What is Dropshot malware?

Dropshot (also called StoneDrill) is a destructive malware used by a known hacking group. It’s designed to wipe data and make systems unusable.

Who is behind the attack?

The malware is linked to APT33, a group previously associated with cyber operations targeting the Middle East, especially Saudi Arabia.

What was the goal of the attack?

Dropshot is a wiper, meaning its main goal is to destroy data and disrupt operations rather than steal information.

Who or what was targeted?

Organizations in Saudi Arabia were the primary targets, likely due to geopolitical interests.

How does the malware work?

It hides its real functionality by encrypting strings and dynamically loading needed system functions, making it hard for analysts to study.

Why are such targets attractive?

Critical infrastructure and government-linked organizations in the Middle East are high-value targets due to regional tensions and strategic importance.

What can organizations do to protect themselves?

They should use advanced malware detection tools, monitor for signs of tampering like unusual memory activity, and stay updated on APT group indicators.

Is this a widespread threat?

This appears to be a targeted attack rather than a broad campaign, but the techniques used can be adapted for wider use.

Threats Feed|APT33|Last Updated 07/05/2025|AuthorCertfa Radar|Publish Date21/05/2018

APT33's Dropshot Malware: Advanced Evasion Techniques Unveiled

Actor Motivations: Sabotage
Attack Vectors: Wiper
Attack Complexity: Unknown
Threat Risk: Unknown

Threat Overview

APT33's Dropshot malware, also known as StoneDrill, targeted organizations primarily in Saudi Arabia. Dropshot, a sophisticated wiper malware, employs advanced anti-emulation techniques and string encryption to evade detection and analysis. The malware's high entropy suggests packed or compressed data, particularly in the .rsrc section, indicating hidden malicious content. This analysis focuses on decrypting the strings within Dropshot.

Reference and Credit: Megabeets - May 2018

Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1

Detected Targets

Type	Description	Confidence
Sector	Energy	High
Region	Saudi Arabia	Verified

Extracted IOCs

0ccc9ec82f1d44c243329014b82d3125
279ff728023eeaa1715403ec823801bf3493f5ca

download

Tip: 2 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 2 file hash) to this threat have been found.

FAQs

Understanding the Dropshot Malware

: Dropshot (also called StoneDrill) is a destructive malware used by a known hacking group. It’s designed to wipe data and make systems unusable.
: The malware is linked to APT33, a group previously associated with cyber operations targeting the Middle East, especially Saudi Arabia.
: Dropshot is a wiper, meaning its main goal is to destroy data and disrupt operations rather than steal information.
: Organizations in Saudi Arabia were the primary targets, likely due to geopolitical interests.
: It hides its real functionality by encrypting strings and dynamically loading needed system functions, making it hard for analysts to study.
: Critical infrastructure and government-linked organizations in the Middle East are high-value targets due to regional tensions and strategic importance.
: They should use advanced malware detection tools, monitor for signs of tampering like unusual memory activity, and stay updated on APT group indicators.
: This appears to be a targeted attack rather than a broad campaign, but the techniques used can be adapted for wider use.

About Affiliation

APT33

Associate threats