OSINT - More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
The threat group regularly referred to as APT33 is known to target the oil and aviation industries aggressively. This threat group has been reported on consistently for years, but our recent findings show that the group has been using about a dozen live Command and Control (C&C) servers for extremely narrow targeting. The group puts up multiple layers of obfuscation to run these C&C servers in extremely targeted malware campaigns against organizations in the Middle East, the U.S., and Asia.
AI Analysis
Technical Summary
APT33 is a well-documented advanced persistent threat (APT) group known for targeting critical sectors such as the oil and aviation industries. The group is believed to be state-sponsored and has been active for several years, focusing on strategic espionage and sabotage. Recent intelligence reveals that APT33 operates more than a dozen live Command and Control (C&C) servers that are heavily obfuscated to evade detection and attribution. These botnets are used in highly targeted malware campaigns, employing multiple layers of obfuscation techniques to maintain stealth and persistence. The campaigns are characterized by extremely narrow targeting, focusing on specific organizations rather than broad, indiscriminate attacks. The primary geographic focus of these operations has been the Middle East, the United States, and Asia, with the intent to infiltrate and maintain long-term access to critical infrastructure and industrial networks. The malware deployed by these botnets is designed to facilitate espionage, data exfiltration, and potentially disruptive activities. Although no known exploits are currently reported in the wild, patches and mitigations are available, indicating that vulnerabilities exploited by APT33 have been identified and addressed by security vendors. The threat leverages sophisticated network activity patterns and obfuscation to avoid detection by traditional security controls, making it a persistent and high-risk threat for targeted sectors.
Potential Impact
For European organizations, particularly those in the oil, gas, and aviation sectors, the presence of APT33 botnets represents a significant risk to confidentiality, integrity, and availability of critical operational data and systems. Successful infiltration could lead to espionage, intellectual property theft, disruption of industrial control systems, and potential sabotage. Given Europe's strategic role in global energy supply chains and aviation, compromise of these sectors could have cascading effects on economic stability and national security. Additionally, the narrow targeting approach means that specific high-value organizations could be compromised without widespread detection, increasing the risk of prolonged undetected intrusions. The obfuscation techniques used by APT33 complicate incident response and forensic investigations, potentially delaying remediation and increasing damage. While the group has historically focused on other regions, the interconnectedness of global supply chains and the presence of European subsidiaries or partners in targeted regions increase the likelihood of spillover or indirect targeting. The threat also poses risks to European organizations involved in Middle Eastern and Asian markets, as well as those collaborating with U.S. entities, due to shared intelligence and operational linkages.
Mitigation Recommendations
1. Implement advanced network monitoring with behavioral analytics to detect anomalous C&C communications, focusing on obfuscated traffic patterns and unusual outbound connections.
2. Deploy endpoint detection and response (EDR) solutions capable of identifying obfuscated malware and lateral movement techniques used by APT33.
3. Conduct regular threat hunting exercises targeting indicators of compromise (IoCs) associated with APT33, even if no direct indicators are currently published, focusing on network traffic to known C&C infrastructure.
4. Enforce strict segmentation of operational technology (OT) and industrial control systems (ICS) networks from corporate IT networks to limit lateral movement.
5. Apply all relevant patches promptly, referencing vendor advisories such as the Trend Micro blog linked in the threat report, to close vulnerabilities exploited by APT33.
6. Enhance supply chain security by vetting third-party vendors and partners, especially those with ties to Middle Eastern and Asian markets, to reduce indirect exposure.
7. Conduct targeted security awareness training for personnel in critical sectors to recognize spear-phishing and social engineering attempts that may serve as initial infection vectors.
8. Collaborate with national cybersecurity centers and participate in information sharing platforms to stay updated on emerging TTPs (tactics, techniques, and procedures) related to APT33.
9. Utilize threat intelligence feeds to update firewall and intrusion prevention system (IPS) rules to block known malicious IPs and domains associated with APT33 C&C servers.
10. Prepare and regularly test incident response plans tailored to APT-style intrusions, emphasizing rapid containment and eradication of stealthy botnets.
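Recommendations 3 and 9 above come down to matching observed DNS queries, outbound connections, sender addresses and file hashes against the indicator list further down this page. The script below is an added example of that hunt, not code from the Trend Micro report or from the OffSeq page: the indicator values are copied from the page's IoC list, while the key=value log format, the field names (`query`, `dst`, `from`, `sha256`) and every sample log line are constructed for the demonstration. It goes slightly beyond plain string matching in two ways a hunter cares about: a query for a subdomain of a listed C&C domain is flagged, but a look-alike name that merely starts with the domain is not, and IP and hash comparisons are normalised (port suffix stripped, hex lower-cased) so that tool-specific formatting does not hide a hit.

```python
"""Hunt key=value log lines for the APT33 indicators listed on this page.
Added example, not code from the Trend Micro report or the OffSeq page:
indicator values are copied from the page's IoC list; the log field names
and every sample log line are constructed for the demonstration."""
import ipaddress
import re
from collections import namedtuple

# C&C domains from the page; subdomains of these are flagged as well.
CC_DOMAINS = {"oorgans.com", "suncocity.com", "zandelshop.com", "simsoshop.com",
              "zeverco.com", "qualitweb.com", "service-explorer.com", "service-norton.com",
              "service-eset.com", "service-essential.com", "update-symantec.com"}
# C&C IP addresses from the page.
CC_IPS = {"5.135.120.57", "5.135.199.25", "31.7.62.48", "51.77.11.46", "54.36.73.108",
          "54.37.48.172", "54.38.124.150", "88.150.221.107", "91.134.203.59",
          "109.169.89.103", "109.200.24.114", "137.74.80.220", "137.74.157.84",
          "185.122.56.232", "185.125.204.57", "185.175.138.173", "188.165.119.138",
          "193.70.71.112", "195.154.41.72", "213.32.113.159", "216.244.93.137"}
# SHA-256 hashes of the MsdUpdate.exe / DysonPart.exe samples from the page.
FILE_HASHES = set("""
e954ff741baebb173ba45fbcfdea7499d00d8cfa2933b69f6cc0970b294f9ffd
b58a2ef01af65d32ca4ba555bd72931dc68728e6d96d8808afca029b4c75d31e
a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449
c303454efb21c0bf0df6fb6c2a14e401efeb57c1c574f63cdae74ef74a3b01f2
75e6bafc4fa496b418df0208f12e688b16e7afdb94a7b30e3eca532717beb9ba
8fb6cbf6f6b6a897bf0ee1217dbf738bce7a3000507b89ea30049fd670018b46
ba9d76cca6b5c7308961cfe3739dc1328f3dad9a824417fad73b842b043daa1a
07e1baf1d0207a139bcf39c60354666496e4331381d36eef9359120b1d8497f1
""".split())
# Sender addresses of the job-themed phishing lures listed on the page.
PHISH_SENDERS = {"recruitment@alsalam.aero", "careers@aramcojobs.ga", "jobs@samref.ga",
                 "careers@sipchem.ga", "jobs@sipchem.ga", "jobs@ngaaksa.ga",
                 "careers@ngaaksa.com", "jobs@dyn-intl.ga", "jobs@mail.dyn-corp.ga"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"
Match = namedtuple("Match", "kind observed indicator")


def match_domain(host):
    """Return the C&C domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # walk parent suffixes, never the TLD alone
        suffix = ".".join(labels[i:])
        if suffix in CC_DOMAINS:
            return suffix
    return None


def match_ip(text):
    """Return the C&C IP if text is one (an IPv4 :port suffix is tolerated)."""
    addr = text.rsplit(":", 1)[0] if text.count(":") == 1 else text
    try:
        ip = str(ipaddress.ip_address(addr))
    except ValueError:
        return None
    return ip if ip in CC_IPS else None


def match_hash(digest):
    d = digest.lower()  # EDR tools often emit upper-case hex
    return d if d in FILE_HASHES else None


def match_sender(addr):
    a = addr.lower().strip("<>")
    return a if a in PHISH_SENDERS else None


# Assumed field names: which log key is checked against which indicator set.
CHECKS = {"query": ("domain", match_domain), "host": ("domain", match_domain),
          "dst": ("ip", match_ip), "sha256": ("hash", match_hash),
          "from": ("sender", match_sender)}


def scan_line(line):
    """Return a Match for every checked field in one log line that hits an IoC."""
    hits = []
    for key, raw, quoted in KV_RE.findall(line):
        value = quoted if raw.startswith('"') else raw
        if key.lower() in CHECKS:
            kind, check = CHECKS[key.lower()]
            indicator = check(value)
            if indicator:
                hits.append(Match(kind, value, indicator))
    return hits


def scan_log(lines):
    """Return (line number, Match) pairs over a whole log."""
    return [(n, m) for n, line in enumerate(lines, 1) for m in scan_line(line)]


# Constructed sample log: no real hosts, users or traffic behind these lines.
SAMPLE_LOG = [
    "dns client=10.0.0.5 query=www.OORGANS.com.",
    "dns client=10.0.0.7 query=login.microsoftonline.com",
    "proxy src=10.0.0.5 dst=5.135.120.57:443 bytes=8421",
    'mail from=careers@aramcojobs.ga subject="Latest Vacancy" to=hr@example.org',
    "edr device=WS01 path=C:\\Users\\Public\\MsdUpdate.exe "
    "sha256=E954FF741BAEBB173BA45FBCFDEA7499D00D8CFA2933B69F6CC0970B294F9FFD",
    "dns client=10.0.0.5 query=oorgans.com.evil.test",  # look-alike prefix: no hit
]

if __name__ == "__main__":
    for n, m in scan_log(SAMPLE_LOG):
        print(f"line {n}: {m.kind} {m.observed!r} matches {m.indicator}")
```

Run against the constructed sample, the script reports four hits (the subdomain query, the proxy connection to a C&C IP, the phishing sender and the upper-case hash) and correctly ignores the `oorgans.com.evil.test` look-alike. To use it on real data, replace `SAMPLE_LOG` with your own lines and adjust `CHECKS` to the field names your DNS, proxy, mail and EDR logs actually use; the suffix walk in `match_domain` is the piece worth keeping whatever the format, since C&C operators rarely beacon to the bare registered domain.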
Affected Countries
United Kingdom, Germany, France, Italy, Netherlands, Belgium, Spain, Poland, Norway
Indicators of Compromise
- link: https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/
- text: The threat group regularly referred to as APT33 is known to target the oil and aviation industries aggressively. This threat group has been reported on consistently for years, but our recent findings show that the group has been using about a dozen live Command and Control (C&C) servers for extremely narrow targeting. The group puts up multiple layers of obfuscation to run these C&C servers in extremely targeted malware campaigns against organizations in the Middle East, the U.S., and Asia.
- domains (APT33 C&C domains for extreme narrow targeting):
  - oorgans.com
  - suncocity.com
  - zandelshop.com
  - simsoshop.com
  - zeverco.com
  - qualitweb.com
  - service-explorer.com
  - service-norton.com
  - service-eset.com
  - service-essential.com
  - update-symantec.com
- email: recruitment@alsalam.aero
- email-subject: Job Opportunity
- datetime: 2016-12-31T00:00:00
- datetime: 2017-04-17T00:00:00
- email: recruitment@alsalam.aero
- email-subject: Vacancy Announcement
- datetime: 2018-09-25T00:00:00
- email: careers@aramcojobs.ga
- email-subject: AramCo Jobs
- datetime: 2018-10-22T00:00:00
- email: jobs@samref.ga
- email-subject: Job Openning at SAMREF
- datetime: 2018-07-02T00:00:00
- email: careers@sipchem.ga
- email-subject: Job Opportunity SIPCHEM
- datetime: 2017-09-11T00:00:00
- email: jobs@ngaaksa.ga
- email-subject: Job Opportunity
- datetime: 2018-08-28T00:00:00
- email-subject: Latest Vacancy
- email: careers@aramcojobs.ga
- email: careers@aramcojobs.ga
- email-subject: Latest Vacancy
- datetime: 2018-08-26T00:00:00
- datetime: 2017-07-17T00:00:00
- email: careers@ngaaksa.com
- email-subject: Job Openning
- email: jobs@dyn-intl.ga
- email-subject: Job Openning
- datetime: 2017-11-20T00:00:00
- email-subject: Job Openning
- datetime: 2017-11-28T00:00:00
- email: jobs@mail.dyn-corp.ga
- email-subject: Job Openning
- datetime: 2018-03-05T00:00:00
- email: jobs@sipchem.ga
- email-subject: Job Openning
- datetime: 2018-07-30T00:00:00
- email: jobs@sipchem.ga
- email-subject: Job Openning
- datetime: 2018-08-14T00:00:00
- ip: 5.135.120.57
- datetime: 2018-12-04T00:00:00
- datetime: 2019-01-24T00:00:00
- ip: 5.135.199.25
- datetime: 2019-03-03T00:00:00
- datetime: 2019-03-03T00:00:00
- ip: 31.7.62.48
- datetime: 2018-09-26T00:00:00
- datetime: 2018-09-29T00:00:00
- ip: 51.77.11.46
- datetime: 2019-07-01T00:00:00
- datetime: 2019-07-02T00:00:00
- ip: 54.36.73.108
- datetime: 2019-07-22T00:00:00
- datetime: 2019-10-05T00:00:00
- ip: 54.37.48.172
- datetime: 2019-10-22T00:00:00
- datetime: 2019-11-05T00:00:00
- ip: 54.38.124.150
- datetime: 2018-10-28T00:00:00
- datetime: 2018-11-17T00:00:00
- ip: 88.150.221.107
- datetime: 2019-09-26T00:00:00
- datetime: 2019-11-07T00:00:00
- ip: 91.134.203.59
- datetime: 2018-09-26T00:00:00
- datetime: 2018-12-04T00:00:00
- ip: 109.169.89.103
- datetime: 2018-12-02T00:00:00
- datetime: 2018-12-14T00:00:00
- ip: 109.200.24.114
- datetime: 2018-11-19T00:00:00
- datetime: 2018-12-25T00:00:00
- ip: 137.74.80.220
- datetime: 2018-09-29T00:00:00
- datetime: 2018-10-23T00:00:00
- ip: 137.74.157.84
- datetime: 2018-12-18T00:00:00
- datetime: 2019-10-21T00:00:00
- ip: 185.122.56.232
- datetime: 2018-09-29T00:00:00
- datetime: 2018-11-04T00:00:00
- ip: 185.125.204.57
- datetime: 2018-10-25T00:00:00
- datetime: 2019-01-14T00:00:00
- ip: 185.175.138.173
- datetime: 2019-01-19T00:00:00
- datetime: 2019-01-22T00:00:00
- ip: 188.165.119.138
- datetime: 2018-10-08T00:00:00
- datetime: 2018-11-19T00:00:00
- ip: 193.70.71.112
- datetime: 2019-03-07T00:00:00
- datetime: 2019-03-17T00:00:00
- ip: 195.154.41.72
- datetime: 2019-01-13T00:00:00
- datetime: 2019-01-20T00:00:00
- ip: 213.32.113.159
- datetime: 2019-06-30T00:00:00
- datetime: 2019-09-16T00:00:00
- ip: 216.244.93.137
- datetime: 2018-12-10T00:00:00
- datetime: 2018-12-21T00:00:00
- file: MsdUpdate.exe
- hash: e954ff741baebb173ba45fbcfdea7499d00d8cfa2933b69f6cc0970b294f9ffd
- file: MsdUpdate.exe
- hash: b58a2ef01af65d32ca4ba555bd72931dc68728e6d96d8808afca029b4c75d31e
- file: MsdUpdate.exe
- hash: a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449
- file: MsdUpdate.exe
- hash: c303454efb21c0bf0df6fb6c2a14e401efeb57c1c574f63cdae74ef74a3b01f2
- file: MsdUpdate.exe
- hash: 75e6bafc4fa496b418df0208f12e688b16e7afdb94a7b30e3eca532717beb9ba
- file: MsdUpdate.exe
- hash: 8fb6cbf6f6b6a897bf0ee1217dbf738bce7a3000507b89ea30049fd670018b46
- file: DysonPart.exe
- hash: ba9d76cca6b5c7308961cfe3739dc1328f3dad9a824417fad73b842b043daa1a
- hash: 07e1baf1d0207a139bcf39c60354666496e4331381d36eef9359120b1d8497f1
Technical Details
- Threat Level: 1
- Analysis: 2
- Uuid: 5de6335d-e128-4bc0-87e2-4db4950d210f
- Original Timestamp: 1579534868
Threat ID: 6834b3fa290ffd83a4eb78c4
Added to database: 5/26/2025, 6:33:30 PM
Last enriched: 6/25/2025, 6:57:53 PM
Last updated: 8/15/2025, 1:56:54 AM