APT33 (Mandiant), HOLMIUM (MS), Refined Kitten (CS), Elfin, Magic Hound
Iranian state-sponsored threat actor known to conduct espionage operations. In at least one campaign, the group moved laterally into its targets’ cloud environments after gaining initial access to on-premises devices.
APT33 is a state-sponsored Iranian threat actor active since at least 2013. The group has primarily targeted entities in the United States, Saudi Arabia, and South Korea—focusing especially on the aviation and oil industries.
APT33 is known for leveraging Azure Active Directory (AAD) and Azure subscriptions as part of its command-and-control (C2) infrastructure. Their custom malware, Tickler, has been observed communicating directly with attacker-controlled Azure assets.
The group executes large-scale password-spraying attacks targeting Microsoft 365 and AAD environments. They often route this activity through TOR exit nodes and use open-source tools like Roadtools and AzureHound to conduct post-compromise reconnaissance within cloud environments.
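A detection for the spraying pattern described above, added here as an example and not part of this profile or any vendor's tooling: it scans constructed sign-in records (not real logs) for a single source IP that tries many distinct accounts with few attempts each inside a short window, and marks hits whose source appears on a TOR exit list (a placeholder set here; in practice load the published exit-node list).

```python
from collections import defaultdict, Counter
from datetime import datetime, timedelta

# Constructed sample of AAD / Entra ID sign-in records: (UTC timestamp, user, source IP, result).
SAMPLE_SIGNINS = [
    ("2024-05-01T09:00:01Z", "alice@example.com", "203.0.113.5", "failure"),
    ("2024-05-01T09:00:09Z", "bob@example.com", "203.0.113.5", "failure"),
    ("2024-05-01T09:00:17Z", "carol@example.com", "203.0.113.5", "failure"),
    ("2024-05-01T09:00:25Z", "dave@example.com", "203.0.113.5", "failure"),
    ("2024-05-01T09:00:33Z", "erin@example.com", "203.0.113.5", "failure"),
    ("2024-05-01T09:00:41Z", "frank@example.com", "203.0.113.5", "success"),
    # One user repeatedly mistyping a password is not a spray: one account, one IP.
    ("2024-05-01T09:01:00Z", "grace@example.com", "198.51.100.9", "failure"),
    ("2024-05-01T09:01:05Z", "grace@example.com", "198.51.100.9", "failure"),
    ("2024-05-01T09:01:11Z", "grace@example.com", "198.51.100.9", "failure"),
]

# Placeholder TOR exit-node set (constructed); replace with the published exit list.
TOR_EXIT_IPS = {"203.0.113.5"}

def parse(rec):
    ts, user, ip, result = rec
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, result

def detect_password_spray(records, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs that, within `window`, touch many distinct accounts with few
    attempts each (the spray signature). Returns {ip: {"users", "successes", "tor"}}."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(map(parse, records)):
        by_ip[ip].append((ts, user, result))
    hits = {}
    for ip, events in by_ip.items():
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window start
                start += 1
            attempts = Counter(u for _, u, _ in events[start:end + 1])
            # Many accounts, few tries per account: low-and-slow spraying, not brute force.
            if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
                if best is None or len(attempts) > len(best[0]):
                    best = (attempts, events[start:end + 1])
        if best:
            attempts, span = best
            hits[ip] = {
                "users": sorted(attempts),
                "successes": sorted(u for _, u, r in span if r == "success"),
                "tor": ip in TOR_EXIT_IPS,  # source on the exit list raises severity
            }
    return hits
```

A success inside a flagged window is the account to reset and review first, since it shows the spray found a valid password.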
APT33 has been seen creating and managing malicious Azure resources—including C2 servers and beaconing endpoints—to camouflage their traffic within legitimate cloud activity, making detection more difficult.
Although APT33’s malware payloads are typically Windows-based, their campaigns frequently affect Linux-hosted services, including Azure virtual machines, VPN appliances, and cloud-based web services.
The group also employs LinkedIn-based social engineering, impersonating professionals to lure victims into disclosing credentials. These efforts can lead to unauthorized access to cloud IAM portals, GitHub repositories, and Linux servers via SSH.