Home/ Threat Actors/ APT33

🇮🇷APT33

🇮🇷 APT33 is a tracked threat actor in the Clankerusecase corpus. Attributed to IR. Primary motivation: State. We map 26 detection use cases to this actor across 52 MITRE ATT&CK techniques, with 2 threat-intel articles citing them. Active in our corpus from 2026-03-12 to 2026-05-22.

crit 2

View full actor card → All threat actors MITRE ATT&CK group spec (G0064) ↗

26Use cases

2Articles

52Techniques

0IOCs

Known aliases

APT33Refined KittenElfinHolmiumPeach SandstormHOLMIUM

Top techniques

T1087 · Account Discovery T1098.005 · Device Registration T1190 · Exploit Public-Facing Application

All other tracked techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1003.004 · LSA Secrets T1003.005 · Cached Domain Credentials T1021.002 · SMB/Windows Admin Shares T1027.013 · Encrypted/Encoded File T1040 · Network Sniffing T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol T1053.005 · Scheduled Task T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1068 · Exploitation for Privilege Escalation T1071.001 · Web Protocols T1078 · Valid Accounts T1078.004 · Cloud Accounts T1098.001 · Additional Cloud Credentials T1105 · Ingress Tool Transfer T1110.003 · Password Spraying T1132.001 · Standard Encoding T1195.002 · Compromise Software Supply Chain T1199 · Trusted Relationship T1203 · Exploitation for Client Execution T1204.001 · Malicious Link T1204.002 · Malicious File T1204.004 · Malicious Copy and Paste T1218 · System Binary Proxy Execution T1219 · Remote Access Tools T1486 · Data Encrypted for Impact T1528 · Steal Application Access Token T1546.003 · Windows Management Instrumentation Event Subscription T1547.001 · Registry Run Keys / Startup Folder T1550 · Use Alternate Authentication Material T1550.001 · Application Access Token T1552.001 · Credentials In Files T1552.006 · Group Policy Preferences T1555 · Credentials from Password Stores T1555.003 · Credentials from Web Browsers T1556.006 · Multi-Factor Authentication T1560.001 · Archive via Utility T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1569.002 · Service Execution T1571 · Non-Standard Port T1573.001 · Symmetric Cryptography T1588.002 · Tool T1606.002 · SAML Tokens T1621 · Multi-Factor Authentication Request Generation

Detection use cases (26)

APT33 (Peach Sandstorm) password-spray success chained with AAD persistence (device/MFA registration) AI · profile SDD APT33 / Elfin maldoc execution chain — Office spawning script host with download/encoded payload (POWERTON / FalseFont lure) AI · profile SΣDD Curious Serpens / APT29 ROADtools-pattern: device registration immediately following non-interactive token acquisition Bespoke UTA0355 device-code phishing: deviceCode auth flow with cross-IP token redemption Bespoke ROADtools roadtx FOCI client-ID swap: refresh-token resource hop across MS Office FOCI app IDs Bespoke Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Remote service execution — PsExec / SMB lateral movement Internal OAuth consent / suspicious app grant Internal Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) Internal RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard Internal Trusted vendor binary / installer launching unusual children Internal MuddyWater SimpleHelp RMM client spawning shell or recon LOLBin Bespoke 1Password impossible-travel sign-in MITRE match 1Password item exfiltration attempt MITRE match 1Password vault export attempted MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match

Threat-intel articles (2)

crit Paved With Intent: ROADtools and Nation-State Tactics in the Cloud · 2026-05-22

crit Cyber fallout from the Iran war: What to have on your radar · 2026-03-12