APT42

Threat Actor Profile Updated 25 days ago
APT42, also known as Charming Kitten, CharmingCypress, Mint Sandstorm, and TA453, is a threat actor associated with Iran. The group has been linked to the Islamic Revolutionary Guard Corps (IRGC) and is recognized for its sophisticated tactics, techniques, and procedures (TTPs), notably elaborate social engineering schemes and credential harvesting. These methods have enabled APT42 to infiltrate various sectors globally, with a particular focus on Microsoft 365 environments. The group's activities often involve impersonating high-ranking individuals from reputable organizations such as the Aspen Institute.

The group's victimology, widely reported in open sources, indicates a strategic targeting approach. APT42 has targeted Middle East policy experts in the Middle East, the US, and Europe, using a fake webinar platform to compromise its victims. The group has also been known to send links directly to victims' WhatsApp or Telegram accounts, engaging them in chats to manipulate them through social engineering. High-profile targets include researchers, NGO leaders, and human rights activists perceived as threats to the Iranian government.

Mandiant, a Google-owned threat intelligence firm, has reported extensively on APT42's activities, highlighting its worldwide impact. The firm warns that the extent of APT42's operations could be far more significant than currently understood, given the group's emphasis on credential harvesting. In some instances, members of APT42 have posed as journalists to steal vast amounts of data. The group has also used legitimate but compromised accounts to send phishing lures, demonstrating refined tradecraft aimed at high-value targets.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names or profiles you may also want to look at.
ID | Votes | Profile Description
TA453 | 3 | TA453, also known as Charming Kitten, APT35, Phosphorus, and Ballistic Bobcat, is a threat actor attributed to the Iranian government. This group has been involved in numerous cyber espionage campaigns against various entities worldwide, with notable incidents involving an attack on a close affiliat
Charming Kitten | 3 | Charming Kitten is a threat actor group, believed to be of Iranian origin, known for its advanced and sophisticated cyberattacks. The group has been active in launching attacks against various entities in Brazil, Israel, and the United Arab Emirates using a new backdoor method, as reported by Securi
Mint Sandstorm | 3 | Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val
Phosphorus | 3 | Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the
APT35 | 3 | APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the APT42 threat actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
BankInfoSecurity | 25 days ago | New Report Exposes Iranian Hacking Group's Media Masquerade
Recorded Future | a year ago | Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank
Securityaffairs | a year ago | Iran-linked Mint Sandstorm APT targeted US critical infrastructure
Securityaffairs | a year ago | Iran-linked APT TA453 targets Windows and macOS systems
BankInfoSecurity | 9 months ago | Feds Urge Immediately Patching of Zoho and Fortinet Products
BankInfoSecurity | 9 months ago | Feds Urge Immediate Patching of Zoho and Fortinet Products
BankInfoSecurity | 8 months ago | Iranian Hackers Gain Sophistication, Microsoft Warns
CERT-EU | 9 months ago | Iranian Cyberspies Deployed New Backdoor to 34 Organizations
CERT-EU | 4 months ago | Iranian threat group Mint Sandstorm targets high-profile Middle East researchers
CERT-EU | 7 months ago | Iran’s role in Israel-Hamas war largely 'opportunistic'
CERT-EU | a year ago | Iran-linked APT TA453 targets Windows and macOS systems | IT Security News
DARKReading | 3 months ago | Iran-Backed Charming Kitten Stages Fake Webinar Platform to Ensnare Targets