Phosphorus

Threat Actor Profile (updated 3 months ago)
Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). The group has carried out a long series of malicious campaigns and continues to adopt novel tactics and tools. One significant discovery came from the Cybereason Nocturnus Team, which identified a previously undocumented PowerShell backdoor attributed to Phosphorus, named the PowerLess Backdoor. Its addition to the group's arsenal marks an evolution in their capabilities. Since November 2023 the group has been observed targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations across several countries.

Phosphorus employs distinctive methods in its operations. In recent attacks it has sent "interview requests" to targeted individuals in emails containing tracking links, which confirm whether the recipient has opened the file. Once the target replies, the attackers send a link to a benign list of interview questions hosted on a cloud service provider. This tactic indicates a shift from, or an expansion of, the group's earlier practice of sending unsolicited links and attachments in spear-phishing campaigns aimed at credential theft. In addition, the Microsoft Threat Intelligence Center (MSTIC) has observed Phosphorus using BitLocker to encrypt data and ransom victims at several targeted organizations.

Beyond its malicious activities, Phosphorus stands out in the cybersecurity landscape with its unique capability to provide complete discovery, remediation, and security management across a wide range of devices on the xIoT. It has fully automated the remediation of the two biggest IoT vulnerabilities: out-of-date firmware and default credentials. This dual role of Phosphorus - as both a threat actor and a cybersecurity solution provider - is noteworthy.

In December 2023, Phosphorus raised $27M for research and development, indicating a significant investment in enhancing its capabilities.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

