TA453

Threat Actor Profile Updated 2 months ago
TA453, also known as Charming Kitten, APT35, Phosphorus, and Ballistic Bobcat, is a threat actor attributed to the Iranian government. This group has been involved in numerous cyber espionage campaigns against various entities worldwide, with notable incidents involving an attack on a close affiliate of former National Security Adviser John Bolton in 2022 and a series of attacks targeting entities in Brazil, Israel, and the United Arab Emirates. The activity of TA453 overlaps with that of other Iranian groups such as Mint Sandstorm, APT42, and Cobalt Illusion, indicating possible collaboration or shared resources.

In recent years, TA453 has demonstrated a wide range of capabilities and tactics. For instance, it was observed deploying novel malware against 34 companies across different business verticals in Brazil, Israel, and the UAE. In another campaign, the group targeted unpatched Microsoft Exchange servers using a previously unseen backdoor. Furthermore, TA453 showed a particular interest in Macintosh computers and in nuclear weapons experts, demonstrating its broad scope of targets and advanced technical proficiency.

TA453 uses sophisticated social engineering techniques to enhance the success of its attacks. The group has been reported to share malicious links disguised as Zoom meeting URLs and even to set up actual Zoom calls to deliver these links. Additionally, it uses multi-persona impersonation to add legitimacy to its operations. Once it gains access to a target's system, it steals emails and attachments and sets up mail-forwarding rules for ongoing surveillance. According to cybersecurity firm Proofpoint, TA453 uses a port or evolution of the GorjolEcho malware, known as NokNok, to establish initial footholds in its intrusions.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Entries are listed as ID (votes): profile description.

Charming Kitten (5 votes): Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou

Phosphorus (4 votes): Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the

APT35 (3 votes): APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the

Mint Sandstorm (3 votes): Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val

COBALT ILLUSION (3 votes): Cobalt Illusion, also known as Mint Sandstorm, APT42, and TA453 among other names, is a threat actor known for its sophisticated social engineering campaigns. This group is associated with the Islamic Revolutionary Guard Corps and is recognized for conducting surveillance and espionage activities ag

APT42 (3 votes): APT42, also known as Charming Kitten, CharmingCypress, Mint Sandstorm, and TA453, is a threat actor associated with Iran. The group has been linked to the Islamic Revolutionary Guard Corps (IRGC) and is recognized for its use of sophisticated tactics, techniques, and procedures (TTPs), such as enhan

Yellow Garuda (1 vote): Yellow Garuda, also known as Charming Kitten, APT35, Mint Sandstorm, and various other aliases, is a malware associated with an Iranian state-sponsored threat operation. It has been active since at least 2011, operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The malware is des

Newscaster (1 vote): APT35, also known as Newscaster Team, is an Iranian government-sponsored cyber espionage group that conducts extensive operations to gather strategic intelligence. The group, which has been active since at least 2014, has been linked to a series of advanced persistent threat (APT) campaigns targetin

Tortoiseshell (1 vote): Tortoiseshell is a prominent threat actor associated with multiple Iranian Advanced Persistent Threat (APT) groups, including MASN. It has been linked to a multi-year cyberattack campaign that targeted over a dozen US companies and government entities, including the Department of the Treasury. The c

Ballistic Bobcat (1 vote): Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bob

ITG18 (1 vote): ITG18, also known as Charming Kitten, Phosphorous, and TA453, is a threat actor that has been active since at least 2013. The group is known for its meticulous techniques in cyber espionage, such as validating stolen credentials by copying and pasting victim usernames and passwords into various webs
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Phishing, Malware, APT, Proofpoint, macOS, Backdoor, Exploit, VPN, Windows, Outlook, Espionage, Reconnaissance, Android, Dropper, NCSC, UK, Medical, Iran
Associated Malware
Entries are listed as ID (type, votes): profile description.

GorjolEcho (Unspecified, 2 votes): GorjolEcho is a malicious software, or malware, linked to the Iranian group TA453 and identified by Proofpoint researchers. This sophisticated backdoor malware is designed to infiltrate computer systems, establish persistence, and exfiltrate information to command-and-control servers. The stealthy n

NokNok (Unspecified, 2 votes): NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions

PowerLess (Unspecified, 1 vote): PowerLess is a malware that was deployed by Ballistic Bobcat in September 2021, as they were concluding the campaign documented in CISA Alert AA21-321A and the PowerLess campaign. The malware was introduced through a new backdoor, exploiting gaps left by traditional security measures which are often
Associated Threat Actors
Entries are listed as ID (type, votes): profile description.

Seaborgium (Unspecified, 2 votes): Seaborgium, also known as Star Blizzard, Callisto Group, COLDRIVER, and TAG-53, is a threat actor linked to suspected Russian threat activity groups. Open-source reporting has enabled Insikt Group to profile the infrastructure used by this group, revealing significant overlaps with other known malic
Associated Vulnerabilities
Entries are listed as ID (type, votes): profile description.

Seaborgium Callisto (Unspecified, 1 vote): no description available
Source Document References
Information about the TA453 threat actor was read from the document corpus below. This display is limited to 20 results.
Entries are listed as source (created at): title.

SecurityIntelligence.com (2 months ago): Threat intelligence to protect vulnerable communities
CERT-EU (8 months ago): Pro-Palestinian hacking group evolves tactics amid war
CERT-EU (10 months ago): Cyber Security Week in Review: September 15, 2023
CERT-EU (10 months ago): 'Scan-and-exploit' campaign snares unpatched Exchange servers
CERT-EU (10 months ago): Iranian hackers target orgs in Brazil, Israel, and OAE with new Sponsor backdoor
CERT-EU (10 months ago): Iranian Charming Kitten APT targets various entities in Brazil, Israel, and the U.A.E. using a new backdoor
BankInfoSecurity (10 months ago): Feds Urge Immediate Patching of Zoho and Fortinet Products
BankInfoSecurity (10 months ago): Feds Urge Immediately Patching of Zoho and Fortinet Products
CERT-EU (a year ago): The latest detected cyberattacks | 11 July 2023
DARKReading (a year ago): APT35 Develops Mac Bespoke Malware
CERT-EU (a year ago): Security Affairs newsletter Round 427 by Pierluigi Paganini – International edition | IT Security News
CERT-EU (a year ago): Cybersecurity weekly | 8 July 2023
CERT-EU (a year ago): Iran-linked APT TA453 targets Windows and macOS systems | IT Security News
Securityaffairs (a year ago): Iran-linked APT TA453 targets Windows and macOS systems
CERT-EU (a year ago): Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
BankInfoSecurity (a year ago): Breach Roundup: Iranian Group Targets Nuclear Experts
CERT-EU (a year ago): Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week - TechCentral.ie
CERT-EU (a year ago): Connect the Dots on State-Sponsored Cyber Incidents - Charming Kitten
MITRE (a year ago): BadBlood: TA453 Targets US & Israel in Credential Phishing | Proofpoint US
MITRE (a year ago): Operation SpoofedScholars: A Conversation with TA453 | Proofpoint US