Threat Actor Profile
High APT
Description

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.[1][2]

Confidence Score
100%
Tags
mitre-attack crawled web-source mitre-group
First Seen

Unknown

Last Updated

April 29, 2026

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (23)
T1560 - Archive Collected Data
Collection
T1071 - Application Layer Protocol
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1132 - Data Encoding
Command and Control
T1571 - Non-Standard Port
Command and Control
T1573 - Encrypted Channel
Command and Control
T1003 - OS Credential Dumping
Credential Access
T1040 - Network Sniffing
Credential Access
T1110 - Brute Force
Credential Access
T1552 - Unsecured Credentials
Credential Access
T1555 - Credentials from Password Stores
Credential Access
T1027 - Obfuscated Files or Information
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1053 - Scheduled Task/Job
Execution
T1059 - Command and Scripting Interpreter
Execution
T1203 - Exploitation for Client Execution
Execution
T1204 - User Execution
Execution
T1048 - Exfiltration Over Alternative Protocol
Exfiltration
T1566 - Phishing
Initial Access
T1547 - Boot or Logon Autostart Execution
Persistence
T1068 - Exploitation for Privilege Escalation
Privilege Escalation
T1546 - Event Triggered Execution
Privilege Escalation
T1588 - Obtain Capabilities
Resource Development
STIX Data
{'aliases': [],
 'description': 'APT33is a suspected Iranian threat group that has carried out '
                'operations since at least 2013. The group has targeted '
                'organizations across multiple industries in the United '
                'States, Saudi Arabia, and South Korea, with a particular '
                'interest in the aviation and energy sectors.[1][2]',
 'external_references': [{'external_id': 'G0064',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0064/'}],
 'id': 'threat-actor--G0064',
 'metadata': {'crawled_at': '2026-04-29T14:32:47.090307+00:00',
              'mitre_group_id': 'G0064',
              'page_title': 'APT33, HOLMIUM, Elfin, Peach Sandstorm, Group '
                            'G0064 | MITRE ATT&CK®'},
 'name': 'APT33',
 'type': 'threat-actor'}