SYMBOLCOMMON_NAMEaka. SYNONYMS

APT35  (Back to overview)

aka: APT 35, Newscaster Team

FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.

Associated Families
win.pupy win.syskit
References
2022-06-20Infinitum ITinfinitum IT
@online{it:20220620:charming:b356ff2, author = {infinitum IT}, title = {{Charming Kitten (APT35)}}, date = {2022-06-20}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/apt-35/}, language = {Turkish}, urldate = {2022-06-22} } Charming Kitten (APT35)
LaZagne DownPaper MimiKatz pupy
2022-06-15VolexitySteven Adair, Thomas Lancaster, Volexity Threat Research
@online{adair:20220615:driftingcloud:58322a8, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach}}, date = {2022-06-15}, organization = {Volexity}, url = {https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/}, language = {English}, urldate = {2022-06-17} } DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach
pupy Sliver
2022-03-30Recorded FutureInsikt Group
@techreport{group:20220330:social:e36c4e5, author = {Insikt Group}, title = {{Social Engineering Remains Key Tradecraft for Iranian APTs}}, date = {2022-03-30}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf}, language = {English}, urldate = {2022-04-05} } Social Engineering Remains Key Tradecraft for Iranian APTs
Liderc pupy
2021-07-28ProofpointJoshua Miller, Michael Raggi, Crista Giering
@online{miller:20210728:i:23e9aad, author = {Joshua Miller and Michael Raggi and Crista Giering}, title = {{I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona}}, date = {2021-07-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media}, language = {English}, urldate = {2021-07-29} } I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona
Liderc SysKit
2021-07-15FacebookMike Dvilyanski, David Agranovich
@online{dvilyanski:20210715:taking:10d945f, author = {Mike Dvilyanski and David Agranovich}, title = {{Taking Action Against Hackers in Iran}}, date = {2021-07-15}, organization = {Facebook}, url = {https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/}, language = {English}, urldate = {2021-07-20} } Taking Action Against Hackers in Iran
Liderc SysKit
2020-01-23Recorded FutureInsikt Group
@techreport{group:20200123:european:c3ca9e3, author = {Insikt Group}, title = {{European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019}}, date = {2020-01-23}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf}, language = {English}, urldate = {2020-01-27} } European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019
pupy pupy pupy
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-09-25Twitter (@QW5kcmV3)Andrew Thompson
@online{thompson:20190925:apt35:b6b82f0, author = {Andrew Thompson}, title = {{Tweet on APT35 activity}}, date = {2019-09-25}, organization = {Twitter (@QW5kcmV3)}, url = {https://twitter.com/QW5kcmV3/status/1176861114535165952}, language = {English}, urldate = {2020-01-08} } Tweet on APT35 activity
SysKit
2019-09-24DARKReadingKelly Jackson Higgins
@online{higgins:20190924:iranian:4966d90, author = {Kelly Jackson Higgins}, title = {{Iranian Government Hackers Target US Veterans}}, date = {2019-09-24}, organization = {DARKReading}, url = {https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897}, language = {English}, urldate = {2020-03-22} } Iranian Government Hackers Target US Veterans
SysKit Tortoiseshell
2019-09-24Cisco TalosWarren Mercer, Paul Rascagnères, Jungsoo An
@online{mercer:20190924:how:ac2b53e, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{How Tortoiseshell created a fake veteran hiring website to host malware}}, date = {2019-09-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html}, language = {English}, urldate = {2019-12-02} } How Tortoiseshell created a fake veteran hiring website to host malware
Liderc SysKit
2019-09-18SymantecSecurity Response Attack Investigation Team
@online{team:20190918:tortoiseshell:4881fc1, author = {Security Response Attack Investigation Team}, title = {{Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks}}, date = {2019-09-18}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain}, language = {English}, urldate = {2020-01-13} } Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks
SysKit Tortoiseshell
2019-08-22Github (n1nj4sec)n1nj4sec
@online{n1nj4sec:20190822:pupy:a822ccd, author = {n1nj4sec}, title = {{Pupy RAT}}, date = {2019-08-22}, organization = {Github (n1nj4sec)}, url = {https://github.com/n1nj4sec/pupy}, language = {English}, urldate = {2020-01-07} } Pupy RAT
pupy pupy pupy
2019-03-27SymantecSecurity Response Attack Investigation Team
@online{team:20190327:elfin:836cc39, author = {Security Response Attack Investigation Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-01-06} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2019-03-27SymantecCritical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2018-12-21FireEyeGeoff Ackerman, Rick Cole, Andrew Thompson, Alex Orleans, Nick Carr
@online{ackerman:20181221:overruled:74ac7b4, author = {Geoff Ackerman and Rick Cole and Andrew Thompson and Alex Orleans and Nick Carr}, title = {{OVERRULED: Containing a Potentially Destructive Adversary}}, date = {2018-12-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html}, language = {English}, urldate = {2019-12-20} } OVERRULED: Containing a Potentially Destructive Adversary
POWERTON PoshC2 pupy
2018FireEyeFireEye
@techreport{fireeye:2018:mtrends2018:f07ca60, author = {FireEye}, title = {{M-TRENDS2018}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf}, language = {English}, urldate = {2020-01-08} } M-TRENDS2018
APT35 OilRig
2017-02-15Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20170215:magic:e0b1b72, author = {Bryan Lee and Robert Falcone}, title = {{Magic Hound Campaign Attacks Saudi Targets}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/}, language = {English}, urldate = {2019-09-22} } Magic Hound Campaign Attacks Saudi Targets
Leash MPKBot pupy Rocket Kitten
2017-02-15SecureworksSecureWorks' Counter Threat Unit Research Team
@online{team:20170215:iranian:004ec5a, author = {SecureWorks' Counter Threat Unit Research Team}, title = {{Iranian PupyRAT Bites Middle Eastern Organizations}}, date = {2017-02-15}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations}, language = {English}, urldate = {2019-10-23} } Iranian PupyRAT Bites Middle Eastern Organizations
pupy Cleaver
2017-02-10JPCERT/CCShusei Tomonaga
@online{tomonaga:20170210:malware:4f2c9aa, author = {Shusei Tomonaga}, title = {{Malware that infects using PowerSploit}}, date = {2017-02-10}, organization = {JPCERT/CC}, url = {https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/}, language = {Japanese}, urldate = {2020-01-08} } Malware that infects using PowerSploit
pupy
Credits: MISP Project