APT42

Threat Actor Profile (updated 3 months ago)
APT42, also known as Charming Kitten, CharmingCypress, Mint Sandstorm, and TA453, is a threat actor associated with Iran. The group has been linked to the Islamic Revolutionary Guard Corps (IRGC) and is recognized for its sophisticated tactics, techniques, and procedures (TTPs), in particular elaborate social engineering schemes and credential harvesting. These methods have enabled APT42 to infiltrate various sectors globally, with a particular focus on Microsoft 365 environments. The group's activities often involve impersonating high-ranking individuals from reputable organizations such as the Aspen Institute.

The group's victimology, widely reported in open sources, indicates a strategic targeting approach. APT42 has targeted Middle East policy experts in the region, the US, and Europe, using a fake webinar platform to compromise its victims. The group has also been known to send links directly to victims' WhatsApp or Telegram accounts, engaging them in chats to manipulate them through social engineering. High-profile targets include researchers, NGO leaders, and human rights activists perceived as threats to the Iranian government.

Mandiant, a Google-owned threat intelligence firm, has extensively reported on APT42's activities, highlighting its worldwide impact. The firm warns that the extent of APT42's operations could be far more significant than currently understood, given the group's emphasis on credential harvesting. In some instances, members of APT42 have posed as journalists to steal large amounts of data. The group has also used legitimate but compromised accounts to send phishing lures, demonstrating refined tradecraft aimed at high-value targets.
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions across vendors is difficult, so the following are possible overlapping names and profiles that may also be relevant.
ID | Votes | Profile Description
TA453 | 3 | TA453, also known as Charming Kitten, APT35, Phosphorus, and Ballistic Bobcat, is a threat actor attributed to the Iranian government. This group has been involved in numerous cyber espionage campaigns against various entities worldwide, with notable incidents involving an attack on a close affiliat
APT35 | 3 | APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
Phosphorus | 3 | Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the
Mint Sandstorm | 3 | Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val
Charming Kitten | 3 | Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorus, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou
COBALT ILLUSION | 1 | Cobalt Illusion, also known as Mint Sandstorm, APT42, and TA453 among other names, is a threat actor known for its sophisticated social engineering campaigns. This group is associated with the Islamic Revolutionary Guard Corps and is recognized for conducting surveillance and espionage activities ag
MuddyWater | 1 | MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory from cybersecurity firms. The group empl
Rocket Kitten | 1 | Rocket Kitten is a recognized threat actor in the cybersecurity world, known for its malicious activities. This group was particularly active in 2016, using domains such as yahoo-drive.signin-useraccount-mail.com and yahoo-reset.signin-useraccount-mail.com to execute their operations. The group's mo
Imperial Kitten | 1 | Imperial Kitten, also known as Tortoiseshell and UNC1549, is a significant threat actor identified by cybersecurity firms CrowdStrike and Mandiant. The group has been associated with various malicious activities, including the distribution of malware through SWC, and the use of IMAPLoader and other
CharmingCypress | 1 | CharmingCypress, also known as Charming Kitten and APT42, is a threat actor linked to Iran that has recently targeted Middle East policy experts in the region, as well as those in the US and Europe. The group is highly committed to surveillance of their targets, using this information to manipulate
Miscellaneous Associations
Other elements of context that could aid in identifying relevance: Microsoft, APT, Exploit, Mandiant, Iran, Volexity, Phishing, Telegram, WhatsApp
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the APT42 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
BankInfoSecurity | 3 months ago | New Report Exposes Iranian Hacking Group's Media Masquerade
DARKReading | 5 months ago | Iran-Backed Charming Kitten Stages Fake Webinar Platform to Ensnare Targets
CERT-EU | 6 months ago | Iranian threat group Mint Sandstorm targets high-profile Middle East researchers
CERT-EU | 9 months ago | Iran's role in Israel-Hamas war largely 'opportunistic'
CERT-EU | a year ago | Iran-linked APT TA453 targets Windows and macOS systems | IT Security News
Securityaffairs | a year ago | Iran-linked APT TA453 targets Windows and macOS systems
BankInfoSecurity | a year ago | Feds Urge Immediate Patching of Zoho and Fortinet Products
Securityaffairs | a year ago | Iran-linked Mint Sandstorm APT targeted US critical infrastructure
Recorded Future | a year ago | Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank
BankInfoSecurity | 10 months ago | Iranian Hackers Gain Sophistication, Microsoft Warns
CERT-EU | 10 months ago | Iranian Cyberspies Deployed New Backdoor to 34 Organizations
BankInfoSecurity | a year ago | Feds Urge Immediate Patching of Zoho and Fortinet Products