Charming Kitten (also known as APT35, Phosphorus, TA453, Mint Sandstorm, ITG18) is a state-sponsored advanced persistent threat group attributed to Iran (IRGC), active since 2014. The group primarily targets academics, journalists, dissidents, and the defense and government sectors. It is tracked by MITRE ATT&CK as G0059.
Overview & Attribution
Iranian IRGC-affiliated APT conducting sophisticated social engineering and credential harvesting campaigns against academics, journalists, and government officials worldwide.
Charming Kitten has been active since 2014 and is attributed to Iran (IRGC). The group is known for targeting academics, journalists, dissidents, and the defense and government sectors using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.
- Attribution: Iran (IRGC)
- Active since: 2014
- Primary targets: academics, journalists, dissidents, defense, government
- Also known as: APT35, Phosphorus, TA453, Mint Sandstorm, ITG18
Arsenal & Tools
Charming Kitten employs a diverse arsenal of custom and shared tooling:
- HYPERSCRAPE: Custom/shared tooling used in operations
- PowerStar: Custom/shared tooling used in operations
- BellaCiao: Custom/shared tooling used in operations
- BASICSTAR: Custom/shared tooling used in operations
- MediaPl: Custom/shared tooling used in operations
Targeting & Operations
The group focuses on academics, journalists, dissidents, and the defense and government sectors, with operations spanning multiple geographic regions. Its campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.
Charming Kitten is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.002 Phishing Link | Social engineering via email/social media |
| Credential Access | T1556 Modify Authentication | Credential phishing pages |
| Persistence | T1505.003 Web Shell | Web shell deployment |
| Collection | T1114.002 Remote Email Collection | Email exfiltration |
| Defense Evasion | T1027.002 Software Packing | Payload obfuscation |
| C2 | T1102 Web Service | Cloud-based C2 |
Notable Campaigns
Charming Kitten has been linked to multiple significant campaigns targeting academic, media, dissident, defense, and government organizations. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- Long-term espionage: Multi-year intrusions into government and defense networks
- Supply chain targeting: Compromise of technology providers and managed service providers
- Zero-day exploitation: Use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: Monitor for known Charming Kitten IOCs and TTPs in SIEM/EDR platforms
- Network monitoring: Detect C2 patterns associated with HYPERSCRAPE and related tooling
- Email security: Implement advanced phishing detection for spearphishing campaigns
- Endpoint detection: Deploy behavioral detection rules for known Charming Kitten TTPs
- Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
- Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage
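The ATT&CK mapping above pairs credential phishing (T1566.002 / T1556) with remote email collection (T1114.002), and the detection bullets call for monitoring suspicious authentication patterns. The following added example (not code from the page or from Mjolnir Security) correlates those two stages over a constructed, simplified sign-in and mailbox audit feed: a sign-in from an IP never seen for that user, followed within a short window by a bulk mailbox read from the same IP. The event schema, field names, sample IPs and thresholds are assumptions for illustration, not a real product's log format.

```python
"""Correlate a sign-in from an unknown IP with a follow-on bulk mailbox read.
Added example; the event schema below is assumed, not a vendor's real format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real telemetry).
# Fields: ts (ISO 8601), user, event, src_ip, client, items (for mailbox_sync).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:02:10", "user": "prof.a", "event": "login_ok",
     "src_ip": "203.0.113.7", "client": "browser"},
    {"ts": "2024-03-01T08:05:44", "user": "prof.a", "event": "mailbox_sync",
     "src_ip": "203.0.113.7", "client": "imap", "items": 4800},
    {"ts": "2024-03-01T09:15:00", "user": "journo.b", "event": "login_ok",
     "src_ip": "198.51.100.20", "client": "browser"},
    {"ts": "2024-03-01T09:20:00", "user": "journo.b", "event": "mailbox_sync",
     "src_ip": "198.51.100.20", "client": "browser", "items": 35},
]

# Constructed baseline of IPs previously seen per user (would come from history).
KNOWN_IPS = {"prof.a": {"192.0.2.10"}, "journo.b": {"198.51.100.20"}}


def detect_post_phish_collection(events, known_ips, window_minutes=30, bulk_threshold=1000):
    """Return one alert per user whose sign-in from a previously unseen IP is
    followed within window_minutes by a mailbox_sync of >= bulk_threshold items
    from that same IP. Baseline gaps (unknown user) are treated as no known IPs."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "login_ok" or e["src_ip"] in known_ips.get(user, set()):
                continue  # only sign-ins from IPs not in the user's baseline
            t0 = datetime.fromisoformat(e["ts"])
            for f in evs[i + 1:]:
                if datetime.fromisoformat(f["ts"]) - t0 > timedelta(minutes=window_minutes):
                    break  # outside the correlation window; stop scanning
                if (f["event"] == "mailbox_sync" and f["src_ip"] == e["src_ip"]
                        and f.get("items", 0) >= bulk_threshold):
                    alerts.append({"user": user, "src_ip": e["src_ip"],
                                   "items": f["items"], "first_seen": e["ts"]})
                    break  # one alert per suspicious sign-in is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_post_phish_collection(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

Only prof.a is flagged: the sign-in comes from an IP outside that user's baseline and is followed minutes later by a 4,800-item sync, while journo.b's small sync from a known IP stays below both conditions.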
Defend Against Charming Kitten
Mjolnir Security provides specialized capabilities to detect and respond to Charming Kitten operations.
- APT Threat Hunting Proactive hunting for Charming Kitten TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence Continuous monitoring of Charming Kitten campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.