMA backdoor deployment — a PowerShell-based (T1059.001) implant targeting defense contractors and logistics firms in North America and the Gulf region — represents the group's continued investment in credential exfiltration tooling. In early 2025, Brandefense documented APT33 initiating reconnaissance campaigns against energy and oilfield service companies, using phishing and credential harvesting to map industrial control networks. These campaigns are consistent with the group's long-standing interest in Iranian energy competitiveness: mapping the infrastructure of Saudi, Emirati, and U.S. energy producers provides strategic intelligence about production capacity, pricing dynamics, and physical vulnerabilities that could be exploited in a future escalation.
Nozomi Networks data confirmed a 133% rise in Iranian APT attack volume during prior Middle East escalations. With the June 2025 conflict and ongoing regional instability, organizations in the aerospace, defense, satellite, oil and gas, and government sectors should treat APT33 as an active, elevated-priority threat regardless of whether they have previously been targeted.
Defensive Countermeasures — Specific and Testable
The general advice — "enforce MFA, segment your OT, review vendor posture" — is repeated across every APT33 report published since 2023 and has not stopped the group from continuing to operate successfully. What follows is a more specific evaluation of countermeasures tied directly to APT33's documented techniques, with enough operational detail to implement or test.
1. Entra ID Hardening Beyond Basic MFA
Phishing-resistant MFA (FIDO2 or certificate-based) on human accounts is necessary but not sufficient. APT33's spray campaigns are specifically designed to find the accounts that slip through — legacy authentication protocols, shared mailboxes, service accounts, break-glass accounts, and OAuth app registrations. Each of these is invisible to standard MFA enforcement policies unless explicitly scoped.
The specific controls that close APT33's documented entry points: block all legacy authentication protocols at the Conditional Access layer (Basic Auth, SMTP AUTH, IMAP, POP3) — APT33 has used these to bypass MFA entirely. Create a named location policy that treats TOR exit node IP ranges as high-risk and enforces step-up authentication or block. Enable Entra ID sign-in risk policies at the tenant level and set the risk threshold to medium-or-above for interactive sign-ins: APT33's spray pattern generates detectable anomaly scores before a successful compromise. For non-human identities — service principals and managed identities — enforce workload identity Conditional Access policies; most organizations leave these entirely uncovered because standard MFA policies do not apply to them. Finally, audit OAuth app registrations and API permissions monthly: APT33 has been documented abusing over-privileged app registrations to maintain access after password resets.
2. Azure Subscription Monitoring for Attacker-Provisioned Infrastructure
The specific detection gap APT33 exploits is that most organizations monitor traffic to Azure but not within their Azure tenants for anomalous subscription creation. The Microsoft Entra admin center's Billing > Subscriptions view shows all subscriptions tied to your tenant. Any subscription created outside normal procurement channels — particularly Azure for Students or Pay-As-You-Go subscriptions created from a non-corporate email — is worth immediate investigation.
Using the Microsoft Graph API, the query GET /subscriptions returns all subscriptions with creation timestamps and associated identities. A SIEM rule alerting on new Azure subscription creation events (Azure Activity Log: Microsoft.Subscription/subscriptions/write) with a creation identity outside your approved service principal list provides behavioral detection that IP-reputation blocking cannot. Additionally, alert on creation of new Azure resource groups from accounts that have never provisioned resources before — this is the exact pattern Microsoft observed in the April–July 2024 Tickler campaigns.
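As an added worked example (not Microsoft's or any vendor's code), the triage below applies both rules from this section to constructed Azure Activity Log records: a successful Microsoft.Subscription/subscriptions/write by an identity outside an approved provisioner list, and the first resource-group write by an identity with no provisioning history. The allowlist, the baseline of known provisioners, the caller identities and the subscription id are all assumed placeholders; only the two operation names come from the page and the Azure Resource Manager provider namespace.

```python
"""Added example: triage constructed Azure Activity Log events for the two
provisioning anomalies discussed above. The allowlist, baseline and event
fields are assumptions; the records are constructed, not exported from Azure."""
import json

SUBSCRIPTION_WRITE = "Microsoft.Subscription/subscriptions/write"
RESOURCE_GROUP_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"

# Assumed: identities approved to create subscriptions via normal procurement.
APPROVED_PROVISIONERS = {"sp-platform-automation@corp.example"}
# Assumed: identities that have provisioned resources at any point in the past.
BASELINE_PROVISIONERS = {"sp-platform-automation@corp.example", "opsadmin@corp.example"}

PLACEHOLDER_SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id

# Constructed Activity Log records (a subset of the real schema's fields).
ACTIVITY_LOG_JSON = json.dumps([
    {"time": "2024-04-10T09:00:00Z", "operationName": SUBSCRIPTION_WRITE,
     "caller": "sp-platform-automation@corp.example", "resultType": "Success"},
    {"time": "2024-05-21T02:13:45Z", "operationName": SUBSCRIPTION_WRITE,
     "caller": "student42@uni.example", "resultType": "Success"},
    {"time": "2024-05-21T02:20:10Z", "operationName": RESOURCE_GROUP_WRITE,
     "caller": "student42@uni.example", "resultType": "Success",
     "resourceId": f"/subscriptions/{PLACEHOLDER_SUB}/resourceGroups/rg-relay-01"},
    {"time": "2024-05-21T02:25:00Z", "operationName": RESOURCE_GROUP_WRITE,
     "caller": "student42@uni.example", "resultType": "Success",
     "resourceId": f"/subscriptions/{PLACEHOLDER_SUB}/resourceGroups/rg-relay-02"},
    {"time": "2024-05-22T10:00:00Z", "operationName": RESOURCE_GROUP_WRITE,
     "caller": "opsadmin@corp.example", "resultType": "Success",
     "resourceId": f"/subscriptions/{PLACEHOLDER_SUB}/resourceGroups/rg-app-prod"},
    {"time": "2024-05-22T10:05:00Z", "operationName": SUBSCRIPTION_WRITE,
     "caller": "student42@uni.example", "resultType": "Failed"},
])


def triage_activity_log(log_json, approved, baseline):
    """Return alerts as dicts with time, caller, reason. Rules:
    - any successful subscription write by a caller outside `approved`;
    - the first successful resource-group write by a caller with no history
      (not in `baseline` and not seen earlier in this stream)."""
    events = sorted(json.loads(log_json), key=lambda e: e["time"])
    seen_provisioning = set(baseline)
    alerts = []
    for ev in events:
        if ev.get("resultType") != "Success":
            continue  # failed attempts are worth logging but are not provisioning
        op, caller = ev["operationName"], ev["caller"]
        if op == SUBSCRIPTION_WRITE and caller not in approved:
            alerts.append({"time": ev["time"], "caller": caller,
                           "reason": "subscription-write-unapproved"})
        elif op == RESOURCE_GROUP_WRITE:
            if caller not in seen_provisioning:
                alerts.append({"time": ev["time"], "caller": caller,
                               "reason": "first-time-resource-group",
                               "resource": ev.get("resourceId", "")})
            seen_provisioning.add(caller)
    return alerts


if __name__ == "__main__":
    for alert in triage_activity_log(ACTIVITY_LOG_JSON, APPROVED_PROVISIONERS,
                                     BASELINE_PROVISIONERS):
        print(alert)
```

The second rule deliberately fires once per identity and then learns it, so the alert carries the first resource group an unknown identity created; in production the baseline would be seeded from historical Activity Log exports rather than a hard-coded set.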
3. Tickler and Persistence Artifact Hunting
APT33's Tickler backdoor leaves specific, huntable artifacts. The persistence batch script registers under the Windows Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name SharePoint pointing to a binary that is not actually SharePoint. A scheduled hunt querying for Run key entries where the executable path does not match known-good Microsoft binaries catches this. Similarly, hunt for dxgi.dll loaded by ApplicationFrameworkHost.exe — this is a specific CandleStone campaign indicator published by CyberShelter in March 2026 and is not a legitimate loading pattern.
For C2 detection: create egress firewall rules blocking outbound HTTP on ports 808 and 880 for all workstations and servers. These are not standard business ports and have no legitimate use in enterprise environments. If your organization cannot block them, alert on any connection to those ports — the presence of traffic is a high-confidence APT33 indicator. For Tickler's Azure C2 pattern, create a Cloud App Security or Defender for Cloud Apps policy alerting on HTTPS connections to azurewebsites.net subdomains that are not pre-approved business applications; Tickler-linked C2 used attacker-controlled Azure web app hostnames that follow no corporate naming convention.
4. AzureHound and Roadtools Detection via Entra Audit Logs
AzureHound and Roadtools both generate distinctive patterns in Microsoft Entra ID audit logs because they make high-volume, sequential Graph API calls to enumerate groups, roles, and directory objects — behavior that no human user replicates. Specifically: a single service principal or user account making more than 50 Graph API calls to /groups, /directoryRoles, or /servicePrincipals endpoints within a 60-second window is a strong indicator of automated enumeration. Entra ID audit logs expose this via the Microsoft Graph Activity Logs workbook in Sentinel. A KQL query filtering for OperationName == "List groupMembers" with ResultCount > 20 in a short window surfaces AzureHound-style enumeration reliably.
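The threshold stated above (more than 50 calls to the enumeration endpoints by one principal inside 60 seconds) is a sliding-window count, and the added example below implements it over a constructed Graph activity stream; it is illustrative code written for this article, not an AzureHound, Roadtools or Sentinel artifact. The principal names and the request paths are assumptions; the endpoint prefixes and the 50-per-60-second rule come from the text.

```python
"""Added example: sliding-window detection of AzureHound/Roadtools-style directory
enumeration over constructed Microsoft Graph activity events. Principal names and
request paths are assumptions; the threshold and endpoints are from the page."""
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_PREFIXES = ("/groups", "/directoryRoles", "/servicePrincipals")


def make_sample_events():
    """Constructed stream of (timestamp, principal, requestPath)."""
    base = datetime(2025, 6, 15, 14, 0, 0)
    events = []
    # One service principal fires 60 group-member enumerations in 30 seconds.
    for i in range(60):
        events.append((base + timedelta(seconds=i * 0.5),
                       "svc-ci@corp.example", f"/groups/{i}/members"))
    # An administrator browses roles in the portal: 10 calls over 10 minutes.
    for i in range(10):
        events.append((base + timedelta(minutes=i),
                       "admin@corp.example", "/directoryRoles"))
    # A non-enumeration endpoint that must not count toward the threshold.
    events.append((base, "svc-ci@corp.example", "/me"))
    return events


def detect_enumeration(events, threshold=50, window=timedelta(seconds=60)):
    """Return {principal: peak_calls_in_window} for principals whose calls to the
    enumeration endpoints exceed `threshold` within any `window`-long interval."""
    per_principal = defaultdict(list)
    for ts, principal, path in events:
        if path.startswith(ENUM_PREFIXES):
            per_principal[principal].append(ts)
    hits = {}
    for principal, times in per_principal.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the left edge until the window fits
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[principal] = peak
    return hits


if __name__ == "__main__":
    print(detect_enumeration(make_sample_events()))
```

The same logic expressed in KQL is a summarize count() by the calling identity over a 1-minute bin with a where clause on the request path prefix; the Python version is useful for replaying exported logs during an investigation.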
5. AD Explorer Artifact Hunting
AD Explorer creates .dat snapshot files of the Active Directory environment when run. These files are typically written to the directory from which AD Explorer is launched, or to a path specified by the operator. Hunt for .dat files in non-standard locations (desktop, temp directories, user profile folders) that are larger than 5MB — AD snapshots of even modest environments are several megabytes. The PowerShell command Get-ChildItem -Path C:\ -Filter *.dat -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.Length -gt 5MB} run as part of a periodic hunt will surface these files. Also alert on execution of ADExplorer.exe or ADExplorer64.exe from any host that is not a designated IT administration workstation — APT33 runs it on compromised user endpoints, not jump servers.
6. VHD and ISO Container Blocking
The CandleStone campaign's use of VHD containers to bypass Mark-of-the-Web protections is directly counterable via Group Policy. The setting Computer Configuration > Administrative Templates > Windows Components > File Explorer > Allow mounting of .VHD files can be set to Disabled, preventing standard users from mounting VHD files entirely. Similarly, Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies can block execution of LNK files from mounted drive letters that fall outside expected paths. This is a targeted control that addresses a specific documented APT33 delivery evolution and is not commonly deployed in enterprise environments — making it a meaningful differentiator against the current CandleStone campaign.
7. Golden SAML Detection
Detecting forged SAML tokens requires telemetry that most organizations do not enable by default. In Microsoft Entra ID, enable the Sign-in activity audit log and specifically alert on sign-ins where the authentication method is listed as federatedSingleSignOn for accounts that have not previously used federated authentication, or for sign-ins occurring outside normal business hours from a federated identity. In Microsoft Sentinel, the Suspicious SAML Token analytic rule (available in the Sentinel content hub) specifically flags SAML assertions with anomalous attributes. The underlying prerequisite is ensuring that ADFS or your IdP logs are ingested into your SIEM — many organizations collect Entra ID logs but not on-premises ADFS event logs, leaving the token-forgery layer blind.
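The two conditions in this step (a federated sign-in from an account with no prior federated history, and a federated sign-in outside business hours) reduce to a per-account baseline plus a time-of-day check. The added example below does that over constructed sign-in records; it is written for this article and is not the Sentinel analytic rule or any vendor's code. The business-hours window, the baseline cutoff date, the account names and the use of federatedSingleSignOn as the method label in the records are assumptions.

```python
"""Added example: flag the two federated sign-in anomalies described above over
constructed sign-in records. Business hours, the baseline cutoff and the
'federatedSingleSignOn' label as the authentication-method value are assumptions."""
from datetime import datetime, time as dtime

FEDERATED = "federatedSingleSignOn"
BUSINESS_START, BUSINESS_END = dtime(7, 0), dtime(19, 0)  # assumed local window

# Constructed records: (timestamp, account, authenticationMethod). Timestamps are
# treated as local time for simplicity; convert per tenant in real use.
SIGNINS = [
    ("2025-03-03T09:15:00", "alice@corp.example", FEDERATED),
    ("2025-03-04T10:00:00", "alice@corp.example", FEDERATED),
    ("2025-03-05T11:00:00", "bob@corp.example", "password"),
    ("2025-03-12T02:40:00", "alice@corp.example", FEDERATED),  # off-hours
    ("2025-03-12T14:05:00", "bob@corp.example", FEDERATED),    # never federated before
    ("2025-03-13T15:00:00", "alice@corp.example", FEDERATED),  # normal
]


def detect_federated_anomalies(signins, baseline_cutoff):
    """Build a per-account baseline of federated use before `baseline_cutoff`, then
    return [(timestamp, account, reason)] for later federated sign-ins that are
    either the account's first federated sign-in or fall outside business hours."""
    cutoff = datetime.fromisoformat(baseline_cutoff)
    federated_accounts = set()
    alerts = []
    for ts_text, account, method in sorted(signins):
        ts = datetime.fromisoformat(ts_text)
        if method != FEDERATED:
            continue
        if ts < cutoff:
            federated_accounts.add(account)  # learning period only
            continue
        if account not in federated_accounts:
            alerts.append((ts_text, account, "new-federated-auth"))
            federated_accounts.add(account)
        if not (BUSINESS_START <= ts.time() <= BUSINESS_END):
            alerts.append((ts_text, account, "off-hours-federated"))
    return alerts


if __name__ == "__main__":
    for alert in detect_federated_anomalies(SIGNINS, "2025-03-10T00:00:00"):
        print(alert)
```

Both signals are only as good as the telemetry feeding them: without the ADFS or IdP logs mentioned above, a forged assertion that reuses an account's normal federated pattern during business hours produces no anomaly here, which is why the token-issuance side must be logged as well.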
8. OT-Specific Isolation — Beyond "Segment Your OT"
Network segmentation is necessary but inadequate against APT33's documented cloud-to-OT pivot, because APT33 compromises the IT identities that legitimately bridge into OT environments. The deeper countermeasures: unidirectional security gateways (data diodes) on the IT-OT boundary, deployed so that data flows only outward from OT to IT (historian replication, monitoring feeds) and nothing can physically flow from IT into OT. That removes the lateral movement path regardless of which IT identity is compromised, at the cost of any remote management of OT from the IT side, which then has to go through a separately controlled channel. Where a diode is not workable, enforce protocol-aware inspection at the boundary: legitimate OT-bound traffic from IT follows predictable patterns (historian queries, SCADA polling) and should be allow-listed by protocol and by source-destination pair, with everything else dropped and logged. Any SMB, RDP, or AnyDesk session crossing the IT-OT boundary should be treated as an incident, not an alert.
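The allow-list-by-pair rule, as an added Python example that is not from the article or from any product. It evaluates constructed flow records for a hypothetical site whose IT and OT ranges, permitted crossings and port numbers are all assumptions; what it adds to the text is the order of evaluation (incident ports are checked before the allow-list, so a historian host using RDP still escalates, and an OT-initiated connection into IT is flagged even on an otherwise benign port).

```python
"""Evaluate flows crossing the IT-OT boundary against a protocol/pair allow-list.

Added example, not the article's or any vendor's code. Traffic from IT into
OT is permitted only for known (src, dst, dst_port, proto) tuples such as
historian queries and SCADA polling; anything else crossing the boundary is
alerted on, and SMB, RDP or AnyDesk crossing it is escalated to an incident.
The zone ranges, allow-list entries, port numbers and flow records are
constructed assumptions for a hypothetical site.
"""
import ipaddress

IT_ZONE = ipaddress.ip_network("10.10.0.0/16")      # assumed corporate IT range
OT_ZONE = ipaddress.ip_network("172.16.0.0/16")     # assumed OT/ICS range

# Expected IT -> OT traffic, keyed by (src, dst, dst_port, proto); value is the business reason.
ALLOWED_CROSSINGS = {
    ("10.10.5.20", "172.16.1.10", 1433, "tcp"): "historian SQL replication",
    ("10.10.5.21", "172.16.1.15", 502, "tcp"): "SCADA Modbus polling",
}

# Ports whose presence on the boundary is an incident by policy, not an alert.
INCIDENT_PORTS = {
    445: "SMB",
    3389: "RDP",
    7070: "AnyDesk direct connection",  # AnyDesk also falls back to 80/443; that needs app-layer detection
}


def _zone(ip):
    addr = ipaddress.ip_address(ip)
    if addr in IT_ZONE:
        return "IT"
    if addr in OT_ZONE:
        return "OT"
    return "OTHER"


def classify_flow(flow):
    """flow: dict with src, dst, dst_port, proto. Returns (verdict, reason)."""
    src_zone, dst_zone = _zone(flow["src"]), _zone(flow["dst"])
    if src_zone == dst_zone:
        return ("allow", f"intra-{src_zone} flow, not boundary traffic")
    if {src_zone, dst_zone} != {"IT", "OT"}:
        return ("alert", f"unexpected zone pair {src_zone}->{dst_zone}")
    # Incident ports are judged before the allow-list: no business reason excuses RDP into OT.
    if flow["dst_port"] in INCIDENT_PORTS:
        return ("incident", f"{INCIDENT_PORTS[flow['dst_port']]} across IT-OT boundary")
    if src_zone == "OT":
        return ("alert", "OT-initiated connection into IT outside the unidirectional path")
    key = (flow["src"], flow["dst"], flow["dst_port"], flow["proto"])
    if key in ALLOWED_CROSSINGS:
        return ("allow", ALLOWED_CROSSINGS[key])
    return ("alert", "IT->OT flow not on the allow-list")


FLOWS = [  # constructed flow records
    {"src": "10.10.5.20", "dst": "172.16.1.10", "dst_port": 1433, "proto": "tcp"},  # historian, allowed
    {"src": "10.10.5.21", "dst": "172.16.1.15", "dst_port": 502, "proto": "tcp"},   # Modbus poll, allowed
    {"src": "10.10.7.44", "dst": "172.16.1.15", "dst_port": 502, "proto": "tcp"},   # Modbus from unknown IT host
    {"src": "10.10.7.44", "dst": "172.16.1.20", "dst_port": 3389, "proto": "tcp"},  # RDP into OT: incident
    {"src": "172.16.1.20", "dst": "10.10.7.44", "dst_port": 7070, "proto": "tcp"},  # AnyDesk from OT host
    {"src": "10.10.7.44", "dst": "10.10.7.45", "dst_port": 445, "proto": "tcp"},    # SMB inside IT: not boundary
]


def classify_all(flows=FLOWS):
    return [classify_flow(f) for f in flows]


if __name__ == "__main__":
    for f, (verdict, reason) in zip(FLOWS, classify_all()):
        print(f"{f['src']}->{f['dst']}:{f['dst_port']} {verdict}: {reason}")
```

The same table is what the boundary firewall should enforce; running it offline over NetFlow or Zeek conn logs is the way to find crossings the firewall policy is silently permitting before the diode or the rule set is tightened.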
For the pre-sabotage detection problem — identifying wiper staging before execution — hunt for DROPSHOT behavioral indicators: execution of signed binaries that load unsigned DLLs, large-scale file enumeration followed by small outbound transfers (exfil reconnaissance), and process creation chains where a legitimate system binary spawns an unexpected child process. These are harder to detect than IOC-based rules but survive APT33's practice of cycling implant signatures.
9. Geopolitical-Triggered Threat Hunting
Augur Security's infrastructure data shows that APT33 pre-positions, building out C2 infrastructure and running reconnaissance, before major geopolitical escalations rather than reacting to them. This is operationally actionable: organizations in APT33's target verticals should maintain a geopolitical threat hunting SOP that activates at defined escalation thresholds (IRGC-linked military conflict, U.S. sanctions actions against Iran, significant Iranian domestic instability). The SOP should include: a full review of Entra ID sign-in logs for the prior 90 days for go-http-client user agents and Tor-sourced authentication attempts (which presupposes the logs are exported to a SIEM or Log Analytics workspace, since Entra ID's native retention is 30 days at most); a hunt for AD Explorer artifacts across endpoints; a review of all Azure subscription creation events in the prior six months; and a check of LinkedIn for accounts impersonating your organization's recruiters or HR staff. This converts geopolitical intelligence into a scheduled defensive action rather than a passive threat awareness update.
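The 90-day sign-in review, as an added Python example (not Microsoft's or the article's code) over a constructed sign-in export. It goes beyond the go-http-client string to also score Tor-sourced attempts and the spray shape itself, since the user agent is trivially changed; thresholds, field names, the Tor exit list and all records are assumptions.

```python
"""Hunt Entra ID sign-in exports for APT33-style password spraying.

Added example, not Microsoft's or the article's code. It scores each source
IP on three signals: the go-http-client user agent that Go's default HTTP
client sends, a Tor exit node as source, and the spray shape itself (many
distinct accounts, one or two attempts each). Field names, thresholds, the
Tor exit list and every record are constructed assumptions; a real run reads
a 90-day export and the current published Tor exit list.
"""
from collections import defaultdict

SPRAY_MIN_ACCOUNTS = 10                  # assumed: distinct accounts from one IP before it is a spray
SPRAY_MAX_ATTEMPTS_PER_ACCOUNT = 2.0     # assumed: sprays are low-and-slow per account
SUSPICIOUS_UA_PREFIX = "go-http-client"  # case-insensitive prefix match on the user agent
TOR_EXITS = {"203.0.113.7"}              # constructed stand-in for the published exit list


def summarize_by_source(signins):
    """Aggregate per source IP: accounts tried, attempts, accounts that succeeded, user agents."""
    by_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "succeeded": set(), "agents": set()})
    for s in signins:
        b = by_ip[s["ip"]]
        upn = s["upn"].lower()
        b["accounts"].add(upn)
        b["attempts"] += 1
        b["agents"].add(s["user_agent"])
        if s["status"] == "success":
            b["succeeded"].add(upn)
    return by_ip


def hunt_password_spray(signins, tor_exits=TOR_EXITS):
    """Return one finding per suspicious source IP with its reasons and any accounts that authenticated."""
    findings = []
    for ip, b in summarize_by_source(signins).items():
        reasons = []
        if any(a.lower().startswith(SUSPICIOUS_UA_PREFIX) for a in b["agents"]):
            reasons.append("go-http-client user agent")
        if ip in tor_exits:
            reasons.append("Tor exit node")
        n = len(b["accounts"])
        # The spray shape survives a changed user agent: many accounts, few attempts each.
        if n >= SPRAY_MIN_ACCOUNTS and b["attempts"] / n <= SPRAY_MAX_ATTEMPTS_PER_ACCOUNT:
            reasons.append(f"spray shape: {n} accounts, {b['attempts']} attempts")
        if reasons:
            findings.append({"ip": ip, "reasons": reasons, "compromised": sorted(b["succeeded"])})
    return findings


def constructed_signins():
    """Constructed records: one spray source, one legitimate user, one fat-fingered login."""
    rows = [{"ip": "203.0.113.7", "upn": f"user{i:02d}@corp.example",
             "user_agent": "Go-http-client/1.1",
             "status": "success" if i == 11 else "failure"} for i in range(12)]
    rows.append({"ip": "198.51.100.20", "upn": "alice@corp.example",
                 "user_agent": "Mozilla/5.0 (Windows NT 10.0) Outlook/16.0", "status": "success"})
    rows += [{"ip": "192.0.2.5", "upn": "bob@corp.example",
              "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "status": "failure"} for _ in range(3)]
    return rows


if __name__ == "__main__":
    for f in hunt_password_spray(constructed_signins()):
        print(f["ip"], "|", "; ".join(f["reasons"]), "| authenticated:", f["compromised"] or "none")
```

Any account in the compromised list of a flagged source had its password guessed, whether or not MFA or Conditional Access stopped the session afterwards, and should be reset and reviewed for new MFA registrations and consent grants.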
10. Supply Chain — Specific Controls
Vendor security posture reviews are table stakes. The specific controls that address APT33's documented supplier-as-bridge pattern are: just-in-time (JIT) access for all vendor accounts with network access to corporate systems, with no standing permissions and no persistent VPN credentials for third parties; mutual TLS on all vendor API integrations, with certificates rotated on a 90-day cycle; and a code-signing certificate inventory with alerting on any signing operation that uses a certificate outside the inventory and on any new code-signing certificate issued in the organization's name by any CA, public or internal. APT33 has been documented seeking code-signing access through supply chain compromises precisely because signed binaries pass many endpoint controls. Finally, enforce network microsegmentation so that vendor-accessible segments have no lateral connectivity to OT-adjacent zones: a vendor's compromised credentials should not provide a path to ICS environments regardless of what access that vendor legitimately holds.
The common thread across all of these is specificity tied to APT33's documented behavior rather than generic security hygiene. The group has operated successfully for over a decade against organizations that maintain the hygiene. What it struggles against is detection specifically tuned to its tradecraft — the go-http-client string, the Run key registration pattern, the AD Explorer artifacts, the AzureHound enumeration signatures. None of these require new tooling. They require deliberate tuning of existing telemetry sources toward the indicators this group has already shown.
Why Mature Security Programs Still Get Compromised
The question that the defender-focused framing of most threat intelligence reports quietly avoids is the uncomfortable one: if the mitigations are known, the IOCs are published, and MITRE ATT&CK G0064 is populated, why does APT33 continue to succeed against organizations with dedicated security teams and substantial tooling investments?
The first answer is structural. Password spraying against Microsoft 365 is not a sophisticated technique — it is a volume game played against an attack surface that most large organizations cannot fully control. Every contractor, vendor, university partner, and cloud integration that touches a corporate M365 tenant is a potential entry point. A single account without phishing-resistant MFA in a 50,000-seat deployment is enough. APT33 does not need to be more sophisticated than the perimeter; it needs to be more patient than the monitoring team is attentive.
The second answer is architectural. APT33's migration to Azure-hosted C2 deliberately exploits a gap between what organizations monitor and what they trust. Most security operations centers are tuned to flag traffic to known-bad IP ranges, suspicious domains, and unusual geographic endpoints. Traffic to Azure, even to subscriptions the attacker provisioned, does not trigger those rules. The group's adoption of AzureHound and ROADtools for post-compromise enumeration compounds this: both are legitimate, open-source tools used by red teams and administrators alike. When the attacker's toolkit is indistinguishable from the defender's toolkit, signature-based detection fails by design.
The third answer is organizational. APT33 targets Tier 2 and Tier 3 suppliersT1195 not because those organizations are the objective, but because their security programs are typically less mature than the prime contractors they connect to. A mid-size aerospace component supplier with 200 employees and a shared IT team is unlikely to have a SIEM tuned for go-http-client user agent strings, behavioral Azure monitoring, or a threat hunting capability. APT33 uses that supplier as a bridge — not just to gain credentials that enable VPN or remote access to the prime contractor, but sometimes to gain code-signing certificates, build system access, or supply chain insertion points that are far more valuable than a single set of stolen credentials.
Attribution Confidence and Its Limits
The IRGC attribution for APT33 is assessed at high confidence by every major vendor who has published on the group. The convergent evidence is substantial: Farsi-language artifacts in custom malware, operational hours consistent with Iranian Standard Time, target selection that maps precisely to Iranian strategic interests, the xman_1365_x PDB handle linked to the Nasr Institute, and the Nasr Institute's documented relationship with the IRGC confirmed in part by the 2016 DOJ indictments. Attribution at this level of corroboration is rarely contested.
But high confidence is not certainty, and the limits of the attribution are worth stating plainly. APT33 has never been confirmed through a controlled technical operation or a defector disclosure — the attribution rests on forensic analysis of malware artifacts, behavioral patterns, and open-source research. A sophisticated adversary aware of those attribution signals could deliberately plant false indicators. Iranian threat actors have shown awareness of attribution methodology: the SHAPESHIFT wiper's use of Farsi artifacts, for instance, is exactly the kind of cultural marker that could be planted to implicate Iran by a third party seeking to create that impression. Analysts who have reviewed the totality of APT33's behavior — the consistency of targeting over more than a decade, the operational security discipline, and the alignment between campaign objectives and Iranian state interests — generally conclude the Iranian attribution is genuine rather than a false flag. But the epistemological point stands: forensic attribution has limits, and threat intelligence consumers should understand those limits before making policy decisions based on them.
The deterrence picture is similarly unresolved. The U.S. has indicted Iranian nationals connected to Iranian cyber operations — most notably the 2016 Operation Ababil indictments and subsequent actions — but those indictments have produced no extraditions, no prosecutions, and no observable change in Iranian APT behavior. Offensive cyber responses to Iranian operations exist in classified form; their effect on APT33's operational tempo is unknown from open sources. The honest assessment is that the international response to APT33's activity has not produced measurable deterrence. The group has operated continuously for over a decade through sanctions, indictments, infrastructure takedowns, and public attribution reports. Organizations in APT33's target verticals should plan their defenses on the assumption that geopolitical pressure will not stop the group from attempting to access their networks.
Two developments in early 2026 illustrate the current threat posture with precision. First, on March 4, 2026, CyberShelter Threat Intelligence published advisory TIA-UAE-2026-023 documenting an active APT33 campaign, tracked as CandleStone, targeting aerospace, defence contractors, and government entities in the UAE. The campaign used spear-phishing emails referencing the Abu Dhabi Space Debate as a lure, distributing malicious archives containing Virtual Hard Disk (VHD) containers designed to bypass Windows Mark-of-the-Web security protections. Once mounted, the VHD files deliver a backdoor conducting system reconnaissance and establishing encrypted communication over port 443 — blending with legitimate HTTPS traffic. The use of VHD containers as a delivery vehicle is a significant evolution from APT33's earlier .hta and ZIP-based delivery, and represents the group's continuing investment in initial access techniques that defeat perimeter-based file inspection.
Second, on February 28, 2026, the United States and Israel launched Operation Epic Fury — coordinated strikes on Iranian leadership, IRGC facilities, and nuclear-related infrastructure. Augur Security's infrastructure analysis documented a sustained spike in APT33-aligned infrastructure activity in the six months preceding the strikes, consistent with pre-positioning for anticipated retaliation scenarios. The operational pattern mirrors what Nozomi Networks observed in mid-2025: APT33 tends to increase infrastructure provisioning and targeting activity in the lead-up to geopolitical escalation rather than reacting to it. Organizations that experienced APT33 password spray attempts in late 2025 or early 2026 should treat those events not as random noise but as potential pre-positioning activity linked to a strategic anticipation of the current conflict environment.
Frequently Asked Questions
What is APT33?
APT33 is an Iranian state-sponsored cyber espionage group assessed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC). It is also tracked as Peach Sandstorm (Microsoft), Elfin (Symantec), Refined Kitten (CrowdStrike), and Magnallium (Dragos). The group has been active since at least 2013 and focuses on aerospace, energy, petrochemical, defense, satellite, and government sectors across the United States, Saudi Arabia, South Korea, the UAE, and Western Europe.
What is Tickler malware?
Tickler is a custom multi-stage backdoor deployed by APT33, first identified by Microsoft Threat Intelligence in July 2024. It is distributed inside ZIP archives using double-extension filenames to exploit Windows' default behavior of hiding file extensions. The implant uses PEB (Process Environment Block) traversal to resolve API addresses dynamically, which is designed to evade EDR solutions that hook standard API calls. A second Tickler sample functions as a dropper, downloading additional payloads and establishing persistence via the Windows Run registry key, registered as SharePoint.exe.
How does APT33 use Microsoft Azure for command and control?
Between April and July 2024, APT33 provisioned fraudulent Azure subscriptions — in some cases using compromised university accounts with Azure for Students entitlements — and used those subscriptions to host C2 nodes for the Tickler backdoor. Because malicious traffic blends with legitimate Azure traffic, IP-reputation-based blocking is ineffective. Detection requires behavioral monitoring: unusual Azure resource provisioning, new tenant creation from compromised accounts, and outbound patterns to Azure endpoints outside normal business activity.
What sectors does APT33 target?
APT33's documented targeting covers aerospace and defense contractors, petrochemical and oil and gas operators, satellite and telecommunications providers, defense industrial base (DIB) suppliers, and government agencies. Every sector maps to a specific Iranian strategic interest — closing technology gaps caused by sanctions, monitoring regional adversaries, and pre-positioning for potential disruption of energy infrastructure that competes with Iranian exports.
Is APT33 the same as Peach Sandstorm?
Yes. Peach Sandstorm is Microsoft's current tracking designation for the group historically known as APT33. Other vendors use different names for the same actor: Elfin (Symantec/Broadcom), Refined Kitten (CrowdStrike), Magnallium (Dragos), and HOLMIUM (an earlier Microsoft designation). The underlying attribution — an IRGC-linked group operating since at least 2013 — is consistent across all vendors.
What is the difference between APT33's espionage and sabotage capabilities?
APT33 maintains what analysts call operational duality — espionage and sabotage are not separate mission types but sequential phases. The DROPSHOT loader can deliver either the TURNEDUP espionage backdoor or the SHAPESHIFT disk-wiping payload depending on the operational objective. Access obtained during a long-running intelligence-collection campaign is structurally identical to pre-positioned access for a destructive attack. The implication for defenders is that confirming APT33 espionage activity on a network is not merely a data-loss incident — it is a potential pre-sabotage indicator.
How does APT33 differ from other Iranian APT groups like APT34 and MuddyWater?
APT33 is distinguished from its Iranian peer groups by two factors that rarely coexist: long-term patience and a credible destructive payload. APT34 (OilRig) is the closest peer and shares some infrastructure through coordinated tasking, but concentrates on financial and government targets in the Middle East using DNS tunneling and web shells. APT35 (Charming Kitten) focuses on human intelligence targets — journalists, academics, dissidents — through elaborate persona-building rather than mass credential spraying. MuddyWater operates at broader geographic scale using commodity tools and faster dwell times. APT33's OT-targeting dimension and the DROPSHOT/SHAPESHIFT wiper capability place it in a separate risk tier for energy, defense, and critical infrastructure organizations.
How long does APT33 typically remain undetected after initial access?
Dwell times for confirmed APT33 intrusions trend toward months rather than days. The group's use of LOLBin execution, AnyDesk for persistent remote access, and cloud-hosted C2 that mimics legitimate Azure traffic means that many intrusions are identified only retrospectively. APT33 does not bulk-exfiltrate indiscriminately — it maps the environment first using AD Explorer and AzureHound, then extracts selectively. In pure espionage campaigns the group typically maintains access indefinitely rather than executing a clean exit. The most reliable forensic indicator of a historical APT33 presence is unexpected AD Explorer .dat snapshot files on compromised hosts.
Has international response — sanctions or indictments — deterred APT33?
No. Despite U.S. indictments of Iranian nationals connected to Iranian cyber operations, APT33 has operated continuously for over a decade through sanctions, infrastructure takedowns, and multiple public attribution reports. None of those measures has produced a measurable change in the group's operational tempo. Organizations in APT33's target verticals should plan defenses on the assumption that geopolitical pressure will not interrupt the group's targeting of their networks.
MITRE ATT&CK Technique Mapping
| Technique ID | Technique | APT33 Usage |
|---|---|---|
| Initial Access | | |
| T1566.001 | Phishing: Spear-phishing Attachment | Malicious .hta files embedded in aerospace job-listing emails; primary initial access vector through approximately 2019. |
| T1110.003 | Brute Force: Password Spraying | Wide-scale campaigns targeting Microsoft 365 environments; go-http-client user agent string via Tor exit nodes. Primary initial access vector from 2023 onward. |
| T1195 | Supply Chain Compromise | Targeting Tier 2 and Tier 3 aerospace and defense suppliers as stepping-stone access to prime contractors. |
| Execution | | |
| T1059.001 | Command and Scripting Interpreter: PowerShell | ALMA backdoor; PowerShell-native execution for credential exfiltration against defense contractors and logistics firms. |
| T1204.002 | User Execution: Malicious File | Tickler delivered via ZIP archives using double-extension filenames (.pdf.exe) exploiting Windows file-extension hiding. |
| Persistence | | |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Tickler dropper establishes persistence via a Windows Run registry key registered as SharePoint.exe. |
| T1505.003 | Server Software Component: Web Shell | Signature technique of peer group APT34 (OilRig); associated with shared infrastructure operations. |
| Privilege Escalation & Defense Evasion | | |
| T1055 | Process Injection | DROPSHOT and SHAPESHIFT use in-memory injection to evade detection; avoids disk-resident payloads. |
| T1036.005 | Masquerading: Match Legitimate Name or Location | Tickler persistence batch script registered as SharePoint.exe to blend with expected process names. |
| T1036.007 | Masquerading: Double File Extension | Tickler distributed in ZIP archives with .pdf.exe double-extension filenames exploiting Windows default extension-hiding. |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | Tickler dropper delivers legitimate files alongside malicious DLLs to achieve side-loading execution. |
| T1218 | System Binary Proxy Execution (LOLBins) | Living-off-the-land binary abuse (mshta.exe, certutil.exe, regsvr32.exe) to execute malicious code while evading signature-based detection. |
| T1027 | Obfuscated Files and Information | C2 payloads base64-encoded and carried over non-standard ports 808 and 880 to evade content inspection. |
| Credential Access | | |
| T1606.002 | Forge Web Credentials: SAML Tokens | APT33 assessed capable of Golden SAML attacks: forging SAML tokens for persistent cloud access that survives password resets. |
| Discovery | | |
| T1087.002 | Account Discovery: Domain Account | Sysinternals AD Explorer used post-compromise to snapshot Active Directory environments; .dat output files are a key forensic indicator. |
| T1069.003 | Permission Groups Discovery: Cloud Groups | AzureHound and ROADtools used to map Entra ID (formerly Azure AD) environments and identify privilege escalation paths. |
| Lateral Movement | | |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | Post-compromise lateral movement across corporate networks toward OT-adjacent systems. |
| Command and Control | | |
| T1102.002 | Web Service: Bidirectional Communication | Fraudulent and compromised Azure subscriptions used to host Tickler C2 nodes; malicious traffic blends with legitimate Azure traffic. |
| T1219 | Remote Access Software | AnyDesk deployed for persistent remote access post-compromise; registered under benign process names. |
| T1071.004 | Application Layer Protocol: DNS | DNS tunneling used by peer group APT34 in coordinated campaigns sharing APT33 infrastructure. |
| T1090.003 | Proxy: Multi-hop Proxy | Tor exit nodes used to route password spray traffic, obscuring campaign origin and defeating IP-reputation blocking. |
| T1571 | Non-Standard Port | C2 communication on ports 808 and 880 with base64-encoded payloads to evade standard traffic inspection rules. |
| T1105 | Ingress Tool Transfer | Tickler dropper pulls additional payloads from Azure-hosted C2 servers after the initial reconnaissance phase. |
| Impact | | |
| T1561.001 | Disk Wipe: Disk Content Wipe | SHAPESHIFT destructive disk-wiper delivered via the DROPSHOT loader; a self-erasing payload degrades the forensic trail simultaneously with the destructive objective. |
What is the CandleStone campaign?
CandleStone is an active APT33 espionage campaign documented by CyberShelter Threat Intelligence in advisory TIA-UAE-2026-023 (March 4, 2026). The campaign targets aerospace, defence contractors, and government entities in the UAE using spear-phishing emails referencing the Abu Dhabi Space Debate as a lure. The emails deliver malicious archives containing Virtual Hard Disk (VHD) containers, which bypass Windows Mark-of-the-Web security protections by causing Windows to treat files mounted from the VHD as local rather than internet-downloaded content. Once executed, the backdoor performs reconnaissance and establishes encrypted C2 communication over port 443. The VHD delivery method is a meaningful evolution from APT33's previous .hta and ZIP-based initial access techniques.
Does APT33 use LinkedIn for targeting?
Yes. Microsoft documented APT33 conducting LinkedIn-based social engineering during the same period as the 2024 Tickler campaign. The group impersonated students, developers, and talent acquisition managers on LinkedIn to identify and approach targets at defense, satellite, and higher education organizations. LinkedIn targeting complements the password spray campaigns: spray attacks cast a wide net for any valid credential, while LinkedIn reconnaissance allows the group to identify specific individuals worth targeting with more tailored social engineering before or after a credential compromise.
Sources
- Microsoft Security Blog — Peach Sandstorm Deploys New Custom Tickler Malware (August 2024)
- Mandiant / Google Cloud Blog — APT33 Insights into Iranian Cyber Espionage (September 2017)
- Brandefense — APT33/Peach Sandstorm: 2025 Threat Forecast (November 2025)
- Nozomi Networks — Threat Actor Activity Related to the Iran Conflict (July 2025)
- Picus Security — Iranian Threat Actors: What Defenders Need to Know (March 2026)
- BleepingComputer — New Tickler Malware Used to Backdoor US Govt, Defense Orgs (August 2024)
- MITRE ATT&CK — APT33 Group Profile (G0064)
- Industrial Cyber — ISAC Advisory: Cyber and Physical Risks to Critical Infrastructure (March 2026)
- Hack The Box Blog — Ghost in the PowerShell: APT33's Low-and-Slow Tactics (2025)
- GBHackers — Iranian APT Groups Intensify Cyberattacks (March 2026)
- CyberShelter Threat Intelligence — Advisory TIA-UAE-2026-023: APT33 CandleStone Campaign Against UAE Aerospace (March 2026)
- Augur Security — Iran 2026 Threat Posture Assessment (March 2026)
- Flare / Recorded Future — Cyberattacks Linked to US-Israel-Iran Military Conflict (March 2026)
- Threat Intel Report — APT33 Threat Actor Profile (February 2026)