APT33

Actor Type: Nation State
Attributed to Nation: Iran
Directly Linked Intrusion Sets: Peach Sandstorm, Curious Serpens, Refined Kitten
Associated Threat Actor: Islamic Revolutionary Guard Corps (IRGC)
Associated MITRE ATT&CK Group: APT33 (G0064)

APT33 is a cyber espionage group tracked by researchers at Mandiant. The group has been active since at least 2013, and is believed to be working for the Iranian government.

They have targeted organizations in the aerospace and energy sectors, particularly those with ties to petrochemical production in the US, Saudi Arabia, and South Korea.

APT33 employs spear-phishing. One campaign used malicious .hta files disguised as job vacancies to deploy custom backdoors into target systems.

While not directly observed using destructive malware, APT33 has ties to malware with disk-wiping capabilities, suggesting possible destructive intent or capabilities.
