TA453

Threat Actor updated 18 days ago (2024-08-20T14:17:42.304Z)
TA453, also known as Charming Kitten, APT35, APT42, Ballistic Bobcat, Phosphorus, and Ajax Security Team, is a threat actor linked to the Iranian government. The group has been implicated in numerous cyber-espionage operations against entities worldwide. In one notable incident, researchers at the cybersecurity firm Proofpoint attributed a cyberattack on an affiliate of former National Security Adviser John Bolton to TA453. The group has been observed conducting attacks in countries including Brazil, Israel, and the United Arab Emirates, and ESET researchers noted that its activity overlaps with that of groups tracked as APT35, APT42, and Charming Kitten. TA453's modus operandi includes phishing campaigns, deployment of novel malware, and exploitation of unpatched systems. For instance, Proofpoint discovered TA453 running a phishing campaign aimed at nuclear weapons experts; in another campaign, the group targeted Macintosh computers, sending malware-laden attachments only after victims had replied to an initial benign message. The group also uses tactics designed to keep its infection chains covert, such as deploying modular PowerShell backdoors at the end of the chain. Recently, TA453 carried out a phishing attack against an Israeli rabbi, demonstrating the group's ongoing activity. In 2020 and 2021, X-Force published details of operations by ITG18 (which overlaps with Charming Kitten, Phosphorus, and TA453) exploiting identities. TA453 has also been observed deploying a previously unknown backdoor named 'Sponsor' against 34 companies in Brazil, Israel, and the UAE. These incidents underscore the persistent threat posed by TA453 and the importance of maintaining robust cybersecurity measures to counter its activity.
Description last updated: 2024-08-20T14:16:00.025Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): description

Charming Kitten (6 votes): Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iranian threat actor group that has been linked to various cyber attacks. It has targeted entities in Brazil, Israel, and the United Arab Emirates using a new backdoor, as revealed by securit

APT42 (4 votes): APT42, also known as Charming Kitten and CharmingCypress, is an Iran-nexus advanced persistent threat (APT) group known for its sophisticated and persistent cyber-attack strategies. The group has recently targeted Middle East policy experts in the region, as well as in the US and Europe, using a pho

Phosphorus (4 votes): Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the

APT35 (3 votes): APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the

Mint Sandstorm (3 votes): Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cyber threat actor. This group is known for its highly skilled operators and sophisticated social engineering techniques, often lacking the typica

COBALT ILLUSION (3 votes): Cobalt Illusion, also known as Mint Sandstorm, APT42, and TA453 among other names, is a threat actor known for its sophisticated social engineering campaigns. This group is associated with the Islamic Revolutionary Guard Corps and is recognized for conducting surveillance and espionage activities ag

Yellow Garuda (2 votes): Yellow Garuda, also known as Charming Kitten, APT35, Mint Sandstorm, Cobalt Illusion, and TA453 among other names, is a threat actor believed to be operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The group has been active in various cyber espionage campaigns over the years. I
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Phishing, Proofpoint, Reconnaissance, APT, BlackSmith, Outlook, Backdoor, macOS, VPN, Windows, Espionage, Exploit
Analyst Notes & Discussion
Associated Malware
Profile (type, votes): description

GorjolEcho (Unspecified, 2 votes): GorjolEcho is a sophisticated malware, identified by Proofpoint and attributed with high confidence to the Iranian group TA453, based on code similarities with previously recognized malware such as GhostEcho, CharmPower, and MacDownloader. The malware is delivered via a new infection chain involving

NokNok (Unspecified, 2 votes): NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions
Associated Threat Actors
Profile (type, votes): description

Seaborgium (Unspecified, 2 votes): Seaborgium, also known as Star Blizzard, Callisto Group, COLDRIVER, and TAG-53, is a threat actor linked to suspected Russian threat activity groups. Open-source reporting has enabled Insikt Group to profile the infrastructure used by this group, revealing significant overlaps with other known malic
Source Document References
Information about the TA453 Threat Actor was read from the document corpus below. This display is limited to 20 results.
Source (created): title

Checkpoint (12 days ago): 26th August – Threat Intelligence Report - Check Point Research
InfoSecurity-magazine (18 days ago): Iranian Group TA453 Launches Phishing Attacks with BlackSmith
DARKReading (18 days ago): IRGC-Linked Hackers Roll Malware into Monolithic Trojan
SecurityIntelligence.com (4 months ago): Threat intelligence to protect vulnerable communities
CERT-EU (10 months ago): Pro-Palestinian hacking group evolves tactics amid war
CERT-EU (a year ago): Cyber Security Week in Review: September 15, 2023
CERT-EU (a year ago): ‘Scan-and-exploit’ campaign snares unpatched Exchange servers
CERT-EU (a year ago): Iranian hackers target orgs in Brazil, Israel, and OAE with new Sponsor backdoor
CERT-EU (a year ago): Iranian Charming Kitten APT targets various entities in Brazil, Israel, and the U.A.E. using a new backdoor
BankInfoSecurity (a year ago): Feds Urge Immediate Patching of Zoho and Fortinet Products
BankInfoSecurity (a year ago): Feds Urge Immediately Patching of Zoho and Fortinet Products
CERT-EU (a year ago): The latest cyberattacks detected | 11 July 2023
DARKReading (a year ago): APT35 Develops Mac Bespoke Malware
CERT-EU (a year ago): Security Affairs newsletter Round 427 by Pierluigi Paganini – International edition | IT Security News
CERT-EU (a year ago): Cybersecurity weekly | 8 July 2023
CERT-EU (a year ago): Iran-linked APT TA453 targets Windows and macOS systems | IT Security News
Securityaffairs (a year ago): Iran-linked APT TA453 targets Windows and macOS systems
CERT-EU (a year ago): Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
BankInfoSecurity (a year ago): Breach Roundup: Iranian Group Targets Nuclear Experts
CERT-EU (a year ago): Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week - TechCentral.ie