APT35, also widely known by its alias Charming Kitten, represents a significant and persistent cyber espionage threat attributed to the Iranian government. Active for nearly a decade, this Advanced Persistent Threat (APT) group focuses on conducting long-term operations aimed at collecting strategic intelligence aligned with Iranian national interests. Operating with considerable resources, APT35 targets a diverse range of sectors globally, with a particular emphasis on the United States, Israel, and other Middle Eastern nations. This group employs a variety of tactics, ranging from sophisticated social engineering campaigns to the deployment of custom malware and exploitation of known vulnerabilities. Understanding the origins, motives, tactics, and targets of APT35 is crucial for security professionals seeking to defend their organizations against this adaptive and determined adversary. This profile provides a comprehensive overview of APT35, detailing its evolution, operational methods, victimology, notable campaigns, and effective defense strategies.
APT35, also tracked under numerous aliases including Phosphorus, Mint Sandstorm (Microsoft), Magic Hound (CrowdStrike), COBALT MIRAGE (Secureworks), Newscaster Team, Ajax Security, TunnelVision, TA453 (Proofpoint), COBALT ILLUSION (Mandiant), ITG18 (IBM), and G0059 (MITRE ATT&CK), was first prominently identified in the cybersecurity landscape around 2014. However, evidence suggests its activities may date back to at least 2013. Multiple cybersecurity firms (including Mandiant, Microsoft, FireEye, CrowdStrike, Google) and government agencies consistently attribute APT35's operations to the Islamic Republic of Iran, often linking it specifically to the Islamic Revolutionary Guard Corps (IRGC). This attribution is based on targeting patterns aligning with IRGC strategic interests, technical indicators, and operational characteristics.
Initially, some assessments described APT35's technical sophistication as marginal compared to other state-sponsored APTs, often relying heavily on readily available tools and spear-phishing. However, the group has demonstrated significant evolution over time. Early campaigns focused heavily on social media spying and credential harvesting through relatively simple phishing pages. Over the years, APT35 has expanded its capabilities significantly. Research from firms like FireEye noted an expansion in their malware development capabilities as early as 2018.
The group has adapted its tactics to include the exploitation of significant vulnerabilities like Log4j (Log4Shell) and Microsoft Exchange (ProxyShell) shortly after their public disclosure, indicating a well-resourced and agile operational posture. They have developed and deployed more sophisticated custom tools, such as the HYPERSCRAPE email extraction tool and the PowerLess backdoor, designed for stealth and enhanced data collection. Despite periodic disruptions, such as Microsoft's seizure of 99 domains used by the group in 2019, APT35 has proven resilient, rebuilding infrastructure and continuing its espionage campaigns. Their evolution highlights a commitment to long-term strategic intelligence gathering, adapting their methods to bypass defenses and maintain persistence against high-value targets. Vulnerability exploitation is therefore one of the group's TTPs that security professionals should account for.
APT35 employs a multi-faceted approach to achieve its espionage objectives, blending social engineering, vulnerability exploitation, and malware deployment. Their Tactics, Techniques, and Procedures (TTPs) demonstrate adaptability and persistence across the attack lifecycle. Understanding the group's indicators of compromise (IOCs) is important for identifying its attacks.
Reconnaissance: The group invests significant effort in identifying targets and gathering intelligence. This includes Open-Source Intelligence (OSINT) gathering, identifying key personnel within target organizations (often via LinkedIn or professional networking sites), and creating fake personas and spoofed domains that mimic legitimate entities (e.g., news organizations, technology companies, conferences).
Initial Access: Spear-phishing remains a primary vector for APT35. They craft highly targeted emails often leveraging lures relevant to the victim's industry or interests, such as job postings, resumes, healthcare information, password policy updates, or invitations to conferences. These emails typically contain malicious links directing victims to credential harvesting pages or malicious attachments (e.g., Office documents with macros or remote template injection). They have also been observed using SMS-based phishing (smishing) and exploiting public-facing vulnerabilities like Log4Shell, ProxyShell, Fortinet SSL VPN flaws, and VMware vCenter vulnerabilities (CVE-2021-21972). Watering hole attacks, compromising legitimate websites frequented by targets, have also been part of their repertoire.
Execution & Persistence: Once initial access is gained, APT35 employs various methods to execute code and maintain persistence. This includes leveraging PowerShell for command execution (often obfuscated), deploying custom backdoors like PowerLess (which runs PowerShell in a .NET context for stealth), and utilizing Remote Access Trojans (RATs) such as PupyRAT. Persistence is often achieved through scheduled tasks, registry run keys, or abusing legitimate system accounts (like the DefaultAccount) for RDP access. Security logging is one way to identify this activity.
Defense Evasion: APT35 utilizes several techniques to evade detection. They run malware in hidden windows, attempt to disable security features like LSA protection, use encryption for C2 communications (HTTPS, DNS tunneling, custom protocols), leverage legitimate cloud services (Dropbox, Google Drive) for hosting payloads or C2, and employ tools designed to mimic legitimate user activity (e.g., HYPERSCRAPE mimicking an email client). Their PowerLess backdoor's execution within a .NET context is another stealth measure.
Credential Access: A core objective for APT35 is stealing credentials. This is achieved through phishing pages, keyloggers deployed via malware, extracting credentials from browser data, and dumping LSASS memory to harvest cached credentials. Stolen credentials are often validated across multiple services.
Discovery: Post-compromise, the group gathers information about the compromised system and network, including OS version, hostname, user accounts, network configuration, connected Wi-Fi networks, running processes, and directory listings.
Lateral Movement: APT35 moves laterally within compromised networks primarily using stolen credentials, often via Remote Desktop Protocol (RDP). They frequently use tunneling tools like Fast Reverse Proxy (FRP) or Plink (PuTTY Link) to encapsulate RDP traffic, often over SSH or non-standard ports (e.g., 4443, 10151), to bypass network segmentation and security monitoring.
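As an added example (not from the original article), the following Python sketch turns several of the TTPs above into detection logic over constructed Sysmon-style events: PowerShell launched with a hidden window or an encoded command, the LSA Protection (RunAsPPL) registry value being cleared, and RDP carried through plink/FRP or egress to the non-standard ports 4443 and 10151. Field names follow Sysmon's process-create, registry-set and network-connection events; the sample records, paths and base64 string are constructed, not real indicators.

```python
"""Detection sketch for TTPs in this profile: hidden-window/encoded PowerShell, LSA
Protection (RunAsPPL) tampering, and RDP tunnelled via plink/FRP over non-standard ports.
Added example, not from the article; the events below are constructed Sysmon-style records."""
import re
from typing import Callable, Dict, Iterable, List

TUNNEL_TOOLS = {"plink.exe", "frpc.exe", "frps.exe"}  # tunnelling binaries named above
TUNNEL_PORTS = {4443, 10151}                          # non-standard ports named above
RDP_PORT = 3389
LSA_PPL_KEY = r"hklm\system\currentcontrolset\control\lsa\runasppl"
# powershell.exe accepts abbreviated switches, so match the short forms as well.
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:in|indowstyle)?\s+h(?:idden)?\b", re.I)
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)

def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process_create(ev: Dict) -> List[str]:
    """Sysmon EventID 1: obfuscated PowerShell launches and tunnelling tools."""
    alerts, image, cmd = [], _image_name(ev.get("Image", "")), ev.get("CommandLine", "")
    if image in {"powershell.exe", "pwsh.exe"}:
        if HIDDEN_RE.search(cmd):
            alerts.append("PowerShell started with a hidden window (T1059.001)")
        if ENCODED_RE.search(cmd):
            alerts.append("PowerShell started with an encoded command (T1027)")
    if image in TUNNEL_TOOLS:
        alerts.append(f"tunnelling tool executed: {image}")
    return alerts

def check_registry_set(ev: Dict) -> List[str]:
    """Sysmon EventID 13: RunAsPPL written as 0, i.e. LSA Protection disabled."""
    if (ev.get("TargetObject", "").lower() == LSA_PPL_KEY
            and ev.get("Details", "").endswith("0x00000000)")):
        return ["LSA Protection (RunAsPPL) set to 0 (T1562.001)"]
    return []

def check_network(ev: Dict) -> List[str]:
    """Sysmon EventID 3: RDP reached through a tunnel, or egress to tunnel ports."""
    alerts, image = [], _image_name(ev.get("Image", ""))
    port = int(ev.get("DestinationPort", 0))
    initiated = str(ev.get("Initiated", "false")).lower() == "true"
    if image in TUNNEL_TOOLS and port == RDP_PORT:
        alerts.append(f"{image} connecting to RDP: tunnelled RDP (T1021.001)")
    if initiated and port in TUNNEL_PORTS:
        alerts.append(f"outbound connection to non-standard port {port} from {image}")
    return alerts

CHECKS: Dict[int, Callable[[Dict], List[str]]] = {1: check_process_create, 3: check_network, 13: check_registry_set}

def triage(events: Iterable[Dict]) -> List[str]:
    """Run the check matching each event's ID and return host-tagged findings."""
    findings = []
    for ev in events:
        for msg in CHECKS.get(ev.get("EventID"), lambda _e: [])(ev):
            findings.append(f"[{ev.get('Computer', '?')}] {msg}")
    return findings

# Constructed sample telemetry (dummy base64, placeholder paths), not real IoCs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Users\Public\plink.exe",
     "CommandLine": "plink.exe <args omitted>"},
    {"EventID": 13, "Computer": "WS01", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL"},
    {"EventID": 3, "Computer": "SRV02", "Image": r"C:\Users\Public\frpc.exe",
     "DestinationPort": 3389, "Initiated": "true"},
    {"EventID": 3, "Computer": "SRV02", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationPort": 10151, "Initiated": "true"},
    {"EventID": 3, "Computer": "SRV02", "Image": r"C:\Windows\explorer.exe",
     "DestinationPort": 443, "Initiated": "true"},  # benign: no finding
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

In production the same checks would be expressed as SIEM or EDR rules over live Sysmon data; the port and tool lists should be tuned to what is legitimately used in the environment.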
Collection & Exfiltration: The group's primary goal is data collection. They deploy tools like HYPERSCRAPE specifically designed to steal emails en masse from providers like Google, Yahoo!, and Microsoft Outlook, often requiring stolen credentials or session cookies. Keyloggers, screen capture utilities, and direct file access are also used. Data exfiltration typically occurs over the established C2 channel, sometimes using encrypted archives or uploading data to compromised or attacker-controlled cloud storage accounts. They have also shown interest in compromising Telegram accounts, likely requiring access to the victim's linked email for verification codes. They have also abused Google Ads to gain initial access.
Associated Tools and Malware:
APT35 utilizes a mix of custom and publicly available tools.
| Tactic | Technique ID | Technique Name | Description |
|---|---|---|---|
| Initial Access | T1566 | Phishing | Using emails with malicious links/attachments to gain entry. |
| | T1190 | Exploit Public-Facing Application | Exploiting vulnerabilities in web servers, VPNs, etc. |
| | T1078 | Valid Accounts | Using stolen or brute-forced credentials for initial access. |
| | T1189 | Drive-by Compromise | Compromising users through malicious websites or ads. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Using PowerShell for execution of commands and payloads. |
| | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Using cmd.exe for execution. |
| | T1204.002 | User Execution: Malicious File | Relies on user interaction to execute malicious files (e.g., opening an attachment). |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Adding entries to registry keys or startup folders to run malware at startup. |
| | T1053.005 | Scheduled Task/Job: Scheduled Task | Creating scheduled tasks to maintain persistence or execute payloads. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Exploiting local vulnerabilities to gain higher privileges. |
| | T1055 | Process Injection | Injecting code into legitimate processes. |
| Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion | Deleting malware binaries, logs, or original files post-encryption. |
| | T1562.001 | Impair Defenses: Disable or Modify Tools | Disabling antivirus, EDR, or other security software. |
| | T1027 | Obfuscated Files or Information | Using packers or obfuscation to hide malicious code. |
| | T1211 | Exploitation for Defense Evasion | Exploiting vulnerabilities in security software. |
| | T1070.006 | Indicator Removal: Timestomp | Modifying timestamps of files to blend in. |
| Credential Access | T1003 | OS Credential Dumping | Dumping credentials from memory (e.g., LSASS). |
| | T1555 | Credentials from Password Stores | Stealing credentials stored in browsers or password managers. |
| | T1110.001 | Brute Force: Password Guessing | Attempting to guess passwords for accounts. |
| Discovery | T1083 | File and Directory Discovery | Searching for sensitive files and directories. |
| | T1057 | Process Discovery | Identifying running processes (e.g., security tools to disable). |
| | T1016 | System Network Configuration Discovery | Identifying network settings, domains, and connections. |
| | T1135 | Network Share Discovery | Finding accessible network shares for lateral movement or data staging. |
| | T1082 | System Information Discovery | Gathering information about the compromised system (OS, hardware). |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | Using RDP to move between systems. |
| | T1021.002 | Remote Services: SMB/Windows Admin Shares | Using administrative shares (C$, ADMIN$) for lateral movement. |
| | T1570 | Lateral Tool Transfer | Copying tools or malware to remote systems. |
| Collection | T1074 | Data Staged | Collecting data in a central location before exfiltration. |
| | T1119 | Automated Collection | Using scripts to automatically gather specific file types. |
| Command & Control | T1071 | Application Layer Protocol | Using standard protocols (HTTP/S, DNS) for C2 communication, often via Tor or legitimate services. |
| | T1105 | Ingress Tool Transfer | Downloading additional tools or malware components from C2 servers. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Sending stolen data back through the established C2 channel. |
| | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Uploading data to legitimate cloud storage services (e.g., MEGA, Dropbox). |
| Impact | T1486 | Data Encrypted for Impact | Encrypting files on local systems and network shares. |
| | T1490 | Inhibit System Recovery | Deleting shadow copies, backups, or disabling recovery features. |
| | T1489 | Service Stop | Stopping services (e.g., databases, security tools) that might interfere with encryption or recovery. |
| | T1529 | System Shutdown/Reboot | Potentially rebooting systems after encryption. |
| Tool/Malware Name | Type/Description |
|---|---|
| HYPERSCRAPE | .NET email data extraction tool (Gmail, Yahoo, Outlook) |
| PowerLess | PowerShell backdoor running in a .NET context |
| PupyRAT | Open-source Remote Access Trojan |
| ASPXSHELLSV | Web shell |
| DownPaper | Downloader |
| StoneDrill | Wiper/backdoor |
| BROKEYOLK | Credential stealer |
| TUNNA | Tunneling tool |
| MANGOPUNCH | Backdoor |
| DRUBOT | Malware dropper |
| HOUSEBLEND | Backdoor |
| SysKit | Information stealer/backdoor |
| Telegram_Grabber | Tool targeting Telegram accounts |
| Chairmack | Backdoor |
| Disttrack | Wiper malware (related to Shamoon) |
| Fast Reverse Proxy | Open-source tunneling tool |
| Plink (PuTTY Link) | Command-line connection tool (used for tunneling) |
| DiskCryptor/BitLocker | Legitimate disk encryption tools (abused) |
| Mimikatz | Credential dumping tool (likely used) |
|
APT35's targeting strategy is directly aligned with the strategic interests of the Iranian government, primarily focusing on cyber espionage to gather intelligence. While espionage is the main driver, there have been indicators suggesting potential links to disruptive activities (like wiper malware) and possibly monetization attempts (e.g., selling access, links to ransomware like Momento).
Geographic Focus: The group primarily targets organizations and individuals in the United States, Israel, and other Middle Eastern countries. Activity has also been observed targeting entities in Western Europe.
Industry Sectors: APT35 exhibits broad targeting across multiple critical sectors:
Government & Diplomacy: Ministries, diplomatic missions, government officials (especially those involved in foreign policy, defense, or sanctions related to Iran).
Military & Defense: Defense contractors, military personnel, organizations within the Defense Industrial Base (DIB).
Academia & Research: Universities and research institutions, particularly those involved in Middle Eastern studies, nuclear research, or sensitive scientific fields (e.g., genetics, oncology).
Media & Journalism: News organizations and journalists, especially those covering Middle Eastern affairs or Iranian politics.
Activists & Dissidents: Human rights activists, political opponents of the Iranian regime, both inside and outside Iran.
Critical Infrastructure & Private Sector: Organizations in energy, telecommunications, engineering, and business services.
Potential Impact: Successful intrusions by APT35 can lead to significant consequences, including:
Data Breaches: Theft of sensitive government secrets, military plans, intellectual property, proprietary business information, and personal data.
Operational Disruption: While primarily focused on espionage, the use of wipers (StoneDrill, Disttrack) or links to ransomware (Momento) indicate a potential for disruptive or destructive attacks.
Compromise of Communications: Access to email accounts and messaging platforms enables surveillance and potential manipulation.
Erosion of Trust: Attacks on diplomatic or media entities can undermine trust and influence public opinion.
The consistent focus on these targets underscores APT35's role as an intelligence-gathering arm for the Iranian state, seeking information to inform policy, counter perceived threats, and advance national security objectives. Insider threats are also increasingly common.
APT35 has been linked to numerous high-profile and persistent campaigns over the years. Some notable examples include:
Early Social Media Spying (2014 onwards): Initial campaigns involved creating extensive networks of fake social media profiles (often impersonating journalists or recruiters) to establish trust and ultimately deliver malware or direct targets to credential harvesting sites.
HBO Hack (2017): APT35 was widely implicated in the significant cyberattack against HBO, resulting in the theft of 1.5 terabytes of data, including unaired television episodes (like Game of Thrones) and internal documents. An Iranian national, Behzad Mesri, associated with the group, was indicted by the U.S. Department of Justice for this attack.
Iran Nuclear Deal Targeting (Ongoing): The group has repeatedly targeted individuals and organizations involved with the Joint Comprehensive Plan of Action (JCPOA), including U.S. officials, think tanks, and researchers, attempting to gain insights into negotiations and policy positions.
U.S. Presidential Election Interference Attempts (2019-2020): Microsoft and U.S. government agencies reported attempts by APT35 to compromise email accounts associated with a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics, and prominent Iranians living outside Iran. These efforts primarily involved credential harvesting attempts.
"BadBlood" Campaign (Targeting Medical Research): APT35 targeted medical research organizations in the U.S. and Israel focusing on genetics, oncology, and neurology, using phishing lures related to topics like Israeli nuclear capabilities to trick victims into revealing credentials.
Vulnerability Exploitation Waves (2021 onwards): The group rapidly adopted exploits for major vulnerabilities like ProxyShell (Microsoft Exchange) and Log4Shell (Log4j), conducting widespread scanning and exploitation campaigns to gain initial access into vulnerable organizations globally.
HYPERSCRAPE Deployment (2022 onwards): Development and use of the custom HYPERSCRAPE tool marked a significant evolution, enabling large-scale, stealthy extraction of email data from compromised accounts, initially observed targeting Iranian dissidents.
Momento Ransomware Association (Observed 2021): Researchers noted TTP overlaps (shared URL patterns, file naming, vulnerability exploitation like CVE-2021-21972) between APT35 activity and deployments of the Momento ransomware, suggesting a possible connection or shared infrastructure/tooling, potentially indicating attempts at monetization or false flag operations. Such attacks can also result in data privacy breaches at healthcare organizations.
These campaigns illustrate APT35's persistence, adaptability, and alignment with Iranian state interests across espionage, potential disruption, and influence operations. A patch management strategy is a key part of preventing such attacks.
Defending against a persistent and adaptive threat actor like APT35 requires a multi-layered, defense-in-depth security strategy. Given their heavy reliance on phishing, credential theft, and vulnerability exploitation, specific focus areas are crucial:
Strengthen Email Security: Implement robust email filtering solutions (including AI-driven detection) to block phishing attempts. Enforce email authentication standards like DMARC, SPF, and DKIM. Regularly train users to identify and report suspicious emails, the common types of phishing attacks, and social engineering tactics.
Enforce Strong Authentication: Mandate Multi-Factor Authentication (MFA) across all externally accessible services (email, VPN, cloud platforms) and for privileged accounts. This is critical to mitigate the impact of stolen credentials, a primary APT35 objective. To enhance security, consider using passwordless authentication.
Vulnerability and Patch Management: Maintain a rigorous patch management program to address known vulnerabilities promptly, especially for internet-facing systems like VPNs, web servers, and email servers (e.g., Exchange). Prioritize patching vulnerabilities known to be exploited by APT35. Conduct regular vulnerability assessments.
Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting malicious PowerShell execution, process injection, credential dumping attempts (LSASS access), and known APT35 malware signatures/behaviors.
Network Monitoring and Segmentation: Monitor network traffic for unusual patterns, including connections to known malicious IPs/domains, communication over non-standard ports, and tunneling protocols (SSH, FRP). Implement network segmentation to limit lateral movement opportunities. Consider egress filtering to block unauthorized C2 channels. A Security Information and Event Management (SIEM) system is very helpful here.
Principle of Least Privilege: Enforce the principle of least privilege for user accounts and service accounts. Limit administrative privileges strictly to those who require them. Use Privileged Access Management (PAM) solutions.
Zero Trust Architecture: Adopt Zero Trust principles, continuously verifying user and device access requests regardless of network location. Assume breach and verify explicitly.
Secure Configuration: Harden system configurations, disable unnecessary services, restrict script execution where possible, and implement security features like LSA Protection.
Incident Response Plan: Develop, maintain, and regularly test an incident response plan specifically considering APT tactics like credential compromise, lateral movement via RDP/tunnels, and data exfiltration. Tabletop exercises simulating APT35 scenarios can be highly beneficial.
Threat Intelligence: Leverage threat intelligence feeds to stay updated on APT35 TTPs, IOCs (Indicators of Compromise), and targeted vulnerabilities. Integrate IOCs into security tools (SIEM, EDR, Firewalls).
By implementing these combined technical and procedural controls, organizations can significantly improve their resilience against APT35's espionage activities. Organizations should also stay informed about the latest cybersecurity incidents.
APT35 (Charming Kitten) remains a formidable and highly active cyber espionage group operating with the suspected backing of the Iranian government, likely the IRGC. Their primary objective is gathering strategic intelligence to support Iranian state interests, targeting a wide array of sectors across the globe, particularly in the US and the Middle East. Characterized by persistent spear-phishing campaigns, evolving malware capabilities (including custom tools like HYPERSCRAPE and PowerLess), and the opportunistic exploitation of vulnerabilities, APT35 poses a significant threat. While initially perceived as less sophisticated, their adaptability, resourcefulness, and resilience have proven effective over nearly a decade of operations. Defending against APT35 requires a comprehensive security posture emphasizing robust authentication, vigilant phishing defense, timely patching, advanced endpoint and network monitoring, and a well-rehearsed incident response capability. Continuous vigilance and adaptation of defenses are essential to mitigate the risks posed by this enduring threat actor. Understanding CVSS scoring also helps prioritize the mitigation of existing vulnerabilities.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.