Check out the results from our first round of ATT&CK Evaluations at!


APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. [1] [2]

ID: G0064
Aliases: APT33
Version: 1.0

Alias Descriptions

APT33[1] [2]

Techniques Used

EnterpriseT1192Spearphishing LinkAPT33 sent spear phishing emails containing links to .hta files.[1]
EnterpriseT1204User ExecutionAPT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.[1]
EnterpriseT1078Valid AccountsAPT33 has used valid accounts for privilege escalation.[2]


S0198NETWIRECode Signing, Input Capture, Registry Run Keys / Startup Folder, Screen Capture, System Information Discovery
S0199TURNEDUPCommand-Line Interface, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, System Information Discovery