Threats Feed | APT33 | Last Updated: 08/05/2025 | Author: Certfa Radar | Publish Date: 18/06/2018

Unveiling APT33’s Dropshot: Decrypting the Sophisticated Wiper Malware

  • Actor Motivations: Sabotage
  • Attack Vectors: Wiper
  • Attack Complexity: Unknown
  • Threat Risk: Unknown

Threat Overview

APT33’s Dropshot, also known as StoneDrill, is a sophisticated wiper malware targeting organizations primarily in Saudi Arabia. Dropshot uses advanced anti-emulation techniques and obfuscation to evade detection. The malware decrypts its payload from an encrypted resource embedded in the executable and employs anti-emulation strategies, including calls to Windows APIs with invalid arguments that sandboxes and emulators tend to handle differently from a real system. It also uses zlib to decompress the decrypted payload. This analysis focuses on decrypting Dropshot's encrypted resource to understand its functionality. The malware's association with APT33 and its similarities to the Shamoon malware underscore the threat it poses to targeted sectors.

Detected Targets

Type   | Description  | Confidence
Sector | Energy       | High
Region | Saudi Arabia | Verified

Extracted IOCs

  • 697c515a46484be4f9597cb4f39b2959 (MD5)
  • b107d440ba12fd11a6c5e8b9a4078238 (MD5)
  • 279ff728023eeaa1715403ec823801bf3493f5ca (SHA-1)
  • b1c7558c3d26973c061f378ebdfe7aaaf48a9947 (SHA-1)
  • b9fc1ac4a7ccee467402f190391974a181391da3 (SHA-1)

Tip: 5 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 5 file hashes) have been found for this threat.

FAQs

Understanding APT33’s Dropshot Malware

Dropshot, also known as StoneDrill, is a wiper malware used to destroy data on infected systems. It hides its malicious code in encrypted and compressed resources inside the malware file.

The malware is linked to APT33, a known Iranian threat actor. The use of the Farsi language and past targeting patterns support this attribution.

The likely aim was destructive: wiping or sabotaging data. This is in line with previous operations tied to APT33 and other Iranian groups.

Dropshot has mainly targeted entities in Saudi Arabia, particularly within the energy and government sectors.

It used anti-analysis techniques to avoid detection, decrypted and decompressed a hidden payload from within itself, and executed it by injecting it into legitimate Windows processes.

Energy infrastructure and government institutions are strategic targets that align with geopolitical interests and cyber-sabotage goals.

Organizations should strengthen memory- and behavior-based detection, train analysts to recognize evasive (anti-emulation and anti-analysis) malware behaviors, and inspect executable files for hidden resources and regions of unusually high entropy, which are the signature of an encrypted or compressed embedded payload.
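The following script is an added example of the last recommendation, written for this page and not part of Certfa's tooling or the original analysis. It implements the two static checks a responder would run on a suspicious binary: a sliding-window Shannon entropy scan that flags regions looking encrypted or compressed, and a search for embedded zlib streams (the decompression library the overview names) that only reports candidates that inflate cleanly with a valid Adler-32 trailer. The window size, the 7.0 bits/byte threshold, and the sample "binary" (benign filler wrapped around a zlib-packed pseudo-random blob, standing in for an encrypted resource) are constructed assumptions for the demo; on a real sample you would feed the file bytes, or individual PE sections and resources, to the same functions.

```python
"""Entropy / embedded-zlib triage for a suspicious binary (added example; not Certfa's tooling)."""
import hashlib
import math
import zlib
from collections import Counter

WINDOW = 512          # bytes per entropy window (assumption: tune per file size)
HIGH_ENTROPY = 7.0    # bits/byte; code and text sections usually sit well below this
# Common zlib stream header byte pairs (CMF/FLG for a 32 KiB window, levels 1..9)
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(blob: bytes, window: int = WINDOW, threshold: float = HIGH_ENTROPY):
    """Return [(offset, entropy)] for each non-overlapping window at or above the threshold."""
    hits = []
    for off in range(0, len(blob), window):
        chunk = blob[off:off + window]
        if len(chunk) < 64:          # a short tail gives an unreliable estimate
            continue
        h = shannon_entropy(chunk)
        if h >= threshold:
            hits.append((off, round(h, 2)))
    return hits


def find_zlib_streams(blob: bytes):
    """Try to inflate at every candidate zlib header; keep only streams that end cleanly
    (zlib verifies the Adler-32 trailer before reporting end of stream).
    Returns [(offset, inflated_length, first_16_bytes)]."""
    found = []
    for hdr in ZLIB_HEADERS:
        idx = blob.find(hdr)
        while idx != -1:
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[idx:])
                if out and d.eof:
                    found.append((idx, len(out), out[:16]))
            except zlib.error:
                pass                 # not a real stream, just a matching byte pair
            idx = blob.find(hdr, idx + 1)
    return sorted(found)


def build_sample() -> bytes:
    """Constructed stand-in for a binary: benign filler around a zlib-packed blob.
    The packed payload is deterministic pseudo-random data (SHA-256 outputs), so it
    stays high-entropy after compression, much like an encrypted resource would."""
    filler = b"benign text " * 128                                              # 1536 bytes
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 bytes
    return filler + zlib.compress(payload) + filler


def triage(blob: bytes) -> dict:
    """Combine both checks into one report a responder can act on."""
    return {
        "high_entropy_windows": high_entropy_regions(blob),
        "zlib_streams": [(off, n) for off, n, _ in find_zlib_streams(blob)],
    }


if __name__ == "__main__":
    report = triage(build_sample())
    print("high-entropy windows (offset, bits/byte):", report["high_entropy_windows"])
    print("embedded zlib streams (offset, inflated bytes):", report["zlib_streams"])
```

The entropy scan alone produces false positives on legitimately packed or signed binaries, so the zlib check is there to turn "this region looks random" into "this region inflates to N bytes at offset X", which is something an analyst can carve out and inspect. A payload that is encrypted before compression, as Dropshot's resource is, will show up in the entropy scan but not in the zlib search until it has been decrypted.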

Dropshot appears to be part of a targeted campaign, particularly aimed at Middle Eastern entities. However, the techniques used could be adapted for broader attacks.