Charming Kitten
from Wikipedia

Charming Kitten, also called APT35 (by Mandiant), Phosphorus or Mint Sandstorm (by Microsoft),[1] Ajax Security (by FireEye),[2] and NewsBeef (by Kaspersky[3][4]), is an Iranian government cyberwarfare group, described by several companies and government officials as an advanced persistent threat (APT).

Key Information

The United States Cybersecurity and Infrastructure Security Agency (CISA) has identified Charming Kitten as one of several Iranian state-aligned actors that target civil society organizations, including journalists, academics, and human rights defenders, in the United States, Europe, and the Middle East, as part of efforts to collect intelligence, manipulate discourse, and suppress dissent.[5]

The group is known to conduct phishing campaigns that impersonate legitimate organizations and websites, using fake accounts and domains to harvest user credentials.[6]

History


Witt defection (2013)


In 2013, Monica Witt, a former United States Air Force technical sergeant who later worked as a military-intelligence defense contractor, defected to Iran,[7] knowing she might face criminal charges in the United States for doing so.[citation needed] The intelligence she passed to the Iranian government is said to have led to Operation Saffron Rose, a cyberwarfare operation that targeted US military contractors.[citation needed]

HBO cyberattack (2017)


In 2017, following a cyberattack on HBO, a large-scale joint investigation was launched after confidential information began to leak. A hacker using the alias Sokoote Vahshat (Persian سکوت وحشت, lit. 'Silence of Fear') stated that if a ransom was not paid, scripts of television episodes, including episodes of Game of Thrones, would be leaked. About 1.5 terabytes of data were taken, some of it shows and episodes that had not yet been broadcast.[8] HBO has since stated that it would take steps to ensure it is not breached again.[9]

Behzad Mesri was subsequently indicted for the hack. He has since been alleged to be part of the operation unit that had leaked confidential information.[10]

Separately, Certfa reported that Charming Kitten had targeted US officials involved with the 2015 Iran nuclear deal. The Iranian government denied any involvement.[11][12]

Second indictment (2019)


A federal grand jury in the United States District Court for the District of Columbia indicted Witt on espionage charges (specifically "conspiracy to deliver and delivering national defense information to representatives of the Iranian government"). The indictment was unsealed on February 19, 2019. In the same indictment, four Iranian nationals—Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar—were charged with conspiracy, attempting to commit computer intrusion, and aggravated identity theft, for a campaign in 2014 and 2015 that sought to compromise the data of Witt's former co-workers.[13]

In March 2019, Microsoft took control of 99 domains used by the Iranian government-sponsored hackers, in a move intended to reduce the risk of spear-phishing and other cyberattacks.[14]

Media impersonation campaign (2019-2020)


In 2020, Reuters reported that Charming Kitten targeted critics of the Iranian government, academics, and journalists, such as Erfan Kasraie and Hassan Sarbakhshian, who received fake interview requests designed to harvest email credentials. The emails impersonated reporters from outlets like The Wall Street Journal, CNN, and Deutsche Welle, sometimes asking recipients to enter Google passwords or sign bogus contracts. Cybersecurity firms Certfa, ClearSky, and Secureworks attributed the operation to Charming Kitten based on tactics, infrastructure, and targeting.[15]

2020 election interference attempts (2019)


According to Microsoft, in a 30-day period between August and September 2019, Charming Kitten made more than 2,700 attempts to identify consumer email accounts belonging to specific targets.[16] It then attacked 241 of those accounts and compromised four. Although the activity was judged to be aimed at a United States presidential campaign, none of the compromised accounts belonged to the campaign.

Microsoft did not say who was targeted, but Reuters subsequently reported that it was Donald Trump's re-election campaign.[17] Reuters noted that the Trump campaign was, at the time, the only major campaign using Microsoft Outlook as its email client.

Iran denied any involvement in election meddling, with the Iranian Foreign Minister Mohammad Javad Zarif stating "We don’t have a preference in your election [the United States] to intervene in that election," and "We don’t interfere in the internal affairs of another country," in an interview on NBC's "Meet The Press".[18]

Cybersecurity experts at Microsoft and third-party firms such as ClearSky Cyber Security maintain that Iran, specifically Charming Kitten, was behind the attempted interference, however. In October 2019, ClearSky released a report supporting Microsoft's initial conclusion.[19] In the report, details about the cyberattack were compared to those of previous attacks known to originate from Charming Kitten. The following similarities were found:

  • Similar victim profiles. Those targeted fell into similar categories. They were all people of interest to Iran in the fields of academia, journalism, human rights activism, and political opposition.
  • Time overlap. Verified Charming Kitten activity was ramping up within the same timeframe that the election interference attempts were made.
  • Consistent attack vectors. The methods of attack were similar, with the malicious agents relying on spear-phishing via SMS texts.

Operational exposure (2020)


In 2020, IBM's X-Force IRIS team uncovered roughly 40 GB of data belonging to the group, including training videos that showed operatives compromising email and social media accounts. The footage included access to accounts of US and Hellenic Navy personnel, failed phishing attempts against US officials, and the use of tools such as Zimbra webmail to manage stolen credentials. Researchers described the discovery as a rare insight into the group's methods and noted that it showed a limited ability to bypass multi-factor authentication.[20]

HYPERSCRAPE data theft tool (2022)


On August 23, 2022, Google's Threat Analysis Group (TAG) published details of HYPERSCRAPE, a tool developed by Charming Kitten to steal data from well-known email providers (Gmail, Yahoo! and Microsoft Outlook).[21] The tool does not exploit a vulnerability: it needs the victim's credentials (or a valid session cookie) and uses them to open a session on the victim's behalf. It then presents itself as an outdated browser so that the provider serves its basic HTML mail view, downloads the victim's messages one by one, and covers its tracks by restoring each message's unread state, reverting any interface-language change, and deleting the security notifications the provider sends about the new login.

Per the report, the tool runs on a Windows machine controlled by the operator, not on the victim's machine, and accepts credentials or other required inputs such as cookies through either a command-line or a graphical interface.

Activist targeting in Europe (2023)


In September 2023, Germany’s domestic intelligence agency issued a public warning about “concrete spying attempts” by the Iranian-linked hacker group Charming Kitten, according to The Guardian. The report followed incidents documented across several European countries in which Iranian activists experienced hacking attempts, cyberattacks, online harassment, and threats of physical harm. Activists in Germany, France, the UK, and Spain were reportedly warned by local authorities about threats allegedly linked to Iranian cyber actors.[22]

from Grokipedia
Charming Kitten, also designated as APT35, Phosphorus, and Magic Hound, is an Iranian state-sponsored cyber espionage group linked to the Islamic Revolutionary Guard Corps (IRGC), active since at least 2013 and focused on intelligence gathering against perceived adversaries of the regime. The group employs sophisticated tactics including spear-phishing campaigns disguised as professional networking or meetings, custom malware deployment, and exploitation of software vulnerabilities to infiltrate targets. Its primary targets encompass government agencies, defense contractors, journalists, activists, academics, and critical infrastructure in sectors such as energy, finance, and healthcare, with operations spanning the Middle East (including Israel, Saudi Arabia, UAE, and Jordan), the United States, and Asia. Notable tools include the PowerLess backdoor for persistent access and data extraction, alongside techniques like DNS manipulation across hundreds of routers and supply-chain compromises for broader network infiltration. Leaked internal documents from 2025 expose an organized structure with dedicated teams for malware development, social engineering, and penetration testing, underscoring the group's operational maturity and state backing. Attributions rely on technical indicators such as infrastructure overlaps, Persian-language artifacts, and consistent targeting of regime critics, though definitive state control remains inferred from patterns rather than public confessions.

Background and Attribution

Charming Kitten, also tracked as APT35, has been attributed to Iranian state sponsorship by leading cybersecurity firms, with operations aligning closely to the geopolitical interests of the Iranian regime, such as espionage against nuclear negotiators and regime critics. The group is assessed as having a suspected link to the Islamic Revolutionary Guard Corps (IRGC), Iran's primary military and intelligence apparatus for external operations, based on consistent targeting patterns, use of Farsi-language tools, and infrastructure overlaps with other IRGC-linked actors since at least late 2013. Other analyses similarly link the group to Iranian hackers, noting spear-phishing campaigns against U.S. political figures and infrastructure that mirror state-directed intelligence gathering. Attributions stem from forensic analysis of malware samples, command-and-control servers hosted in Iran or reached through Iranian proxies, and an operational focus on high-value targets such as Israeli defense personnel and U.S. officials involved in sanctions enforcement. In June 2025, reports detailed APT35's use of AI-generated lures in spear-phishing against Israeli tech experts, tactics consistent with IRGC-backed cyber units aimed at stealing proprietary information for strategic advantage. U.S. indictments provide further corroboration: in 2019, former U.S. Air Force counterintelligence officer Monica Witt was charged with defecting to Iran and aiding an IRGC-linked espionage ring that used Charming Kitten's tactics against her former colleagues. Similarly, Iranian national Behzad Mesri's 2017 indictment for the HBO breach revealed ties to Charming Kitten's custom tools and social engineering methods. While Iran denies official involvement, dismissing attributions as Western fabrications, the consistency across independent analyses from firms like FireEye (now Mandiant) and ClearSky, drawing on shared indicators of compromise and post-exploitation behaviors, supports state orchestration rather than independent criminal activity. 
These links underscore Charming Kitten's role in Iran's asymmetric cyber strategy, enabling deniable intelligence collection without kinetic escalation, though the group's technical maturity lags behind peers like Russian APTs. No direct financial sponsorship details are public, but operational scale and persistence indicate regime resourcing through IRGC cyber divisions.

Discovery, Aliases, and Initial Analysis

Charming Kitten, an advanced persistent threat (APT) group, was first publicly detailed under that designation in a December report by ClearSky Cyber Security, which analyzed campaigns targeting Israeli defense entities and linked the operations to Iranian actors through shared infrastructure and tactics. Prior to this naming, the group had been tracked by FireEye (now Mandiant) as APT35 since at least 2014, based on observed cyber-espionage activities including spear-phishing and credential theft against Middle Eastern targets. Other researchers independently identified similar operations under the name Charming Kitten, attributing initial activity to late 2013 with a suspected connection to Iran's Islamic Revolutionary Guard Corps (IRGC). The group operates under multiple aliases assigned by various cybersecurity firms, reflecting overlapping attributions based on technical indicators like malware samples and command-and-control domains. These include Phosphorus and later Mint Sandstorm (Microsoft), Magic Hound (Palo Alto Networks Unit 42), Cobalt Illusion, Ajax Security (FireEye), and NewsBeef (Kaspersky). Such naming conventions arise from independent clusterings of intrusions, with cross-correlations established over time through shared tools like custom backdoors and phishing kits. Early analyses characterized Charming Kitten as a state-sponsored Iranian actor emphasizing social engineering over zero-day exploits, with initial campaigns focusing on credential harvesting via fake personas on social media and lures impersonating recruiters or journalists. Attribution to Iran stemmed from linguistic artifacts in malware (Farsi comments), IP geolocation to Iranian infrastructure, and alignment with geopolitical targets such as nuclear negotiators and regime critics, though some researchers noted potential overlaps with other Iranian clusters like APT39, urging caution against over-attribution without multi-source validation.

Tactics, Techniques, and Procedures

Social Engineering and Phishing Operations

Charming Kitten, an Iranian state-sponsored group also known as APT35, primarily employs social engineering and spear-phishing as initial access vectors to target individuals with access to sensitive information on Iran-related topics. These operations involve crafting fake personas on social media, messaging and email platforms to establish rapport over days or weeks, often impersonating journalists, academics, or professionals to exploit targets' professional interests. Lures typically include invitations to virtual meetings, webinar participation, or document reviews tied to geopolitical issues like Iran-Israel relations or professional collaborations, progressing to malicious links or attachments hosted on compromised domains. In a July 2020 campaign, the group impersonated journalists from Deutsche Welle and the Jewish Journal, sending personalized spear-phishing emails to Israeli scholars at several universities, offering speaker roles in fabricated webinars such as "Iran and Israel, Change or Stability?" with promised honorariums. These emails directed victims to malicious links on subdomains of legitimate sites like akademie.dw[.]de, while supporting infrastructure included well-developed fake profiles and communications from German numbers (+49 prefix), with Persian-speaking actors conducting voice calls to sustain engagement for up to 10 days. Attachments, such as password-protected ZIP files, were delivered via these channels to deploy credential-harvesting malware. By June 2023, Charming Kitten had refined these tactics in attacks targeting experts publishing on Middle Eastern affairs, posing as an Israeli reporter to request document reviews; the documents carried an updated variant of the POWERSTAR backdoor designed for credential theft and pivoting into systems, for example via VPNs. 
Broader patterns include emotive or opportunity-based lures, such as fake surveys in Excel files or collaboration requests from personas like a British photographer named Mia Ash, aimed at sectors including defense and academia to elicit clicks on spoofed or compromised email links. These methods prioritize human manipulation over technical exploits, enabling access to personal accounts for espionage against dissidents, journalists, and policy influencers.

Malware and Custom Tools

Charming Kitten, an Iranian state-sponsored group also tracked as APT35, deploys custom malware primarily designed for espionage, credential theft, and persistent access rather than destruction. These tools are often modular, PowerShell-based, or dropper-style implants customized per victim, reflecting the group's focus on targeted operations against high-value individuals and organizations. Delivery typically occurs via spear-phishing lures disguised as legitimate documents or links, exploiting user interaction to fetch payloads from cloud storage or decentralized networks like IPFS. The POWERSTAR backdoor (also known as CharmPower) exemplifies the group's toolkit, functioning as a versatile implant for command execution, persistence, and reconnaissance. It collects system information, downloads additional modules for tasks such as process enumeration, screenshot capture, file searching, and persistence monitoring, and incorporates cleanup routines to delete traces and registry artifacts. An updated variant observed in May 2023 enhances operational security with separate encryption for components and IPFS-based command-and-control (C2) retrieval for resilience against takedowns. POWERSTAR is deployed through password-protected RAR archives containing LNK files that trigger payload downloads from services like Backblaze, and was attributed to Charming Kitten by the cybersecurity firm Volexity based on code overlaps and infrastructure patterns. BellaCiao represents another bespoke implant, acting as a dropper that disables endpoint protections like Microsoft Defender, creates persistent services, and deploys secondary payloads such as the IIS-Raid webshell for web-server compromise. It facilitates credential exfiltration, file upload/download, and arbitrary command execution, with C2 communication masked via DNS resolution to evade detection; samples include hardcoded victim details like company names and IP addresses, indicating per-target customization. 
Attributed to Charming Kitten through tactical similarities and shared infrastructure with prior campaigns, BellaCiao has been linked to exploits like ProxyShell on Exchange servers, targeting entities in several countries since at least April 2023. Additional tools include HYPERSCRAPE, a data extraction utility for harvesting mailbox content and user data post-compromise, and the Sponsor backdoor, which supports espionage against at least 34 victims in regions including Israel, Brazil, and the UAE. These align with Charming Kitten's emphasis on stealthy, human-centric intrusions over widespread commodity malware, as evidenced by overlaps in code and evasion techniques across reports from firms such as Volexity and SOC Prime.

Persistence and Exfiltration Strategies

Charming Kitten maintains persistence through a combination of registry modifications, scheduled tasks, and account manipulations on Windows systems. In deployments of the POWERLESS backdoor, the group establishes persistence by altering the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key so that a malicious payload is executed at every user logon, alongside hijacking the COM handler for MsCtfMonitor to ensure continued access. Similarly, emulations of APT35 operations reproduce the creation of scheduled tasks via the schtasks utility, using XML and batch files for periodic execution of malware and backdoor components. The group also modifies local accounts, for example adding the built-in DefaultAccount to the Administrators and Remote Desktop Users groups, providing alternate entry points for re-access. Advanced persistence involves malware-specific mechanisms and evasion tactics. The POWERSTAR backdoor, a core tool in Charming Kitten's arsenal, incorporates dynamic configuration updates and monitoring of existing persistence methods to adapt and reinforce footholds, often leveraging private infrastructure such as IPFS nodes to avoid disruption by public cloud takedowns. BASICSTAR, delivered via LNK files in RAR archives, achieves persistence through command loops executed via NirCmd, with supporting VBS and other scripts for sustained operations. Broader techniques include DLL hijacking with obfuscated payloads to bypass endpoint detection, webshell deployments (e.g., custom PHP webshells), and compromise of domain admin accounts or backup systems for embedded longevity. For exfiltration, Charming Kitten prioritizes stealthy, high-volume data transfer aligned with espionage goals. Credential dumps of the LSASS process, obtained via rundll32.exe invoking the MiniDump export of comsvcs.dll, are transmitted outbound using HTTP POST requests to external command-and-control servers. 
The custom HYPERSCRAPE tool targets webmail services, scraping contents from Gmail, Yahoo, and Outlook accounts to extract sensitive communications without direct network traversal from victim machines. In escalated operations, the group dumps databases, accesses cloud backups for bulk retrieval, and exfiltrates email archives, VoIP recordings, and personal data, with documented instances involving over 74 GB of stolen material from targeted entities. These methods often rely on living-off-the-land binaries for lateral movement and staging, minimizing custom artifacts while maximizing yield through compromised VPNs and file upload portals.
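The registry, scheduled-task, account and LSASS-dump techniques listed above are all cheap to hunt for in endpoint telemetry. What follows is an added example written for this page, not code from any vendor report or from the group's tooling: a small Python hunt that classifies process-creation and registry-set events against those patterns. The event field names (`event`, `cmdline`, `key`, `value`) and the sample events are constructed for the example and loosely modelled on Sysmon event IDs 1 and 13; the SID and CLSID in the sample are placeholders, and the fields should be mapped to whatever your own pipeline produces.

```python
"""Hunt for the APT35-style persistence and credential-dumping patterns
described above in endpoint telemetry.

Added example for this page, not tooling from the group or any vendor.
The event dictionaries are constructed for illustration and loosely
modelled on Sysmon event ID 1 (process create) and ID 13 (registry value
set); map the field names to whatever your pipeline produces.
"""
import re

# Command-line signatures, matched case-insensitively: (rule name, pattern).
PROCESS_RULES = [
    # LSASS minidump through the MiniDump export of comsvcs.dll via rundll32.
    ("lsass_dump_comsvcs",
     re.compile(r"rundll32(\.exe)?.*comsvcs\.dll.*minidump", re.I)),
    # Scheduled task created from an XML definition or wrapping a .bat file.
    ("schtasks_persistence",
     re.compile(r"schtasks(\.exe)?\s+/create\b.*(/xml\b|\.bat\b)", re.I)),
    # Built-in DefaultAccount added to Administrators or Remote Desktop Users,
    # whether through net/net1 or PowerShell's Add-LocalGroupMember.
    ("defaultaccount_group_add",
     re.compile(r'(net1?(\.exe)?\s+localgroup\s+"?(administrators|remote desktop users)"?'
                r'\s+defaultaccount\s+/add|add-localgroupmember.*defaultaccount)', re.I)),
]


def classify(event):
    """Return the rule names an event matches (empty list if nothing fires)."""
    hits = []
    kind = event.get("event")
    if kind == "process_create":
        cmd = event.get("cmdline", "")
        for name, pattern in PROCESS_RULES:
            if pattern.search(cmd):
                hits.append(name)
    elif kind == "registry_set":
        key = event.get("key", "").lower()
        value = event.get("value", "").strip().lower()
        # On a workstation Winlogon\Shell should be exactly explorer.exe.
        # The hijack described above keeps explorer.exe and appends a second
        # program after a comma, so the check is equality, not substring.
        if key.endswith(r"\winlogon\shell") and value != "explorer.exe":
            hits.append("winlogon_shell_hijack")
        # A CLSID\...\InprocServer32 value written under a user hive is loaded
        # in preference to the HKLM entry: the classic COM hijack location.
        # MsCtfMonitor is only one of many COM objects abusable this way.
        if (key.startswith(("hkcu\\", "hku\\"))
                and "\\clsid\\{" in key
                and key.endswith("\\inprocserver32")):
            hits.append("user_hive_com_hijack")
    return hits


def scan(events):
    """Run classify() over an event stream; return (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample telemetry: a benign process, the malicious patterns
# from the text, and a benign Winlogon\Shell write. SID/CLSID are placeholders.
USER_HIVE = r"HKU\S-1-5-21-111-222-333-1001"
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Users\Public\l.dmp full"},
    {"event": "registry_set",
     "key": USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": r"explorer.exe,C:\Users\Public\update.exe"},
    {"event": "registry_set",
     "key": USER_HIVE + r"\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32",
     "value": r"C:\Users\Public\mon.dll"},
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /xml C:\Users\Public\task.xml'},
    {"event": "process_create", "image": r"C:\Windows\System32\net1.exe",
     "cmdline": r'net1 localgroup "Remote Desktop Users" DefaultAccount /add'},
    {"event": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": "explorer.exe"},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Run directly, the script prints one line per hit (five for the sample above; the two benign events stay silent). Two design points are worth carrying into a production rule: the Winlogon\Shell check compares for exact equality with explorer.exe, because the persistence described above appends a second executable after a comma and a substring match on explorer.exe would pass it; and the COM rule fires on any InprocServer32 write under a user hive rather than on one CLSID, since MsCtfMonitor is just one of many COM objects that can be hijacked from HKCU.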

Targets and Strategic Motivations

Government Officials and Nuclear Negotiators

Charming Kitten has persistently targeted government officials involved in sanctions enforcement and nuclear policy, particularly those linked to the 2015 Joint Comprehensive Plan of Action (JCPOA). In November 2018, following the U.S. withdrawal from the JCPOA and the reimposition of sanctions, the group launched phishing attacks against over 77 personal email accounts, including those of nuclear experts overseeing the U.S. nuclear arsenal, at least 13 U.S. Treasury officials including the Office of Foreign Assets Control's licensing chief, and employees at think tanks focused on nuclear issues. These operations used fake security alerts to harvest credentials, reflecting Iran's interest in monitoring enforcement mechanisms amid heightened tensions. The group's espionage extended to diplomats and negotiators through spear-phishing tied to international forums. In October 2020, Charming Kitten impersonated organizers of the Munich Security Conference and the Think 20 Summit, sending over 100 fake invitations embedded with malicious PDF links that directed recipients to credential-harvesting sites. Targets included former ambassadors, senior policy experts, and officials engaged in nuclear discussions, resulting in several compromises that enabled intelligence collection on geopolitical stances toward Iran. Earlier, in August and September 2019, the group probed more than 2,700 email accounts associated with current and former government officials, alongside a presidential campaign, exploiting password recovery features, though no official accounts were confirmed breached. These campaigns underscore strategic motivations rooted in Iran's need to anticipate and counter Western nuclear containment efforts. By compromising negotiators and policymakers, Charming Kitten sought insights into sanction strategies, JCPOA revival prospects, and diplomatic alignments, enabling Iran to calibrate its nuclear advancements and evasion tactics without direct confrontation. 
The focus on sanctions-enforcement and nuclear personnel highlights a priority on economic pressure points, as sanctions have historically constrained Iran's program more effectively than military threats.

Activists, Journalists, and Regime Critics

Charming Kitten, an Iranian state-sponsored cyber espionage group, has conducted operations targeting activists, journalists, and critics of the Iranian regime to gather intelligence and disrupt opposition activities. These efforts often involve spear-phishing and social engineering tailored to individuals vocal against government policies, including human rights advocates and exiled dissidents. Attribution to Charming Kitten relies on technical indicators such as malware signatures and overlap with prior Iranian-linked campaigns, as identified by firms like ClearSky. In December 2022, Iranian government-backed hackers linked to APT42 (also tracked as Phosphorus) attempted to compromise Human Rights Watch staff and at least 18 other prominent journalists, researchers, activists, and politicians critical of Iran. The phishing emails impersonated trusted contacts and used lures related to professional collaborations, aiming to gain access to accounts for surveillance. Victims included figures reporting on Iran's abuses and protest movements, with campaigns peaking amid domestic unrest following Mahsa Amini's death in September 2022. European-based Iranian dissidents faced heightened targeting by Charming Kitten in 2023, particularly in Germany, where the Federal Office for the Protection of the Constitution (BfV) issued warnings to affected individuals. The group employed multi-stage social engineering, initiating contact via seemingly innocuous personal or professional interactions on social media or email to build rapport before deploying malicious links or attachments. This approach exploited victims' isolation abroad, focusing on those organizing anti-regime protests or media coverage of Iranian affairs, with goals of monitoring movements and leaking stolen data to intimidate supporters. Domestically and among diaspora communities, Charming Kitten's tactics extend to impersonating journalists or fellow activists to infiltrate networks, as observed in campaigns documented by Mandiant (which tracks the activity as APT42, overlapping with APT35). 
These operations align with broader Iranian efforts to neutralize regime critics, prioritizing intelligence over disruption, though source biases in Western cybersecurity reports, which often rely on U.S. and allied attributions, warrant scrutiny against independent forensic evidence like IP traces to Iranian infrastructure.

Defense, Tech, and Private Entities

Charming Kitten has conducted spear-phishing and social engineering campaigns targeting employees in the defense industrial base (DIB), which includes private defense contractors and aerospace firms involved in weapons development. In spring 2023, the group used personas impersonating legitimate contacts to target DIB company employees based on their professional affiliations, aiming to deliver malware for espionage. Earlier, in 2020, Iranian actors linked to Charming Kitten executed a PTSD-themed social engineering operation against defense contractors and officials, distributing phishing links disguised as PTSD-support resources to exfiltrate credentials and data. The group's "Dream Job" campaign, active since at least September 2023, impersonates recruiters offering fabricated high-paying positions in aerospace and other critical sectors to deploy custom malware like SnailResin, facilitating persistent access for stealing proprietary defense-related technologies and intelligence. These efforts focus on U.S. and allied private entities in the aerospace and defense industries, motivated by Iran's need for insights into advanced military hardware and countermeasures against its regional adversaries. In the technology sector, Charming Kitten has spear-phished cybersecurity experts and computer science professionals, particularly in Israel, to compromise networks handling threat intelligence and software vulnerabilities. Such operations extend to private tech firms and research organizations, where the group seeks source code, R&D data, and tools to enhance its own capabilities or disrupt adversaries' cyber defenses. Overall, these private sector intrusions prioritize economic and technological espionage over disruption, aligning with Iran's asymmetric strategy to acquire dual-use technologies without direct confrontation.

Operational History

Early Espionage and Witt Defection (2013)

In 2013, Monica Elfriede Witt, a former United States Air Force counterintelligence officer with expertise in Iranian operations, defected to Iran after attending conferences sponsored by the Islamic Revolutionary Guard Corps (IRGC). Witt, who had served in the Air Force from 1997 to 2008 and later worked as a defense contractor until 2010, provided Iranian intelligence with sensitive details on a classified U.S. program aimed at recruiting Iranian assets and the true identity of at least one U.S. intelligence officer working undercover in Iran. Witt's defection enabled Iranian cyber actors, later attributed to the group known as Charming Kitten (also designated APT35 or Phosphorus), to launch targeted campaigns against her former U.S. colleagues. These early operations involved spear-phishing attacks using fabricated personas, such as fake academic or professional contacts, to infiltrate email accounts of U.S. personnel and defense contractors involved in Iran-related intelligence work. The attacks exploited Witt's insider knowledge of operational vulnerabilities, including specific targeting of individuals she had previously worked with, to steal classified data and compromise networks. Charming Kitten's activities in 2013 marked an initial phase of state-sponsored cyber espionage linked to Iran's IRGC, focusing on intelligence gathering to counter U.S. efforts against Iranian interests. The group, operational since at least late 2013, leveraged social engineering tactics informed by knowledge from defectors like Witt to enhance efficacy, setting a pattern for subsequent operations against Western targets. In 2019, the U.S. Department of Justice indicted Witt and four Iranian nationals, members of an IRGC-linked cyber unit, for these conspiracies, highlighting the defection's role in bridging traditional espionage with digital intrusions.

HBO Breach and Mid-Decade Escalation (2017)

In May 2017, Iranian hacker Behzad Mesri, affiliated with Charming Kitten through shared infrastructure and operational overlaps, breached HBO's networks, exfiltrating approximately 1.5 terabytes of data including unreleased episodes of Game of Thrones and other series, as well as executive emails and scripts. Mesri, who operated under the alias "Gonzalo Shapps" and had ties to Iran's military, demanded a $6 million ransom to withhold further leaks, marking a shift toward extortion alongside espionage. U.S. authorities indicted Mesri on November 21, 2017, for conspiracy to commit wire fraud, unauthorized computer access, and aggravated identity theft, highlighting his use of spear-phishing and credential theft tactics consistent with the group's methods. Cybersecurity firm ClearSky linked Mesri to Charming Kitten via evidence including his membership in the Turk Black Hat forum, domain registrations tied to group-associated email addresses, and social media connections to identified operatives such as Mohammad Rasoul Akbari. The breach utilized custom tools for persistence, including backdoors akin to the group's DownPaper malware, which facilitated credential harvesting and lateral movement. This operation exposed weaknesses in media-sector defenses and demonstrated the group's evolution from targeted espionage to high-profile disruptions potentially aimed at financial gain or propaganda. The HBO incident exemplified Charming Kitten's mid-decade escalation, as the group intensified campaigns against a broader array of targets including U.S., Israeli, and UK-based academics, journalists, and activists, employing over 240 malicious domains and fake personas mimicking legitimate entities like news outlets or corporations. Tactics expanded to include watering-hole attacks and impersonation of legitimate organizations, reflecting resource sharing with related actors like Rocket Kitten and a strategic pivot amid Iran's post-JCPOA cyber posture. 
These activities, tracked across more than 85 IP addresses, underscored the group's focus on intelligence gathering to suppress regime critics while probing for economic leverage, though the overt HBO extortion drew rare public scrutiny to otherwise covert operations.

Indictments, Media Campaigns, and Election Meddling (2019-2020)

In February 2019, the U.S. Department of Justice unsealed an indictment charging four Iranian nationals, identified as members of Charming Kitten, with conspiracy to unlawfully access protected computers, access device fraud, and related offenses. The charges stemmed from spear-phishing campaigns targeting U.S. intelligence community members, facilitated by information from defected former U.S. Air Force officer Monica Witt, whom the group had recruited. These operations involved deploying malware via lures and fake websites mimicking legitimate entities, consistent with Charming Kitten's established tactics of credential theft and espionage. During the same period, Charming Kitten intensified media impersonation campaigns as a core social engineering vector, creating fraudulent online personas of journalists, researchers, and media outlets to target high-value individuals. These efforts, observed in emails and interactions from 2019 to 2020, aimed to build trust and extract sensitive data, often leveraging domains registered to mimic news organizations. The group's attribution to Iran's IRGC underscores the campaigns' alignment with state-directed influence and intelligence gathering, though success rates remained variable due to improved target awareness and defenses. In the context of the 2020 U.S. presidential election, Charming Kitten, tracked by Microsoft as Phosphorus, executed spear-phishing attempts against personnel associated with the Trump campaign starting in mid-2019. On October 4, 2019, Microsoft reported four specific incidents in which the group sent malicious emails designed to steal login credentials, using newly registered domains to evade detection and impersonate trusted contacts. Although no breaches were confirmed, the operations reflected intent to access internal communications for potential disruption or leaks, paralleling broader Iranian interference patterns without evidence of widespread dissemination by this actor. U.S. officials attributed these actions to Iranian government-linked actors, prompting heightened cybersecurity alerts but no immediate arrests tied directly to the attempts.

Tool Exposures and HYPERSCRAPE Theft (2020-2022)

In late 2020, cybersecurity researchers began publicly attributing additional custom tools and infrastructure to Charming Kitten (also tracked as APT35), revealing operational details through and indicator sharing. For instance, overlapping tactics with the ITG18 cluster highlighted persistent use of credential-harvesting implants and command-and-control servers, exposing reused domains and kits that traced back to Iranian state-linked actors.

A significant exposure came in December 2021, when Google's Threat Analysis Group (TAG) identified early samples of HYPERSCRAPE, a custom .NET tool for bulk email exfiltration, with origins dating to 2020 and active development through 2022. HYPERSCRAPE enabled the group to scrape inboxes from compromised , Yahoo, and accounts using stolen session tokens or credentials, downloading messages as .eml files while evading detection by resetting read statuses, reverting interface languages, and deleting Google security notifications. Early variants incorporated manual triggers for exports to pull additional data such as contacts and calendars, a feature later streamlined but ultimately removed in refined builds. Google observed HYPERSCRAPE deployed against fewer than two dozen accounts, primarily targeting Iranian dissidents and dual nationals, underscoring the group's focus on intelligence gathering despite its limited scale. The tool's Windows-specific dependencies and its spoofing of outdated browsers for access further evidenced Charming Kitten's adaptation to webmail APIs, but its exposure prompted account re-securing and victim notifications via Google's government-backed attacker warnings.

Concurrently, in January 2022, Research detailed APT35's exploitation of the vulnerability (CVE-2021-44228) to deploy a new modular toolkit, including backdoors for persistence and data staging, which built on earlier exposed implants but introduced obfuscated loaders to counter defenses. These revelations, culminating in Google's August 23, 2022, public report on HYPERSCRAPE, marked a period of heightened visibility for Charming Kitten's toolkit evolution, driven by defensive analyses rather than internal leaks.
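The evasion behaviours described above (bulk .eml export, read-status resets, interface language changes, deleted security notifications and a spoofed outdated browser string) are also what a defender would correlate in webmail audit data. The following is an added illustration, not code from the article, from Google TAG or from any vendor; the event schema, the user-agent markers and the thresholds are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    session: str       # session/token id (constructed)
    user_agent: str    # client string seen by the webmail front end
    action: str        # read | mark_unread | download | set_language | delete
    subject: str = ""  # message subject; only meaningful for "delete"

OUTDATED_UA_MARKERS = ("MSIE ", "Chrome/4.", "Firefox/3.")  # assumption: obsolete builds
BULK_DOWNLOAD_THRESHOLD = 20                                # assumption: exports per session

def score_session(evs):
    """List the HYPERSCRAPE-like indicators present in one session's events."""
    reasons = []
    if any(m in evs[0].user_agent for m in OUTDATED_UA_MARKERS):
        reasons.append("outdated browser user agent")
    downloads = sum(e.action == "download" for e in evs)
    if downloads >= BULK_DOWNLOAD_THRESHOLD:
        reasons.append(f"bulk download of {downloads} messages")
    # Repeated mark_unread after exports is the read-status reset described above.
    if sum(e.action == "mark_unread" for e in evs) >= 5:
        reasons.append("repeated read-status resets")
    if any(e.action == "set_language" for e in evs):
        reasons.append("interface language changed")
    if any(e.action == "delete" and "security alert" in e.subject.lower() for e in evs):
        reasons.append("security notification deleted")
    return reasons

def flag_sessions(events, min_indicators=2):
    """Group events by session; return {session: reasons} where enough indicators co-occur."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev.session].append(ev)
    scored = {sid: score_session(evs) for sid, evs in by_session.items()}
    return {sid: r for sid, r in scored.items() if len(r) >= min_indicators}

def constructed_events():
    """Constructed sample: one ordinary session (s1) and one mimicking the tool (s2)."""
    modern = "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
    legacy = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"  # spoofed outdated browser
    normal = [Event("s1", modern, a) for a in ("read", "download", "read")]
    tool = [Event("s2", legacy, a) for _ in range(25) for a in ("read", "download", "mark_unread")]
    tool += [Event("s2", legacy, "set_language"),
             Event("s2", legacy, "delete", "Security alert: new sign-in")]
    return normal + tool
```

Requiring several indicators to co-occur keeps a single language change or a large manual export from raising an alert on its own.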

European Activist Targeting and Ongoing Campaigns (2023-2025)

In August 2023, Germany's Federal Office for the Protection of the Constitution (BfV) identified and warned about Charming Kitten's targeting of Iranian dissidents in the country, including human rights activists, journalists, legal practitioners, and other professionals maintaining contacts with Iran. The group, linked to Iran's Islamic Revolutionary Guard Corps, focused on espionage to gather intelligence on dissident networks and suppress regime criticism within the Iranian diaspora. Charming Kitten's tactics involved advanced social engineering, in which operatives created false personas to build long-term trust with victims through personalized communications mimicking legitimate contacts. Once rapport was established, attackers sent spear-phishing links disguised as invitations to video chats or meetings, directing users to counterfeit login pages that captured credentials for accounts, , and messaging applications. This approach mirrored prior operations, such as a 2020 incident in which the group impersonated journalists to target similar victims.

The BfV described these efforts as part of a well-resourced, persistent international campaign by Charming Kitten against Iranian opposition figures, with concrete intrusion attempts observed in Germany during 2023. Victims were advised to verify sender identities independently, avoid clicking unconfirmed links, and report suspicious activity to the authorities. No public disclosures detail specific compromises from these 2023 operations, but the warnings underscored the group's focus on European-based activists as vectors for on broader activities.

Through 2025, Charming Kitten has maintained its emphasis on and social engineering against regime critics, though targeted European activist campaigns beyond the 2023 German incidents remain less publicly documented in open-source reporting. The group's operational continuity, as tracked by cybersecurity firms, indicates sustained threats to communities in , aligned with Iran's strategic interest in monitoring and disrupting exile networks.

Impacts, Responses, and Geopolitical Context

Espionage Successes and Operational Setbacks

Charming Kitten, also tracked as or , has achieved notable successes through persistent spear-phishing and credential theft campaigns targeting sensitive on Iran's nuclear program and geopolitical adversaries. The group successfully compromised accounts of U.S. officials and negotiators involved in nuclear discussions, enabling the exfiltration of classified communications and policy insights as early as 2014-2015. These intrusions provided Iranian authorities with actionable on diplomatic strategies, contributing to operational advantages in international negotiations. Additionally, the group infiltrated networks of defense contractors and tech firms, stealing proprietary data on and cybersecurity technologies, with confirmed breaches dating to at least 2017. Further successes include influence operations against regime critics and activists, in which Charming Kitten deployed fake personas on to gather dossiers on dissidents, leading to real-world and silencing efforts. In , the group harvested credentials from over a dozen nuclear-related academics and organizations in the U.S., yielding personal and professional data used for targeted . High-profile breaches, such as the 2017 HBO hack attributed to an associated actor, resulted in of 1.5 terabytes of unreleased content and executive emails, demonstrating the group's capacity for beyond pure into disruptive effects.

Operational setbacks have included repeated tool exposures and international countermeasures that disrupted campaigns and forced tactical adaptations. In 2020, cybersecurity firms publicly detailed Charming Kitten's custom and command-and-control infrastructure, invalidating key implants and prompting the group to pivot to new tooling. U.S. indictments, such as those against nine Iranian nationals in 2021 for hacking U.S. entities, alongside the 2019 charges related to defector Monica Witt's facilitation, heightened operational risks and limited personnel mobility. Most significantly, a massive data leak in September 2025 exposed internal documents detailing the group's , target lists, and custom tools, attributed to an insider breach, which compromised ongoing operations and revealed IRGC linkages. U.S. Treasury sanctions in September 2022 against ten IRGC-affiliated cyber actors further constrained funding and logistics, though the group has shown resilience by refining tactics such as password spraying.

International Indictments and Counterintelligence

In February 2019, the U.S. Department of Justice unsealed an indictment charging four Iranian nationals, Majid Shahriari, Seyed Mohammad Reza Saberi, Gholamreza Rafiei, and another individual, with conspiracy to commit wire fraud, aggravated identity theft, and access device fraud as part of a cyber campaign targeting former U.S. intelligence officials. This operation was linked to Charming Kitten's efforts to support the defection of Monica Witt, a former U.S. Air Force counterintelligence officer who revealed classified information to Iran, with the hackers deploying malicious software to compromise Witt's former colleagues. The charges stemmed from spear-phishing attacks and malware implantation aimed at espionage, highlighting the group's ties to Iran's Islamic Revolutionary Guard Corps (IRGC). Subsequent U.S. actions included Treasury Department sanctions in September 2022 against ten IRGC-affiliated individuals and two entities involved in cyber operations under aliases such as APT35 and Charming Kitten, targeting malicious cyber-enabled activities including and data extortion. These measures aimed to disrupt the group's financial networks and operational capabilities, though no additional criminal indictments specifically naming Charming Kitten members have been publicly detailed beyond the case. International cooperation has been limited, with no reported indictments from other nations, reflecting the challenges of extraterritorial enforcement against Iranian state-sponsored actors.

Counterintelligence efforts against Charming Kitten have primarily involved public attributions and operational exposures by cybersecurity firms and researchers. In 2025, leaked internal documents revealed the group's , tools, and IRGC-IO affiliations, leading to disruptions through widespread dissemination by entities such as CloudSEK and independent analysts. Earlier, firms such as FireEye (now Mandiant) and Proofpoint detailed the group's tactics, including social engineering and deployment, enabling defensive mitigations and preemptive network takedowns. U.S. agencies, including the FBI, have issued alerts and pursued where possible, though Iran's non-cooperation has confined the impact to sanctions and among allies. These exposures have forced tactical adaptations by the group, such as shifting infection methods, but have not halted its activities.

Broader Implications for Cyber Asymmetric Warfare

The operations of Charming Kitten, an Iranian state-sponsored group affiliated with the Islamic Revolutionary Guard Corps (IRGC), exemplify how cyber espionage enables weaker states to engage in against technologically superior adversaries such as the United States. By leveraging low-cost tactics such as campaigns and social engineering, active since at least 2014, the group targets high-value assets including dissidents, government officials, and sectors such as energy and healthcare, achieving strategic intelligence gains and disruption potential without committing conventional forces. This approach allows to project power and retaliate for perceived aggressions, such as the 2018 U.S. withdrawal from the , through deniable operations that evade direct military escalation.

In cyber asymmetric contexts, Charming Kitten's persistence in credential harvesting and deployment of custom tools like HYPERSCRAPE underscores the domain's scalability and , where a small team can impose disproportionate costs on defenders through prolonged infiltration and dormant . These methods prioritize and subtle disruption, such as altering industrial control systems in water utilities, over outright destruction, fostering psychological deterrence by signaling a capability to escalate during crises, as seen in IRGC-linked attacks on U.S. infrastructure following the January 2020 killing of Qasem Soleimani. The group's integration into Iran's broader cyber ecosystem, alongside actors such as APT33, amplifies this asymmetry by enabling coordinated campaigns that exploit vulnerabilities in under-resourced sectors, challenging the attribution and response timelines of targeted nations.

Geopolitically, such operations erode traditional deterrence frameworks, as U.S. countermeasures such as indictments and sanctions, imposed in cases tied to Iranian hacking since 2019, fail to curb activities because of the sanctuary provided by state backing and the difficulty of proving causality for retaliatory strikes. This persistence incentivizes emulation by other revisionist actors, contributing to a fragmented international cyber norm in which disruption supplants kinetic conflict, heightens risks to global stability amid tensions such as those in the , and necessitates enhanced private-public defenses focused on rapid detection over reactive attribution.
