Phosphorus

Threat Actor updated a month ago (2024-10-02T01:00:55.108Z)
Download STIX
Preview STIX
Phosphorus, also known as APT35 or Charming Kitten, is a prominent threat actor linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group is notorious for its cyberespionage activities and has been actively targeting high-profile individuals involved in Middle Eastern affairs at universities and research organizations across Belgium, France, Gaza, Israel, the United Kingdom, and the United States since November 2023. Phosphorus employs sophisticated tactics such as custom-tailored phishing emails sent via previously compromised accounts, making their attacks difficult to detect. The Cybereason Nocturnus Team recently discovered a novel PowerShell backdoor related to the Phosphorus group, named PowerLess Backdoor. This previously undocumented tool has been incorporated into Phosphorus' arsenal and used in recent attacks. Phosphorus continually develops and refines its tools, demonstrating its ongoing threat to cybersecurity worldwide. In addition to its malicious activities, Phosphorus is also the name of an IoT security startup which has raised $27M for research and development. The firm, led by CISO John Terrill and security strategist John Vecchi, is focused on mitigating IoT vulnerabilities, particularly out-of-date firmware and default credentials. Phosphorus Security's experts have voiced concerns about resource allocation challenges and cultural differences across various agencies, emphasizing the need for effective and collaborative operational cybersecurity.
Description last updated: 2024-10-02T00:15:32.615Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT35 is a possible alias for Phosphorus. APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
5
Charming Kitten is a possible alias for Phosphorus. Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is a threat actor linked to Iran that has been involved in various cyberattacks targeting entities in Brazil, Israel, and the U.A.E. using a new backdoor. This group has been implicated in sophisti
5
Mint Sandstorm is a possible alias for Phosphorus. Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cybersecurity threat. The group has demonstrated its capability to rapidly weaponize N-day vulnerabilities in common enterprise applications and c
4
TA453 is a possible alias for Phosphorus. TA453, also known as Charming Kitten, APT35, Phosphorus, Newscaster, and Ajax Security Team, is a threat actor group suspected to be linked with the Iranian government. Researchers from Proofpoint have attributed cyberattacks on affiliates of former National Security Adviser John Bolton and nuclear
4
Apt42 is a possible alias for Phosphorus. APT42, also known as Charming Kitten, CharmingCypress, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iran-nexus advanced persistent threat (APT) group that has been active in various cyberattacks. The group employs a range of tactics, techniques, and procedures (TTPs), such
3
Ballistic Bobcat is a possible alias for Phosphorus. Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bob
3
Newscaster is a possible alias for Phosphorus. APT35, also known as Newscaster Team, is an Iranian government-sponsored cyber espionage group that conducts extensive operations to gather strategic intelligence. The group, which has been active since at least 2014, has been linked to a series of advanced persistent threat (APT) campaigns targetin
2
Mango Sandstorm is a possible alias for Phosphorus. Mango Sandstorm, also known as MuddyWater or Mercury, is a threat actor group linked to Iran's Ministry of Intelligence and Security (MOIS) by the Israeli government. The group has been identified as being involved in several cyber-attacks, utilizing various tactics to gain initial access to targete
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Phishing
Iran
Ransomware
Malware
Implant
Espionage
Microsoft
Payload
Backdoor
flaw
State Sponso...
Vulnerability
CISA
Papercut
iranian
Microsoft’s
Proxy
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The PowerLess Malware is associated with Phosphorus. Powerless is a malicious software (malware) that was deployed by Ballistic Bobcat in September 2021, during the wrap-up of the campaign documented in CISA Alert AA21-321A. This malware was introduced as part of the PowerLess campaign, which involved the use of a new command and control (C&C) server.Unspecified
6
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The MERCURY Threat Actor is associated with Phosphorus. Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLOUnspecified
2
The MuddyWater Threat Actor is associated with Phosphorus. MuddyWater is a notable threat actor group that has been associated with various cyber-attacks, primarily targeting organizations in the Middle East, particularly Israeli entities, but also extending its activities to other nations including India, Jordan, Portugal, Turkey, and Azerbaijan. The groupUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-27350 Vulnerability is associated with Phosphorus. CVE-2023-27350 represents a significant software vulnerability in PaperCut MF/NG, identified as an improper access control flaw. This weakness allows attackers to bypass authentication processes, providing them with the ability to execute code with system privileges. The vulnerability was first updaUnspecified
2
Source Document References
Information about the Phosphorus Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
BankInfoSecurity
a month ago
DARKReading
a month ago
DARKReading
a month ago
BankInfoSecurity
a month ago
CERT-EU
8 months ago
DARKReading
8 months ago
CERT-EU
9 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
MITRE
10 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
2 years ago