Mint Sandstorm

Threat Actor updated a month ago (2024-08-13T20:18:01.284Z)
Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cyber threat actor. The group is known for its highly skilled operators and sophisticated social engineering; its lures often lack the typical hallmarks of phishing emails, which makes them harder to detect. It has been observed rapidly weaponizing N-day vulnerabilities in common enterprise applications and running targeted phishing campaigns to gain access to environments of interest. Notably, in June, it targeted US critical infrastructure by sending a spear-phishing email from a compromised account to a high-ranking official of the Trump campaign.

In recent years, Mint Sandstorm has refined its tradecraft and increased its activity. It has targeted high-profile individuals and organizations, including journalists, researchers, professors, and other experts covering security and policy topics of interest to the Iranian government. In one notable campaign, it used a tailored phishing lure related to the Hamas-Israel conflict to target universities. The group also tends to drop malicious files in specific locations on compromised systems, such as C:\Users\[REDACTED]\AppData\Local\Microsoft\Media Player\MediaPl.dll, to maintain persistence and evade detection.

To mitigate the threat posed by Mint Sandstorm, Microsoft has recommended several measures: staying vigilant against phishing attempts, regularly updating and patching software to protect against exploitation of known vulnerabilities, and maintaining robust cybersecurity protocols. Despite these recommendations, Mint Sandstorm continues to evolve its tooling and techniques to persist in compromised environments and evade detection, and it remains an ongoing threat.
Description last updated: 2024-08-13T20:15:37.528Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Phosphorus | 4 | Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the
APT35 | 4 | APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
Charming Kitten | 4 | Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iranian threat actor group that has been linked to various cyber attacks. It has targeted entities in Brazil, Israel, and the United Arab Emirates using a new backdoor, as revealed by securit
Apt42 | 3 | APT42, also known as Charming Kitten and CharmingCypress, is an Iran-nexus advanced persistent threat (APT) group known for its sophisticated and persistent cyber-attack strategies. The group has recently targeted Middle East policy experts in the region, as well as in the US and Europe, using a pho
TA453 | 3 | TA453, also known as Charming Kitten, APT35, APT42, Ballistic Bobcat, Phosphorus, and Ajax Security Team, is a threat actor linked to the Iranian government. This group has been implicated in numerous cyber espionage activities targeting various entities globally. In one notable incident, researcher
COBALT ILLUSION | 2 | Cobalt Illusion, also known as Mint Sandstorm, APT42, and TA453 among other names, is a threat actor known for its sophisticated social engineering campaigns. This group is associated with the Islamic Revolutionary Guard Corps and is recognized for conducting surveillance and espionage activities ag
MERCURY | 2 | Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLO
MuddyWater | 2 | MuddyWater is a notable threat actor group that has been associated with various cyber-attacks, primarily targeting organizations in the Middle East, particularly Israeli entities, but also extending its activities to other nations including India, Jordan, Portugal, Turkey, and Azerbaijan. The group
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Microsoft
Apt
iranian
Exploit
Iran
Malware
Curl
Papercut
Vulnerability
flaw
exploitation
State Sponso...
Backdoor
Associated Malware
ID | Type | Votes | Profile Description
CharmPower | Unspecified | 2 | CharmPower, also known as POWERSTAR or GhostEcho, is a malicious software developed by the Iranian hacking group known as Charming Kitten. This PowerShell-based modular backdoor malware has recently been updated and distributed through spear-phishing campaigns, as discovered by Volexity. The malware
Associated Threat Actors
ID | Type | Votes | Profile Description
Mango Sandstorm | Unspecified | 2 | Mango Sandstorm, also known as MuddyWater or Mercury, is a threat actor group linked to Iran's Ministry of Intelligence and Security (MOIS) by the Israeli government. The group has been identified as being involved in several cyber-attacks, utilizing various tactics to gain initial access to targete
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-27350 | Unspecified | 2 | CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
Source Document References
Information about the Mint Sandstorm threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | a month ago | Google disrupted hacking campaigns carried out by Iran-linked APT42
Securityaffairs | a month ago | Elon Musk claims that a DDoS attack caused problems with the livestream interview with Donald Trump
InfoSecurity-magazine | a month ago | Microsoft Reveals Iranian US Election Interference Ops
Securityaffairs | a month ago | Foreign nation-state actors hacked Donald Trump's campaign
DARKReading | 5 months ago | 5 Attack Trends Organizations of All Sizes Should Be Monitoring
DARKReading | 7 months ago | Iran-Backed Charming Kitten Stages Fake Webinar Platform to Ensnare Targets
InfoSecurity-magazine | 8 months ago | New Leaks Expose Web of Iranian Intelligence and Cyber Companies
Checkpoint | 8 months ago | 22nd January – Threat Intelligence Report - Check Point Research
CERT-EU | 8 months ago | Iran's Mint Sandstorm APT Hits Universities with Hamas-Israel Phishing Scam
DARKReading | 8 months ago | Microsoft: Iran's Mint Sandstorm APT Blasts Educators, Researchers
CERT-EU | 8 months ago | Cyber Security Today, Jan. 19, 2024 – Vulnerabilities found in server firmware, a warning to Docker administrators, and more | IT World Canada News
CERT-EU | 8 months ago | Cyber Security Week in Review: January 19, 2024
CERT-EU | 8 months ago | Iranian threat group Mint Sandstorm targets high-profile Middle East researchers
InfoSecurity-magazine | 8 months ago | Iranian Phishing Campaign Targets Israel-Hamas War Experts
CERT-EU | 8 months ago | Iranian Mint Sandstorm Attacking Researchers With Hacking Tools | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 8 months ago | Microsoft: Iranian hackers target researchers with new MediaPl malware
CERT-EU | 8 months ago | Iranian hackers targeting 'high-profile' experts on Middle East | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 8 months ago | Iranian Hackers Impersonated Journalists to Study Israel-Hamas War | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 8 months ago | New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs | Microsoft Security Blog
MITRE | 9 months ago | Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 | Microsoft Security Blog