Threat Actor Characterization

Elfin

ID: 1de00f9940207b65c5eb700f9d6c85fb15588
Actor type: Cybercrime, State-Sponsored
Threat types: ICS Compromise, Malware, Espionage
Country: Iran
Updated: 2026-01-13
Created: 2025-10-21
Aliases: APT33, HOLMIUM, Pe*************
MITRE ATT&CK®

Elfin is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. Ref: https://attack.mitre.org/groups/G0064/

Techniques are listed as ID, technique name and tactic ID(s), each followed by the evidence recorded for Elfin.

T1003.001 LSASS Memory (TA0006)
  • OS Credential Dumping: LSASS Memory - Elfin has used a variety of publicly available tools like LaZagne, Mimikatz, and ProcDump to dump credentials.
T1003.004 LSA Secrets (TA0006)
  • OS Credential Dumping: LSA Secrets - Elfin has used a variety of publicly available tools like LaZagne to gather credentials.
T1003.005 Cached Domain Credentials (TA0006)
  • OS Credential Dumping: Cached Domain Credentials - Elfin has used a variety of publicly available tools like LaZagne to gather credentials.
T1027.013 Encrypted/Encoded File (TA0005)
  • Obfuscated Files or Information: Encrypted/Encoded File - Elfin has used base64 to encode payloads.
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (TA0010)
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol - Elfin has used FTP to exfiltrate files, separately from the C2 channel.
T1053.005 Scheduled Task (TA0002, TA0003, TA0004)
  • Scheduled Task/Job: Scheduled Task - Elfin has created a scheduled task to execute a .vbe file multiple times a day.
T1059.001 PowerShell (TA0002)
  • Command and Scripting Interpreter: PowerShell - Elfin has used PowerShell to download files from the C2 server and run various scripts.
T1059.005 Visual Basic (TA0002)
  • Command and Scripting Interpreter: Visual Basic - Elfin has used VBScript to initiate the delivery of payloads.
T1071.001 Web Protocols (TA0011)
  • Application Layer Protocol: Web Protocols - Elfin has used HTTP for command and control.
T1078.004 Cloud Accounts (TA0001, TA0003, TA0004, TA0005)
  • Valid Accounts: Cloud Accounts - Elfin has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints.
T1110.003 Password Spraying (TA0006)
  • Brute Force: Password Spraying - Elfin has used password spraying to gain access to target systems.
T1132.001 Standard Encoding (TA0011)
  • Data Encoding: Standard Encoding - Elfin has used base64 to encode command and control traffic.
T1204.001 Malicious Link (TA0002)
  • User Execution: Malicious Link - Elfin has lured users to click links to malicious HTML applications delivered via spearphishing emails.
T1204.002 Malicious File (TA0002)
  • User Execution: Malicious File - Elfin has used malicious e-mail attachments to lure victims into executing malware.
T1546.003 Windows Management Instrumentation Event Subscription (TA0003, TA0004)
  • Event Triggered Execution: Windows Management Instrumentation Event Subscription - Elfin has attempted to use WMI event subscriptions to establish persistence on compromised hosts.
T1547.001 Registry Run Keys / Startup Folder (TA0003, TA0004)
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Elfin has deployed a tool known as DarkComet to the Startup folder of a victim, and has used Registry run keys to gain persistence.
T1552.001 Credentials In Files (TA0006)
  • Unsecured Credentials: Credentials In Files - Elfin has used a variety of publicly available tools like LaZagne to gather credentials.
T1552.006 Group Policy Preferences (TA0006)
  • Unsecured Credentials: Group Policy Preferences - Elfin has used a variety of publicly available tools like Gpppassword to gather credentials.
T1555.003 Credentials from Web Browsers (TA0006)
  • Credentials from Password Stores: Credentials from Web Browsers - Elfin has used a variety of publicly available tools like LaZagne to gather credentials.
T1560.001 Archive via Utility (TA0009)
  • Archive Collected Data: Archive via Utility - Elfin has used WinRAR to compress data prior to exfiltration.
T1566.001 Spearphishing Attachment (TA0001)
  • Phishing: Spearphishing Attachment - Elfin has sent spearphishing e-mails with archive attachments.
T1566.002 Spearphishing Link (TA0001)
  • Phishing: Spearphishing Link - Elfin has sent spearphishing emails containing links to .hta files.
T1573.001 Symmetric Cryptography (TA0011)
  • Encrypted Channel: Symmetric Cryptography - Elfin has used AES for encryption of command and control traffic.
T1588.002 Tool (TA0042)
  • Obtain Capabilities: Tool - Elfin has obtained and leveraged publicly available tools for early intrusion activities.