
APT35

aka: COBALT MIRAGE, Charming Kitten, G0059, Magic Hound, Mint Sandstorm, Newscaster Team, Phosphorus, TunnelVision

FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long-term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and the engineering, business services and telecommunications sectors.


Associated Families
apk.little_looter win.chairsmack win.disttrack win.downpaper win.leash win.mediapi win.mpkbot win.pupy win.stonedrill win.syskit win.telegram_grabber win.drokbk

References
2024-01-17 | Microsoft | Microsoft Threat Intelligence
New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs
MediaPI
2023-04-18 | Microsoft | Microsoft Threat Intelligence
Nation-state threat actor PHOSPHORUS refines tradecraft to attack high-value targets
Drokbk
2023-01-04 | K7 Security | Saikumaravel
Pupy RAT hiding under WerFault’s cover
pupy
2022-12-12 | SOCRadar | SOCRadar
Dark Web Profile: APT42 – Iranian Cyber Espionage Group
PINEFLOWER VINETHORN VBREVSHELL BROKEYOLK CHAIRSMACK DOSTEALER GHAMBAR SILENTUPLOADER TAG-56
2022-12-09 | Secureworks | SecureWorks' Counter Threat Unit Research Team
Drokbk Malware Uses GitHub as Dead Drop Resolver
Drokbk
2022-09-26 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-12 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-07-22 | PWC UK | Krystle Reid
Old cat, new tricks, bad habits: An analysis of Charming Kitten’s new tools and OPSEC errors
TelegramGrabber
2022-06-20 | Infinitum IT | infinitum IT
Charming Kitten (APT35)
LaZagne DownPaper MimiKatz pupy
2022-06-15 | Volexity | Steven Adair, Thomas Lancaster, Volexity Threat Research
DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach
pupy Sliver DriftingCloud
2022-05-23 | Trend Micro | Daniel Lunghi, Jaromír Hořejší
Operation Earth Berberoka
reptile oRAT Ghost RAT PlugX pupy Earth Berberoka
2022-05-12 | Secureworks | Counter Threat Unit Research Team
COBALT MIRAGE Conducts Ransomware Operations in U.S.
CobaltMirage FRP APT35
2022-04-28 | Fortinet | Gergely Revay
An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-27 | Trendmicro | Trendmicro
IOCs for Earth Berberoka - Linux
Rekoobe pupy Earth Berberoka
2022-03-30 | Recorded Future | Insikt Group
Social Engineering Remains Key Tradecraft for Iranian APTs
Liderc pupy
2022-03-09 | eSentire | eSentire Threat Response Unit (TRU)
Exploitation of VMware Horizon Servers by TunnelVision Threat Actor
Drokbk
2022-03-08 | Cylera | Cylera
The link between Kwampirs (Orangeworm) and Shamoon APTs
DistTrack Kwampirs
2022-02-17 | SentinelOne | Amitai Ben, Shushan Ehrlich
Log4j2 In The Wild | Iranian-Aligned Threat Actor “TunnelVision” Actively Exploiting VMware Horizon
APT35
2022-01-11 | Check Point | Check Point Research
APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit
APT35
2021-11-16 | Microsoft | Microsoft Threat Intelligence
Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021
APT35 Gray Sandstorm
2021-08-20 | YouTube (Black Hat) | Allison Wikoff, Richard Emerson
The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker
LittleLooter
2021-08-05 | Symantec | Threat Hunter Team
Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2021-08-04 | Security Intelligence | Allison Wikoff, Richard Emerson
ITG18: Operational Security Errors Continue to Plague Sizable Iranian Threat Group
LittleLooter
2021-08-04 | BlackHat | Allison Wikoff, Richard Emerson
The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker
LittleLooter
2021-07-28 | Proofpoint | Crista Giering, Joshua Miller, Michael Raggi
I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona
Liderc SysKit
2021-07-15 | Facebook | David Agranovich, Mike Dvilyanski
Taking Action Against Hackers in Iran
Liderc SysKit
2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2020-12-12 | Twitter (MalwareHunterTeam) | MalwareHunterTeam
Tweet on ITG18 android implant
LittleLooter
2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10 | ZDNet | Catalin Cimpanu
FBI warns about ongoing attacks against software supply chain companies
DistTrack Kwampirs
2020-01-23 | Recorded Future | Insikt Group
European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019
