Apt42

Threat Actor updated 23 days ago (2024-11-29T14:09:47.672Z)
APT42, also known as Charming Kitten, CharmingCypress, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iran-nexus advanced persistent threat (APT) group with a long record of cyberattacks. Its tactics, techniques, and procedures (TTPs) include sending links directly to victims' WhatsApp or Telegram accounts and then engaging them in chat to manipulate them through social engineering. These TTPs are commonly associated with Iranian APT groups such as APT42 and Phosphorus. APT42's activity reflects prolonged, targeted operations against specific entities, with the intent of compromising their systems and collecting valuable information.

According to an advisory published by Volexity, the group recently targeted Middle East policy experts in the region, the US, and Europe, using a fake webinar platform to compromise its victims. APT42 has also been implicated in attacks against individuals associated with both the Democratic and Republican presidential campaigns. In one notable instance, the group sent spoofed emails purporting to come from the Institute for the Study of War (ISW) that invited victims to a fake podcast and ultimately delivered malware named BlackSmith via a malicious Google Drive link. On August 15, Google disclosed that APT42 was attempting to compromise the email accounts of individuals associated with the respective US presidential campaigns through spearphishing.

Since June 2024, Insikt Group has tracked infrastructure linked to GreenCharlie, another Iran-nexus threat group with connections to Mint Sandstorm, Charming Kitten, and APT42, and has observed a significant increase in GreenCharlie's cyber threat activity. Google attributed the Iranian campaign hacking to APT42, which operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization.

As tensions between Iran and Israel intensify, APT42 is expected to continue launching more campaigns, particularly against Israel and the U.S., demonstrating its sophisticated and persistent threat capability.
Description last updated: 2024-09-18T09:17:00.363Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias descriptions (with vote counts)
Charming Kitten is a possible alias for Apt42. Charming Kitten, also known as APT35 or APT42 among other names, is a threat actor believed to be linked to the Iranian government. The group has been implicated in a series of cyber-attacks against various entities in Brazil, Israel, and the U.A.E., deploying a new backdoor that initiates an infect (Votes: 4)
TA453 is a possible alias for Apt42. TA453, also known as Charming Kitten, APT35, Phosphorus, Newscaster, and Ajax Security Team, is a threat actor group suspected to be linked with the Iranian government. Researchers from Proofpoint have attributed cyberattacks on affiliates of former National Security Adviser John Bolton and nuclear (Votes: 4)
Phosphorus is a possible alias for Apt42. Phosphorus, also known as APT35 or Charming Kitten, is a prominent threat actor linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group is notorious for its cyberespionage activities and has been actively targeting high-profile individuals involved in Middle Eastern affairs at univ (Votes: 3)
APT35 is a possible alias for Apt42. APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage team. This threat actor conducts long-term, resource-intensive operations to collect strategic and tactical intelligence on behalf of the Islamic Revolutionary Guard Corp (Votes: 3)
Mint Sandstorm is a possible alias for Apt42. Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cybersecurity threat. The group has demonstrated its capability to rapidly weaponize N-day vulnerabilities in common enterprise applications and c (Votes: 3)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Apt
WhatsApp
Email Accounts
Malware
Iran
Exploit
Microsoft
Ransomware
Google
Source Document References
Information about the Apt42 threat actor was read from the documents corpus below. This display is limited to 20 results.
Source (created)
DARKReading (3 months ago)
Malwarebytes (4 months ago)
Checkpoint (4 months ago)
InfoSecurity-magazine (4 months ago)
Recorded Future (4 months ago)
BankInfoSecurity (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
DARKReading (4 months ago)
InfoSecurity-magazine (4 months ago)
BankInfoSecurity (8 months ago)
DARKReading (10 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
BankInfoSecurity (a year ago)
Securityaffairs (2 years ago)
Recorded Future (2 years ago)
BankInfoSecurity (a year ago)