| SYMBOL | COMMON_NAME | aka. SYNONYMS |
FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.
| 2025-05-07
⋅
Palo Alto Networks Unit 42
⋅
Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation APT35 |
| 2024-08-14
⋅
cyble
⋅
Cryptocurrency Lures and Pupy RAT: Analysing the UTG-Q-010 Campaign pupy UTG-Q-010 |
| 2024-01-17
⋅
Microsoft
⋅
New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs MediaPI |
| 2023-04-18
⋅
Microsoft
⋅
Nation-state threat actor PHOSPHORUS refines tradecraft to attack high-value targets Drokbk |
| 2023-01-04
⋅
K7 Security
⋅
Pupy RAT hiding under WerFault’s cover pupy |
| 2022-12-12
⋅
SOCRadar
⋅
Dark Web Profile: APT42 – Iranian Cyber Espionage Group PINEFLOWER VINETHORN VBREVSHELL BROKEYOLK CHAIRSMACK DOSTEALER GHAMBAR SILENTUPLOADER TAG-56 |
| 2022-12-09
⋅
Secureworks
⋅
Drokbk Malware Uses GitHub as Dead Drop Resolver Drokbk |
| 2022-09-26
⋅
CrowdStrike
⋅
The Anatomy of Wiper Malware, Part 3: Input/Output Controls CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare |
| 2022-08-12
⋅
CrowdStrike
⋅
The Anatomy of Wiper Malware, Part 1: Common Techniques Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare |
| 2022-07-22
⋅
PWC UK
⋅
Old cat, new tricks, bad habits An analysis of Charming Kitten’s new tools and OPSEC errors TelegramGrabber |
| 2022-06-20
⋅
⋅
Infinitum IT
⋅
Charming Kitten (APT35) LaZagne DownPaper MimiKatz pupy |
| 2022-06-15
⋅
Volexity
⋅
DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach pupy Sliver DriftingCloud |
| 2022-05-23
⋅
Trend Micro
⋅
Operation Earth Berberoka reptile oRAT Ghost RAT PlugX pupy Earth Berberoka |
| 2022-05-12
⋅
Secureworks
⋅
COBALT MIRAGE Conducts Ransomware Operations in U.S. CobaltMirage FRP APT35 |
| 2022-04-28
⋅
Fortinet
⋅
An Overview of the Increasing Wiper Malware Threat AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare |
| 2022-04-27
⋅
Trendmicro
⋅
IOCs for Earth Berberoka - Linux Rekoobe pupy Earth Berberoka |
| 2022-03-30
⋅
Recorded Future
⋅
Social Engineering Remains Key Tradecraft for Iranian APTs Liderc pupy |
| 2022-03-09
⋅
eSentire
⋅
Exploitation of VMware Horizon Servers by TunnelVision Threat Actor Drokbk |
| 2022-03-08
⋅
Cylera
⋅
The link between Kwampirs (Orangeworm) and Shamoon APTs DistTrack Kwampirs |
| 2022-02-17
⋅
SentinelOne
⋅
Log4j2 In The Wild | Iranian-Aligned Threat Actor “TunnelVision” Actively Exploiting VMware Horizon APT35 |
| 2022-01-11
⋅
Check Point
⋅
APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit APT35 |
| 2021-11-16
⋅
Microsoft
⋅
Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 APT35 Gray Sandstorm |
| 2021-08-20
⋅
YouTube (Black Hat)
⋅
The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker LittleLooter |
| 2021-08-05
⋅
Symantec
⋅
Attacks Against Critical Infrastructure: A Global Concern BlackEnergy DarkSide DistTrack Stuxnet |
| 2021-08-04
⋅
Security Intelligence
⋅
ITG18: Operational Security Errors Continue to Plague Sizable Iranian Threat Group LittleLooter |
| 2021-08-04
⋅
BlackHat
⋅
The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker LittleLooter |
| 2021-07-28
⋅
Proofpoint
⋅
I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona Liderc SysKit |
| 2021-07-15
⋅
Facebook
⋅
Taking Action Against Hackers in Iran Liderc SysKit |
| 2021-02-28
⋅
PWC UK
⋅
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team |
| 2020-12-12
⋅
Twitter (MalwareHunterTeam)
⋅
Tweet on ITG18 android implant LittleLooter |
| 2020-03-03
⋅
PWC UK
⋅
Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle |
| 2020-02-13
⋅
Qianxin
⋅
APT Report 2019 Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
| 2020-02-10
⋅
ZDNet
⋅
FBI warns about ongoing attacks against software supply chain companies DistTrack Kwampirs |
| 2020-01-23
⋅
Recorded Future
