APT35
APT35, also known as Charming Kitten, is a state-sponsored Iranian cyber-espionage group active since at least 2013, known for its sophisticated social engineering campaigns and persistent targeting of geopolitical adversaries across government, academic, and private sectors.

The origin of APT35
APT35, also known as Charming Kitten, Magic Hound, Mint Sandstorm, COBALT ILLUSION, TA453, and PHOSPHORUS, is a cyber-espionage group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). Active since at least 2013, the group focuses on intelligence collection that aligns with Iranian geopolitical priorities. Their primary operational hallmark is the use of social engineering and spear-phishing to target individuals and organizations perceived as adversaries or of strategic interest to Iran.
APT35’s tactics are meticulous, often creating fake personas and leveraging legitimate platforms (e.g., LinkedIn, Google Drive) to conduct credential harvesting and malware distribution. The group is known for its long-term and persistent campaigns against a wide array of global targets.
Countries Targeted by APT35
APT35 primarily targets entities in the United States, United Kingdom, Israel, and Saudi Arabia, but their campaigns have also reached countries like Germany, Iraq, Australia, Iran (internal dissidents), and Albania. These regions are strategically important due to their geopolitical stances, diaspora populations, or hosting of dissidents and journalists critical of the Iranian regime.
Industries Targeted by APT35
APT35’s operations span multiple sectors. High-priority targets include government, defense, military, and intelligence sectors, often to gather strategic insights or exfiltrate sensitive data. They are also active against academic institutions, media outlets, think tanks, and NGOs, aiming to monitor dissident narratives and policy discussions. Industries such as oil and gas, pharmaceutical, aerospace, technology, healthcare, financial services, and energy are also frequently affected, indicating a broad scope of economic and political espionage objectives.
APT35's Victims
Prominent victims include U.S. and European government personnel, Israeli academic institutions, and organizations such as the World Health Organization (WHO). In 2025, an Israeli academic institution was specifically targeted with a malicious LNK file hosted on Google Drive, echoing tactics used in previous intrusions against U.S.-based think tanks.
APT35's attack method

Initial access: Gained primarily through spear-phishing emails and social engineering on platforms like LinkedIn and WhatsApp. Fake personas and legitimate-looking websites are used to deceive targets.

Privilege escalation: Involves creating or enabling default or administrator accounts, using tools like PowerShell or Mimikatz to escalate privileges.

Defense evasion: The group disables antivirus, event logs, and LSA protection; they also use masquerading and obfuscation techniques to avoid detection.

Credential access: Steals credentials from browsers and VPNs, dumps LSASS memory, and abuses Outlook Web Access (OWA) to gain deeper access.

Discovery: APT35 performs comprehensive host, network, and account discovery using tools such as WMI, Ping, and nltest.

Lateral movement: Uses RDP, scheduled tasks, and copied tools to pivot across the network.

Collection: Focuses on email collection, keylogging, screenshot capture, and gathering sensitive .PST files and LSASS dumps.

Execution: Executes malicious payloads using PowerShell, VBS, and malicious shortcut (LNK) files.

Exfiltration: Uses tools like gzip, RAR, and services like the Telegram API and Google Drive for data exfiltration.

Impact: While primarily focused on espionage, APT35 has demonstrated data encryption capabilities using BitLocker and DiskCryptor, hinting at a ransomware potential in some operations.
TTPs used by APT35
How to Detect APT35 with Vectra AI
List of the Detections available in the Vectra AI Platform that would indicate an APT attack.
FAQs
Who is APT35 affiliated with?
APT35 is tied to Iran’s Islamic Revolutionary Guard Corps (IRGC) and operates under its intelligence mandate.
What makes APT35 different from other Iranian groups?
APT35 is notable for its deep social engineering and creation of fake online personas, often involving multi-step engagement before malicious payloads are delivered.
What are their primary tactics for initial access?
They use spear-phishing links, malicious attachments, drive-by downloads, and social media impersonation.
What malware tools are used by APT35?
Notable tools include PowerWindow, Parastoo RAT, Maelstrom RAT, MediaPl, NICECURL, and custom Android malware.
How does APT35 evade detection?
They use obfuscation, encrypted communication, masquerading, and often exploit trusted cloud services like Google Drive.
Are they known to use zero-days or specific CVEs?
Yes, including CVE-2022-30190 (Follina), ProxyShell, Log4Shell, and Fortinet SSL VPN vulnerabilities.
How can organizations detect APT35 activity?
Look for signs like unusual PowerShell execution, LSASS memory access, RDP sessions via non-standard ports, and suspicious domain access.
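The four indicators listed above (and the credential-access, lateral-movement and exfiltration phases in the attack-method section) can be turned into simple host-level correlation logic. The following is an added example, not code from the original page or from the Vectra AI platform; the event records, the field names, the LSASS allowlist and the watched service domains are constructed assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): one dict per event.
SAMPLE_EVENTS = [
    {"host": "ws-042", "type": "process",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"host": "ws-042", "type": "process_access",
     "source_image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "ws-042", "type": "process_access",
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
    {"host": "ws-042", "type": "netflow", "dport": 4489, "app_proto": "rdp"},
    {"host": "ws-042", "type": "netflow", "dport": 3389, "app_proto": "rdp"},
    {"host": "ws-042", "type": "dns", "query": "api.telegram.org"},
    {"host": "ws-017", "type": "dns", "query": "drive.google.com"},
]

# Processes that legitimately open lsass.exe (assumed list; tune per environment).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
SUSPICIOUS_PS = re.compile(r"-(enc|encodedcommand|nop|w\s+hidden)\b", re.I)
# Services the page names as exfiltration channels; a lookup alone is a weak signal.
EXFIL_SERVICES = {"api.telegram.org", "drive.google.com"}

def classify(ev):
    """Return a signal name for one event, or None if it looks benign."""
    t = ev["type"]
    if t == "process" and SUSPICIOUS_PS.search(ev["cmdline"]):
        return "suspicious_powershell"
    if t == "process_access" and ev["target_image"].lower().endswith("\\lsass.exe"):
        src = ev["source_image"].rsplit("\\", 1)[-1].lower()
        if src not in LSASS_ALLOWLIST and int(ev["granted_access"], 16) & PROCESS_VM_READ:
            return "lsass_memory_access"
    if t == "netflow" and ev["app_proto"] == "rdp" and ev["dport"] != 3389:
        return "rdp_nonstandard_port"
    if t == "dns" and ev["query"].lower() in EXFIL_SERVICES:
        return "exfil_service_lookup"
    return None

def correlate(events, min_signals=2):
    """Group signals by host; a host with >= min_signals distinct signals is escalated."""
    per_host = defaultdict(set)
    for ev in events:
        sig = classify(ev)
        if sig:
            per_host[ev["host"]].add(sig)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_signals}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The host that only resolved a cloud-storage domain is not escalated on its own, which keeps legitimate Google Drive use from alerting; it is the co-occurrence with PowerShell, LSASS and RDP anomalies that matters.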
What C2 techniques do they use?
APT35 uses legitimate compromised domains, web services, SOAP, IRC, and encrypted HTTP proxies.
How can APT35’s spear-phishing be mitigated?
Deploy email filtering, attachment scanning, and user training, alongside URL rewriting/sandboxing solutions.
What detection tools can help stop APT35?
Network Detection and Response (NDR) solutions are highly effective against APT35’s tactics. Given the group's reliance on command-and-control over web protocols, use of encrypted channels, and data exfiltration via cloud services, NDR platforms provide deep visibility into east-west and outbound traffic.