Menu
Browse

Cyber Threat Actor: APT35

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Criminal
China
3 incidents
Profile

The threat actor is publicly referenced under the aliases THE0TIME, Charming Kitten and APT35 and has been associated with China in available reporting. Their activity has been observed against telecommunications providers in Saudi Arabia, medical technology firms in China and aviation infrastructure in Israel, indicating a pattern of targeting sectors that handle sensitive communications, health‑related intellectual property and critical transportation systems. In the Virgin Mobile KSA incident the actor sought financial gain by offering stolen employee credentials on dark web forums, while the Huiying Medical Technology breach involved the theft and attempted sale of source code and experimental data for an AI‑based COVID‑19 detection system, again motivated by monetary profit. The attempted disruption of flight paths during a high‑profile diplomatic event at an Israeli international airport demonstrates an objective to interfere with aviation operations, showing that the actor’s goals can extend beyond pure financial gain to include operational disruption.

Observed tactics, techniques and procedures include the exploitation of an unpatched Microsoft Exchange vulnerability to gain initial access to a target’s network, as seen in the Virgin Mobile KSA compromise. After establishing a foothold the actor used ADRecon to extract password hashes from Active Directory, deployed PowerShell‑based malware for execution and implanted web shells to maintain persistent presence within the compromised environment. In the Huiying Medical case the actor exfiltrated proprietary source code and research data, indicating a capability for large‑scale data theft and preparation for resale. The airport‑focused activity involved numerous attempted intrusions originating from multiple geographic locations, although specific tools or malware were not detailed in the public reports for that episode.

Attribution to China is derived from the location information supplied in the context, and the actor’s aliases align with previously tracked groups such as Charming Kitten and APT35, which have been linked to state‑nexi in open‑source analyses. No public sources in the provided material describe the actor as part of a criminal consortium or attribute the incidents to a specific governmental agency, so any claim of state sponsorship or criminal affiliation beyond the stated China association would be speculative. The three highlighted operations—the Virgin Mobile KSA breach, the Huiying Medical Technology theft and the attempted aviation disruption—represent the actor’s publicly reported campaigns and illustrate a range of targets, motives and methods that have been documented in open‑source reporting.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
1 source