APT35

Threat Actor updated 23 days ago (2024-11-29T13:44:07.452Z)
APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage team. The group conducts long-term, resource-intensive operations to collect strategic and tactical intelligence on behalf of the Islamic Revolutionary Guard Corps (IRGC), an intelligence arm of Iran's military. Its targets are primarily U.S., Western European, and Middle Eastern military, diplomatic, and government personnel, along with organizations in the media, energy, defense industrial base, engineering, business services, and telecommunications sectors. APT35 has also run counterintelligence operations, including attacks against international conferences such as the Munich Security Conference and the Think20 Summit in Saudi Arabia.

The group typically relies on spearphishing for initial compromise, often using lures related to healthcare, job postings, resumes, or password policies. It has been associated with malware including ASPXSHELLSV, BROKEYOLK, PUPYRAT, TUNNA, MANGOPUNCH, DRUBOT, and HOUSEBLEND. Notably, between March 2021 and June 2022, APT35 backdoored at least 34 companies with the previously unknown Sponsor malware, targeting government and healthcare organizations as well as firms in financial services, engineering, manufacturing, technology, law, telecommunications, and other industry sectors.

APT35 has demonstrated technical and operational maturity, conducting reconnaissance and attacks under the guise of sanctioned companies such as Najee Technology and Afkar System. The group overlaps with other threat actors tracked by cybersecurity firms such as Google's Mandiant and CrowdStrike. Microsoft researchers have noted that APT35 used legitimate but compromised accounts to send phishing lures. The goal of these activities is to steal sensitive data from high-value targets, indicating a focus on both strategic intelligence gathering and direct disruption.
Description last updated: 2024-11-05T12:01:58.177Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant. Vote counts reflect community agreement with each alias; descriptions are truncated as shown on the source page.
- Charming Kitten (8 votes): Charming Kitten, also known as APT35 or APT42 among other names, is a threat actor believed to be linked to the Iranian government. The group has been implicated in a series of cyber-attacks against various entities in Brazil, Israel, and the U.A.E., deploying a new backdoor that initiates an infect…
- Phosphorus (5 votes): Phosphorus, also known as APT35 or Charming Kitten, is a prominent threat actor linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group is notorious for its cyberespionage activities and has been actively targeting high-profile individuals involved in Middle Eastern affairs at univ…
- Mint Sandstorm (4 votes): Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cybersecurity threat. The group has demonstrated its capability to rapidly weaponize N-day vulnerabilities in common enterprise applications and c…
- Newscaster (3 votes): APT35, also known as Newscaster Team, is an Iranian government-sponsored cyber espionage group that conducts extensive operations to gather strategic intelligence. The group, which has been active since at least 2014, has been linked to a series of advanced persistent threat (APT) campaigns targetin…
- TA453 (3 votes): TA453, also known as Charming Kitten, APT35, Phosphorus, Newscaster, and Ajax Security Team, is a threat actor group suspected to be linked with the Iranian government. Researchers from Proofpoint have attributed cyberattacks on affiliates of former National Security Adviser John Bolton and nuclear…
- APT42 (3 votes): APT42, also known as Charming Kitten, CharmingCypress, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iran-nexus advanced persistent threat (APT) group that has been active in various cyberattacks. The group employs a range of tactics, techniques, and procedures (TTPs), such…
- Tortoiseshell (2 votes): Tortoiseshell is a prominent threat actor associated with multiple Iranian Advanced Persistent Threat (APT) groups, including MASN. It has been linked to a multi-year cyberattack campaign that targeted over a dozen US companies and government entities, including the Department of the Treasury. The c…
Miscellaneous Associations
Other elements of context that could aid in assessing relevance (tags as listed on the source page):

Phishing, Iran, Malware, Vulnerability, Android, exploitation, iranian, Log4j, Exploit, Backdoor, Apt, Espionage, Dropper, Reconnaissance, flaw
Associated Malware
Malware families the source page links to APT35, with the association type and vote count as listed there (descriptions are truncated as shown):

- BellaCiao (association type: Unspecified; 2 votes): "BellaCiao" is a .NET-based malware linked to the Iran-sponsored group known as Charming Kitten (also referred to as Newsbeef and APT35). First observed in use since at least November 2022, this malicious script dropper has targeted systems in Afghanistan, Austria, Israel, and Turkey. Likely exploit…
Associated Threat Actors
Threat actors the source page links to APT35, with the association type and vote count as listed there (descriptions are truncated as shown):

- MuddyWater (association type: Unspecified; 3 votes): MuddyWater is an Advanced Persistent Threat (APT) actor that first surfaced in 2017, primarily targeting countries in the Middle East, Europe, and the USA. The group uses a range of techniques for its cyber-espionage activities, including PowerShell for execution, HTTP for C2 communications, and mal…
- Mango Sandstorm (association type: Unspecified; 2 votes): Mango Sandstorm, also known as MuddyWater or Mercury, is a threat actor group linked to Iran's Ministry of Intelligence and Security (MOIS) by the Israeli government. The group has been identified as being involved in several cyber-attacks, utilizing various tactics to gain initial access to targete…
- MERCURY (association type: Unspecified; 2 votes): Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLO…
Source Document References
Information about the APT35 threat actor was read from the document corpus below. This display is limited to 20 results; only the publishing source and relative creation date are available here.

- DARKReading (2 months ago)
- DARKReading (a year ago)
- CERT-EU (a year ago)
- InfoSecurity-magazine (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- DARKReading (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- Unit42 (a year ago)
- Securityaffairs (a year ago)
- CERT-EU (a year ago)
- Securelist (a year ago)