Skip to main content
Mallory
Back to threat actors
Iran🇮🇷 IR4 malware families

Curious Serpens

Also known ascurious_serpens

Curious Serpens is an Iranian-linked threat actor also referred to in the provided content as Peach Sandstorm, APT33, and Elfin. The content describes it as an espionage group active since at least 2013, with some reporting in the source material also stating activity since at least 2020. It has targeted the aerospace, defense, and energy sectors in the United States, Middle East, and Europe. The group is described as engaging in espionage and is suspected to have ties to the IRGC. The provided content states that Curious Serpens has used password spray campaigns for initial access and has leveraged cloud-focused post-compromise discovery tooling in Microsoft environments, including ROADtools and AzureHound, to enumerate and map Microsoft Entra ID/Azure AD tenants. Reported activity includes use of ROADtools by 2023 following password spray campaigns, and repurposing AzureHound in post-compromise discovery phases to map Entra ID environments. The content also notes use of cloud infrastructure including Azure for command and control. The source material further associates Curious Serpens/APT33 with high-visibility destructive activity during the 2016-2019 period, including targeting IT infrastructure with disk-wiping malware alongside other Iranian groups. Some mention contexts additionally claim exploitation of zero-day vulnerabilities, deployment of custom backdoors, and supply-chain targeting, but these points are only presented in isolated mention text within the content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • IR
MITRE ATT&CK

Tradecraft

12 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

7 of 15 tactics19 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
4 techniques
T1078
Valid Accounts
T1133
External Remote Services
T1195
Supply Chain Compromise
T1566×2
Phishing
TA0003
Persistence
2 techniques
T1078
Valid Accounts
T1133
External Remote Services
TA0004
Privilege Escalation
1 technique
T1078
Valid Accounts
TA0005
Stealth
2 techniques
T1078
Valid Accounts
T1218
System Binary Proxy Execution
TA0006
Credential Access
4 techniques
T1110
Brute Force
T1110.003
Password Spraying
T1539
Steal Web Session Cookie
T1555
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
T1621
Multi-Factor Authentication Request Generation
TA0007
Discovery
2 techniques
T1087
Account Discovery
T1087.004
Cloud Account
T1526×3
Cloud Service Discovery
TA0040
Impact
1 technique
T1561
Disk Wipe
ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
AzureHound"Threat Actors Abuse AzureHound for Post-Compromise Discovery in Microsoft Azure Environments" ... "AzureHound is an open-source data collection tool initially developed by SpecterOps (@SpecterOps) for penetration testing within the BloodHound suite."1Mar 8, 2026
Raccoon Stealer"Threat actors then use information-stealing malware, such as Raccoon Stealer and Redline, to acquire credentials and session tokens from the victim’s browser."1Mar 8, 2026
RedLine"Threat actors then use information-stealing malware, such as Raccoon Stealer and Redline, to acquire credentials and session tokens from the victim’s browser."1Mar 8, 2026
ShamoonShamoon resurgence: Following its initial debut in 2012, Shamoon 2 and Shamoon 3 were deployed against Middle Eastern entities. These attacks utilized spearphishing to gain initial access, eventually relying on the Eldos RawDisk driver to bypass Windows APIs and overwrite the master boot record (MBR).1Mar 16, 2026
ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app
security online infoNews
May 28, 2026
ROADtools Cloud Attack Toolkit: Threat Intelligence Report

Iranian threat group observed using ROADtools-like discovery tooling during active intrusions in 2023.

Read more
cyber security newsNews
May 27, 2026
ROADtools Misused in Cloud Attacks to Steal Tokens and Bypass MFA Controls - Cyber Security News

Used ROADtools following password spray campaigns to operate in Microsoft cloud environments.

Read more
palo alto networks unit 42 blogNews
Mar 16, 2026
Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization

Iran-linked threat actor associated in this content with disruptive attacks against IT infrastructure using disk-wiping malware.

Read more
polyswarmNews
Mar 6, 2026
Cyber Strategy Under Fire: Iranian APT and Proxy Retaliation Risks

Suspected IRGC-tied espionage actor emphasizing tailored phishing, supply-chain compromise, and use of zero-days/custom backdoors; reported targeting includes Israeli defense contractors.

Read more
+6 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping12

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.