APT33
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:14
- Updated at: 27/03/2026 01:14
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 25 attack patterns (mitre), 8 malware, 6 sectors, 3 countries, 9 indicators, 9 tools
Aliases
HOLMIUM, Elfin, Peach Sandstorm
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (25 / 43)
- T1003.003 NTDS (uses)
- T1552.006 Group Policy Preferences (uses)
- T1573.001 Symmetric Cryptography (uses)
- T1011
- T1588.002 Tool (uses)
- T1571 Non-Standard Port (uses)
- T1204.002 Malicious File (uses)
- T1021.002 SMB/Windows Admin Shares (uses)
- LSA Secrets (uses)
- T1068 Exploitation for Privilege Escalation (uses)
- T1110.003 Password Spraying (uses)
- Scripting (uses)
- T1102.003 One-Way Communication (uses)
- T1078.004 Cloud Accounts (uses)
- T1071.001 Web Protocols (uses)
- T1566.001 Spearphishing Attachment (uses)
- T1003.005
- T1560.001 Archive via Utility (uses)
- T1040 Network Sniffing (uses)
- T1569.002 Service Execution (uses)
- T1555 Credentials from Password Stores (uses)
- T1105 Ingress Tool Transfer (uses)
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (uses)
Malware (8)
- AutoIt backdoor
- DEADWOOD
- NETWIRE
- NanoCore
- Tickler (uses) · Family · Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
- TURNEDUP
- StoneDrill
- POWERTON
Sectors (6)
- Government (targets)
- Aerospace (targets)
- Pharmacy and drugs manufacturing (targets)
- Energy (targets)
- Defense (targets)
- Education (targets)
Countries (3)
- United Arab Emirates (targets)
- United States of America (targets)
- Australia (targets)
Indicators (9)
Tool (9)
- PowerSploit (uses) · The MITRE Corporation · Confidence 100
  [PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code …
  Published 18/04/2018 19:59 · Modified 27/03/2026 01:07
- PoshC2 (uses) · The MITRE Corporation · Confidence 100
  [PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while …
  Published 23/04/2019 14:31 · Modified 27/03/2026 01:07
- Pupy (uses) · The MITRE Corporation · Confidence 100
  [Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as …
  Published 18/04/2018 19:59 · Modified 27/03/2026 01:07
- LaZagne (uses) · The MITRE Corporation · Confidence 100
  [LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows …
  Published 30/01/2019 17:44 · Modified 27/03/2026 01:07
- Empire (uses) · The MITRE Corporation · Confidence 100
  [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents …
  Published 11/03/2019 15:13 · Modified 27/03/2026 01:07
- Ruler (uses) · The MITRE Corporation · Confidence 100
  [Ruler](https://attack.mitre.org/software/S0358) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of [Ruler](https://attack.mitre.org/software/S0358) …
  Published 04/02/2019 19:27 · Modified 27/03/2026 01:07
- Net (uses) · The MITRE Corporation · Confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft …
  Published 31/05/2017 23:32 · Modified 27/03/2026 01:07
- Mimikatz (uses) · The MITRE Corporation · Confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of …
  Published 31/05/2017 23:32 · Modified 27/03/2026 01:07
- ftp (uses) · The MITRE Corporation · Confidence 100
  [ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a …
  Published 31/05/2017 23:33 · Modified 27/03/2026 01:07