Curious Serpens
Curious Serpens is an Iranian-linked threat actor tracked by Unit 42 and others, active since at least 2013. The group is also tracked as Peach Sandstorm, APT33, and Elfin. It is described as an espionage-focused actor with suspected ties to the IRGC, and has targeted the aerospace, defense, and energy sectors in the U.S., the Middle East, and Europe.

Reporting associates Curious Serpens with password spray campaigns, post-compromise cloud discovery, and use of legitimate Microsoft cloud APIs so that its activity blends in with normal tenant traffic. Reported tooling includes AzureHound, used for internal discovery and mapping of Microsoft Entra ID environments, and ROADtools, used for tenant enumeration and token-related activity following password spray intrusions. The group has been reported using AzureHound to enumerate identities, roles, groups, service principals, storage, applications, and other Azure resources in compromised tenants, and to have leveraged cloud infrastructure, including Azure, for command and control.

Earlier reporting describes Curious Serpens targeting IT infrastructure with high-visibility disk-wiping malware during a previous period of Iranian operations. Some sources also mention exploitation of zero-day vulnerabilities, deployment of custom backdoors, and supply-chain targeting. The most consistently reported, high-confidence details are its Iranian nexus, its aliases, activity since at least 2013, targeting of aerospace, defense, and energy, password spraying, an espionage mission, and abuse of Azure/Entra ID discovery tooling.
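Added example, not code from the page or from any vendor tooling: a small detector for the two-stage pattern described above, a password spray followed by bulk directory enumeration through Graph-style endpoints, run over constructed sign-in and API-call records. The record fields, thresholds, and endpoint prefix list are assumptions, loosely modelled on the shape of Entra ID sign-in and Microsoft Graph activity logs rather than on any real schema.

```python
from collections import defaultdict

# Thresholds and endpoint prefixes are assumptions for this example, not
# values from the page or from any vendor detection rule.
SPRAY_MIN_USERS = 5        # distinct accounts failing from one source IP
DISCOVERY_MIN_TYPES = 4    # distinct directory object types read by one session
DIRECTORY_PREFIXES = ("/users", "/groups", "/servicePrincipals",
                      "/applications", "/roleManagement", "/directoryRoles")

def find_spray_sources(signins):
    """IPs that failed against many distinct accounts: the password spray shape."""
    failed_users = defaultdict(set)
    for rec in signins:
        if rec["result"] == "failure":
            failed_users[rec["ip"]].add(rec["user"])
    return {ip for ip, users in failed_users.items() if len(users) >= SPRAY_MIN_USERS}

def find_discovery_sessions(graph_calls):
    """Sessions that read many distinct directory object types (AzureHound/ROADtools-like)."""
    types_hit = defaultdict(set)
    for call in graph_calls:
        path = call["uri"].split("?", 1)[0]          # drop the query string
        for prefix in DIRECTORY_PREFIXES:
            if path.startswith(prefix):
                types_hit[call["session"]].add(prefix)
    return {s for s, t in types_hit.items() if len(t) >= DISCOVERY_MIN_TYPES}

def correlate(signins, graph_calls):
    """(user, ip, session) triples where a spraying IP obtained a session that then enumerated."""
    spray_ips = find_spray_sources(signins)
    discovery = find_discovery_sessions(graph_calls)
    return {(r["user"], r["ip"], r["session"]) for r in signins
            if r["result"] == "success" and r["ip"] in spray_ips
            and r["session"] in discovery}

# Constructed sample data (documentation IP range, fake tenant): one IP fails against
# six accounts, succeeds on a seventh, and that session then walks the directory.
SIGNINS = [{"user": f"u{i}@example.test", "ip": "203.0.113.9",
            "result": "failure", "session": None} for i in range(6)]
SIGNINS.append({"user": "u6@example.test", "ip": "203.0.113.9",
                "result": "success", "session": "s1"})
SIGNINS.append({"user": "admin@example.test", "ip": "198.51.100.4",
                "result": "success", "session": "s2"})
GRAPH = [{"session": "s1", "uri": f"/{e}?$top=999"} for e in
         ("users", "groups", "servicePrincipals", "applications",
          "roleManagement/directory/roleAssignments")]
GRAPH.append({"session": "s2", "uri": "/me/messages"})   # benign user traffic

if __name__ == "__main__":
    print(correlate(SIGNINS, GRAPH))
```

Real sign-in logs carry a result code (Entra uses numeric error codes for bad passwords) rather than a plain "failure" string, so the result mapping is the first thing to adapt when pointing this at production data.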
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- IR
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Iranian threat group observed using ROADtools-like discovery tooling during active intrusions in 2023.
Used ROADtools following password spray campaigns to operate in Microsoft cloud environments.
Iran-linked threat actor associated in reporting with disruptive attacks against IT infrastructure using disk-wiping malware.
Suspected IRGC-tied espionage actor emphasizing tailored phishing, supply-chain compromise, and use of zero-days/custom backdoors; reported targeting includes Israeli defense contractors.