Menu
Browse

Cyber Threat Actor: APT35

Aliases: 4 aliases
Actor Type Location Known Incidents
 Icon
Nation State
Iran
18 incidents
Profile

Charming Kitten, also tracked as APT35, Mint Sandstorm and Phosphorus, is an Iran‑based threat actor that operates in support of the Islamic Revolutionary Guard Corps and the Ministry of Intelligence and Security. Public reporting links the group to Iranian state interests and describes it as a cyber espionage unit that conducts operations against targets in the Middle East, Europe and North America. The actor is known by multiple aliases in threat intelligence feeds, reflecting its evolving tool‑set and infrastructure over time.

The actor’s targeting spans government ministries, critical infrastructure, healthcare facilities, academic institutions and pharmaceutical companies, with observed objectives that include intelligence gathering, disruption of services and enabling follow‑on criminal activity. Incidents have involved the theft of patient medical records from an Israeli hospital, attempts to manipulate water‑treatment systems in Israel, and phishing campaigns aimed at WHO staff and Gilead executives involved in COVID‑19 research. The group has also defaced websites of a Sierra Leone bank and a U.S. government portal, and has been observed exploiting unpatched print‑management servers to gain initial access to networks worldwide.

Typical tactics include the exploitation of pre‑authentication vulnerabilities such as CVE‑2023‑27350 in PaperCut MF/NG servers to establish footholds, the use of spear‑phishing emails that impersonate journalists or scholars to lure victims to credential‑harvesting pages hosted on compromised legitimate websites, and the deployment of defacement messages bearing political imagery. The actor has leveraged legitimate but compromised academic domains, as seen in Operation SpoofedScholars where a SOAS‑hosted site was used to harvest credentials from Middle‑East experts. In addition, the group has employed fake login pages mimicking Google services to steal passwords from personal email accounts.

Representative campaigns illustrate the actor’s range: a 2023 intrusion at Ziv Medical Center that exfiltrated hundreds of gigabytes of patient data, a series of 2022‑2023 exploits of the PaperCut vulnerability that provided initial access for subsequent ransomware deployment by other groups, the 2021 SpoofedScholars operation targeting academics with personalized webinar lures, and the 2020 phishing attempts against Gilead and WHO staff seeking COVID‑19 related information. These activities demonstrate a pattern of combining vulnerability exploitation, social engineering and infrastructure abuse to achieve espionage and disruptive ends. The actor remains active and continues to adapt its methods in line with Iranian strategic priorities.

Incidents
Attributed incidents available to members
18 incidents
Sources
Sources available to members
13 sources