ID | Votes | Profile Description
APT35 | 5 | APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
Charming Kitten | 5 | Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou
Mint Sandstorm | 4 | Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val
TA453 | 4 | TA453, also known as Charming Kitten, APT35, Phosphorus, and Ballistic Bobcat, is a threat actor attributed to the Iranian government. This group has been involved in numerous cyber espionage campaigns against various entities worldwide, with notable incidents involving an attack on a close affiliat
Apt42 | 3 | APT42, also known as Charming Kitten, CharmingCypress, Mint Sandstorm, and TA453, is a threat actor associated with Iran. The group has been linked to the Islamic Revolutionary Guard Corps (IRGC) and is recognized for its use of sophisticated tactics, techniques, and procedures (TTPs), such as enhan
Ballistic Bobcat | 3 | Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bob
Mango Sandstorm | 2 | Mango Sandstorm, also known as MuddyWater or Mercury, is a threat actor group linked to Iran's Ministry of Intelligence and Security (MOIS) by the Israeli government. The group has been identified as being involved in several cyber-attacks, utilizing various tactics to gain initial access to targete
Newscaster | 2 | APT35, also known as Newscaster Team, is an Iranian government-sponsored cyber espionage group that conducts extensive operations to gather strategic intelligence. The group, which has been active since at least 2014, has been linked to a series of advanced persistent threat (APT) campaigns targetin
ITG18 | 1 | ITG18, also known as Charming Kitten, Phosphorous, and TA453, is a threat actor that has been active since at least 2013. The group is known for its meticulous techniques in cyber espionage, such as validating stolen credentials by copying and pasting victim usernames and passwords into various webs
Ajax Security Team | 1 | None
Midnight Blizzard | 1 | Midnight Blizzard, a Russia-linked Advanced Persistent Threat (APT) group, has emerged as a significant cybersecurity concern. The group is known for executing actions with malicious intent and has been linked to several high-profile cyber attacks on global organizations. Notably, it breached the sy
COBALT ILLUSION | 1 | Cobalt Illusion, also known as Mint Sandstorm, APT42, and TA453 among other names, is a threat actor known for its sophisticated social engineering campaigns. This group is associated with the Islamic Revolutionary Guard Corps and is recognized for conducting surveillance and espionage activities ag
Miscellaneous Associations
Other elements of context that could aid in assessing relevance
Apt
Phishing
Iran
Ransomware
Malware
Backdoor
State Sponso...
Espionage
Vulnerability
Implant
Payload
Microsoft
flaw
iranian
Proxy
Papercut
Microsoft’s
Masquerading
exploitation
Encryption
Extortion
Exploits
Ransom
Encrypt
Log4j
Fortios
Cybereason
Ibm
Eset
Cisco
Trojan
Exploit
PowerShell
State Sponso...
Outlook
Israel
Hamas
CISA
Vpn
Associated Malware
ID | Type | Votes | Profile Description
PowerLess | Unspecified | 6 | Powerless is a malware that was deployed by Ballistic Bobcat in September 2021, as they were concluding the campaign documented in CISA Alert AA21-321A and the PowerLess campaign. The malware was introduced through a new backdoor, exploiting gaps left by traditional security measures which are often
Powerstar | Unspecified | 1 | Powerstar is a malicious software (malware) deployed by the Iranian Advanced Persistent Threat (APT) group known as Charming Kitten, also referred to as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. This malware was used in a series of spear-phishing attacks launched by the group since
Powerless Backdoor | Unspecified | 1 | The PowerLess Backdoor is a novel and previously undocumented malware linked to the Phosphorus group, an Iranian-aligned threat actor. This malicious software was discovered by the Cybereason Nocturnus Team in September 2021 when a victim received an updated version of the Ballistic Bobcat tools, wh
Associated Threat Actors
ID | Type | Votes | Profile Description
MERCURY | Unspecified | 2 | Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLO
MuddyWater | Unspecified | 2 | MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory from cybersecurity firms. The group empl
APT29 | Unspecified | 1 | APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor linked to Russia. This group is notorious for its malicious activities in the cybersecurity realm, executing actions with harmful intent. It has been associated with several high-profi
Volt Typhoon | Unspecified | 1 | Volt Typhoon is a sophisticated threat actor, linked to China, that has managed to infiltrate and remain undetected within US infrastructure for several years. The group exhibits strong operational security and uses advanced techniques such as obfuscation of their malware to avoid detection. These t
Lazarus Group | Unspecified | 1 | The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
NOBELIUM | Unspecified | 1 | Nobelium, a threat actor linked to Russia's SVR, has been actively targeting French diplomatic entities as part of its cyber-espionage activities. The Advanced Persistent Threat (APT) group has utilized sophisticated techniques such as phishing and attempts to install Cobalt Strike, an advanced malw
Cozy Bear | Unspecified | 1 | Cozy Bear, also known as APT29, is a threat actor linked to the Russian government that has been implicated in numerous cyber-espionage activities. The group's activities have been traced back to at least 2015, when they were identified as infiltrating the Democratic National Committee (DNC) network
YTTRIUM | Unspecified | 1 | Yttrium, also known as APT29, CozyBear, UNC2452, NOBELIUM, and Midnight Blizzard, is a prominent threat actor in the cybersecurity landscape. This group has been attributed to several significant cyber-attacks, with its activities largely overlapping with those attributed to APT29 or CozyBear, accor
STRONTIUM | Unspecified | 1 | Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other aliases, is a Russia-linked threat actor that has been active since at least 2007. This group, believed to be associated with the Russian General Staff Main Intelligence Directorate (GRU), has targeted governments, milita
Lace Tempest | Unspecified | 1 | Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi
POTASSIUM | Unspecified | 1 | Potassium, also known as APT10, CVNX, Stone Panda, MenuPass, and POTASSIUM, is a threat actor that has been linked to multiple cyberattacks. This entity is believed to be operating out of China, with Zhu Hua and Zhang Shilong identified as key players within the group. They are reportedly associated
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-27350 | Unspecified | 2 | CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
CVE-2018-13379 | Unspecified | 1 | CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20
Proxyshell | Unspecified | 1 | ProxyShell is a critical vulnerability affecting Microsoft Exchange email servers. Identified as CVE-2021-34473, it is a flaw in software design or implementation that can be exploited by attackers to gain unauthorized access to systems. The vulnerability was actively exploited by threat actors, cau
Proxyshell Cve-2021-26855 | Unspecified | 1 | None
CVE-2021-26857 | Unspecified | 1 | None
CVE-2021-27065 | Unspecified | 1 | None
CVE-2021-44228 | Unspecified | 1 | CVE-2021-44228, also known as the Log4j vulnerability, is a software flaw found in Apache Log4j, a widely used logging utility. Despite multiple attempts by Advanced Persistent Threat (APT) actors to exploit this vulnerability in the ServiceDesk system, these efforts were unsuccessful. However, it b
CVE-2021-26855 | Unspecified | 1 | CVE-2021-26855 is a significant software vulnerability, specifically a zero-day server-side request forgery (SSRF) flaw, found in Microsoft Exchange 2013, 2016, and 2019. This vulnerability was exploited by attackers to gain initial access to email servers and drop an ASPX webshell, leveraging the t
CVE-2021-26858 | Unspecified | 1 | None
Source Document References
Information about the Phosphorus threat actor was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
CERT-EU | 5 months ago | Rhysida Ransomware Cracked & Decrypted
DARKReading | 5 months ago | Islamic Nonprofit Infiltrated for 3 Years With Silent Backdoor
CERT-EU | 6 months ago | Microsoft: Iranian hackers target researchers with new MediaPl malware
CERT-EU | 7 months ago | AI looks inward, antitrust bites big tech again and cybersecurity battles intensify | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 7 months ago | Nashville-based Phosphorus gets $27M to build out its xIoT security solutions
MITRE | 7 months ago | Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 | Microsoft Security Blog
CERT-EU | 8 months ago | Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d
CERT-EU | 8 months ago | Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d | CISA
CERT-EU | 8 months ago | Why cyberspace remains largely unaffected amidst ongoing geopolitical turmoil
CERT-EU | 9 months ago | Weaponizing Wheat: How Strategic Competition With Russia Could Threaten American Food Security – Analysis
CERT-EU | 9 months ago | Thousands of devices exposed to critical Cisco IOS XE software bug
CERT-EU | 9 months ago | The Brief – Living online in wartime
CERT-EU | 9 months ago | Israel Hamas war: Netanyahu warns Israel will ‘demolish Hamas' as thousands flee Gaza
CERT-EU | 9 months ago | SecurityWeek to Host 2023 ICS Cybersecurity Conference October 23-26 in Atlanta
CERT-EU | 10 months ago | RagnarLocker Ransomware, LokiLocker Ransomware, and More: Hacker’s Playbook Threat Coverage Round-up: September 27th, 2023
CERT-EU | a year ago | Cyber security week in review: April 21, 2023
ESET | 10 months ago | Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor
BankInfoSecurity | 10 months ago | Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor
CERT-EU | 10 months ago | Iranian Cyberspies Deployed New Backdoor to 34 Organizations
CERT-EU | 10 months ago | ‘Scan-and-exploit’ campaign snares unpatched Exchange servers