APT35 Cyber Espionage: From Phishing to Spyware and Beyond
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Malware, Spyware, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
APT35 has used multiple tactics to compromise high-value targets. The group has used hijacked websites, including one affiliated with a UK university, for credential-phishing attacks. It has also uploaded spyware disguised as VPN software to app stores and impersonated conference officials to run phishing campaigns. In addition, APT35 has embedded link shorteners and click trackers within PDF files and abused Google services such as Drive, Apps Script, and Sites pages. In a novel approach, the group has leveraged Telegram for real-time operator notifications, enabling it to monitor visitor information on its phishing sites.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | Munich Security Conference: The Munich Security Conference is an annual conference on international security policy that has been held in Munich, Bavaria, Germany since 1963. Formerly named the Munich Conference on Security Policy, its motto is "Peace through Dialogue". It is the world's largest gathering of its kind. The Munich Security Conference has been targeted by APT35 with malicious intent. | Verified |
| Case | Think20 (T20): The Think 20 (T20) is an engagement group of the G20 that brings together think tanks from around the world to contribute policy recommendations and advice to the G20 summit. Think20 (T20) has been targeted by APT35 with malicious intent. | Verified |
| Sector | Pro-Democracy | Medium |
| Sector | Political | Medium |
| Sector | University | Medium |
| Region | Iran | Medium |
| Region | United Kingdom | Medium |
| Region | Middle East Countries | High |
| Region | European Countries | High |
Extracted IOCs
- accessverification[.]online
- cdsa[.]xyz
- communication-shield[.]site
- continuetogo[.]me
- customers-verification-identifier[.]site
- filetransfer[.]club
- identifier-service-review[.]site
- nco2[.]live
- recovery-activity-identification[.]site
- recovery-service-activity[.]site
- review-session-confirmation[.]site
- service-activity-session[.]online
- service-manager-notifications[.]info
- summit-files[.]com
- verify-service-activity[.]site
- digital-email-software.great-site[.]net
- reset-service-identity-mail.42web[.]io
- service-reset-password-moderate-digital.rf[.]gd
- 8a847b0f466b3174741aac734989aa73
- 5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5
Tip: 20 IOCs related to this threat have been found (0 IP, 18 domain, 0 URL, 0 email, 2 file hash).
Overlaps
Source: Proofpoint - December 2022
Detection (one case): nco2[.]live
Source: Cyware - October 2022
Detection (two cases): 5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5, 8a847b0f466b3174741aac734989aa73
Source: Mandiant - September 2022
Detection (two cases): 5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5, 8a847b0f466b3174741aac734989aa73
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.