April 4, 2025

APT35

APT35, also widely known by its alias Charming Kitten, represents a significant and persistent cyber espionage threat attributed to the Iranian government. Active for nearly a decade, this Advanced Persistent Threat (APT) group focuses on conducting long-term operations aimed at collecting strategic intelligence aligned with Iranian national interests. Operating with considerable resources, APT35 targets a diverse range of sectors globally, with a particular emphasis on the United States, Israel, and other Middle Eastern nations. This group employs a variety of tactics, ranging from sophisticated social engineering campaigns to the deployment of custom malware and exploitation of known vulnerabilities. Understanding the origins, motives, tactics, and targets of APT35 is crucial for security professionals seeking to defend their organizations against this adaptive and determined adversary. This profile provides a comprehensive overview of APT35, detailing its evolution, operational methods, victimology, notable campaigns, and effective defense strategies.

Origins & Evolution

APT35, also tracked under numerous aliases including Phosphorus and Mint Sandstorm (Microsoft), Magic Hound (CrowdStrike), COBALT MIRAGE (Secureworks), Newscaster Team, Ajax Security Team, TunnelVision, TA453 (Proofpoint), COBALT ILLUSION (Mandiant), ITG18 (IBM), and G0059 (MITRE ATT&CK), was first prominently identified in the cybersecurity landscape around 2014. However, evidence suggests its activities may date back to at least 2013. Multiple cybersecurity firms (including Mandiant, Microsoft, FireEye, CrowdStrike, Google) and government agencies consistently attribute APT35's operations to the Islamic Republic of Iran, often linking it specifically to the Islamic Revolutionary Guard Corps (IRGC). This attribution is based on targeting patterns aligning with IRGC strategic interests, technical indicators, and operational characteristics.

Initially, some assessments described APT35's technical sophistication as marginal compared to other state-sponsored APTs, often relying heavily on readily available tools and spear-phishing. However, the group has demonstrated significant evolution over time. Early campaigns focused heavily on social media spying and credential harvesting through relatively simple phishing pages. Over the years, APT35 has expanded its capabilities significantly. Research from firms like FireEye noted an expansion in their malware development capabilities as early as 2018.

The group has adapted its tactics to include the exploitation of significant vulnerabilities like Log4j (Log4Shell) and Microsoft Exchange (ProxyShell) shortly after their public disclosure, indicating a well-resourced and agile operational posture. They have developed and deployed more sophisticated custom tools, such as the HYPERSCRAPE email extraction tool and the PowerLess backdoor, designed for stealth and enhanced data collection. Despite periodic disruptions, such as Microsoft's seizure of 99 domains used by the group in 2019, APT35 has proven resilient, rebuilding infrastructure and continuing its espionage campaigns. Their evolution highlights a commitment to long-term strategic intelligence gathering, adapting their methods to bypass defenses and maintain persistence against high-value targets. Vulnerability exploitation is now a standing part of their TTPs, and security professionals should plan for it.

Tactics & Techniques

APT35 employs a multi-faceted approach to achieve its espionage objectives, blending social engineering, vulnerability exploitation, and malware deployment. Their Tactics, Techniques, and Procedures (TTPs) demonstrate adaptability and persistence across the attack lifecycle. Knowing the associated indicators of compromise (IOCs) is essential for identifying their attacks.

  • Reconnaissance: The group invests significant effort in identifying targets and gathering intelligence. This includes Open-Source Intelligence (OSINT) gathering, identifying key personnel within target organizations (often via LinkedIn or professional networking sites), and creating fake personas and spoofed domains that mimic legitimate entities (e.g., news organizations, technology companies, conferences).

  • Initial Access: Spear-phishing remains a primary vector for APT35. They craft highly targeted emails often leveraging lures relevant to the victim's industry or interests, such as job postings, resumes, healthcare information, password policy updates, or invitations to conferences. These emails typically contain malicious links directing victims to credential harvesting pages or malicious attachments (e.g., Office documents with macros or remote template injection). They have also been observed using SMS-based phishing (smishing) and exploiting public-facing vulnerabilities like Log4Shell, ProxyShell, Fortinet SSL VPN flaws, and VMware vCenter vulnerabilities (CVE-2021-21972). Watering hole attacks, compromising legitimate websites frequented by targets, have also been part of their repertoire.

  • Execution & Persistence: Once initial access is gained, APT35 employs various methods to execute code and maintain persistence. This includes leveraging PowerShell for command execution (often obfuscated), deploying custom backdoors like PowerLess (which runs PowerShell in a .NET context for stealth), and utilizing Remote Access Trojans (RATs) such as PupyRAT. Persistence is often achieved through scheduled tasks, registry run keys, or abusing legitimate system accounts (like the DefaultAccount) for RDP access. Security logging of these persistence mechanisms is one way to identify such activity.

  • Defense Evasion: APT35 utilizes several techniques to evade detection. They run malware in hidden windows, attempt to disable security features like LSA protection, use encryption for C2 communications (HTTPS, DNS tunneling, custom protocols), leverage legitimate cloud services (Dropbox, Google Drive) for hosting payloads or C2, and employ tools designed to mimic legitimate user activity (e.g., HYPERSCRAPE mimicking an email client). Their PowerLess backdoor's execution within a .NET context is another stealth measure.

  • Credential Access: A core objective for APT35 is stealing credentials. This is achieved through phishing pages, keyloggers deployed via malware, extracting credentials from browser data, and dumping LSASS memory to harvest cached credentials. Stolen credentials are often validated across multiple services.

  • Discovery: Post-compromise, the group gathers information about the compromised system and network, including OS version, hostname, user accounts, network configuration, connected Wi-Fi networks, running processes, and directory listings.

  • Lateral Movement: APT35 moves laterally within compromised networks primarily using stolen credentials, often via Remote Desktop Protocol (RDP). They frequently use tunneling tools like Fast Reverse Proxy (FRP) or Plink (PuTTY Link) to encapsulate RDP traffic, often over SSH or non-standard ports (e.g., 4443, 10151), to bypass network segmentation and security monitoring.

  • Collection & Exfiltration: The group's primary goal is data collection. They deploy tools like HYPERSCRAPE specifically designed to steal emails en masse from providers like Google, Yahoo!, and Microsoft Outlook, often requiring stolen credentials or session cookies. Keyloggers, screen capture utilities, and direct file access are also used. Data exfiltration typically occurs over the established C2 channel, sometimes using encrypted archives or uploading data to compromised or attacker-controlled cloud storage accounts. They have also shown interest in compromising Telegram accounts, likely requiring access to the victim's linked email for verification codes. They have also abused Google Ads to obtain initial access.

Associated Tools and Malware:

APT35 utilizes a mix of custom and publicly available tools.

Tactics and Techniques

| Tactic | Technique ID | Technique Name | Description |
|---|---|---|---|
| Initial Access | T1566 | Phishing | Using emails with malicious links/attachments to gain entry. |
| Initial Access | T1190 | Exploit Public-Facing Application | Exploiting vulnerabilities in web servers, VPNs, etc. |
| Initial Access | T1078 | Valid Accounts | Using stolen or brute-forced credentials for initial access. |
| Initial Access | T1189 | Drive-by Compromise | Compromising users through malicious websites or ads. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Using PowerShell for execution of commands and payloads. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Using cmd.exe for execution. |
| Execution | T1204.002 | User Execution: Malicious File | Relies on user interaction to execute malicious files (e.g., opening an attachment). |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Adding entries to registry keys or startup folders to run malware at startup. |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Creating scheduled tasks to maintain persistence or execute payloads. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Exploiting local vulnerabilities to gain higher privileges. |
| Privilege Escalation | T1055 | Process Injection | Injecting code into legitimate processes. |
| Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion | Deleting malware binaries, logs, or original files post-encryption. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Disabling antivirus, EDR, or other security software. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Using packers or obfuscation to hide malicious code. |
| Defense Evasion | T1211 | Exploitation for Defense Evasion | Exploiting vulnerabilities in security software. |
| Defense Evasion | T1070.006 | Indicator Removal: Timestomp | Modifying timestamps of files to blend in. |
| Credential Access | T1003 | OS Credential Dumping | Dumping credentials from memory (e.g., LSASS). |
| Credential Access | T1555 | Credentials from Password Stores | Stealing credentials stored in browsers or password managers. |
| Credential Access | T1110.001 | Brute Force: Password Guessing | Attempting to guess passwords for accounts. |
| Discovery | T1083 | File and Directory Discovery | Searching for sensitive files and directories. |
| Discovery | T1057 | Process Discovery | Identifying running processes (e.g., security tools to disable). |
| Discovery | T1016 | System Network Configuration Discovery | Identifying network settings, domains, and connections. |
| Discovery | T1135 | Network Share Discovery | Finding accessible network shares for lateral movement or data staging. |
| Discovery | T1082 | System Information Discovery | Gathering information about the compromised system (OS, hardware). |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | Using RDP to move between systems. |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | Using administrative shares (C$, ADMIN$) for lateral movement. |
| Lateral Movement | T1570 | Lateral Tool Transfer | Copying tools or malware to remote systems. |
| Collection | T1074 | Data Staged | Collecting data in a central location before exfiltration. |
| Collection | T1119 | Automated Collection | Using scripts to automatically gather specific file types. |
| Command & Control | T1071 | Application Layer Protocol | Using standard protocols (HTTP/S, DNS) for C2 communication, often via Tor or legitimate services. |
| Command & Control | T1105 | Ingress Tool Transfer | Downloading additional tools or malware components from C2 servers. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Sending stolen data back through the established C2 channel. |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Uploading data to legitimate cloud storage services (e.g., MEGA, Dropbox). |
| Impact | T1486 | Data Encrypted for Impact | Encrypting files on local systems and network shares. |
| Impact | T1490 | Inhibit System Recovery | Deleting shadow copies, backups, or disabling recovery features. |
| Impact | T1489 | Service Stop | Stopping services (e.g., databases, security tools) that might interfere with encryption or recovery. |
| Impact | T1529 | System Shutdown/Reboot | Potentially rebooting systems after encryption. |

Tools and Malware

| Tool/Malware Name | Type/Description |
|---|---|
| HYPERSCRAPE | .NET email data extraction tool (Gmail, Yahoo, Outlook) |
| PowerLess | PowerShell backdoor running in a .NET context |
| PupyRAT | Open-source Remote Access Trojan |
| ASPXSHELLSV | Web shell |
| DownPaper | Downloader |
| StoneDrill | Wiper/backdoor |
| BROKEYOLK | Credential stealer |
| TUNNA | Tunneling tool |
| MANGOPUNCH | Backdoor |
| DRUBOT | Malware dropper |
| HOUSEBLEND | Backdoor |
| SysKit | Information stealer/backdoor |
| Telegram_Grabber | Tool targeting Telegram accounts |
| Chairmack | Backdoor |
| Disttrack | Wiper malware (related to Shamoon) |
| Fast Reverse Proxy | Open-source tunneling tool |
| Plink (PuTTY Link) | Command-line connection tool (used for tunneling) |
| DiskCryptor/BitLocker | Legitimate disk encryption tools (abused) |
| Mimikatz | Credential dumping tool (likely used) |

Targets or Victimology

APT35's targeting strategy is directly aligned with the strategic interests of the Iranian government, primarily focusing on cyber espionage to gather intelligence. While espionage is the main driver, there have been indicators suggesting potential links to disruptive activities (like wiper malware) and possibly monetization attempts (e.g., selling access, links to ransomware like Memento).

  • Geographic Focus: The group primarily targets organizations and individuals in the United States, Israel, and other Middle Eastern countries. Activity has also been observed targeting entities in Western Europe.

  • Industry Sectors: APT35 exhibits broad targeting across multiple critical sectors:

    • Government & Diplomacy: Ministries, diplomatic missions, government officials (especially those involved in foreign policy, defense, or sanctions related to Iran).

    • Military & Defense: Defense contractors, military personnel, organizations within the Defense Industrial Base (DIB).

    • Academia & Research: Universities and research institutions, particularly those involved in Middle Eastern studies, nuclear research, or sensitive scientific fields (e.g., genetics, oncology).

    • Media & Journalism: News organizations and journalists, especially those covering Middle Eastern affairs or Iranian politics.

    • Activists & Dissidents: Human rights activists, political opponents of the Iranian regime, both inside and outside Iran.

    • Critical Infrastructure & Private Sector: Organizations in energy, telecommunications, engineering, and business services.

  • Potential Impact: Successful intrusions by APT35 can lead to significant consequences, including:

    • Data Breaches: Theft of sensitive government secrets, military plans, intellectual property, proprietary business information, and personal data.

    • Operational Disruption: While primarily focused on espionage, the use of wipers (StoneDrill, Disttrack) and links to ransomware (Memento) indicate a potential for disruptive or destructive attacks.

    • Compromise of Communications: Access to email accounts and messaging platforms enables surveillance and potential manipulation.

    • Erosion of Trust: Attacks on diplomatic or media entities can undermine trust and influence public opinion.

The consistent focus on these targets underscores APT35's role as an intelligence-gathering arm for the Iranian state, seeking information to inform policy, counter perceived threats, and advance national security objectives. Insider threats are also common now.

Attack Campaigns

APT35 has been linked to numerous high-profile and persistent campaigns over the years. Some notable examples include:

  1. Early Social Media Spying (2014 onwards): Initial campaigns involved creating extensive networks of fake social media profiles (often impersonating journalists or recruiters) to establish trust and ultimately deliver malware or direct targets to credential harvesting sites.

  2. HBO Hack (2017): APT35 was widely implicated in the significant cyberattack against HBO, resulting in the theft of 1.5 terabytes of data, including unaired television episodes (like Game of Thrones) and internal documents. An Iranian national, Behzad Mesri, associated with the group, was indicted by the U.S. Department of Justice for this attack.

  3. Iran Nuclear Deal Targeting (Ongoing): The group has repeatedly targeted individuals and organizations involved with the Joint Comprehensive Plan of Action (JCPOA), including U.S. officials, think tanks, and researchers, attempting to gain insights into negotiations and policy positions.

  4. U.S. Presidential Election Interference Attempts (2019-2020): Microsoft and U.S. government agencies reported attempts by APT35 to compromise email accounts associated with a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics, and prominent Iranians living outside Iran. These efforts primarily involved credential harvesting attempts.

  5. "BadBlood" Campaign (Targeting Medical Research): APT35 targeted medical research organizations in the U.S. and Israel focusing on genetics, oncology, and neurology, using phishing lures related to topics like Israeli nuclear capabilities to trick victims into revealing credentials.

  6. Vulnerability Exploitation Waves (2021 onwards): The group rapidly adopted exploits for major vulnerabilities like ProxyShell (Microsoft Exchange) and Log4Shell (Log4j), conducting widespread scanning and exploitation campaigns to gain initial access into vulnerable organizations globally.

  7. HYPERSCRAPE Deployment (2022 onwards): Development and use of the custom HYPERSCRAPE tool marked a significant evolution, enabling large-scale, stealthy extraction of email data from compromised accounts, initially observed targeting Iranian dissidents.

  8. Memento Ransomware Association (Observed 2021): Researchers noted TTP overlaps (shared URL patterns, file naming, vulnerability exploitation like CVE-2021-21972) between APT35 activity and deployments of the Memento ransomware, suggesting a possible connection or shared infrastructure/tooling, potentially indicating attempts at monetization or false flag operations. Such attacks can also cause data privacy breaches at healthcare organizations.

These campaigns illustrate APT35's persistence, adaptability, and alignment with Iranian state interests across espionage, potential disruption, and influence operations. A disciplined patch management strategy is a key preventive measure against the exploitation-driven campaigns among them.

Defenses

Defending against a persistent and adaptive threat actor like APT35 requires a multi-layered, defense-in-depth security strategy. Given their heavy reliance on phishing, credential theft, and vulnerability exploitation, specific focus areas are crucial:

  1. Strengthen Email Security: Implement robust email filtering solutions (including AI-driven detection) to block phishing attempts. Enforce email authentication standards like DMARC, SPF, and DKIM. Regularly train users to recognize and report suspicious emails, the common types of phishing attacks, and social engineering tactics.

  2. Enforce Strong Authentication: Mandate Multi-Factor Authentication (MFA) across all externally accessible services (email, VPN, cloud platforms) and for privileged accounts. This is critical to mitigate the impact of stolen credentials, a primary APT35 objective. To enhance security, consider using passwordless authentication.

  3. Vulnerability and Patch Management: Maintain a rigorous patch management program to address known vulnerabilities promptly, especially for internet-facing systems like VPNs, web servers, and email servers (e.g., Exchange). Prioritize patching vulnerabilities known to be exploited by APT35. Conduct regular vulnerability assessments.

  4. Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting malicious PowerShell execution, process injection, credential dumping attempts (LSASS access), and known APT35 malware signatures/behaviors.

  5. Network Monitoring and Segmentation: Monitor network traffic for unusual patterns, including connections to known malicious IPs/domains, communication over non-standard ports, and tunneling protocols (SSH, FRP). Implement network segmentation to limit lateral movement opportunities. Consider egress filtering to block unauthorized C2 channels. A SIEM (Security Information and Event Management) platform is very helpful for correlating these signals.

  6. Principle of Least Privilege: Enforce the principle of least privilege for user accounts and service accounts. Limit administrative privileges strictly to those who require them. Use Privileged Access Management (PAM) solutions.

  7. Zero Trust Architecture: Adopt Zero Trust principles, continuously verifying user and device access requests regardless of network location. Assume breach and verify explicitly.

  8. Secure Configuration: Harden system configurations, disable unnecessary services, restrict script execution where possible, and implement security features like LSA Protection.

  9. Incident Response Plan: Develop, maintain, and regularly test an incident response plan specifically considering APT tactics like credential compromise, lateral movement via RDP/tunnels, and data exfiltration. Tabletop exercises simulating APT35 scenarios can be highly beneficial.

  10. Threat Intelligence: Leverage threat intelligence feeds to stay updated on APT35 TTPs, IOCs (Indicators of Compromise), and targeted vulnerabilities. Integrate IOCs into security tools (SIEM, EDR, Firewalls).
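
The tunnelled-RDP, DefaultAccount and LSASS indicators from the Tactics & Techniques section, and the EDR and network-monitoring advice in the list above, turned into detection logic run over constructed log records. This is an added example written for this profile, not a tool from the page or from any vendor; the record field names, the sample events, the port list and the lsass.exe allow-list are assumptions to be tuned per environment.

```python
"""Flag APT35-style post-compromise activity in Sysmon/Security-log style records:
RDP tunnelled via FRP/Plink on non-standard ports, RDP logons as DefaultAccount,
and non-allow-listed processes opening lsass.exe (credential dumping)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators taken from the profile above.
TUNNEL_TOOLS = {"frpc.exe", "frps.exe", "plink.exe"}
TUNNEL_PORTS = {4443, 10151}            # non-standard ports cited for tunnelled RDP
ABUSED_BUILTIN_ACCOUNTS = {"defaultaccount"}
LOGON_TYPE_RDP = 10                     # Event 4624 LogonType 10 = RemoteInteractive
# Assumption: processes that legitimately open lsass.exe in this environment.
LSASS_ALLOWED_IMAGES = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

# Constructed sample records (Sysmon EID 3 = network connect, EID 10 = process
# access, Security EID 4624 = logon). Addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"event_id": 3, "image": r"C:\Users\Public\frpc.exe", "dest_ip": "203.0.113.10",
     "dest_port": 10151, "user": "CORP\\jdoe"},
    {"event_id": 3, "image": r"C:\Windows\System32\svchost.exe", "dest_ip": "10.0.0.5",
     "dest_port": 443, "user": "NT AUTHORITY\\SYSTEM"},
    {"event_id": 3, "image": r"C:\ProgramData\plink.exe", "dest_ip": "198.51.100.7",
     "dest_port": 4443, "user": "CORP\\jdoe"},
    {"event_id": 3, "image": r"C:\Windows\Temp\svc.exe", "dest_ip": "203.0.113.44",
     "dest_port": 4443, "user": "CORP\\jdoe"},
    {"event_id": 4624, "logon_type": 10, "user": "DefaultAccount", "src_ip": "10.0.0.20"},
    {"event_id": 4624, "logon_type": 10, "user": "CORP\\alice", "src_ip": "10.0.0.30"},
    {"event_id": 10, "source_image": r"C:\Windows\Temp\dump.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
]


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK ID from the table above
    reason: str


def _basename(path):
    return PureWindowsPath(path).name.lower()


def check_tunneling(ev):
    """EID 3: outbound connection by a known tunneling tool, or to a tunnel port."""
    if ev.get("event_id") != 3:
        return []
    image = _basename(ev["image"])
    if image in TUNNEL_TOOLS:
        return [Finding("T1021.001", f"tunneling tool {image} -> {ev['dest_ip']}:{ev['dest_port']}")]
    if ev["dest_port"] in TUNNEL_PORTS:
        return [Finding("T1021.001", f"{image} -> non-standard tunnel port {ev['dest_port']}")]
    return []


def check_builtin_rdp(ev):
    """EID 4624 with LogonType 10 for a built-in account such as DefaultAccount."""
    if ev.get("event_id") != 4624 or ev.get("logon_type") != LOGON_TYPE_RDP:
        return []
    user = ev["user"].split("\\")[-1].lower()
    if user in ABUSED_BUILTIN_ACCOUNTS:
        return [Finding("T1078", f"RDP logon as built-in account {ev['user']} from {ev['src_ip']}")]
    return []


def check_lsass_access(ev):
    """EID 10: a process outside the allow-list opened a handle to lsass.exe."""
    if ev.get("event_id") != 10 or _basename(ev["target_image"]) != "lsass.exe":
        return []
    src = _basename(ev["source_image"])
    if src not in LSASS_ALLOWED_IMAGES:
        return [Finding("T1003", f"{src} opened lsass.exe with access {ev['granted_access']}")]
    return []


CHECKS = (check_tunneling, check_builtin_rdp, check_lsass_access)


def scan(events):
    """Run every check over every record; returns findings in event order."""
    return [f for ev in events for check in CHECKS for f in check(ev)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.technique}] {finding.reason}")
```

In production the records would come from a SIEM or EDR export; the checks are deliberately simple so they can be ported to that platform's query language.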

By implementing these combined technical and procedural controls, organizations can significantly improve their resilience against APT35's espionage activities. Moreover, organizations should be aware of the latest cybersecurity incidents.

Conclusion

APT35 (Charming Kitten) remains a formidable and highly active cyber espionage group operating with the suspected backing of the Iranian government, likely the IRGC. Their primary objective is gathering strategic intelligence to support Iranian state interests, targeting a wide array of sectors across the globe, particularly in the US and the Middle East. Characterized by persistent spear-phishing campaigns, evolving malware capabilities (including custom tools like HYPERSCRAPE and PowerLess), and the opportunistic exploitation of vulnerabilities, APT35 poses a significant threat. While initially perceived as less sophisticated, their adaptability, resourcefulness, and resilience have proven effective over nearly a decade of operations. Defending against APT35 requires a comprehensive security posture emphasizing robust authentication, vigilant phishing defense, timely patching, advanced endpoint and network monitoring, and a well-rehearsed incident response capability. Continuous vigilance and adaptation of defenses are essential to mitigate the risks posed by this enduring threat actor. Understanding CVSS (the Common Vulnerability Scoring System) also helps in prioritizing the mitigation of existing vulnerabilities.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
