Charming Kitten
Country: Islamic Republic of Iran
Organization: Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO)
Objective: Espionage, intelligence collection
(Page last updated December 25, 2024)
Aliases:
- APT42 (Mandiant)
- APT35 (Check Point Research, Google Threat Analysis Group, ThreatBook)
- Ballistic Bobcat (ESET)
- CALANQUE (Google Threat Analysis Group)
- CharmingCypress (Volexity)
- Charming Kitten (Clearsky, CERT-FA, Bitdefender)
- COBALT ILLUSION (Secureworks)
- ITG18 (IBM)
- Magic Hound (MITRE, Unit 42, Cyble)
- Mint Sandstorm (Microsoft)
- PHOSPHORUS (previously used by Microsoft, The DFIR Report, Deep Instinct, Cybereason)
- TAG-56 (previously used by Recorded Future)
- TA453 (Proofpoint)
- TunnelVision or Tunnel Vision (eSentire, SentinelOne)
- Yellow Garuda (PwC)
Sub-group:
- Nemesis Kitten (CrowdStrike)
- Storm-0270 (Microsoft, formerly tracked as DEV-0270)
- TA455 (Clearsky)
Identified Members
- Seyyed Ali Aghamiri (سید علی آقامیری): FBI Most Wanted
- Yasar Balaghi (یاسر بلاغی): FBI Most Wanted
- Masoud Jalili (مسعود جلیلی): FBI Most Wanted
General Information:
Vulnerabilities Exploited
- CVE-2022-47966 (9.8 critical) Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability. Source: Microsoft
- CVE-2023-27350 (9.8 critical) PaperCut MF/NG Improper Access Control Vulnerability. Source: Microsoft Threat Intelligence
- CVE-2022-47986 (9.8 critical) IBM Aspera Faspex Code Execution Vulnerability. Source: Microsoft
- Log4Shell:
  - CVE-2021-44228 (10.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell). Source: Check Point Research, Microsoft
  - CVE-2021-45046 (9.0 critical) Apache Log4j2 Deserialization of Untrusted Data Vulnerability. Source: Microsoft
- CVE-2018-13379 (9.8 critical) Fortinet FortiOS SSL VPN Path Traversal Vulnerability. Source: Microsoft, SentinelOne
- ProxyLogon (Source: Microsoft):
  - CVE-2021-26855 (9.8 critical) Microsoft Exchange Server Remote Code Execution Vulnerability
  - CVE-2021-26857 (7.8 high) Microsoft Exchange Server Remote Code Execution Vulnerability
  - CVE-2021-26858 (7.8 high) Microsoft Exchange Server Remote Code Execution Vulnerability
  - CVE-2021-27065 (7.8 high) Microsoft Exchange Server Remote Code Execution Vulnerability
- ProxyShell (Source: The DFIR Report):
  - CVE-2021-34473 (9.1 critical) Microsoft Exchange Server Remote Code Execution Vulnerability
  - CVE-2021-34523 (9.8 critical) Microsoft Exchange Server Privilege Escalation Vulnerability
  - CVE-2021-31207 (6.6 medium) Microsoft Exchange Server Security Feature Bypass Vulnerability
Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK
Known Tools Used
External link: MITRE
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
- December 20, 2024 – Kaspersky: BellaCPP: Discovering a new BellaCiao variant written in C++
- November 28, 2024 – ThreatBook: APT35 Forges Recruitment Sites, Launches Attacks on Aerospace and Semiconductor Industries in Multiple Countries
- November 12, 2024 – ClearSky: Iranian “Dream Job” Campaign 11.24 (subgroup)
- September 27, 2024:
  - FBI: Iranian Cyber Actors Targeting Personal Accounts to Support Operations (PDF)
  - U.S. Department of Justice: Three IRGC Cyber Actors Indicted for ‘Hack-and-Leak’ Operation Designed to Influence the 2024 U.S. Presidential Election
  - U.S. Treasury: Treasury Sanctions Iranian Regime Agents Attempting to Interfere in U.S. Elections
  - U.S. State Department: United States Sanctions Iran-Backed Malicious Cyber Actors That Have Attempted to Influence U.S. Elections
  - Rewards for Justice: IRGC Hackers
- August 28, 2024 – Mandiant: I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation (note: weak overlap)
- August 23, 2024 – Meta: Taking Action Against Malicious Accounts in Iran
- August 20, 2024 – Proofpoint: Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset
- August 20, 2024 – Recorded Future: GreenCharlie Infrastructure Linked to US Political Campaign Targeting, available as PDF
- August 19, 2024 – CISA: Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts (Note: not explicitly identified)
- August 14, 2024 – Google Threat Analysis Group (TAG): Iranian backed group steps up phishing campaigns against Israel, U.S.