pupy pupy pupy
2019-12-21 | MalwareInDepth | Myrtus 0x0
Shamoon 2012 Complete Analysis
DistTrack
2019-11-19 | FireEye | Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-09-25 | Twitter (@QW5kcmV3) | Andrew Thompson
Tweet on APT35 activity
SysKit
2019-09-24 | DARKReading | Kelly Jackson Higgins
Iranian Government Hackers Target US Veterans
SysKit Tortoiseshell
2019-09-24 | Cisco Talos | Jungsoo An, Paul Rascagnères, Warren Mercer
How Tortoiseshell created a fake veteran hiring website to host malware
Liderc SysKit
2019-09-18 | Symantec | Security Response Attack Investigation Team
Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks
SysKit Tortoiseshell
2019-08-22 | Github (n1nj4sec) | n1nj4sec
Pupy RAT
pupy pupy pupy
2019-03-27 | Microsoft | Tom Burt
New steps to protect customers from hacking
APT35 Charming Kitten Cleaver
2019-03-27 | Symantec | Security Response Attack Investigation Team
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2019-03-27 | Symantec | Critical Attack Discovery and Intelligence Team
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-01-01 | MITRE | MITRE ATT&CK
Group description: Magic Hound
APT35 Cleaver
2019-01-01 | Council on Foreign Relations | Cyber Operations Tracker
Magic Hound
APT35 Cleaver
2018-12-21 | FireEye | Alex Orleans, Andrew Thompson, Geoff Ackerman, Nick Carr, Rick Cole
OVERRULED: Containing a Potentially Destructive Adversary
POWERTON PoshC2 pupy
2018-12-14 | Symantec | Critical Attack Discovery and Intelligence Team
Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
DistTrack Filerase StoneDrill OilRig
2018-12-13 | Palo Alto Networks Unit 42 | Robert Falcone
Shamoon 3 Targets Oil and Gas Organization
DistTrack
2018-01-01 | Council on Foreign Relations | Cyber Operations Tracker
APT 35
APT35
2018-01-01 | FireEye | FireEye
M-TRENDS 2018
APT35 OilRig
2017-12-05 | ClearSky Research Team
Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets
DownPaper
2017-12-01 | ClearSky | ClearSky Research Team
Charming Kitten
DownPaper Charming Kitten
2017-03-26 | Palo Alto Networks Unit 42 | Bryan Lee, Robert Falcone
Shamoon 2: Delivering Disttrack
DistTrack
2017-03-14 | FireEye | FireEye
M-Trend 2017: A View From the Front Lines
DistTrack Powersniff FIN8
2017-03-07 | Kaspersky Labs | GReAT
FROM SHAMOON TO STONEDRILL: Wipers attacking Saudi organizations and beyond
StoneDrill
2017-02-27 | Symantec | A L Johnson
Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten
2017-02-16 | SecurityAffairs | Pierluigi Paganini
Iranian hackers behind the Magic Hound campaign linked to Shamoon
pupy APT35
2017-02-15 | Secureworks | SecureWorks' Counter Threat Unit Research Team
Iranian PupyRAT Bites Middle Eastern Organizations
pupy Cleaver
2017-02-15 | Palo Alto Networks Unit 42 | Bryan Lee, Robert Falcone
Magic Hound Campaign Attacks Saudi Targets
APT35 Cleaver
2017-02-15 | Palo Alto Networks Unit 42 | Bryan Lee, Robert Falcone
Magic Hound Campaign Attacks Saudi Targets
Leash MPKBot pupy Rocket Kitten
2017-02-10 | JPCERT/CC | Shusei Tomonaga
Malware that infects using PowerSploit
pupy
2017-02-05 | VinRansomware | Gregory Paul, Shaunak
Detailed threat analysis of Shamoon 2.0 Malware
DistTrack
2017-01-23 | Symantec | Symantec Security Response
Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-09 | Palo Alto Networks Unit 42 | Robert Falcone
Second Wave of Shamoon 2 Attacks Identified
DistTrack
2016-12-03 | Coding and Security | Coding, Security
"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis
DistTrack
2016-11-30 | Symantec | A L Johnson
Shamoon: Back from the dead and destructive as ever
DistTrack OilRig
2016-11-30 | Palo Alto Networks Unit 42 | Robert Falcone
Shamoon 2: Return of the Disttrack Wiper
DistTrack
2015-11-01 | Check Point | Check Point
ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES
FireMalv MPKBot Woolger Cleaver Rocket Kitten
2012-08-17 | Contagiodump Blog | Mila Parkour
Shamoon or DistTrack.A samples
DistTrack
2012-08-16 | Kaspersky Labs | GReAT
Shamoon the Wiper – Copycats at Work
DistTrack
2012-08-16 | Symantec | Symantec Security Response
The Shamoon Attacks
DistTrack OilRig

Credits: MISP Project