🇮🇷 APT35. Charming Kitten

Overview
APT35, also known as Charming Kitten, Phosphorus, Newscaster Team, or Ajax Security Team, is a state-sponsored Iranian cyber threat group active since at least 2013. Unlike other Iranian APT groups focused on disruptive cyberattacks (e.g., APT33) or financial operations (e.g., APT38), APT35 specializes in cyber espionage, credential theft, surveillance, and influence operations.
APT35 primarily targets government entities, dissidents, media organizations, and nuclear policy experts. The group is notorious for its use of spear-phishing, social engineering, and credential-harvesting techniques to infiltrate networks and collect intelligence on individuals of interest to Iran’s government and security agencies.
APT35 operates under the direction of the Islamic Revolutionary Guard Corps (IRGC) and Iran’s intelligence agencies, engaging in cyber-enabled espionage campaigns that align with Iran’s geopolitical interests, particularly in the Middle East, the United States, and Europe.
Despite sanctions and defensive countermeasures, APT35 remains a persistent threat, expanding its targeting scope, improving its operational security, and adapting to evolving cybersecurity defenses.
Background and Attribution Indicators
APT35 was first identified in 2013 when cybersecurity firms such as FireEye (Mandiant), Microsoft, and ClearSky linked its activities to Iranian government operations. The group has evolved over the years, adapting its tactics to remain effective in conducting cyber espionage and political influence campaigns.
Attribution to Iran
APT35 is strongly linked to Iran, with evidence confirming:
• Direct ties to the IRGC: Many of its operations support Iranian intelligence and security policies.
• Targeting patterns that align with Iranian geopolitical objectives, particularly against dissidents, journalists, and nuclear policy experts.
• Infrastructure overlaps with other Iranian cyber operations, including APT33 (Elfin) and APT34 (OilRig).
• Use of Persian-language malware, phishing lures, and decoy content.
APT35’s focus on credential theft and social engineering makes it one of the most active Iranian cyber espionage groups, conducting persistent intelligence-gathering campaigns.
Focus
APT35 primarily targets individuals and organizations involved in Middle Eastern and international security, diplomacy, and nuclear policy. Its key focus areas include:
1. Government and Military Entities
• Espionage against U.S. and European government agencies, intelligence services, and foreign ministries.
2. Nuclear and Energy Sectors
• Monitoring nuclear negotiations, energy research, and non-proliferation experts.
3. Human Rights Organizations and Political Dissidents
• Surveillance of Iranian dissidents, activists, journalists, and academics.
4. Media and Think Tanks
• Infiltrating news agencies, research organizations, and policy think tanks to influence public narratives on Iran’s policies.
5. Healthcare and COVID-19 Research
• Espionage targeting vaccine researchers and public health officials during the pandemic.
APT35’s operations blend cyber espionage with political influence strategies, reinforcing Iran’s strategic goals.
Attack Vectors and Lifecycle
APT35 employs a structured attack methodology, primarily using social engineering, phishing, and malware deployment.
APT35’s Attack Lifecycle
1. Initial Access
• Spear-phishing emails impersonating journalists, policymakers, and academic institutions.
• Fake websites and social media profiles mimicking legitimate platforms.
• Credential theft via malicious login pages for Google, Microsoft, and social media accounts.
2. Establishing Persistence
• Deployment of remote access tools (RATs) and browser hijacking scripts.
• Use of stolen credentials to maintain long-term surveillance on targets.
3. Lateral Movement and Privilege Escalation
• Exploiting cloud services and email accounts to spread malware within organizations.
• Leveraging compromised social media accounts to distribute malicious content.
4. Data Exfiltration and Intelligence Gathering
• Stealing email archives, sensitive documents, and private communications.
• Monitoring activists, journalists, and political figures.
5. Covering Tracks and Evasion
• Frequently changing infrastructure and modifying phishing domains.
• Deploying anti-detection techniques to avoid security scrutiny.
APT35’s reliance on social engineering rather than malware-heavy attacks makes it challenging to detect using traditional cybersecurity tools.
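The credential-theft step above (fake Google and Microsoft login pages hosted on rotating look-alike domains) is one of the few parts of this lifecycle a defender can catch in proxy or DNS telemetry. The following is an added example, not code from the original page or from any vendor report: it flags visits to hosts that carry a brand token but resolve to a non-brand registrable domain and a login-style path. The allowlist, log format and hostnames are constructed; the registrable-domain logic is naive (last two labels, no public-suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: registrable domains that may legitimately host each brand's login.
LEGIT = {
    "google": {"google.com", "gmail.com", "youtube.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
}
LOGIN_HINT = re.compile(r"login|signin|sign-in|account|verify|password", re.I)
# Digit-for-letter substitutions commonly used to build look-alike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable(host):
    """Naive eTLD+1: the last two labels. Assumption: no public-suffix list available."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return the impersonated brand if url looks like a look-alike login page, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    # Fold homoglyph digits and hyphens so 'micros0ft-login' still matches 'microsoft'.
    folded = host.lower().translate(HOMOGLYPHS).replace("-", "")
    for brand, domains in LEGIT.items():
        if brand in folded and registrable(host) not in domains:
            if LOGIN_HINT.search(parsed.path + "?" + parsed.query):
                return brand
    return None


def scan_proxy_log(lines):
    """Return (timestamp, src_ip, url, brand) for each line that looks like a harvesting-page visit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than guess
        ts, src, url = parts[0], parts[1], parts[2]
        brand = classify_url(url)
        if brand:
            hits.append((ts, src, url, brand))
    return hits


# Constructed sample proxy log: "<timestamp> <client ip> <url>".
SAMPLE_LOG = [
    "2024-01-15T09:12:01Z 10.0.0.12 https://accounts.google.com/signin/v2",
    "2024-01-15T09:14:33Z 10.0.0.12 https://login.microsoftonline.com/common/oauth2",
    "2024-01-15T09:20:05Z 10.0.0.45 https://micros0ft-login.example.net/account/verify?user=j.doe",
    "2024-01-15T09:21:40Z 10.0.0.45 https://mail.google.com.secure-verify.example/login",
    "2024-01-15T09:25:00Z 10.0.0.78 https://news.example.org/article/policy-brief",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("possible credential-harvesting page:", hit)
```

Legitimate hosts under brand-owned domains that are not in the allowlist will be flagged, so tune LEGIT from your own traffic before alerting on this in production.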
Major Attacks and Impact
APT35 has conducted several high-profile cyber espionage campaigns, influencing diplomatic and security developments.
1. Operation Newscaster (2014-2016)
• APT35 created fake journalist personas and social media accounts to interact with and spy on Western military personnel and policymakers.
2. Credential Theft Campaigns Against U.S. and European Officials (2019-2021)
• APT35 launched phishing attacks impersonating security officials to collect login credentials from U.S. and European government staff.
3. Espionage on Nuclear Negotiations (2015-Present)
• The group targeted nuclear policy experts, diplomats, and think tanks involved in Iran nuclear deal discussions.
4. Cyber Attacks on Dissidents and Journalists (2018-Present)
• APT35 has infiltrated opposition groups and human rights activists, leading to surveillance, arrests, and censorship of dissenting voices.
These attacks have impacted political discourse, intelligence operations, and diplomatic relations between Iran and Western nations.
Strategic Responses
U.S. and European Countermeasures
• Sanctions against Iranian cyber entities, restricting access to international financial systems.
• Indictments against APT35 members for cyber espionage activities.
• Public attribution of Iranian cyber threats to deter future attacks.
Private Sector and Cybersecurity Firms
• Enhanced AI-driven phishing detection systems to counter APT35’s social engineering attacks.
• Collaboration between tech companies (Google, Microsoft) and intelligence agencies to neutralize fake APT35 domains.
Iran’s Response
• Iran denies state involvement, framing cybersecurity accusations as politically motivated.
• Iran continues to develop domestic cybersecurity policies, enhancing its offensive and defensive cyber capabilities.
Despite increased countermeasures, APT35 remains highly active, continuously refining its tactics to evade detection and maintain operational effectiveness.
Outlook
APT35 is expected to:
1. Expand its espionage operations into artificial intelligence and quantum computing research.
2. Increase disinformation campaigns to manipulate public narratives in international media.
3. Target cloud-based and decentralized networks to bypass traditional security defenses.
4. Strengthen influence operations, using deepfake technology and AI-generated phishing.
As Iran faces geopolitical tensions with the U.S., EU, and Middle Eastern adversaries, APT35 will remain a key cyber tool for espionage, surveillance, and influence operations.