- August 14, 2024 – Harfang Lab: Cyclops: a likely replacement for BellaCiao
- August 08, 2024 – Microsoft Threat Analysis Center: Iran Targeting 2024 US Election
- May 22, 2024 – Cyble: Threat Actor Profile: Magic Hound
- May 10, 2024 – New Jersey Cybersecurity & Communications Integration Cell (NJ-CCIC): Recent Observed Iranian State-Sponsored Cyber Threat Group Activity (ATTRIBUTION to IRGC-IO)
- May 1, 2024 – Mandiant: Uncharmed: Untangling Iran's APT42 Operations
- February 13, 2024 – Volexity: CharmingCypress: Innovating Persistence
- January 17, 2024 – Microsoft: New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs
2023
- November 09, 2023 – Microsoft: Microsoft shares threat intelligence at CYBERWARCON 2023
- September 11, 2023 – ESET: Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor
- July 06, 2023 – Proofpoint: Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware
- June 28, 2023 – Volexity: Charming Kitten Updates POWERSTAR with an InterPlanetary Twist
- April 26, 2023 – Bitdefender: Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware
- April 18, 2023 – Microsoft: Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets
- March 09, 2023 – Secureworks: COBALT ILLUSION Masquerades as Atlantic Council Employee
2022
- December 14, 2022 – Proofpoint: Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations
- December 12, 2022 – SOCRadar: Dark Web Profile: APT42 – Iranian Cyber Espionage Group
- November 29, 2022 – Recorded Future: Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank, available as PDF
- September 27, 2022 – Avertium: An In-Depth Look at APT35 aka Charming Kitten
- September 14, 2022 – U.S. Treasury: Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity (ATTRIBUTION to IRGC, links “Tunnel Vision” to Charming Kitten)
- September 13, 2022 – Proofpoint: Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO
- September 09, 2022 – CERT-FA: Charming Kitten: “Can We Have A Meeting?”
- September 07, 2022 – Mandiant: APT42: Crooked Charms, Cons, and Compromises, available as PDF
- September 07, 2022 – Microsoft: Profiling DEV-0270: PHOSPHORUS’ ransomware operations
- August 23, 2022 – Google Threat Analysis Group (TAG): New Iranian APT data extraction tool
- July 22, 2022 – PwC: Old cat, new tricks, bad habits
- June 01, 2022 – Deep Instinct: Iranian Threat Actor Continues to Develop Mass Exploitation Tools
- March 30, 2022 – Recorded Future: Social Engineering Remains Key Tradecraft for Iranian APTs, available as PDF
- March 21, 2022 – The DFIR Report: PHOSPHORUS Automates Initial Access Using ProxyShell
- March 09, 2022 – eSentire: Exploitation of VMware Horizon Servers by TunnelVision Threat Actor
- February 17, 2022 – SentinelOne: Log4j2 In The Wild | Iranian-Aligned Threat Actor “TunnelVision” Actively Exploiting VMware Horizon
- February 01?, 2022 – Cybereason: PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
- January 11, 2022 – Check Point Research: APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit
2021
- November 16, 2021 – Microsoft: Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021
- November 15, 2021 – The DFIR Report: Exchange Exploit Leads to Domain Wide Ransomware
- October 14, 2021 – Google Threat Analysis Group (TAG): Countering threats from Iran
- August 04, 2021 – IBM: ITG18: Operational security errors continue to plague sizable Iranian threat group
- July 13, 2021 – Proofpoint: Operation SpoofedScholars: A Conversation with TA453
- March 30, 2021 – Proofpoint: BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns
- January 08, 2021 – CERT-FA: Charming Kitten’s Christmas Gift
2020
- October 28, 2020 – Microsoft: Cyberattacks target international conference attendees
- August 27, 2020 – Clearsky: The Kittens Are Back in Town 3, available as PDF
- July 16, 2020 – IBM: New Research Exposes Iranian Threat Group Operations
- January 30, 2020 – CERT-FA: Fake Interview: The New Activity of Charming Kitten
2019
- October 07, 2019 – Clearsky: The Kittens Are Back in Town 2 – Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods
- October 04, 2019 – Microsoft: Recent cyberattacks require us all to be vigilant
- September 15, 2019 – Clearsky: The Kittens Are Back in Town Charming Kitten – Campaign Against Academic Researchers
- March 17, 2019 – Microsoft: New steps to protect customers from hacking
2018
- December 13, 2018 – CERT-FA: The Return of The Charming Kitten
2017
- December 05, 2017 – Clearsky: Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets, available as PDF
- February 06, 2017 – Iran Threats: iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)
2016
- November 11, 2016 – Iran Threats: Fictitious Profiles and WebRTC’s Privacy Leaks Used to Identify Iranian Activists
- April 27, 2016 – Kaspersky: Freezer Paper around Free Meat