Charmingcypress

Threat Actor Profile Updated 3 months ago
Download STIX
Preview STIX
CharmingCypress, also known as Charming Kitten and APT42, is a threat actor linked to Iran that has recently targeted Middle East policy experts in the region, as well as those in the US and Europe. The group is highly committed to surveillance of their targets, using this information to manipulate them and deploy malware. Their operations are marked by a significant volume of campaigns, supported by dedicated human operators. The group leverages a variety of techniques, including spear-phishing and the use of a phony webinar platform, to compromise its targets. In September and October 2023, CharmingCypress utilized typo-squatted domains, which mimic legitimate domain names, to pose as officials from the International Institute of Iranian Studies (IIIS). They invited policy experts to a webinar, demonstrating a low-and-slow approach that avoided immediate suspicion by not including any malicious links or attachments in the initial communication. Instead, they encouraged targets to engage through other communication channels such as WhatsApp and Signal. The ultimate goal of CharmingCypress's attacks is to convince policy experts to install malware. These attacks typically begin with spear-phishing and end with the delivery of malware to the target's system. According to an advisory published by incident response services firm Volexity, CharmingCypress exhibits innovative persistence in its operations, consistently evolving its tactics to maintain effectiveness and avoid detection. The group's ongoing efforts present a significant cybersecurity threat to targeted individuals and organizations.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Charming Kitten
1
Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou
Apt42
1
APT42, also known as Charming Kitten, CharmingCypress, Mint Sandstorm, and TA453, is a threat actor associated with Iran. The group has been linked to the Islamic Revolutionary Guard Corps (IRGC) and is recognized for its use of sophisticated tactics, techniques, and procedures (TTPs), such as enhan
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
Signal
Spearphishing
Volexity
Whatsapp
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Charmingcypress Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
5 months ago
Novel backdoor used in Charming Kitten attacks
DARKReading
5 months ago
Iran-Backed Charming Kitten Stages Fake Webinar Platform to Ensnare Targets