active threat profile
type: nation-state
threat_level: HIGH
status: ACTIVE
origin: Iran (IRGC)
last_updated: 2026-03-26

APT35 / Charming Kitten

also known as: Magic Hound, Phosphorus, Mint Sandstorm, TA453, COBALT ILLUSION, Newscaster, Ballistic Bobcat, ITG18, CharmingCypress, Educated Manticore, Yellow Garuda, Ajax Security (FireEye), NewsBeef (Kaspersky), G0059

APT35 is an Iranian state-sponsored cyber espionage group assessed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC), active since at least 2013. The group is defined by patient, high-touch social engineering against journalists, academics, dissidents, policy researchers, and government personnel — building rapport over weeks or months before harvesting credentials or deploying malware.

attributed origin: Iran
suspected sponsor: Islamic Revolutionary Guard Corps (IRGC)
first observed: ~2013
primary motivation: Intelligence collection / espionage
primary targets: Journalists, Academics, Dissidents, Government, Defense, Civil Society
known campaigns: 10+ confirmed
mitre att&ck group: G0059
target regions: USA, UK, Israel, Middle East, Europe
threat level: HIGH

Overview

APT35, tracked by MITRE as G0059, is a long-running Iranian state-sponsored threat group that conducts intelligence collection operations broadly aligned with the strategic and geopolitical priorities of the Islamic Revolutionary Guard Corps. The group has been active since at least 2013 and has been documented targeting European, U.S., and Middle Eastern government and military personnel, academics, journalists, and civil society organizations.

Unlike many nation-state actors that rely heavily on novel malware or zero-day exploitation, APT35's defining characteristic is operational patience. Operators frequently spend weeks or months building fake online personas — impersonating journalists, conference organizers, researchers, or recruiters — to establish trust before attempting credential theft or payload delivery. This human-centric approach allows the group to reach targets through personal webmail accounts and social platforms that sit outside the visibility of enterprise security controls.

Microsoft tracks overlapping activity under the designation Mint Sandstorm (previously PHOSPHORUS) and has assessed a direct link to the IRGC. Check Point Research tracks overlapping activity as Educated Manticore — particularly the subgroup conducting high-trust persona-based targeting of Israeli journalists and security researchers. A mature subgroup within the ecosystem has demonstrated accelerating technical tradecraft, including rapid weaponization of public proof-of-concept exploits for internet-facing applications, bespoke backdoors, and cross-platform tooling targeting both Windows and macOS environments. The broader cluster is widely assessed to represent a coherent IRGC intelligence collection capability rather than a single monolithic unit.

In October 2025, an anonymous actor published APT35's internal operational documents on GitHub under the alias "KittenBusters." The leak — analysed by CloudSEK, DomainTools, Gatewatcher, and multiple independent researchers — exposed an unprecedented window into the group's internal structure and active campaigns. The documents, largely in Farsi, confirm that APT35 functions not as a loose hacking collective but as a bureaucratised, quota-driven cyber-intelligence unit operating within a military chain of command. Operators work from a centralized facility with badge-in entry systems and fixed work schedules. Monthly performance reports enumerate phishing success rates, exploitation metrics, completed tasks, and hours worked — with supervisors filing aggregate campaign summaries and annotating operator output. The leak covers at least two years of operations, with file names referencing the Persian calendar year 1403 (corresponding to 2024 Gregorian) and earlier materials dating to May 2022. The leak's credibility has been assessed as high by CloudSEK and DomainTools based on linguistic, calendrical, and operational alignment with known APT35 patterns.

analyst note

APT35 (G0059) and APT42 (G1044) are distinct MITRE-tracked groups that share the "Charming Kitten" common name in vendor reporting, which causes frequent confusion. APT35 is assessed as IRGC-affiliated with a broader intelligence collection mandate; APT42 is specifically attributed to the IRGC Intelligence Organization (IRGC-IO) with a stronger focus on dissident surveillance and population-scale tracking. This profile covers G0059 / APT35 only.

Target Profile

APT35 prioritizes individuals and organizations with intelligence value to the Iranian state. Targeting decisions appear driven by proximity to Iranian foreign policy concerns — nuclear negotiations, regional geopolitics, dissident networks, and Western defense posture in the Middle East.

  • Journalists and Media: News outlets and individual journalists covering Iran, Middle Eastern affairs, or sanctions are routinely targeted. Operators impersonate colleagues or rival media organizations to gain trust before delivering phishing lures.
  • Academics and Think Tanks: Universities and policy research institutions with expertise in nuclear policy, Middle Eastern geopolitics, and Iran-related analysis are consistently targeted. Israeli academic institutions were specifically targeted in 2025 with malicious LNK files hosted on Google Drive.
  • Government and Defense: Military personnel, defense industrial base contractors, government agencies, and diplomatic entities across the U.S., UK, Israel, and Gulf nations are targeted for strategic intelligence. A mature Mint Sandstorm subgroup has been documented targeting U.S. critical infrastructure including seaports, energy, and transit systems.
  • Dissidents and Civil Society: Iranian diaspora, activists, human rights organizations, and NGOs whose work intersects with Iranian state interests are targeted for surveillance and contact mapping rather than data exfiltration.
  • Energy and Critical Infrastructure: Major oil and energy corporations in Saudi Arabia and the UAE are targeted to collect industrial intelligence and undermine regional energy stability.
  • Healthcare and Pharmaceutical: The World Health Organization (WHO) and pharmaceutical research institutions have been documented targets, particularly during the COVID-19 period.

Primary target countries include the United States, United Kingdom, Israel, Saudi Arabia, UAE, Germany, France, Canada, Australia, and Iran's own internal dissident communities. The group has demonstrated reach across Europe and the Asia-Pacific when targets of strategic interest are present.

Tactics, Techniques & Procedures

TTPs are drawn from MITRE ATT&CK G0059, NCSC advisory reporting, Microsoft Mint Sandstorm analysis, and Proofpoint TA453 campaign documentation.

MITRE ID | Technique | Description
T1566.002 | Spearphishing Link | Core initial access technique. Operators send personalized phishing links to credential harvesting pages disguised as Microsoft, Google, or Yahoo login portals after rapport-building via email or social media.
T1566.001 | Spearphishing Attachment | Malicious document lures impersonating news outlets, universities, or HR departments used to deliver malware families including PupyRAT and PowerShell toolkits. Increasingly replaced by LNK-based delivery chains.
T1585.001 | Establish Accounts: Social Media | Operators build long-term fake personas on LinkedIn, Twitter/X, and professional networks — impersonating journalists, academics, and conference organizers — over weeks or months before introducing malicious content.
T1583.001 | Acquire Infrastructure: Domains | Registers look-alike domains mimicking news outlets, cloud services, and trusted brands (e.g., mail-newyorker.com, microsoftcdn.co, outlookdelivery.com) for credential harvesting and payload staging.
T1190 | Exploit Public-Facing Application | A mature subgroup rapidly weaponizes public PoC exploits for internet-facing services — Log4Shell (CVE-2021-44228), ProxyShell Exchange chains, Zoho ManageEngine (CVE-2022-47966), and IBM Aspera Faspex (CVE-2022-47986). The October 2025 internal document leak additionally confirmed exploitation of CVE-2024-1709 (ConnectWise ScreenConnect, CVSS 10.0 authentication bypass) within 24 hours of public disclosure — targeting systems across Israel, Saudi Arabia, Turkey, Jordan, UAE, and Azerbaijan in rapid automated scanning campaigns (CloudSEK analysis of KittenBusters leak, October 2025).
T1078 | Valid Accounts | Stolen credentials used to authenticate to OWA, Microsoft 365, and VPN portals. The group has granted compromised email accounts delegate access to additional targeted mailboxes, enabling silent long-term collection.
T1098.002 | Additional Email Delegate Permissions | After compromising an account, operators add delegate access to additional targeted mailboxes and authenticate to OWA to read email from hundreds of targeted individuals across Middle Eastern organizations.
T1114.003 | Email Forwarding Rule | Persistence through mailbox forwarding rules set after initial credential theft, enabling ongoing visibility into target communications without requiring repeated authentication.
T1059.001 | PowerShell | Heavily used for execution, discovery, and payload staging. Mature subgroups deploy unmanaged PowerShell (bypassing powershell.exe detection) and custom modules for screenshots, process enumeration, and credential harvesting.
T1003.001 | OS Credential Dumping: LSASS Memory | LSASS process memory dumped using Mimikatz or custom tooling; resulting hashes archived with gzip and staged for exfiltration. Domain administrator accounts compromised after LSASS dump in documented intrusions.
T1560.001 | Archive Collected Data | RAR and gzip used to compress and stage data prior to exfiltration. Password-protected ZIP archives also used during payload delivery to evade email gateway scanning.
T1567 | Exfiltration Over Web Service | Exfiltrated data staged to attacker-controlled cloud storage (Amazon S3, IPFS), Google Drive, and OneDrive — blending with legitimate cloud traffic to evade perimeter detection. RClone used in some campaigns.
T1027 | Obfuscated Files or Information | Payloads obfuscated via password-protected archives, base64 encoding, and custom decryptors. POWERSTAR variants use IPFS-hosted C2 to frustrate domain-based blocking and attribution.
T1595.002 | Active Scanning: Vulnerability Scanning | Documented widespread scanning for publicly vulnerable internet-facing services including Log4j (CVE-2021-44228), ProxyShell Exchange chains, and Fortinet FortiOS SSL VPN (CVE-2018-13379) before targeted exploitation.

Known Campaigns

Confirmed and highly attributed operations linked to APT35 / Magic Hound / TA453.

BadBlood (2021)

Proofpoint-documented TA453 credential phishing campaign targeting U.S. and Israeli medical research personnel. Operators used spoofed email addresses and lookalike domains — including 1drv[.]casa and variants — to deliver credential harvesting links posing as OneDrive file-sharing notifications. Focused on oncologists, infectious disease researchers, and individuals connected to COVID-19 vaccine development.

Source: Proofpoint BadBlood report

SpoofedScholars (2021)

Proofpoint-documented campaign in which TA453 operators compromised the legitimate website of the University of London's School of Oriental and African Studies (SOAS) to host a credential harvesting page. Operators impersonated scholars and invited targets to a fake online conference on U.S. foreign policy and nuclear issues, using the SOAS domain to lend legitimacy to the lure.

Source: Proofpoint SpoofedScholars report

Log4j Exploitation Wave (2021–2022)

Following public disclosure of CVE-2021-44228 (Log4Shell), Check Point documented APT35 conducting widespread scanning and exploitation of vulnerable public-facing services within days of the vulnerability becoming known. The group distributed a new modular PowerShell toolkit via compromised Log4j servers, demonstrating the group's capacity to rapidly pivot from social engineering to opportunistic infrastructure exploitation.

Source: Check Point Log4j exploitation report

ProxyShell Exchange Intrusions (2022)

DFIR Report documented APT35 automating initial access through ProxyShell vulnerabilities (CVE-2021-26855, CVE-2021-34473, CVE-2021-34523) in on-premises Exchange servers. Post-exploitation involved DefaultAccount activation, LSASS credential dumping with Mimikatz, lateral movement via Impacket, and in at least one documented case, domain-wide ransomware deployment — highlighting the escalation risk when APT35 subgroups achieve deep enterprise access.

Source: DFIR Report ProxyShell analysis

Best Laid Plans / BlackSmith / AnvilEcho (2024)

Proofpoint documented TA453 deploying the BlackSmith malware framework to deliver AnvilEcho — a PowerShell-based trojan — via a podcast-themed lure. Targets were invited to participate in a fake podcast on Middle Eastern affairs; the invitation included a malicious ZIP containing LNK files that triggered a multi-stage infection chain. The campaign used the domain understandingthewar[.]org and staged components on d75[.]site and deepspaceocean[.]info. AnvilEcho supports keylogging, screenshot capture, and credential access.

Source: Proofpoint Best Laid Plans report

MediaPl University & Research Targeting (2023–2024)

Microsoft documented a Mint Sandstorm subgroup deploying a custom backdoor named MediaPl against universities and research organizations in Belgium, France, the UK, the U.S., and Israel. Initial access combined stolen credentials with social engineering; MediaPl provided persistent command-and-control over encrypted HTTPS. The campaign demonstrated the group's continued targeting of academic institutions focused on nuclear policy and international security research.

Source: Microsoft Mint Sandstorm MediaPl report

Educated Manticore — Israeli Journalist & Academic Targeting (Mid-2025)

Amid heightened Iran–Israel geopolitical tensions, APT35 (tracked by Check Point Research as Educated Manticore) launched a highly targeted spear-phishing campaign against Israeli journalists, cybersecurity professionals, and academics. Operators posed as research assistants, analysts, or conference coordinators via email and WhatsApp, sending fake meeting invitations and collaboration requests tailored to the target's field. Victims were directed to phishing sites mimicking Google Login and Google Meet, including pages hosted on legitimate Google Sites infrastructure to add authenticity — a significant defensive evasion advancement over earlier self-hosted phishing infrastructure. The campaign demonstrated APT35's adaptation to geopolitical escalation cycles and its continued investment in platform-specific trust exploitation.

KittenBusters Internal Leak — Unprecedented Operational Exposure (October 2025)

In October 2025, an anonymous actor published thousands of APT35's internal operational documents on GitHub under the alias "KittenBusters." Analysed extensively by CloudSEK, DomainTools, Gatewatcher, and independent researchers, the leak revealed APT35's bureaucratic military structure with distinct teams for penetration testing, malware development, social engineering, and infrastructure management — and documented two active named campaigns: Operation Desert Breach (Jordan, 2024–present), targeting the Ministry of Justice, academic institutions, and law firms, resulting in 74GB of judicial records, defense contracts, civil aviation files, and government communications exfiltrated; and Operation Afghan Infiltration (2021), targeting Afghan telecom systems and government ministries to map citizen movements. The leak also exposed rapid-response exploitation of CVE-2024-1709 (ConnectWise ScreenConnect) within 24 hours of disclosure, mass DNS manipulation of 580+ routers, and EDR evasion lab testing against Sophos, Trend Micro, SentinelOne, and CrowdStrike. Operators are documented attending IRGC ideological events, including a 2023 conference titled "Israel: The Fragile Mirror," confirming the unit's integration into the broader IRGC command structure.

Source: CloudSEK KittenBusters APT35 leak analysis

Tools & Malware

Known custom and commodity tools associated with APT35 / Magic Hound across documented campaigns.

  • POWERSTAR (CharmPower): PowerShell backdoor with modular capability for screenshot capture, file enumeration, keylogging, and persistence. Later variants use IPFS and legitimate cloud services for C2, replacing hardcoded domains to frustrate takedown and attribution. Referenced as S0674 in MITRE ATT&CK.
  • AnvilEcho: PowerShell trojan delivered by the BlackSmith framework. Supports keylogging, screenshot capture, process and system enumeration, and credential access. Documented in Proofpoint's 2024 Best Laid Plans campaign report.
  • BlackSmith: TA453 malware delivery framework used to stage and execute AnvilEcho via ZIP/LNK infection chains. Described by Proofpoint as a multi-stage dropper with DLL components.
  • MediaPl: Custom backdoor documented by Microsoft in 2023–2024 Mint Sandstorm campaigns against universities. Provides persistent encrypted C2 access and is deployed after initial credential theft.
  • BellaCiao / BellaCPP: Windows dropper family; BellaCPP is a C++ successor to BellaCiao with SSH-tunneling support for covert communications, payload delivery, and persistence. Active in 2023–2024 targeting.
  • GorjolEcho / NokNok: Cross-platform implants for Windows and macOS, enabling espionage and data exfiltration across mixed operating system environments. Indicative of the group's adaptation to non-Windows targets.
  • Sponsor: Windows backdoor documented by ESET (2021–2022) deployed against 34 organisations across government, healthcare, financial services, engineering, and technology sectors in Israel, Brazil, and the UAE. Notable for storing configuration files as otherwise-innocuous files on disk, deployed by malicious batch scripts, to evade detection.
  • RTM Project (custom RAT): A custom Remote Access Trojan revealed in the October 2025 KittenBusters internal document leak. Provides remote shell and binary execution, Active Directory share enumeration, and system harvesting — developed internally and not previously publicly documented.
  • PowerLess Trojan: PowerShell-based backdoor documented by Cybereason (2022). Notable for using unmanaged PowerShell — invoking the PowerShell runtime without executing powershell.exe — to bypass process-name-based detection. Referenced as S1012 in MITRE ATT&CK.
  • Hyperscrape: Email-harvesting tool designed to extract messages from compromised Gmail, Yahoo, and Microsoft accounts, enabling targeted intelligence collection without requiring full mailbox delegate access.
  • Mimikatz: Used post-compromise for LSASS credential dumping and subsequent lateral movement via pass-the-hash and Kerberoasting techniques.
  • Impacket: Open-source Python framework used for SMB relay, NTDS dumping, and remote execution in mature subgroup intrusions documented by DFIR Report.
  • PupyRAT: Open-source cross-platform RAT used in earlier APT35 campaigns for persistence, credential access, and remote control. Referenced as S0192 in MITRE ATT&CK.

Indicators of Compromise

Publicly reported IOCs from Proofpoint BadBlood (2021), Proofpoint Best Laid Plans (2024), and Dark Atlas APT35 reporting (2025). Verify currency before operational use — many domains and IPs are burned after public disclosure.

warning

IOCs may be stale or burned after public disclosure. Cross-reference with live threat intel feeds before blocking in production. All domains below are defanged.

indicators of compromise — behavioral patterns (from October 2025 KittenBusters leak)
webshell: m0s.php / m0s.* naming pattern — webshell deployed on compromised Exchange servers for persistent access; flag any .php file matching this pattern in Exchange directories
phishing infra: Phishing pages hosted on legitimate Google Sites (sites.google.com) infrastructure — standard domain allow-listing no longer sufficient; inspect page content and redirect chains even for Google-hosted URLs
vuln (exploited): CVE-2024-1709 — ConnectWise ScreenConnect authentication bypass (CVSS 10.0); any unpatched on-premise ScreenConnect instance is an APT35 target; patch to version 23.9.8 or later immediately
network: Unexpected DNS configuration changes on SOHO/edge routers — APT35 documented manipulating DNS settings on 580+ devices across targeted campaigns for traffic interception and persistence
evasion tools: EDR bypass testing confirmed for Sophos, Trend Micro, SentinelOne, CrowdStrike — APT35 maintains active evasion lab capability; DLL obfuscation and hijacking documented as standard evasion methods

Sources:
  • Proofpoint BadBlood IOC list
  • Proofpoint Best Laid Plans IOC list
  • Dark Atlas APT35 report (2025)
  • CloudSEK KittenBusters leak analysis (2025)

Mitigation & Defense

APT35's primary attack surface is identity and human trust rather than unpatched infrastructure. Defensive priority should reflect this.

  • Enforce phishing-resistant MFA: Deploy FIDO2/WebAuthn hardware keys for high-risk users — executives, policy staff, researchers, and journalists who match APT35's targeting profile. SMS/OTP MFA has known weaknesses against credential phishing and SIM swapping. NCSC advisory explicitly recommends phishing-resistant MFA as a primary control against TA453-style tradecraft.
  • Disable or restrict external email forwarding: Configure mail platforms to block automatic forwarding to external domains and alert immediately on forwarding rule creation. APT35 relies heavily on forwarding rules for persistent mailbox access after initial credential theft.
  • Monitor for anomalous delegate permissions: Audit OWA and Microsoft 365 for unexpected email delegate grants. The group has been documented adding delegate access across multiple targeted mailboxes from a single compromised account.
  • Patch ConnectWise ScreenConnect immediately: CVE-2024-1709 (CVSS 10.0, authentication bypass) was weaponized by APT35 within 24 hours of public disclosure in February 2024 and is in CISA's Known Exploited Vulnerabilities catalog. Any on-premise ScreenConnect instance below version 23.9.8 is an active APT35 target. Cloud-hosted instances were auto-patched; on-premise environments require manual update. Given APT35's documented sub-24-hour weaponization cadence, treat any newly disclosed critical CVE in internet-facing remote management software as an immediate patching priority.
  • Do not trust Google Sites URLs as inherently safe: The mid-2025 Educated Manticore campaign hosted phishing pages on legitimate Google Sites infrastructure (sites.google.com) — meaning the domain itself passes standard allow-lists and browser reputation checks. Train high-risk users to inspect page content, verify redirect destinations, and treat any unexpected login prompt as suspicious regardless of what domain it appears on.
  • Monitor Exchange infrastructure for m0s.php webshell pattern: The KittenBusters leak documents APT35 deploying webshells with the m0s.php or m0s.* naming pattern on compromised Exchange servers. Alert on any .php file creation in Exchange-related directories that does not correspond to a sanctioned deployment.
  • Audit edge router DNS configurations: The leaked operational documents confirm APT35 manipulates DNS settings on SOHO and edge routers — 580+ devices documented in campaign materials. Organizations should audit router DNS configurations periodically and alert on unexpected changes, particularly in environments with regional offices or distributed infrastructure.
  • Apply conditional access policies: Enforce device compliance, geo-velocity anomaly detection, and risky sign-in blocks. Monitor for impossible travel, unusual sign-in hours, and token issuance from unexpected locations.
  • Patch internet-facing applications aggressively: The mature Mint Sandstorm subgroup has demonstrated same-day or rapid weaponization of public PoCs. Prioritize internet-facing assets: Exchange servers, Fortinet SSL VPN (CVE-2018-13379), Zoho ManageEngine (CVE-2022-47966), IBM Aspera Faspex (CVE-2022-47986), and any Log4j-dependent services.
  • Executive and high-value user education: Train personnel who match APT35's targeting profile on rapport-building approaches — fake conference invitations, podcast lures, researcher impersonation, and journalist outreach are all documented delivery vectors. UK NCSC advisory documentation is publicly available and appropriate for high-risk user training.
  • Hunt for unmanaged PowerShell: Alert on abnormal processes loading System.Management.Automation.dll — a key indicator of unmanaged PowerShell used by APT35 to bypass powershell.exe process monitoring. SIGMA rules are available for Alternate PowerShell Hosts and In-Memory PowerShell detection.
  • Personal account awareness: APT35 frequently targets personal webmail accounts to bypass enterprise controls. Organizations should advise high-risk personnel to apply the same MFA and phishing awareness practices to personal accounts.
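Detection logic for three of the behaviours covered by the TTP table, the behavioral-pattern IOCs and the mitigation list above (T1114.003 external forwarding rules, T1098.002 delegate grants, and T1059.001 unmanaged PowerShell loading the engine DLL), as an added example that is not part of this profile or any vendor's tooling. It runs over constructed records shaped like Microsoft 365 unified audit log Exchange events and Sysmon Event ID 7 image-load events; the field names, the internal domain `example.org` and the sanctioned PowerShell host list are assumptions.

```python
"""Flag APT35-style mailbox persistence and unmanaged PowerShell in exported logs."""
import json

# Assumptions for this example: the tenant's own mail domains, and the process
# names that are sanctioned hosts for the PowerShell engine.
INTERNAL_DOMAINS = {"example.org"}
SANCTIONED_PS_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
PS_ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}
PS_ENGINE = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
             r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")

# Constructed sample records (not real telemetry) shaped like Microsoft 365
# unified audit log Exchange events and Sysmon Event ID 7 image-load events.
SAMPLE_LOGS = [
    {"Operation": "New-InboxRule", "UserId": "jdoe@example.org", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "smtp:archive.review@gmail.com"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "asmith@example.org", "ClientIP": "198.51.100.2",
     "Parameters": [{"Name": "Name", "Value": "Team updates"},
                    {"Name": "MoveToFolder", "Value": "Projects"}]},
    {"Operation": "Add-MailboxPermission", "UserId": "jdoe@example.org", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "policy.lead@example.org"},
                    {"Name": "User", "Value": "jdoe@example.org"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe", "ImageLoaded": PS_ENGINE},
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": PS_ENGINE},
]


def _params(record):
    """Flatten the audit log's [{'Name':..,'Value':..}] parameter list into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _is_external(value):
    """True for an SMTP-form address whose domain is not ours (display-name values are skipped)."""
    addr = value.lower().removeprefix("smtp:")
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def external_forwarding(record):
    """T1114.003: inbox rule or mailbox setting that forwards mail outside the tenant."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
        return None
    params = _params(record)
    targets = [v for k, v in params.items() if k in FORWARD_PARAMS and _is_external(v)]
    if not targets:
        return None
    deleted = params.get("DeleteMessage", "").lower() == "true"  # hides the forwarded copy from the owner
    return {"technique": "T1114.003", "user": record.get("UserId"), "ip": record.get("ClientIP"),
            "detail": "external forwarding to " + ", ".join(targets) + (" (messages deleted)" if deleted else "")}


def delegate_grant(record):
    """T1098.002: FullAccess delegate added to another user's mailbox."""
    if record.get("Operation") != "Add-MailboxPermission":
        return None
    params = _params(record)
    if "FullAccess" not in params.get("AccessRights", ""):
        return None
    return {"technique": "T1098.002", "user": params.get("User"), "ip": record.get("ClientIP"),
            "detail": "FullAccess granted on " + params.get("Identity", "?")}


def unmanaged_powershell(record):
    """T1059.001: PowerShell engine DLL loaded by a process that is not a sanctioned host."""
    if record.get("EventID") != 7:
        return None
    loaded = record.get("ImageLoaded", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    host = record.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if loaded not in PS_ENGINE_DLLS or host in SANCTIONED_PS_HOSTS:
        return None
    return {"technique": "T1059.001", "user": None, "ip": None,
            "detail": host + " loaded the PowerShell engine from " + record.get("Image", "")}


DETECTORS = (external_forwarding, delegate_grant, unmanaged_powershell)


def analyze(records):
    """Run every detector over every record; returns the findings in log order."""
    return [hit for rec in records for det in DETECTORS if (hit := det(rec))]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(json.dumps(finding))
```

The forwarding detector only evaluates SMTP-form parameter values, so rules that reference a display name from the address book will need a directory lookup before the external/internal decision can be made.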

note

If a suspected APT35 compromise is identified, NCSC guidance recommends identity-first containment: force password resets, revoke refresh tokens, review MFA enrollments, and audit mailbox forwarding rules and OAuth consents before scoping for lateral movement. Authentication logs, mailbox audit logs, and forwarding rule change history are the highest-value forensic artifacts in most APT35 intrusions.

Sources & Further Reading

Primary sources used to build this profile.
