SYMBOLCOMMON_NAMEaka. SYNONYMS

Charming Kitten  (Back to overview)

aka: Newscaster, Parastoo, iKittens, Group 83, Newsbeef, NewsBeef, G0058

Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.

Associated Families
win.unidentified_073 apk.little_looter win.chairsmack win.downpaper win.telegram_grabber win.stonedrill
References
2022-09-26CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2022-08-15} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-07-22PWC UKKrystle Reid
@online{reid:20220722:old:6fb4943, author = {Krystle Reid}, title = {{Old cat, new tricks, bad habits An analysis of Charming Kitten’s new tools and OPSEC errors}}, date = {2022-07-22}, organization = {PWC UK}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html}, language = {English}, urldate = {2022-07-25} } Old cat, new tricks, bad habits An analysis of Charming Kitten’s new tools and OPSEC errors
TelegramGrabber
2022-06-20Infinitum ITinfinitum IT
@online{it:20220620:charming:b356ff2, author = {infinitum IT}, title = {{Charming Kitten (APT35)}}, date = {2022-06-20}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/apt-35/}, language = {Turkish}, urldate = {2022-06-22} } Charming Kitten (APT35)
LaZagne DownPaper MimiKatz pupy
2021-08-20YouTube (Black Hat)Allison Wikoff, Richard Emerson
@online{wikoff:20210820:kitten:3234e60, author = {Allison Wikoff and Richard Emerson}, title = {{The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker}}, date = {2021-08-20}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=nilzxS9rxEM}, language = {English}, urldate = {2021-09-02} } The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker
LittleLooter
2021-08-04BlackHatRichard Emerson, Allison Wikoff
@techreport{emerson:20210804:kitten:7033b95, author = {Richard Emerson and Allison Wikoff}, title = {{The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker}}, date = {2021-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf}, language = {English}, urldate = {2021-08-23} } The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker
LittleLooter
2021-08-04Security IntelligenceAllison Wikoff, Richard Emerson
@online{wikoff:20210804:itg18:f2f125f, author = {Allison Wikoff and Richard Emerson}, title = {{ITG18: Operational Security Errors Continue to Plague Sizable Iranian Threat Group}}, date = {2021-08-04}, organization = {Security Intelligence}, url = {https://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/}, language = {English}, urldate = {2021-08-23} } ITG18: Operational Security Errors Continue to Plague Sizable Iranian Threat Group
LittleLooter
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2020-12-12Twitter (MalwareHunterTeam)MalwareHunterTeam
@online{malwarehunterteam:20201212:itg18:953bd6a, author = {MalwareHunterTeam}, title = {{Tweet on ITG18 android implant}}, date = {2020-12-12}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/1337684036374945792}, language = {English}, urldate = {2021-08-23} } Tweet on ITG18 android implant
LittleLooter
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020-01-30Certfa LabCertfa Lab
@online{lab:20200130:fake:8ef4342, author = {Certfa Lab}, title = {{Fake Interview: The New Activity of Charming Kitten}}, date = {2020-01-30}, organization = {Certfa Lab}, url = {https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/}, language = {English}, urldate = {2020-03-03} } Fake Interview: The New Activity of Charming Kitten
Unidentified 073 (Charming Kitten)
2019-07-09WikipediaVarious
@online{various:20190709:operation:114fafe, author = {Various}, title = {{Operation Newscaster}}, date = {2019-07-09}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Operation_Newscaster}, language = {English}, urldate = {2020-01-09} } Operation Newscaster
Charming Kitten
2019-03-27MicrosoftTom Burt
@online{burt:20190327:new:9ba6b3b, author = {Tom Burt}, title = {{New steps to protect customers from hacking}}, date = {2019-03-27}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/}, language = {English}, urldate = {2020-01-13} } New steps to protect customers from hacking
Charming Kitten Cleaver
2019-03-27SymantecCritical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-02-13Department of JusticeOffice of Public Affairs
@online{affairs:20190213:former:3518c47, author = {Office of Public Affairs}, title = {{Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues}}, date = {2019-02-13}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber}, language = {English}, urldate = {2019-10-14} } Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues
Charming Kitten
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:newscaster:96f9778, author = {Cyber Operations Tracker}, title = {{Newscaster}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/newscaster}, language = {English}, urldate = {2019-12-20} } Newscaster
Charming Kitten
2019MITREMITRE ATT&CK
@online{attck:2019:charming:f900c21, author = {MITRE ATT&CK}, title = {{Group description: Charming Kitten}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0058/}, language = {English}, urldate = {2019-12-20} } Group description: Charming Kitten
Charming Kitten
2018-12-14SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181214:shamoon:1f24fa5, author = {Critical Attack Discovery and Intelligence Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-04-21} } Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
DistTrack Filerase StoneDrill OilRig
2018-12-13CertfaCertfa Lab
@online{lab:20181213:return:786b4e0, author = {Certfa Lab}, title = {{The Return of The Charming Kitten}}, date = {2018-12-13}, organization = {Certfa}, url = {https://blog.certfa.com/posts/the-return-of-the-charming-kitten/}, language = {English}, urldate = {2020-01-13} } The Return of The Charming Kitten
Charming Kitten
2018-07-03CywareSamantha Black
