APT35 is an Iranian state-sponsored cyber espionage group, also known by aliases such as Charming Kitten, Phosphorus, Newscaster, Magic Hound, Mint Sandstorm, and others. The group is believed to be affiliated with the Islamic Revolutionary Guard Corps (IRGC) and has been active since at least 2014. APT35 is known for conducting long-term, resource-intensive operations aimed at collecting strategic intelligence and supporting Iranian geopolitical interests.
Target Sectors
• Government, military, and diplomatic organizations in the U.S., Western Europe, and the Middle East
• Media, energy, defense industrial base, engineering, business services, and telecommunications sectors
• Academic institutions and medical research organizations
Attack Techniques
• Spear Phishing & Social Engineering: APT35 frequently uses spear-phishing emails, often themed around healthcare, job postings, password policies, or conference invitations, to lure victims into opening malicious attachments or clicking on links.
• Credential Harvesting: The group creates fake login pages mimicking webmail, VPNs, or cloud services to steal credentials.
• Malware Deployment: APT35 deploys custom and open-source malware, including webshells and penetration testing tools, to maintain persistence and exfiltrate data.
• Exploitation of Vulnerabilities: The group scans for and exploits unpatched servers and publicly disclosed vulnerabilities (e.g., Microsoft Exchange ProxyShell).
• Watering Hole & Supply Chain Attacks: Occasionally, APT35 has used watering hole websites and supply chain attacks for initial compromise.
• Use of Social Media: Notably, APT35 has conducted sophisticated espionage campaigns via social media platforms, creating fake personas to engage targets.
Associated Malware and Tools
• Custom Malware: ASPXSHELLSV, BROKEYOLK, PUPYRAT, TUNNA, MANGOPUNCH, DRUBOT, HOUSEBLEND.
• Open Source Tools: Sponsor, Soldier, BellaCiao, DownPaper, Mimikatz, PsExec.
• Recent Tools: HYPERSCRAPE (for stealing emails), and abuse of Telegram as a channel for operator notifications.
Group Relationships
• Overlap with APT42: Both groups are IRGC-affiliated and share some techniques, but APT42 focuses more on dissidents and researchers, while APT35 has broader strategic targets.
• Shared Aliases: MITRE ATT&CK and other sources associate APT35 with names like Magic Hound, TA453, COBALT ILLUSION, ITG18, and Imperial Kitten.
Indicators of Compromise (IP Addresses)
APT35 regularly rotates its infrastructure and often uses new or compromised IP addresses and domains for each campaign. For the most up-to-date and comprehensive list, consult current threat intelligence feeds and official advisories.
• 45.66.230.240 — Identified as a Command & Control (C2) server used by APT35 in recent campaigns targeting Albania.
• cortanaservice.com (domain) — A known APT35 C2 domain. It is not an IP address, but it has been directly linked to the group's infrastructure, and its current and historical resolutions can be used to derive IPs for network defense purposes.
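To show how the two indicators above are actually put to use, here is an added example (not part of the original profile, and not code from any of the sources it cites) that matches them against DNS-resolver and web-proxy log lines. The log format is a simplified key=value layout assumed for this example, and the sample lines are constructed, not real telemetry. The point it illustrates is that indicator matching must be label-aware: a subdomain of the C2 domain should match, while a look-alike such as notcortanaservice.com or a different address that merely shares a prefix with the C2 IP must not.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Indicators taken from the profile above: the one C2 IP and one C2 domain it lists.
APT35_IOCS: Dict[str, Set[str]] = {
    "ip": {"45.66.230.240"},
    "domain": {"cortanaservice.com"},
}

# Constructed sample telemetry (not real logs): a DNS resolver log and a
# web-proxy log in a simplified key=value format assumed for this example.
SAMPLE_LOGS: List[str] = [
    "2024-01-10T09:12:01Z dns client=10.0.0.15 query=mail.cortanaservice.com type=A",
    "2024-01-10T09:12:02Z proxy client=10.0.0.15 dst=45.66.230.240:443 url=https://45.66.230.240/update",
    "2024-01-10T09:15:44Z dns client=10.0.0.22 query=example.com type=A",
    "2024-01-10T09:16:03Z proxy client=10.0.0.22 dst=93.184.216.34:443 url=https://example.com/",
    # Two near-misses that a naive substring search would wrongly flag:
    "2024-01-10T09:20:11Z dns client=10.0.0.31 query=notcortanaservice.com type=A",
    "2024-01-10T09:21:00Z proxy client=10.0.0.31 dst=45.66.230.24:80 url=http://45.66.230.24/",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dotted labels whose last label is alphabetic, so IPs never match here.
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


@dataclass
class Hit:
    line: int          # 1-based index of the matching log line
    kind: str          # "ip" or "domain"
    observed: str      # value seen in the log
    matched_ioc: str   # indicator from the IoC set that it matched


def domain_matches(hostname: str, ioc_domain: str) -> bool:
    """True if hostname is the IoC domain itself or a subdomain of it.

    Compares whole DNS labels, so 'notcortanaservice.com' does not match
    'cortanaservice.com' while 'mail.cortanaservice.com' does.
    """
    host = hostname.lower().rstrip(".")
    ioc = ioc_domain.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def extract_indicators(line: str) -> Dict[str, Set[str]]:
    """Pull candidate IPv4 addresses and hostnames out of one log line."""
    ips: Set[str] = set()
    for cand in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(cand)  # drops dotted quads with octets > 255
        except ValueError:
            continue
        ips.add(cand)
    hosts = set(HOSTNAME_RE.findall(line.lower()))
    return {"ip": ips, "domain": hosts}


def scan_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Hit]:
    """Return every (line, indicator) pair where a log line contains a known IoC."""
    hits: List[Hit] = []
    for lineno, line in enumerate(lines, start=1):
        found = extract_indicators(line)
        # IPs are compared as exact addresses, never as substrings.
        for ip in sorted(found["ip"]):
            if ip in iocs["ip"]:
                hits.append(Hit(lineno, "ip", ip, ip))
        for host in sorted(found["domain"]):
            for ioc in sorted(iocs["domain"]):
                if domain_matches(host, ioc):
                    hits.append(Hit(lineno, "domain", host, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, APT35_IOCS):
        print(f"line {hit.line}: {hit.kind} {hit.observed} matches IoC {hit.matched_ioc}")
```

Run against the sample lines, only the first two produce hits; the look-alike domain and the prefix-sharing address on the last two lines are correctly ignored. Because APT35 rotates infrastructure, a set like APT35_IOCS should be refreshed from a current feed rather than hard-coded, and a match on historical indicators is a lead to investigate, not proof of compromise on its own.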