Charmingcypress

CharmingCypress, also known as Charming Kitten and APT42, is a threat actor linked to Iran that has recently targeted Middle East policy experts in the region, as well as those in the US and Europe. The group is highly committed to surveillance of their targets, using this information to manipulate them and deploy malware. Their operations are marked by a significant volume of campaigns, supported by dedicated human operators. The group leverages a variety of techniques, including spear-phishing and the use of a phony webinar platform, to compromise its targets. In September and October 2023, CharmingCypress utilized typo-squatted domains, which mimic legitimate domain names, to pose as officials from the International Institute of Iranian Studies (IIIS). They invited policy experts to a webinar, demonstrating a low-and-slow approach that avoided immediate suspicion by not including any malicious links or attachments in the initial communication. Instead, they encouraged targets to engage through other communication channels such as WhatsApp and Signal. The ultimate goal of CharmingCypress's attacks is to convince policy experts to install malware. These attacks typically begin with spear-phishing and end with the delivery of malware to the target's system. According to an advisory published by incident response services firm Volexity, CharmingCypress exhibits innovative persistence in its operations, consistently evolving its tactics to maintain effectiveness and avoid detection. The group's ongoing efforts present a significant cybersecurity threat to targeted individuals and organizations.