@online{black:20180703:iranian:2e94ec4, author = {Samantha Black}, title = {{Iranian APT Charming Kitten impersonates ClearSky, the security firm that uncovered its campaigns}}, date = {2018-07-03}, organization = {Cyware}, url = {https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f}, language = {English}, urldate = {2020-01-08} } Iranian APT Charming Kitten impersonates ClearSky, the security firm that uncovered its campaigns
Charming Kitten
2017-12-05ClearSky Research Team
@online{team:20171205:charming:064ca51, author = {ClearSky Research Team}, title = {{Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets}}, date = {2017-12-05}, url = {http://www.clearskysec.com/charmingkitten/}, language = {English}, urldate = {2019-12-17} } Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets
DownPaper
2017-12ClearSkyClearSky Research Team
@techreport{team:201712:charming:49a8e0c, author = {ClearSky Research Team}, title = {{Charming Kitten}}, date = {2017-12}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf}, language = {English}, urldate = {2019-12-04} } Charming Kitten
DownPaper Charming Kitten
2017-11-19Arab NewsELISE KNUTSEN
@online{knutsen:20171119:iranian:654e55f, author = {ELISE KNUTSEN}, title = {{Iranian agents blackmailed BBC reporter with ‘naked photo’ threats}}, date = {2017-11-19}, organization = {Arab News}, url = {http://www.arabnews.com/node/1195681/media}, language = {English}, urldate = {2019-12-17} } Iranian agents blackmailed BBC reporter with ‘naked photo’ threats
Charming Kitten
2017-08-08SC MagazineDoug Olenick
@online{olenick:20170808:hbo:dbb42ba, author = {Doug Olenick}, title = {{HBO breach accomplished with hard work by hacker, poor security practices by victim}}, date = {2017-08-08}, organization = {SC Magazine}, url = {https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/}, language = {English}, urldate = {2020-01-13} } HBO breach accomplished with hard work by hacker, poor security practices by victim
Charming Kitten
2017-07-27ForbesThomas Brewster
@online{brewster:20170727:with:b21b072, author = {Thomas Brewster}, title = {{With Fake News And Femmes Fatales, Iran's Spies Learn To Love Facebook}}, date = {2017-07-27}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/}, language = {English}, urldate = {2020-01-07} } With Fake News And Femmes Fatales, Iran's Spies Learn To Love Facebook
Charming Kitten
2017-03-07Kaspersky LabsGReAT
@techreport{great:20170307:from:3af6ed0, author = {GReAT}, title = {{FROM SHAMOON TO STONEDRILL: Wipers attacking Saudi organizations and beyond}}, date = {2017-03-07}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf}, language = {English}, urldate = {2020-01-15} } FROM SHAMOON TO STONEDRILL: Wipers attacking Saudi organizations and beyond
StoneDrill
2017-03-07Kaspersky LabsKaspersky
@techreport{kaspersky:20170307:from:2d853ae, author = {Kaspersky}, title = {{From Shamoon to Stonedrill}}, date = {2017-03-07}, institution = {Kaspersky Labs}, url = {https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf}, language = {English}, urldate = {2020-01-09} } From Shamoon to Stonedrill
Charming Kitten
2017-02-06Iran ThreatsClaudio Guarnieri, Collin Anderson
@online{guarnieri:20170206:ikittens:b5486bb, author = {Claudio Guarnieri and Collin Anderson}, title = {{iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)}}, date = {2017-02-06}, organization = {Iran Threats}, url = {https://iranthreats.github.io/resources/macdownloader-macos-malware/}, language = {English}, urldate = {2020-01-09} } iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)
MacDownloader Charming Kitten
2016-04-27Kaspersky LabsGReAT
@online{great:20160427:freezer:bec7033, author = {GReAT}, title = {{Freezer Paper around Free Meat}}, date = {2016-04-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/freezer-paper-around-free-meat/74503/}, language = {English}, urldate = {2019-12-20} } Freezer Paper around Free Meat
Charming Kitten
2016-04-27Kaspersky LabsGReAT
@online{great:20160427:freezer:13a8a66, author = {GReAT}, title = {{Freezer Paper around Free Meat (Repackaging Open Source BeEF for Tracking and More)}}, date = {2016-04-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/}, language = {English}, urldate = {2019-10-18} } Freezer Paper around Free Meat (Repackaging Open Source BeEF for Tracking and More)
Charming Kitten
2016-04Bundesamt für VerfassungsschutzVarious
@techreport{various:201604:bfv:2f64764, author = {Various}, title = {{BfV Cyber-Brief: Hinweis auf aktuelle Angriffskampagne}}, date = {2016-04}, institution = {Bundesamt für Verfassungsschutz}, url = {https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf}, language = {German}, urldate = {2020-01-08} } BfV Cyber-Brief: Hinweis auf aktuelle Angriffskampagne
Charming Kitten
2014-05-29The Washington TimesCheryl K. Chumley
@online{chumley:20140529:iranian:38c457f, author = {Cheryl K. Chumley}, title = {{Iranian hackers sucker punch U.S. defense officials with creative social-media scam}}, date = {2014-05-29}, organization = {The Washington Times}, url = {https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/}, language = {English}, urldate = {2020-01-06} } Iranian hackers sucker punch U.S. defense officials with creative social-media scam
Charming Kitten
2014-05-28iSIGHT Partners (FireEye)iSIGHT Partners
@techreport{partners:20140528:newscaster:cc8ba66, author = {iSIGHT Partners}, title = {{NEWSCASTER: An Iranian Threat Within Social Networks}}, date = {2014-05-28}, institution = {iSIGHT Partners (FireEye)}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf}, language = {English}, urldate = {2019-10-15} } NEWSCASTER: An Iranian Threat Within Social Networks
Charming Kitten
2012-11-25CryptomeCryptome
@online{cryptome:20121125:parastoo:b652ed3, author = {Cryptome}, title = {{Parastoo Hacks IAEA}}, date = {2012-11-25}, organization = {Cryptome}, url = {https://cryptome.org/2012/11/parastoo-hacks-iaea.htm}, language = {English}, urldate = {2020-01-06} } Parastoo Hacks IAEA
Charming Kitten
Credits: MISP Project