TA453

Threat Actor updated a month ago (2024-10-17T13:02:21.926Z)
TA453, also known as Charming Kitten, APT35, Phosphorus, Newscaster, and Ajax Security Team, is a threat actor group suspected of links to the Iranian government. Researchers from Proofpoint have attributed cyberattacks on affiliates of former National Security Adviser John Bolton and on nuclear weapons experts to TA453. The group has also been observed targeting entities in Brazil, Israel, and the United Arab Emirates. TA453's activity overlaps with clusters reported under other names, including APT35, APT42, Charming Kitten, and Mint Sandstorm.

In its most recent campaign, TA453 targeted Macintosh computers using a sophisticated phishing attack involving a PowerShell-based malware toolkit named "BlackSmith." The attackers impersonated the Institute for the Study of War (ISW) and invited victims to a fake podcast via spoofed emails. The malware was delivered through a malicious Google Drive link. BlackSmith represents an evolution of previous TA453 toolsets, merging various functions into a single script called "AnvilEcho," which performs tasks such as network communication, data encryption, and reconnaissance while evading antivirus detection.

Proofpoint analysts suggest that while direct links between TA453 and individual members of the Islamic Revolutionary Guard Corps (IRGC) are not evident, the group likely operates in support of the IRGC Intelligence Organization (IRGC-IO). This assessment is based on overlaps in unit numbering between Charming Kitten reports and IRGC units. TA453's campaigns underscore its continued focus on espionage and intelligence gathering, likely in support of the Iranian government. As part of its social engineering techniques, TA453 often poses as reputable individuals or organizations to gain the trust of its targets before deploying malware.
Description last updated: 2024-10-17T12:00:54.146Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes

Charming Kitten is a possible alias for TA453. Charming Kitten, also known as APT35 or APT42 among other names, is a threat actor believed to be linked to the Iranian government. The group has been implicated in a series of cyber-attacks against various entities in Brazil, Israel, and the U.A.E., deploying a new backdoor that initiates an infect
Votes: 6

Apt42 is a possible alias for TA453. APT42, also known as Charming Kitten, CharmingCypress, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iran-nexus advanced persistent threat (APT) group that has been active in various cyberattacks. The group employs a range of tactics, techniques, and procedures (TTPs), such
Votes: 4

Phosphorus is a possible alias for TA453. Phosphorus, also known as APT35 or Charming Kitten, is a prominent threat actor linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group is notorious for its cyberespionage activities and has been actively targeting high-profile individuals involved in Middle Eastern affairs at univ
Votes: 4

APT35 is a possible alias for TA453. APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage team. This threat actor conducts long-term, resource-intensive operations to collect strategic and tactical intelligence on behalf of the Islamic Revolutionary Guard Corp
Votes: 3

Mint Sandstorm is a possible alias for TA453. Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cybersecurity threat. The group has demonstrated its capability to rapidly weaponize N-day vulnerabilities in common enterprise applications and c
Votes: 3

COBALT ILLUSION is a possible alias for TA453. Cobalt Illusion, also known as Mint Sandstorm, APT42, and TA453 among other names, is a threat actor known for its sophisticated social engineering campaigns. This group is associated with the Islamic Revolutionary Guard Corps and is recognized for conducting surveillance and espionage activities ag
Votes: 3

Yellow Garuda is a possible alias for TA453. Yellow Garuda, also known as Charming Kitten, APT35, Mint Sandstorm, Cobalt Illusion, and TA453 among other names, is a threat actor believed to be operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The group has been active in various cyber espionage campaigns over the years. I
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
Proofpoint
Reconnaissance
Apt
Blacksmith
Outlook
Backdoor
Macos
Vpn
Windows
Espionage
Exploit
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes

The GorjolEcho Malware is associated with TA453. GorjolEcho is a sophisticated malware, identified by Proofpoint and attributed with high confidence to the Iranian group TA453, based on code similarities with previously recognized malware such as GhostEcho, CharmPower, and MacDownloader. The malware is delivered via a new infection chain involving
Association type: Unspecified. Votes: 2

The Noknok Malware is associated with TA453. NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions
Association type: Unspecified. Votes: 2
Associated Threat Actors
Alias | Description | Association Type | Votes

The Seaborgium Threat Actor is associated with TA453. Seaborgium, also known by various names such as Star Blizzard, Callisto Group, COLDRIVER, and TAG-53, is a threat actor believed to be linked to Russia's Federal Security Service (FSB). The group has been active since at least 2015, targeting government officials, military personnel, journalists, an
Association type: Unspecified. Votes: 2
Source Document References
Information about the TA453 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source Link | Created At

Checkpoint: 3 months ago
InfoSecurity-magazine: 3 months ago
DARKReading: 3 months ago
SecurityIntelligence.com: 6 months ago
CERT-EU: a year ago
CERT-EU: a year ago
CERT-EU: a year ago
CERT-EU: a year ago
CERT-EU: a year ago
BankInfoSecurity: a year ago
BankInfoSecurity: a year ago
CERT-EU: a year ago
DARKReading: a year ago
CERT-EU: a year ago
CERT-EU: a year ago
CERT-EU: a year ago
Securityaffairs: a year ago
CERT-EU: a year ago
BankInfoSecurity: a year ago
CERT-EU: a year ago