⋅
European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019 pupy pupy pupy |
| 2019-12-21
⋅
MalwareInDepth
⋅
Shamoon 2012 Complete Analysis DistTrack |
| 2019-11-19
⋅
FireEye
⋅
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell |
| 2019-09-25
⋅
Twitter (@QW5kcmV3)
⋅
Tweet on APT35 activity SysKit |
| 2019-09-24
⋅
Cisco Talos
⋅
How Tortoiseshell created a fake veteran hiring website to host malware Liderc SysKit |
| 2019-09-24
⋅
DARKReading
⋅
Iranian Government Hackers Target US Veterans SysKit Tortoiseshell |
| 2019-09-18
⋅
Symantec
⋅
Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks SysKit Tortoiseshell |
| 2019-08-22
⋅
Github (n1nj4sec)
⋅
Pupy RAT pupy pupy pupy |
| 2019-03-27
⋅
Symantec
⋅
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33 |
| 2019-03-27
⋅
Symantec
⋅
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33 |
| 2019-03-27
⋅
Microsoft
⋅
New steps to protect customers from hacking APT35 Charming Kitten Cleaver |
| 2019-01-01
⋅
Council on Foreign Relations
⋅
Magic Hound APT35 Cleaver |
| 2019-01-01
⋅
MITRE
⋅
Group description: Magic Hound APT35 Cleaver |
| 2018-12-21
⋅
FireEye
⋅
OVERRULED: Containing a Potentially Destructive Adversary POWERTON PoshC2 pupy |
| 2018-12-14
⋅
Symantec
⋅
Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail DistTrack Filerase StoneDrill OilRig |
| 2018-12-13
⋅
Palo Alto Networks Unit 42
⋅
Shamoon 3 Targets Oil and Gas Organization DistTrack |
| 2018-01-01
⋅
Council on Foreign Relations
⋅
APT 35 APT35 |
| 2018-01-01
⋅
FireEye
⋅
M-TRENDS2018 APT35 OilRig |
| 2017-12-05
⋅
Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets DownPaper |
| 2017-12-01
⋅
ClearSky
⋅
Charming Kitten DownPaper Charming Kitten |
| 2017-03-26
⋅
Palo Alto Networks Unit 42
⋅
Shamoon 2: Delivering Disttrack DistTrack |
| 2017-03-14
⋅
FireEye
⋅
M-Trend 2017: A View From the Front Lines DistTrack Powersniff FIN8 |
| 2017-03-07
⋅
Kaspersky Labs
⋅
FROM SHAMOON TO STONEDRILL: Wipers attacking Saudi organizations and beyond StoneDrill |
| 2017-02-27
⋅
Symantec
⋅
Shamoon: Multi-staged destructive attacks limited to specific targets DistTrack MimiKatz Rocket Kitten |
| 2017-02-16
⋅
SecurityAffairs
⋅
Iranian hackers behind the Magic Hound campaign linked to Shamoon pupy APT35 |
| 2017-02-15
⋅
Palo Alto Networks Unit 42
⋅
Magic Hound Campaign Attacks Saudi Targets Leash MPKBot pupy Rocket Kitten |
| 2017-02-15
⋅
Palo Alto Networks Unit 42
⋅
Magic Hound Campaign Attacks Saudi Targets APT35 Cleaver |
| 2017-02-15
⋅
Secureworks
⋅
Iranian PupyRAT Bites Middle Eastern Organizations pupy Cleaver |
| 2017-02-10
⋅
⋅
JPCERT/CC
⋅
Malware that infects using PowerSploit pupy |
| 2017-02-05
⋅
VinRansomware
⋅
Detailed threat analysis of Shamoon 2.0 Malware DistTrack |
| 2017-01-23
⋅
Symantec
⋅
Greenbug cyberespionage group targeting Middle East, possible links to Shamoon DistTrack ISMDoor Greenbug |
| 2017-01-23
⋅
Symantec
⋅
Greenbug cyberespionage group targeting Middle East, possible links to Shamoon DistTrack ISMDoor Greenbug |
| 2017-01-09
⋅
Palo Alto Networks Unit 42
⋅
Second Wave of Shamoon 2 Attacks Identified DistTrack |
| 2016-12-03
⋅
Coding and Security
⋅
"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis DistTrack |
| 2016-11-30
⋅
Symantec
⋅
Shamoon: Back from the dead and destructive as ever DistTrack OilRig |
| 2016-11-30
⋅
Palo Alto Networks Unit 42
⋅
Shamoon 2: Return of the Disttrack Wiper DistTrack |
| 2015-11-01
⋅
Check Point
⋅
ROCKET KIT TEN: A CAMPAIGN WITH 9 LIVES FireMalv MPKBot Woolger Cleaver Rocket Kitten |
| 2012-08-17
⋅
Contagiodump Blog
⋅
Shamoon or DistTrack.A samples DistTrack |
| 2012-08-16
⋅
Kaspersky Labs
⋅
Shamoon the Wiper – Copycats at Work DistTrack |
| 2012-08-16
⋅
Symantec
⋅
The Shamoon Attacks DistTrack OilRig |