Iran's IRGC-Affiliated Cyber Espionage Group — Dual Espionage/Destructive Capability — Wiper & Cloud-Native Operations
On March 11, 2026, Stryker Corporation — a Fortune 200 medical technology company headquartered in Portage, Michigan — experienced a catastrophic cyberattack attributed to Handala (a.k.a. Handala Hack Team), a pro-Palestinian hacktivist group with strong ties to Iran's Ministry of Intelligence and Security (MOIS).
The attack deployed destructive wiper malware that permanently erased data from corporate servers, endpoint devices, and personal smartphones enrolled in Stryker's Microsoft Intune mobile device management. The attackers defaced Microsoft Entra (Azure AD) login pages with Handala's distinctive logo and remotely wiped managed devices at approximately 3:30 AM EDT.
Over 5,500 employees in Cork, Ireland — Stryker's largest hub outside the US — were sent home. Operations halted across manufacturing, R&D, and engineering facilities worldwide. The company's main US headquarters voicemail reported a "building emergency." Stryker stock dropped approximately 4% within hours.
Handala claimed the operation affected 200,000+ systems and exfiltrated 50 terabytes of data. While these figures remain unverified, the operational impact is confirmed by multiple sources including Stryker's own statements, Irish media, and employee reports.
Stryker confirmed: "We have no indication of ransomware or malware." This was a destructive wiper attack — the goal was permanent data destruction, not extortion. Wiper attacks may cause irreversible data loss with no recovery path. This aligns with Handala's documented operational doctrine of disruption over monetization.
This attack comes ~2 weeks after US-Israeli strikes against Iran (late February 2026). CSIS analysis warns this marks "the beginning of a new phase of cyber escalation" under Iran's "Great Epic" cyber campaign. Handala explicitly framed this as retaliation for the "attack on a school in Minab" and "ongoing cyber assaults against the Resistance Axis."
APT33 is tracked under multiple naming conventions across the threat intelligence community:
| Vendor / Organization | Cluster Name | Notes |
|---|---|---|
| MITRE ATT&CK | G0064 | Canonical group identifier |
| FireEye / Mandiant / Google | APT33 | Original designation (2017) |
| Microsoft | Peach Sandstorm (HOLMIUM) | Current + legacy designation |
| Symantec / Broadcom | Elfin | Focus on aerospace targeting |
| Dragos / Secureworks | Magnallium | Industrial/OT context |
| Proofpoint | Refined Kitten | Credential harvesting campaigns |
| PwC | HOLMIUM | Microsoft legacy name |
| Recorded Future | TAG-35 | Internal tracking |
Multiple independent sources attribute APT33 to Iran's Islamic Revolutionary Guard Corps (IRGC) with high confidence. FireEye's original 2017 research identified connections to the IRGC Nasr Institute — a Tehran-based organization responsible for offensive cyber operations supporting IRGC strategic priorities.
Attribution evidence includes:
APT33's mission set encompasses two distinct but overlapping operational categories:
This dual mandate is consistent with IRGC cyber doctrine, which views offensive cyber operations as both an intelligence collection capability and a strategic deterrent/retaliation mechanism.
Saudi Arabia represents APT33's most heavily targeted geography. The group has conducted sustained campaigns against:
UAE energy sector organizations face elevated risk, particularly those with operations intersecting Iranian regional interests. The 2018 Shamoon 3 attacks targeting Saipem (an Italian energy services company) impacted UAE operations.
All GCC organizations in aviation, energy, defense, and critical infrastructure sectors should consider APT33 a named threat requiring specific defensive countermeasures.
| Tactic | Technique ID | Technique Name | APT33 Usage |
|---|---|---|---|
| Initial Access | T1566.001 | Spear Phishing Attachment | HTA files, malicious archives (ZIP, RAR), executable-disguised PDFs |
| Initial Access | T1566.002 | Spear Phishing Link | LinkedIn impersonation, malicious recruitment pages |
| Initial Access | T1078 | Valid Accounts | Password spraying via go-http-client, thousands of orgs targeted |
| Execution | T1059.001 | PowerShell | DROPSHOT, FalseFont, ALMA — PowerShell payloads |
| Execution | T1204.002 | Malicious File | Victim opens ZIP/HTA/archive, double-extension files |
| Execution | T1203 | Exploitation for Client Execution | CVE-2017-11774 (Outlook), CVE-2018-20250 (WinRAR) |
| Persistence | T1547.001 | Registry Run Keys | Tickler adds persistence via reg.exe (SharePoint.exe) |
| Persistence | T1137.004 | Outlook Home Page | Ruler tool + CVE-2017-11774 for persistent code execution |
| Persistence | T1199 | Trusted Relationship | AnyDesk deployed post-compromise for persistent access |
| Privilege Escalation | T1484.002 | Golden SAML | Forged SAML tokens for Azure/O365 federation persistence |
| Defense Evasion | T1027 | Obfuscation | Encoded payloads, masquerading (SharePoint.exe, PDF.exe) |
| Defense Evasion | T1036 | Masquerading | Malware disguised as PDFs, Boeing/Northrop domain typosquatting |
| Defense Evasion | T1102 | Web Service | Fraudulent Azure subscriptions for Tickler C2 (azurewebsites.net) |
| Credential Access | T1110.003 | Password Spraying | Large-scale low-rate spray via go-http-client, avoids lockout |
| Credential Access | T1528 | Steal Application Access Token | Session token theft following successful password spray |
| Discovery | T1087 | Account Discovery | AD Explorer snapshots of Active Directory |
| Discovery | T1082 | System Information Discovery | Tickler collects network/system info, POSTs to C2 |
| Lateral Movement | T1021.002 | SMB/Windows Admin Shares | SMB lateral movement post-Tickler deployment |
| Collection | T1114.002 | Remote Email Collection | Email access via Outlook Home Page persistence |
| C2 | T1071.001 | Application Layer Protocol | Tickler C2 via HTTPS to Azure infrastructure |
| C2 | T1583.001 | Acquire Infrastructure | Fraudulent Azure subscriptions, compromised education accounts |
| Impact | T1485 | Data Destruction | SHAPESHIFT wiper (DROPSHOT dropper) |
| Impact | T1561.002 | Disk Structure Wipe | Shamoon-linked wiper capability |
1. Initial Access — APT33 employs two primary access vectors: (a) Spear-phishing with malicious attachments — HTA files disguised as legitimate documents, often impersonating aviation firms or using .hta extensions delivered via spoofed domains mimicking Boeing, Alsalam Aircraft Company, and other aerospace entities; (b) Mass password spraying — Large-scale authentication attempts against thousands of organizations using common/weak passwords to identify vulnerable accounts.
2. Execution & Deployment — Spear-phishing emails contain HTA attachments that automatically download APT33 backdoors upon opening. The .hta file contains embedded code that retrieves TURNEDUP backdoor from attacker C2. In 2024 campaigns, successful password spray attempts led to deployment of the multi-stage Tickler backdoor using fraudulent Azure infrastructure.
3. Persistence — APT33 establishes persistence using custom backdoors: TURNEDUP (file upload/download, system reconnaissance, reverse shell capability), Tickler (multi-stage modular backdoor, Azure-hosted C2), SHAPESHIFT (HTTP-based backdoor with DNS tunneling), and DROPSHOT (wiper with persistence mechanisms). Tools are often compiled with developer PDB paths (e.g., "xman_1365_x") that link them to the IRGC Nasr Institute.
4. Credential Access & Lateral Movement — APT33 uses Mimikatz, Procdump, and custom credential harvesters to extract credentials from memory. Compromised credentials are then used for lateral movement via RDP, SMB, and Windows admin shares. In energy sector intrusions, APT33 has demonstrated the ability to pivot from IT networks into OT/ICS environments.
5. Collection & Exfiltration — Focus on technical documentation related to aviation programs, defense contracts, and energy infrastructure. Long-term intelligence collection aligns with IRGC strategic requirements. Data exfiltration uses encrypted channels and public cloud services.
6. Impact (Destructive Operations) — When tasked with destructive operations, APT33 deploys wiper malware: SHAMOON (disk-wiping malware targeting master boot record), STONEDRILL (backdoor with disk-wiping capability), and DROPSHOT (wiper linked to Shamoon campaigns). Wipers overwrite files and critical system areas to render systems inoperable.
| Tactic | Technique ID | Technique Name | APT33 Usage |
|---|---|---|---|
| Reconnaissance | T1589 | Gather Victim Identity Information | Email harvesting and employee reconnaissance |
| Reconnaissance | T1590 | Gather Victim Network Information | Domain registration reconnaissance for typosquatting |
| Resource Development | T1583 | Acquire Infrastructure | Cloud-hosted proxies, fraudulent Azure subscriptions |
| Resource Development | T1585 | Establish Accounts | Fake Azure tenant accounts for C2 infrastructure |
| Resource Development | T1586 | Compromise Accounts | Compromised O365 accounts used with Ruler tool |
| Resource Development | T1587 | Develop Capabilities | Custom backdoors (TURNEDUP, Tickler, SHAPESHIFT) |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Malicious HTA files impersonating aerospace firms |
| Initial Access | T1566.002 | Phishing: Spearphishing Link | Links to attacker-controlled domains hosting backdoors |
| Initial Access | T1078 | Valid Accounts | Password spraying yields compromised credentials |
| Initial Access | T1190 | Exploit Public-Facing Application | Historical exploitation of Outlook, Fortinet CVEs |
| Execution | T1059.001 | PowerShell | PowerShell used for post-compromise scripting |
| Execution | T1059.003 | Windows Command Shell | Batch scripts and cmd.exe for malware execution |
| Execution | T1203 | Exploitation for Client Execution | CVE-2017-11774 (Outlook), CVE-2018-20250 (WinRAR) |
| Execution | T1204.002 | User Execution: Malicious File | Victim opens HTA attachment triggering download |
| Persistence | T1053 | Scheduled Task/Job | Backdoor persistence via Windows Task Scheduler |
| Persistence | T1098 | Account Manipulation | Compromised account access maintained over time |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | Mimikatz, Procdump for credential extraction |
| Credential Access | T1110.003 | Brute Force: Password Spraying | Mass password spraying across thousands of organizations |
| Credential Access | T1555 | Credentials from Password Stores | Browser credential extraction |
| Discovery | T1083 | File and Directory Discovery | System enumeration via backdoors |
| Discovery | T1082 | System Information Discovery | TURNEDUP collects hostname, domain, user info |
| Discovery | T1016 | System Network Configuration Discovery | Network reconnaissance post-compromise |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | RDP for lateral movement |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | SMB for internal network traversal |
| Lateral Movement | T1534 | Internal Spearphishing | Compromised accounts used for internal phishing |
| Collection | T1005 | Data from Local System | Collection of technical documents, aviation data |
| Collection | T1114 | Email Collection | Ruler tool for mailbox access via O365 |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTP/HTTPS C2 communication |
| Command and Control | T1071.004 | Application Layer Protocol: DNS | SHAPESHIFT backdoor DNS tunneling capability |
| Command and Control | T1102 | Web Service | Tickler backdoor uses fraudulent Azure infrastructure |
| Command and Control | T1090 | Proxy | Cloud-hosted proxies relay C2 traffic |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Data exfiltration via established backdoor channels |
| Impact | T1485 | Data Destruction | SHAMOON/STONEDRILL/DROPSHOT wipers |
| Impact | T1561.001 | Disk Wipe: Disk Content Wipe | Shamoon overwrites master boot record and files |
| Impact | T1490 | Inhibit System Recovery | Wiper attacks prevent recovery |
APT33 heavily uses Azure cloud infrastructure (azurewebsites[.]net subdomains) and dynamic DNS for C2 — specific domain/IP IOCs rotate rapidly. The go-http-client user agent IOC in Azure AD logs has the longest shelf life and highest operational value.
| Indicator | Type | Notes / Source |
|---|---|---|
| go-http-client/2.0 | User Agent | Distinctive UA used in password spray campaigns since Feb 2023 |
| go-http-client/1.1 | User Agent | Alternate version of spray UA |
| *[.]azurewebsites[.]net | Domain Pattern | Fraudulent Azure subscriptions used as Tickler C2 |
| SharePoint[.]exe (Run key) | Registry | Tickler persistence — any Run key entry named SharePoint.exe from non-MS path is malicious |
| xman_1365_x | PDB string | TurnedUp backdoor developer artifact — APT33 attribution indicator |
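The SharePoint.exe Run key indicator in the table is most useful when the path the Run value points to is checked as well, not just the value name. As an added example that is not part of the original report, the following Python triage parses reg.exe command lines and separates the non-Microsoft-path case from expected software; the Microsoft install roots are an assumed allow-list, and the Sysmon/4688-style events are constructed.

```python
"""Triage reg.exe Run-key writes for the Tickler persistence indicator: a Run
value whose data is SharePoint.exe outside a Microsoft install directory.
Added example, not from the original report; the allow-listed roots are an
assumption to tune per environment, and the Sysmon/4688-style events are constructed."""
import re
from typing import Optional

RUN_KEY_MARKER = r"currentversion\run"
# Assumed Microsoft install roots: SharePoint.exe launched from here is
# treated as expected software rather than as the Tickler indicator.
MICROSOFT_ROOTS = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
)
# Captures the /d value of `reg add`, whether quoted or bare.
_DATA_RE = re.compile(r'(?i)\s/d\s+(?:"([^"]+)"|(\S+))')

def extract_run_target(command_line: str) -> Optional[str]:
    """Return the value data of a `reg add ...\\CurrentVersion\\Run` command,
    or None when the command does not write a Run key."""
    if RUN_KEY_MARKER not in command_line.lower():
        return None
    match = _DATA_RE.search(command_line)
    return (match.group(1) or match.group(2)) if match else None

def classify_run_key_event(event: dict) -> str:
    """'tickler_suspect' for a reg.exe Run value pointing at SharePoint.exe outside
    MICROSOFT_ROOTS, 'allowlisted_path' for one under a root, else 'no_match'."""
    if not str(event.get("Image", "")).lower().endswith("reg.exe"):
        return "no_match"
    target = extract_run_target(str(event.get("CommandLine", "")))
    if target is None or not target.lower().endswith("sharepoint.exe"):
        return "no_match"
    return "allowlisted_path" if target.lower().startswith(MICROSOFT_ROOTS) else "tickler_suspect"

REG = r"C:\Windows\System32\reg.exe"
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [  # constructed process-creation records
    {"Image": REG, "CommandLine": rf'reg.exe add {RUN} /v SharePoint /t REG_SZ /d "C:\Users\jdoe\AppData\Roaming\SharePoint\SharePoint.exe" /f'},
    {"Image": REG, "CommandLine": rf'reg.exe add {RUN} /v Sync /d C:\ProgramData\SharePoint.exe'},
    {"Image": REG, "CommandLine": rf'reg.exe add {RUN} /v Office /d "C:\Program Files\Microsoft Office\root\Office16\SharePoint.exe"'},
    {"Image": REG, "CommandLine": rf'reg.exe add {RUN} /v OneDrive /d "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": rf'cmd.exe /c echo {RUN} SharePoint.exe'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify_run_key_event(ev), "<-", ev["CommandLine"])
```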
Rules 1 (go-http-client spray), 2 (Tickler SharePoint.exe), and 5 (AD Explorer snapshot) have the lowest false-positive risk; Rule 2 carries near-zero false-positive risk. Rule 6 (DROPSHOT/SHAPESHIFT) is CRITICAL-level and requires immediate incident response when it triggers.
Rule 1 (HIGH): Detects APT33's distinctive go-http-client HTTP user agent in Azure AD password spray campaigns.

```yaml
title: APT33 - Password Spray via go-http-client
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    UserAgent|contains: 'go-http-client'
    ResultType|contains: ['50126', '50053', '50055', '50056']
  condition: selection
level: high
```

Rule 2 (CRITICAL): Detects Tickler backdoor persistence via a reg.exe Run key entry named SharePoint.exe.

```yaml
title: APT33 - Tickler SharePoint.exe Persistence
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: 'reg.exe'
    CommandLine|contains|all:
      - 'CurrentVersion\Run'
      - 'SharePoint.exe'
  condition: selection
level: critical
```

The full Sigma rule set (10 rules) is available in the source PDF with complete YAML syntax. Deploy all rules for comprehensive APT33 detection coverage.
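As an added example that is not part of the report's rule set, the Python below carries Rule 1's selection one step further: it reproduces the selection against Entra ID sign-in log records and then aggregates failures per source IP and user agent, so that a single source cycling through many accounts stands out even when no account reaches a lockout threshold. Field names follow the Entra ID sign-in log schema; the distinct-user threshold and the sample records are constructed.

```python
"""Aggregate Azure AD (Entra ID) sign-in failures per source IP and user agent
to surface the low-and-slow password spraying attributed to APT33, which a
per-event Sigma match or per-account lockout threshold does not capture.
Added example, not from the original report; field names follow the Entra ID
sign-in log schema, and the threshold and sample events are constructed."""
import json
from collections import defaultdict

# Result codes from the report's Sigma rule: bad password, account locked,
# password expired, password reset required.
SPRAY_RESULT_TYPES = {"50126", "50053", "50055", "50056"}
SPRAY_UA_MARKER = "go-http-client"

def is_spray_candidate(event: dict) -> bool:
    """Reproduce the Sigma selection: spray user agent plus a failure code."""
    ua = str(event.get("userAgent", "")).lower()
    return SPRAY_UA_MARKER in ua and str(event.get("resultType", "")) in SPRAY_RESULT_TYPES

def find_spray_sources(log_lines, min_distinct_users=3):
    """Return {(ipAddress, userAgent): sorted distinct UPNs} for each source that
    failed against at least `min_distinct_users` accounts: one source touching
    many accounts a few times each is the spray signature."""
    failed_users = defaultdict(set)
    for line in log_lines:
        event = json.loads(line)
        if is_spray_candidate(event):
            key = (event.get("ipAddress"), event.get("userAgent"))
            failed_users[key].add(str(event.get("userPrincipalName", "")).lower())
    return {k: sorted(v) for k, v in failed_users.items() if len(v) >= min_distinct_users}

def _event(ip, ua, code, upn):
    """Build one constructed JSON sign-in record (documentation IP ranges only)."""
    return json.dumps({"ipAddress": ip, "userAgent": ua, "resultType": code,
                       "userPrincipalName": upn})

SPRAY_IP, SPRAY_UA = "203.0.113.10", "go-http-client/2.0"
SAMPLE_SIGNIN_LOG = [
    _event(SPRAY_IP, SPRAY_UA, "50126", "alice@example.com"),
    _event(SPRAY_IP, SPRAY_UA, "50126", "Bob@example.com"),      # case-folded to bob
    _event(SPRAY_IP, SPRAY_UA, "50053", "carol@example.com"),
    _event(SPRAY_IP, SPRAY_UA, "0", "dave@example.com"),         # success: not counted
    _event("198.51.100.7", "Mozilla/5.0", "50126", "alice@example.com"),  # browser typo: ignored
    _event("203.0.113.11", "go-http-client/1.1", "50126", "erin@example.com"),  # one account: below threshold
]

if __name__ == "__main__":
    for (ip, ua), users in find_spray_sources(SAMPLE_SIGNIN_LOG).items():
        print(f"spray source {ip} ({ua}): {len(users)} accounts -> {', '.join(users)}")
```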