Phosphorus

Threat Actor updated 4 months ago (2024-05-04T20:04:31.537Z)
Phosphorus, also known as APT35 or Charming Kitten, is an Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). The group has been involved in a series of malicious activities and continues to adopt new tactics and tools. The Cybereason Nocturnus Team discovered a previously undocumented PowerShell backdoor attributed to Phosphorus, named PowerLess Backdoor; it has been incorporated into the group's arsenal and marks an evolution in its capabilities. Since November 2023 the group has been observed targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in several countries.

Phosphorus employs distinctive methods in its operations. In recent attacks, the group has sent "interview requests" to targeted individuals in emails that contain tracking links, which confirm whether the recipient has opened the file. Once the target replies, the attackers send a link to a benign list of interview questions hosted on a cloud service provider. This tactic indicates a shift from, or expansion upon, the group's earlier strategy of sending unsolicited links and attachments in spear-phishing campaigns aimed at credential theft. The Microsoft Threat Intelligence Center (MSTIC) has also observed Phosphorus using BitLocker to encrypt data and ransom victims at several targeted organizations.

In addition to these malicious activities, Phosphorus stands out in the cybersecurity landscape with its capability to provide complete discovery, remediation, and security management across a wide range of xIoT devices. It has fully automated the remediation of the two biggest IoT vulnerabilities: out-of-date firmware and default credentials. This dual role of Phosphorus - as both a threat actor and a cybersecurity solution provider - is noteworthy.

In December 2023, Phosphorus raised $27M for research and development, indicating a significant investment in enhancing its capabilities.
Description last updated: 2024-05-04T16:06:52.206Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Each entry lists the profile ID, its vote count, and the profile description.

APT35 (5 votes): APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the

Charming Kitten (5 votes): Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iranian threat actor group that has been linked to various cyber attacks. It has targeted entities in Brazil, Israel, and the United Arab Emirates using a new backdoor, as revealed by securit

Mint Sandstorm (4 votes): Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cyber threat actor. This group is known for its highly skilled operators and sophisticated social engineering techniques, often lacking the typica

TA453 (4 votes): TA453, also known as Charming Kitten, APT35, APT42, Ballistic Bobcat, Phosphorus, and Ajax Security Team, is a threat actor linked to the Iranian government. This group has been implicated in numerous cyber espionage activities targeting various entities globally. In one notable incident, researcher

APT42 (3 votes): APT42, also known as Charming Kitten and CharmingCypress, is an Iran-nexus advanced persistent threat (APT) group known for its sophisticated and persistent cyber-attack strategies. The group has recently targeted Middle East policy experts in the region, as well as in the US and Europe, using a pho

Ballistic Bobcat (3 votes): Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bob

Mango Sandstorm (2 votes): Mango Sandstorm, also known as MuddyWater or Mercury, is a threat actor group linked to Iran's Ministry of Intelligence and Security (MOIS) by the Israeli government. The group has been identified as being involved in several cyber-attacks, utilizing various tactics to gain initial access to targete

Newscaster (2 votes): APT35, also known as Newscaster Team, is an Iranian government-sponsored cyber espionage group that conducts extensive operations to gather strategic intelligence. The group, which has been active since at least 2014, has been linked to a series of advanced persistent threat (APT) campaigns targetin
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Phishing
Iran
Ransomware
Malware
Implant
Espionage
Microsoft
Payload
Backdoor
flaw
State Sponso...
Vulnerability
Papercut
iranian
Microsoft’s
Proxy
Associated Malware
Each entry lists the malware ID, its type, its vote count, and the profile description.

PowerLess (type: Unspecified, 6 votes): Powerless is a malware that was deployed by Ballistic Bobcat in September 2021, as they were concluding the campaign documented in CISA Alert AA21-321A and the PowerLess campaign. The malware was introduced through a new backdoor, exploiting gaps left by traditional security measures which are often
Associated Threat Actors
Each entry lists the threat actor ID, its type, its vote count, and the profile description.

MERCURY (type: Unspecified, 2 votes): Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLO

MuddyWater (type: Unspecified, 2 votes): MuddyWater is a notable threat actor group that has been associated with various cyber-attacks, primarily targeting organizations in the Middle East, particularly Israeli entities, but also extending its activities to other nations including India, Jordan, Portugal, Turkey, and Azerbaijan. The group
Associated Vulnerabilities
Each entry lists the vulnerability ID, its type, its vote count, and the profile description.

CVE-2023-27350 (type: Unspecified, 2 votes): CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
Source Document References
Information about the Phosphorus Threat Actor was read from the document corpus below. This display is limited to 20 results.
Each entry lists the source, when the document was created, and its title.

CERT-EU (7 months ago): Rhysida Ransomware Cracked & Decrypted
DARKReading (7 months ago): Islamic Nonprofit Infiltrated for 3 Years With Silent Backdoor
CERT-EU (8 months ago): Microsoft: Iranian hackers target researchers with new MediaPl malware
CERT-EU (9 months ago): AI looks inward, antitrust bites big tech again and cybersecurity battles intensify | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (9 months ago): Nashville-based Phosphorus gets $27M to build out its xIoT security solutions
MITRE (9 months ago): Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 | Microsoft Security Blog
CERT-EU (9 months ago): Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d
CERT-EU (9 months ago): Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d | CISA
CERT-EU (10 months ago): Why cyberspace remains largely unaffected amidst ongoing geopolitical turmoil
CERT-EU (10 months ago): Weaponizing Wheat: How Strategic Competition With Russia Could Threaten American Food Security – Analysis
CERT-EU (a year ago): Thousands of devices exposed to critical Cisco IOS XE software bug
CERT-EU (a year ago): The Brief – Living online in wartime
CERT-EU (a year ago): Israel Hamas war: Netanyahu warns Israel will ‘demolish Hamas' as thousands flee Gaza
CERT-EU (a year ago): SecurityWeek to Host 2023 ICS Cybersecurity Conference October 23-26 in Atlanta
CERT-EU (a year ago): RagnarLocker Ransomware, LokiLocker Ransomware, and More: Hacker’s Playbook Threat Coverage Round-up: September 27th, 2023
CERT-EU (a year ago): Cyber security week in review: April 21, 2023
ESET (a year ago): Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor
BankInfoSecurity (a year ago): Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor
CERT-EU (a year ago): Iranian Cyberspies Deployed New Backdoor to 34 Organizations
CERT-EU (a year ago): ‘Scan-and-exploit’ campaign snares unpatched Exchange servers