Illustration Of CrowdStrike Adversaries

Common Aliases

REFINED KITTEN may also be identified by the following pseudonyms: 

  • APT33
  • Elfin
  • Magnallium
  • Holmium


REFINED KITTEN is a nation-state-based threat actor whose actions are likely tied to the objectives of the Islamic Revolutionary Guard Corps (IRGC) of the Islamic Republic of Iran. The adversary has been involved in conducting primarily espionage-oriented operations since at least 2013. Although intelligence gathering is REFINED KITTEN’s main focus, there have been suspected links between this adversary and the destructive Shamoon malware attacks.  

Historically, REFINED KITTEN has employed both custom-made and open-source remote access tools (RATs) to acquire intelligence from its victims. More recently, however, REFINED KITTEN has increasingly relied on mainstream open-source malware frameworks, such as PoshC2 and PowerShell Empire.


REFINED KITTEN’s ’s complete victim scope is unknown, but its activities tend to concentrate on a specific set of nations and industries – likely reflecting its changing intelligence requirements at any given time.

Target Nations

REFINED KITTEN’s targeting typically concentrates on entities in Saudi Arabia, the United Arab Emirates, and the United States; all of these countries are related to standing interests of the IRGC.

Most recently, heightened tension between the U.S. and Iran during the summer of 2019 was likely a catalyst of the uptick in activities targeting financial and government organizations in the U.S.

Target Industries

While this adversary is unlikely to shy away from any particular industry, REFINED KITTEN’s efforts are most prevalent in the following industries:

  • Aerospace
  • Defense
  • Energy
  • Oil and Gas

Recently, it appears this adversary has set its sights on the defense industry, as REFINED KITTEN has been observed spoofing job postings for defense contractors.


REFINED KITTEN heavily relies on spear-phishing as its method of malware delivery. Victims are likely sent an email that contains a Hypertext Application File (HTA) which is typically used to display spoofed domains hosting a variety of job-themed content. Recently, these spoof domains and their hosted content have defense contractor themes and invite a victim to complete a decoy job application.

In this recent activity, victims are prompted to complete a decoy job application by first taking an action (e.g. complete a CAPTCHA) that downloads additional PowerShell commands from command-and-control (C2) URLs. These additional PowerShell commands have been observed delivering open-source post-exploitation frameworks as payloads (e.g., PoshCh2, Koadic).


REFINED KITTEN is just one of many adversaries tracked by CrowdStrike® Intelligence. Some of the other threat actors that CrowdStrike monitors include the following:

Curious about other eCrime, hacktivist or nation-state adversaries? Visit our threat actor center to learn more about threat actors that the CrowdStrike threat Intelligence team tracks.

Learn More About the Cyber Threat Landscape

Want more insights on the latest adversary tactics, techniques, and procedures (TTPs)? 

CrowdStrike Falcon Free Trial

Adam Meyers

Adam Meyers has authored numerous papers for peer-reviewed industry venues and has received awards for his dedication to the information security industry. As Vice President of Intelligence for Crowdstrike, Meyers oversees all of CrowdStrike’s intelligence gathering and cyber-adversarial monitoring activities. Previously, Meyers was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International where he provided technical expertise at the tactical level and strategic guidance on overall security program objectives.


Try CrowdStrike Free for 15 Days Get Started with A Free Trial