What is this malware and what does it do?

Dropshot, also known as StoneDrill, is a wiper malware used to destroy data on infected systems. It hides its malicious code in encrypted and compressed resources inside the malware file.

Who is believed to be behind the attack?

The malware is linked to APT33, a known Iranian threat actor. The use of the Farsi language and past targeting patterns support this attribution.

What was the goal of the attack?

The likely aim was destructive—wiping or sabotaging data. This is in line with previous operations tied to APT33 and other Iranian groups.

Who or what was targeted?

Dropshot has mainly targeted entities in Saudi Arabia, particularly within the energy and government sectors.

How did the malware work?

It used anti-analysis techniques to avoid detection, decrypted and decompressed a hidden payload from within itself, and executed it by injecting it into legitimate Windows processes.

Why are these targets important to the attackers?

Energy infrastructure and government institutions are strategic targets that align with geopolitical interests and cyber-sabotage goals.

What can be done to protect against this threat?

Organizations should enhance memory and behavior-based detection, train teams to recognize evasive malware behaviors, and inspect executable files for hidden resources and unusual entropy levels.

Is this a widespread or targeted issue?

Dropshot appears to be part of a targeted campaign, particularly aimed at Middle Eastern entities. However, the techniques used could be adapted for broader attacks.

Threats Feed|APT33|Last Updated 08/05/2025|AuthorCertfa Radar|Publish Date18/06/2018

Unveiling APT33’s Dropshot: Decrypting the Sophisticated Wiper Malware

Actor Motivations: Sabotage
Attack Vectors: Wiper
Attack Complexity: Unknown
Threat Risk: Unknown

Threat Overview

APT33’s Dropshot, also known as StoneDrill, is a sophisticated wiper malware targeting organizations primarily in Saudi Arabia. Dropshot uses advanced anti-emulation techniques and obfuscation to evade detection. The malware decrypts its payload from an encrypted resource and employs anti-emulation strategies, including invalid Windows API calls. It also leverages zlib for decompression. This analysis focuses on decrypting Dropshot's encrypted resource to understand its functionality. The malware's association with APT33 and similarities to the Shamoon malware underscore its threat to targeted sectors.

Reference and Credit: Megabeets - June 2018

Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2

Detected Targets

Type	Description	Confidence
Sector	Energy	High
Region	Saudi Arabia	Verified

Extracted IOCs

697c515a46484be4f9597cb4f39b2959
b107d440ba12fd11a6c5e8b9a4078238
279ff728023eeaa1715403ec823801bf3493f5ca
b1c7558c3d26973c061f378ebdfe7aaaf48a9947
b9fc1ac4a7ccee467402f190391974a181391da3

download

Tip: 5 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 5 file hash) to this threat have been found.

FAQs

Understanding APT33’s Dropshot Malware

: Dropshot, also known as StoneDrill, is a wiper malware used to destroy data on infected systems. It hides its malicious code in encrypted and compressed resources inside the malware file.
: The malware is linked to APT33, a known Iranian threat actor. The use of the Farsi language and past targeting patterns support this attribution.
: The likely aim was destructive—wiping or sabotaging data. This is in line with previous operations tied to APT33 and other Iranian groups.
: Dropshot has mainly targeted entities in Saudi Arabia, particularly within the energy and government sectors.
: It used anti-analysis techniques to avoid detection, decrypted and decompressed a hidden payload from within itself, and executed it by injecting it into legitimate Windows processes.
: Energy infrastructure and government institutions are strategic targets that align with geopolitical interests and cyber-sabotage goals.
: Organizations should enhance memory and behavior-based detection, train teams to recognize evasive malware behaviors, and inspect executable files for hidden resources and unusual entropy levels.
: Dropshot appears to be part of a targeted campaign, particularly aimed at Middle Eastern entities. However, the techniques used could be adapted for broader attacks.

About Affiliation

APT33

Associate threats