Apt42

Threat Actor updated 7 months ago (2024-11-29T14:09:47.672Z)

Download STIX

Preview STIX

APT42, also known as Charming Kitten, CharmingCypress, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iran-nexus advanced persistent threat (APT) group that has been active in various cyberattacks. The group employs a range of tactics, techniques, and procedures (TTPs), such as sending links directly to victims' WhatsApp or Telegram accounts and engaging them in chats to manipulate through social engineering. These TTPs are commonly associated with Iranian APT groups like APT42 and Phosphorus. APT42's activities signify a prolonged, targeted attack on specific entities with the intent to compromise their systems and gain valuable information. The group has recently targeted Middle East policy experts in the region, the US, and Europe, using a fake webinar platform to compromise its victims, according to an advisory published by Volexity. In addition, APT42 has been implicated in attacks against individuals associated with both Democratic and Republican presidential campaigns. In one notable instance, the group used spoofed emails from the Institute for the Study of War (ISW) to invite victims to a fake podcast, ultimately delivering malware named BlackSmith via a malicious Google Drive link. On August 15, Google revealed that APT42 was attempting to compromise the email accounts of individuals associated with the respective US Presidential campaigns via spearphishing attacks. Since June 2024, Insikt Group has tracked infrastructure linked to GreenCharlie, another Iran-nexus cyber threat group with connections to Mint Sandstorm, Charming Kitten, and APT42. There has been a significant increase in cyber threat activity from GreenCharlie. Google attributed Iranian campaign hacking to APT42, which operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization. As tensions between Iran and Israel intensify, it is expected that APT42 will continue to launch increased campaigns, particularly focused on Israel and the U.S., demonstrating their sophisticated, persistent threat capabilities.

Description last updated: 2024-09-18T09:17:00.363Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
TA453 is a possible alias for Apt42. TA453, also known as Charming Kitten, APT35, Phosphorus, Newscaster, and Ajax Security Team, is a threat actor group suspected to be linked with the Iranian government. Researchers from Proofpoint have attributed cyberattacks on affiliates of former National Security Adviser John Bolton and nuclear	4
Charming Kitten is a possible alias for Apt42. Charming Kitten, also known as APT35 or APT42 among other names, is a threat actor believed to be linked to the Iranian government. The group has been implicated in a series of cyber-attacks against various entities in Brazil, Israel, and the U.A.E., deploying a new backdoor that initiates an infect	4
APT35 is a possible alias for Apt42. APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage team. This threat actor conducts long-term, resource-intensive operations to collect strategic and tactical intelligence on behalf of the Islamic Revolutionary Guard Corp	3
Mint Sandstorm is a possible alias for Apt42. Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cybersecurity threat. The group has demonstrated its capability to rapidly weaponize N-day vulnerabilities in common enterprise applications and c	3
Phosphorus is a possible alias for Apt42. Phosphorus, also known as APT35 or Charming Kitten, is a prominent threat actor linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group is notorious for its cyberespionage activities and has been actively targeting high-profile individuals involved in Middle Eastern affairs at univ	3
Imperial Kitten is a possible alias for Apt42. Imperial Kitten, also known as Tortoiseshell and UNC1549, is a significant threat actor identified by cybersecurity firms CrowdStrike and Mandiant. The group has been associated with various malicious activities, including the distribution of malware through SWC, and the use of IMAPLoader and other	2
MuddyWater is a possible alias for Apt42. MuddyWater is an Advanced Persistent Threat (APT) actor that first surfaced in 2017, primarily targeting countries in the Middle East, Europe, and the USA. The group uses a range of techniques for its cyber-espionage activities, including PowerShell for execution, HTTP for C2 communications, and mal	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Phishing

Apt

Email Accounts

Iran

Google

Malware

Ransomware

Microsoft

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Apt42 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	14 hours ago	Threat Brief: Escalation of Cyber Risk Related to Iran
DARKReading	9 months ago	As Geopolitical Tensions Mount, Iran's Cyber Operations Grow
Malwarebytes	10 months ago	Iranian cybercriminals are targeting WhatsApp users in spear phishing campaign \| Malwarebytes
Checkpoint	10 months ago	26th August – Threat Intelligence Report - Check Point Research
InfoSecurity-magazine	10 months ago	Iran Behind Trump Campaign Hack, US Government Confirms
Recorded Future	10 months ago	GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware
BankInfoSecurity	10 months ago	FBI Confirms Iranian Hack Targeting Trump Campaign
Securityaffairs	10 months ago	Security Affairs newsletter Round 485 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	10 months ago	Google disrupted hacking campaigns carried out by Iran-linked APT42
DARKReading	10 months ago	Google: Iran's Charming Kitten Targets US Elections, Israeli Military
InfoSecurity-magazine	10 months ago	Google Warns of Iranian Cyber-Attacks on Presidential Campaigns
BankInfoSecurity	a year ago	New Report Exposes Iranian Hacking Group's Media Masquerade
DARKReading	a year ago	Iran-Backed Charming Kitten Stages Fake Webinar Platform to Ensnare Targets
CERT-EU	a year ago	Iranian threat group Mint Sandstorm targets high-profile Middle East researchers
CERT-EU	2 years ago	Iran’s role in Israel-Hamas war largely 'opportunistic'
CERT-EU	2 years ago	Iran-linked APT TA453 targets Windows and macOS systems \| IT Security News
Securityaffairs	2 years ago	Iran-linked APT TA453 targets Windows and macOS systems
BankInfoSecurity	2 years ago	Feds Urge Immediately Patching of Zoho and Fortinet Products
Securityaffairs	2 years ago	Iran-linked Mint Sandstorm APT targeted US critical infrastructure
Recorded Future	2 years ago	Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank