analyst@nohacky:~/threat-actors$
cat/threat-actors/charming-kitten
analyst@nohacky:~/charming-kitten.html
active threat profile
type Nation-State / APT
threat_level High
status Active
origin Iran (IRGC-IO)
last_updated 2026-03-13
CK
charming-kitten

Charming Kitten (APT42)

also known as: APT42 Mint Sandstorm PHOSPHORUS TA453 Magic Hound Yellow Garuda ITG18 CharmingCypress CALANQUE Newscaster Agent Serpens

An Iranian state-sponsored cyber espionage and surveillance group assessed with moderate confidence to operate on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). Active since at least 2012, Charming Kitten specializes in highly targeted social engineering, credential harvesting, and surveillance operations against individuals and organizations deemed opponents of or strategically significant to the Iranian regime — including journalists, dissidents, think tank researchers, diplomats, and foreign government officials.

attributed origin Iran
state sponsor IRGC Intelligence Organization (IRGC-IO)
first observed ~2012 (APT42 tracked since 2015)
primary motivation Espionage / Surveillance / Intelligence Collection
primary targets Think Tanks, Journalists, Dissidents, Government Officials, NGOs, Academia
confirmed operations 30+ confirmed since 2015 (likely far more)
mitre att&ck group G1044 (APT42) / G0059 (Magic Hound)
target regions Middle East, United States, Europe, Israel
threat level High

Overview

Charming Kitten is one of Iran's longest-running and most prolific cyber espionage operations. Mandiant formally designated the group as APT42 in September 2022, distinguishing it from the broader APT35 cluster while acknowledging significant overlap in public reporting. The group's operations are consistent with the mandate of the IRGC Intelligence Organization (IRGC-IO), which is responsible for monitoring and preventing foreign threats to the Islamic Republic and suppressing domestic unrest.

What distinguishes Charming Kitten from other Iranian threat groups is its emphasis on relationship-based access rather than technical exploitation. The group builds trust over days, weeks, or even months of email correspondence before attempting credential theft or malware deployment. Targets are approached by carefully constructed personas impersonating journalists, policy researchers, think tank analysts, and diplomatic contacts. In some campaigns, the group has gone so far as to create entirely fake webinar platforms, requiring victims to install malware-laden VPN applications before gaining access.

APT42's operations fall into three primary categories: credential harvesting (the dominant mode), surveillance operations using Android mobile malware against Iranian dissidents and activists domestically, and periodic malware deployment using custom backdoors when objectives extend beyond credential theft. Mandiant has confirmed over 30 targeted APT42 operations since 2015, but the actual number is assessed to be substantially higher due to visibility gaps from the group's targeting of personal email accounts and domestically focused surveillance efforts.

critical

APT42 remains highly active through 2025 and into 2026, with intensified operations during the Iran-Israel military escalation in June 2025. Proofpoint observed credential phishing against U.S. think tanks in March 2026 using personas impersonating policy researchers and inviting victims to roundtable discussions on Middle East air defense. The group has adopted GenAI for crafting malicious documents and continues expanding its cross-platform capabilities with the SpearSpecter campaign deploying the TameCat PowerShell backdoor with redundant C2 channels over HTTPS, Discord, and Telegram. A December 2025 leak of internal operational records exposed the group's infrastructure, cryptocurrency payments, and direct overlap with the Moses Staff persona.

Naming Complexity

Charming Kitten sits in a crowded naming space within the Iranian APT ecosystem. Mandiant tracks the group as APT42 (MITRE G1044), noting it partially overlaps with public reporting on TA453 (Proofpoint), Yellow Garuda (PwC), ITG18 (IBM X-Force), Mint Sandstorm/PHOSPHORUS (Microsoft), and CharmingCypress (Volexity). Microsoft states that Mandiant's APT42 corresponds to "modern day" Mint Sandstorm, while MITRE notes that vendor links to Magic Hound may represent distinct entities. The historical Charming Kitten name (CrowdStrike) encompasses the broadest scope of activity. Organizations should be aware that intelligence reports using these different names may describe overlapping but not identical activity clusters.

Target Profile

APT42 primarily targets individuals and organizations deemed opponents or enemies of the Iranian regime, as well as entities relevant to Iran's strategic intelligence priorities. Targeting shifts in response to evolving geopolitical dynamics, with a notable pivot to pharmaceutical and healthcare targets during COVID-19 in 2020.

  • Think Tanks, NGOs & Policy Research: The primary and most consistent target category. Western think tanks, research institutions, and NGOs focused on Middle Eastern affairs, nuclear security, and Iranian policy are targeted through elaborate impersonation of peer researchers. Researchers at RAND, RUSI, and various international policy organizations have been specifically targeted.
  • Journalists & Media: Journalists covering Iranian affairs, Middle Eastern geopolitics, and nuclear security are both targeted for intelligence collection and impersonated as lures. The group crafts fake personas tied to real media organizations and research institutions.
  • Iranian Dissidents & Diaspora: Former Iranian government officials, opposition group leaders, environmental activists, and members of the Iranian diaspora are targeted with credential phishing and Android surveillance malware (PINEFLOWER, VINETHORN). These domestic-focused operations align directly with the IRGC-IO's mandate to suppress internal dissent.
  • Government Officials & Diplomats: Current and former Western government officials, diplomats, and military personnel with knowledge of Middle Eastern affairs. In 2024, Google TAG blocked attempts to compromise personal email accounts of individuals affiliated with both the Biden and Trump presidential campaigns.
  • Academia & Legal Services: University researchers, professors, and legal professionals engaged in topics of Iranian strategic interest. Fake Google Books pages and spoofed university portals are used for credential harvesting.
  • Israel & U.S. Targets (Geopolitical Escalation): Since October 2023, approximately 60% of APT42's known geographic targeting has focused on the U.S. and Israel. High-profile military and political targets in Israel have been pursued with increasing intensity during periods of conflict escalation.

Tactics, Techniques & Procedures

APT42 prioritizes an identity-first operational posture, preferring credential harvesting and social engineering over technical exploitation. Malware deployment is selective and typically reserved for targets where deeper access is required beyond email compromise.

mitre idtechniquedescription
T1598 Phishing for Information Core technique. Engages targets in prolonged email conversations to build trust and rapport, often spanning weeks. Impersonates journalists, policy analysts, think tank employees, and embassy staff. Sometimes extracts intelligence through conversation alone without any malware delivery.
T1566 Phishing Delivers malicious links via benign-looking PDF attachments, direct email links, or messaging platforms (Signal, Telegram, WhatsApp). Links redirect to credential harvesting pages spoofing Google, Microsoft 365, Okta, or VPN portals. Also delivers macro-enabled documents and LNK files for backdoor deployment.
T1056.003 Web Portal Capture Operates extensive credential harvesting infrastructure with spoofed login pages impersonating Google, Microsoft, productivity platforms, and institutional portals. Clones legitimate websites to capture credentials and MFA tokens. In some campaigns, successfully bypassed MFA by capturing tokens or sending push notifications to victims.
T1114 Email Collection After successful credential theft, accesses victim email accounts for intelligence collection. Manipulates mailbox rules to create forwarding rules for ongoing collection. Also uses compromised accounts to send further phishing to the victim's contacts.
T1102 Web Service Leverages legitimate cloud platforms including Cloudflare Workers, Firebase, OneDrive, Netlify, and cloud storage services for C2 infrastructure and credential harvesting page hosting. Blends malicious traffic with normal web activity to complicate detection.
T1059.001 PowerShell TAMECAT backdoor operates as a PowerShell toehold capable of executing arbitrary PowerShell or C# content. SpearSpecter campaign deploys TameCat with AES-256 encryption and redundant C2 channels across HTTPS, Discord, and Telegram.
T1204 User Execution Fake webinar platforms require victims to install malware-laden VPN applications. Malicious LNK files masquerade as interview feedback forms or policy documents. GenAI-enhanced PDFs impersonate RAND and other research organizations.
T1437 Application Layer Protocol (Mobile) PINEFLOWER and VINETHORN Android malware conduct mobile surveillance: tracking GPS location, monitoring communications, reading SMS, accessing contacts and call history, recording audio/video, and exfiltrating data. Deployed against Iranian dissidents and activists.
T1036 Masquerading Creates elaborate fake personas using real individuals' identities. Registers typo-squatted domains mimicking legitimate organizations (e.g., spoofing rasanah-iiis.org). Builds fake Google Books pages for credential harvesting. Crafts fake webinar and conference invitation platforms.
T1588.004 Obtain Capabilities: Digital Certificates Registers numerous domains with stolen PII and cryptocurrency payments. December 2025 leaked operational records revealed structured spreadsheets tracking domain registrations, European VPS hosting, and Bitcoin/Cryptomus payments.

Known Campaigns

Confirmed or highly attributed operations linked to Charming Kitten / APT42.

Operation Saffron Rose / Newscaster 2013 – 2014

One of the earliest identified campaigns. Created fake social media profiles impersonating journalists to target U.S. military contractors and defense personnel. The operation was connected to former U.S. Air Force technical sergeant Monica Witt, who defected to Iran in 2013 and provided intelligence that enabled the targeting.

Iranian Opposition & Diaspora Surveillance 2015 – PRESENT

Ongoing surveillance operations targeting Iranian dissidents, opposition groups, environmental activists, and diaspora communities using Android mobile malware (PINEFLOWER, VINETHORN). In May 2017, targeted senior leadership of an Iranian opposition group in Europe and North America with fake Google Books credential harvesting pages. The "Kashef" national mass surveillance database used by the IRGC was reportedly hacked in 2025.

HBO Cyberattack Investigation 2017

Following a cyberattack on HBO that leaked confidential information, a joint investigation implicated Charming Kitten-linked actors. The attack demonstrated the group's ability to target major Western media organizations for intelligence value.

COVID-19 Pharmaceutical Targeting 2020

Temporarily pivoted to target pharmaceutical companies and healthcare organizations at the onset of the pandemic, reflecting a shift in Iranian intelligence priorities. Demonstrated the group's ability to rapidly reorient operational focus in response to geopolitical developments.

POWERSTAR / NokNok Cross-Platform Campaign 2023

Shifted payload delivery from document template injections to LNK files and ported the GorjoEcho/POWERSTAR backdoor to macOS as NokNok. Targeted nuclear security experts using personas impersonating RUSI researchers. When one target was found to use macOS, the group followed up a week later with a macOS-specific payload disguised as a VPN client.

CharmingCypress / BASICSTAR Campaign SEP – OCT 2023

Volexity documented spearphishing attacks impersonating the Rasanah International Institute for Iranian Studies using typo-squatted domains. Created a fake webinar platform requiring victims to install malware-laden VPN applications that deployed POWERLESS (Windows) or NOKNOK (macOS) backdoors.

NICECURL & TAMECAT Backdoor Campaigns 2024

Mandiant documented deployment of two custom backdoors: NICECURL (VBScript, HTTPS C2) and TAMECAT (PowerShell, capable of executing arbitrary PowerShell/C# content). Targeted NGOs, government, and intergovernmental organizations worldwide handling Iranian and Middle Eastern issues. Deployed via spear-phishing with malicious macro documents and LNK files.

U.S. Presidential Election Targeting MAY – AUG 2024

Google TAG detected and blocked attempts to compromise personal email accounts of approximately a dozen individuals affiliated with both the Biden and Trump presidential campaigns. Concurrent campaigns targeted Israeli diplomats, academics, NGOs, and political entities. Approximately 60% of APT42's known targeting during this period focused on the U.S. and Israel.

SpearSpecter Campaign 2025

Targeted senior government and defense officials through personalized WhatsApp outreach before guiding victims to malicious infrastructure. Deployed TameCat, a PowerShell backdoor operating almost entirely in memory with redundant C2 channels over HTTPS, Discord, and Telegram, all protected by AES-256 encryption. Represented an evolution toward deeper persistent access beyond credential theft.

GenAI-Enhanced Operations & Think Tank Targeting 2025 – 2026

Palo Alto Unit 42 observed APT42 using generative AI in a malicious PDF masquerading as a RAND Corporation document. In March 2026, Proofpoint detected credential phishing against a U.S. think tank in which the group impersonated a policy researcher inviting the victim to a roundtable on Middle East air defense, ultimately directing them to a OneDrive-themed credential harvesting page hosted on Netlify.

Tools & Malware

APT42 primarily relies on credential harvesting infrastructure over malware, but maintains a growing arsenal of custom backdoors and mobile surveillance tools for when deeper access is required.

  • TAMECAT: PowerShell-based backdoor capable of executing arbitrary PowerShell or C# content. Communicates via HTTP with Base64-encoded data. AES encrypts content with a hardcoded key. SpearSpecter variant uses redundant C2 over HTTPS, Discord, and Telegram. Operates almost entirely in memory to evade endpoint detection.
  • NICECURL: VBScript backdoor communicating over HTTPS. Can download and execute additional modules, providing a data mining capability and arbitrary command execution. Supports "kill" (artifact removal), "SetNewConfig" (sleep modification), and "Module" (download/execute) commands.
  • POWERSTAR / GorjoEcho: Custom backdoor used for espionage module deployment. Delivered via phishing with decoy PDFs. Creates startup persistence entries. Modules provide keylogging, screen capture, and data exfiltration capabilities.
  • NokNok: macOS port of GorjoEcho/POWERSTAR. Deployed as fake VPN clients. Uses bash scripts for exfiltration with encryption and base64 chunking. Modules include process enumeration and persistence analysis.
  • BASICSTAR: Visual Basic malware with limited overlap to POWERSTAR. Observed in late 2023 CharmingCypress campaigns. Part of the group's evolving cross-platform toolkit.
  • POWERLESS: Windows backdoor deployed via fake webinar VPN applications. Establishes VPN connections to attacker-controlled endpoints using OpenVPN configuration files.
  • PINEFLOWER / VINETHORN: Android mobile malware for surveillance operations. Capabilities include GPS tracking, SMS interception, contact and call history access, audio/video recording, and data exfiltration. Primarily deployed against Iranian dissidents and activists.
  • CHAIRSMACK / GHAMBAR / MAGICDROP / DOSTEALER: Additional custom tools in Mandiant's APT42 inventory supporting credential theft, host reconnaissance, and data exfiltration across various campaign stages.
  • TABBYCAT / VBREVSHELL: TABBYCAT is used for initial access; VBREVSHELL is a VBA macro that spawns a reverse shell using Windows API calls for lightweight, immediate interactive access.

Indicators of Compromise

Publicly available IOCs from Google TAG, Mandiant, Volexity, and government advisories.

warning

APT42's identity-first posture means that traditional IOCs (file hashes, IP addresses) have limited defensive value. The group's greatest threat is social engineering that produces no malware artifacts. Prioritize detection of anomalous authentication events, unexpected MFA registrations, mailbox rule manipulation, and suspicious forwarding — these behavioral indicators are more reliable than infrastructure-based IOCs, which rotate frequently.

known cves exploited
cve CVE-2023-38831 — WinRAR Remote Code Execution (used in recent campaigns)
behavioral indicators
technique Multi-week email rapport building before phishing delivery; impersonation of journalists, policy researchers, and think tank analysts
technique Benign PDF attachments containing shortened URLs redirecting to credential harvesting pages (Google, Microsoft 365, OneDrive themes)
technique Fake webinar and conference platforms requiring VPN application installation for access
technique Multi-channel engagement: initial contact via email, then escalation to Signal, Telegram, or WhatsApp for payload delivery
persistence New MFA method registrations (especially Microsoft Authenticator) following anomalous sign-ins; mailbox forwarding rule creation after credential capture
infrastructure Credential harvesting pages hosted on Netlify, Cloudflare Workers, Firebase, and cloud storage platforms; typo-squatted domains mimicking legitimate research organizations
c2 TAMECAT/SpearSpecter: Redundant C2 over HTTPS, Discord, and Telegram with AES-256 encryption and randomly generated IV in Content-DPR header

Mitigation & Defense

Recommended defensive measures for organizations in Charming Kitten's target profile, based on Mandiant, Google TAG, Volexity, and government advisories.

  • Educate high-risk users on relationship-based social engineering: Researchers, policy experts, journalists, executives, and dual nationals are disproportionately targeted by APT42's long-horizon rapport-building tactics. Train these individuals to verify the identity of unfamiliar correspondents through independent channels and to be suspicious of invitations to webinars, roundtables, or shared document platforms from new contacts.
  • Deploy phishing-resistant MFA: APT42 has demonstrated the ability to capture MFA tokens via cloned websites and successfully bypass MFA by sending push notifications to victims. FIDO2/WebAuthn hardware keys are strongly recommended for high-value personnel. Monitor for unexpected MFA method registrations, especially Microsoft Authenticator, following anomalous sign-in events.
  • Monitor for post-compromise mailbox manipulation: After successful credential harvesting, APT42 creates mailbox forwarding rules for ongoing intelligence collection. Audit email forwarding rules regularly, alert on new rule creation, and review logs for suspicious access patterns to executive and policy-relevant email accounts.
  • Restrict macro execution and LNK file handling: APT42 delivers TAMECAT via macro-enabled documents and NICECURL via malicious LNK files. Disable macros by default across the organization, configure attack surface reduction rules for Office products, and restrict LNK file execution from untrusted sources.
  • Protect mobile devices: APT42 deploys Android surveillance malware against targeted individuals. Ensure mobile device management (MDM) is deployed on devices used by high-risk personnel, restrict sideloading of applications, and monitor for unknown VPN profile installations.
  • Monitor for legitimate cloud service abuse: APT42 hosts credential harvesting infrastructure on Netlify, Cloudflare Workers, Firebase, and cloud storage services. Implement URL filtering that can identify and block newly registered or suspicious subdomains on these platforms.
  • Implement DMARC and email authentication: APT42 spoofs legitimate organizations and individuals in spearphishing campaigns. Strict DMARC, DKIM, and SPF policies help prevent domain impersonation and reduce the success rate of spoofed outreach emails.
  • Cross-reference multi-channel engagement: APT42 escalates initial email contact to Signal, Telegram, and WhatsApp for payload delivery. Treat unsolicited requests to move professional conversations to personal messaging platforms as a potential social engineering indicator, especially when combined with requests to install software or access shared resources.
note

APT42 is trusted by the Iranian government to quickly react to geopolitical changes by adjusting its operations to new targets of interest. The group's operational focus has shifted in response to the COVID-19 pandemic, the 2024 U.S. presidential election, and the ongoing Iran-Israel conflict. Organizations involved in Middle Eastern policy, nuclear security, or Iranian affairs should assume heightened targeting during periods of geopolitical escalation involving Iran. The December 2025 infrastructure leak revealed the operational maturity of the group's domain registration, VPS management, and cryptocurrency payment workflows, confirming long-standing assessments of its organizational sophistication.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile