Charming Kitten

Threat Actor updated a day ago (2024-11-20T18:10:49.194Z)
Charming Kitten, also known as APT35 or APT42 among other names, is a threat actor believed to be linked to the Iranian government. The group has been implicated in a series of cyber-attacks against entities in Brazil, Israel, and the U.A.E., deploying a new backdoor that starts an infection chain culminating in the deployment of the Snail Resin malware. Both this backdoor, named "SlugResin", and the malware have been attributed to Charming Kitten by cybersecurity researchers at ClearSky. Charming Kitten has also been associated with reconnaissance and attacks conducted under the cover of front companies such as Najee Technology and Afkar System, both of which were sanctioned by the US Treasury Department in 2022.

More recently, Charming Kitten has targeted individuals associated with both the Democratic and Republican presidential campaigns, according to the US Cybersecurity and Infrastructure Security Agency (CISA). Google's Threat Analysis Group (TAG) has likewise linked the group to attempts to log into the personal email accounts of individuals affiliated with President Biden, Vice President Kamala Harris, and former President Trump. The group has further carried out phishing attacks using a PowerShell-based malware toolkit dubbed "BlackSmith" and has used a wide range of social engineering tactics that reflect its geopolitical stance.

Charming Kitten's activities are viewed as part of Iran's broader strategy to influence global events, particularly elections, reflecting Tehran's growing inclination to shape outcomes that could affect its national security interests. It is therefore likely that Iran-backed threat groups such as Charming Kitten will continue their efforts to disrupt future elections.
While Proofpoint analysts cannot directly link Charming Kitten to individual members of the Islamic Revolutionary Guard Corps (IRGC), they assess that the group operates in support of the IRGC Intelligence Organization (IRGC-IO), based on overlaps in unit numbering between Charming Kitten reports and IRGC units.
Description last updated: 2024-11-15T16:11:00.458Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be relevant. Each entry gives the alias, the number of community votes for the overlap, and the (truncated) profile text.

APT35 (8 votes): APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage team. This threat actor conducts long-term, resource-intensive operations to collect strategic and tactical intelligence on behalf of the Islamic Revolutionary Guard Corp

TA453 (6 votes): TA453, also known as Charming Kitten, APT35, Phosphorus, Newscaster, and Ajax Security Team, is a threat actor group suspected to be linked with the Iranian government. Researchers from Proofpoint have attributed cyberattacks on affiliates of former National Security Adviser John Bolton and nuclear

Phosphorus (5 votes): Phosphorus, also known as APT35 or Charming Kitten, is a prominent threat actor linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group is notorious for its cyberespionage activities and has been actively targeting high-profile individuals involved in Middle Eastern affairs at univ

Yellow Garuda (4 votes): Yellow Garuda, also known as Charming Kitten, APT35, Mint Sandstorm, Cobalt Illusion, and TA453 among other names, is a threat actor believed to be operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The group has been active in various cyber espionage campaigns over the years. I

APT42 (4 votes): APT42, also known as Charming Kitten, CharmingCypress, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iran-nexus advanced persistent threat (APT) group that has been active in various cyberattacks. The group employs a range of tactics, techniques, and procedures (TTPs), such

Mint Sandstorm (4 votes): Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cybersecurity threat. The group has demonstrated its capability to rapidly weaponize N-day vulnerabilities in common enterprise applications and c

ITG18 (2 votes): ITG18, also known as Charming Kitten, Phosphorous, and TA453, is a threat actor that has been active since at least 2013. The group is known for its meticulous techniques in cyber espionage, such as validating stolen credentials by copying and pasting victim usernames and passwords into various webs

Newscaster (2 votes): APT35, also known as Newscaster Team, is an Iranian government-sponsored cyber espionage group that conducts extensive operations to gather strategic intelligence. The group, which has been active since at least 2014, has been linked to a series of advanced persistent threat (APT) campaigns targetin

Ballistic Bobcat (2 votes): Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bob

Tortoiseshell (2 votes): Tortoiseshell is a prominent threat actor associated with multiple Iranian Advanced Persistent Threat (APT) groups, including MASN. It has been linked to a multi-year cyberattack campaign that targeted over a dozen US companies and government entities, including the Department of the Treasury. The c
Miscellaneous Associations
Other contextual tags that may help assess relevance: Phishing, Malware, Iran, APT, Exploit, Backdoor, Espionage, Ransomware, Dropper, Proofpoint, Iranian, Microsoft, Volexity, AWS, Windows, ESET, Remote Code ..., Vulnerability, Zero Day
Associated Malware
Each entry gives the malware name, the recorded association type, the number of community votes, and the (truncated) profile text.

BellaCiao (association type: Unspecified; 4 votes): "BellaCiao" is a .NET-based malware linked to the Iran-sponsored group known as Charming Kitten (also referred to as Newsbeef and APT35). First observed in use since at least November 2022, this malicious script dropper has targeted systems in Afghanistan, Austria, Israel, and Turkey. Likely exploit

CharmPower (association type: Unspecified; 3 votes): CharmPower is a sophisticated malware, identified as an updated version of the Powerstar backdoor, that has been deployed by the Iranian hacking group known as Charming Kitten. The group used this malware in spear-phishing campaigns to target individuals affiliated with think tanks, universities, an

Powerstar (association type: has used; 3 votes): Powerstar is a malicious software (malware) utilized by the Iranian state-sponsored threat operation, Charming Kitten, also known as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. This malware has been deployed in spear-phishing attacks targeting US political and government entities sinc

PowerLess (association type: Unspecified; 2 votes): Powerless is a malicious software (malware) that was deployed by Ballistic Bobcat in September 2021, during the wrap-up of the campaign documented in CISA Alert AA21-321A. This malware was introduced as part of the PowerLess campaign, which involved the use of a new command and control (C&C) server.

NokNok (association type: Unspecified; 2 votes): NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions