Threats Feed | APT35 | Last Updated: 24/04/2026 | Author: Certfa Radar | Publish Date: 07/03/2025

APT35: Iran’s Cyber Espionage Unit Targeting U.S. and Dissidents

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Compromised Credentials, Vulnerability Exploitation, Zero-Day Attack, Session Spoofing, Keylogger, Malicious Macro, Malware, RAT, Phishing, Spear Phishing, Compromised Software
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

APT35 (Charming Kitten, Phosphorus, Mint Sandstorm) is an Iranian state-sponsored cyber espionage group linked to the Islamic Revolutionary Guard Corps (IRGC). Active since at least 2014, the group has targeted U.S. government officials, political campaigns, journalists, and prominent Iranian dissidents abroad. Their tactics include spear-phishing, credential theft, malware deployment, and persistence techniques. APT35 has been involved in high-profile incidents, including the HBO breach (2017), attacks on a U.S. presidential campaign (2019), and the development of HYPERSCRAPE (2022) for email theft. Their campaigns leverage social engineering, spoofed domains, and cloud-based persistence, with operations focusing on espionage and data exfiltration.

Detected Targets

Type | Description | Confidence
Case | HBO. Home Box Office is an American pay television network, the flagship property of its namesake parent-subsidiary Home Box Office, Inc., itself a unit owned by Warner Bros. Discovery. HBO was a primary target of APT35. | Verified
Sector | Defense | Verified
Sector | Dissident | Verified
Sector | Government Agencies and Services | Verified
Sector | Journalists | Verified
Sector | Education | Verified
Sector | Media | Verified
Sector | Telecommunication | Verified
Region | Israel | Verified
Region | United States | Verified
Region | Middle East Countries | Verified
Region | European Countries | Verified

FAQs

Understanding the APT35 Threat Landscape

Over the past decade, a cyber-espionage group has conducted a series of ongoing, sophisticated digital spying campaigns. These operations have involved the theft of large amounts of sensitive data, the hijacking of personal email accounts, and the deployment of custom malicious software.

These campaigns are orchestrated by APT35, an Iranian state-sponsored cyber-espionage group also known as Charming Kitten, Phosphorus, and Mint Sandstorm. Active since at least 2014, the group is affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) and carries out operations aligned with the state's interests.

The primary goal of APT35 is prolonged espionage and intelligence collection. The attackers aim to establish long-term, hidden access to target networks so they can continually monitor communications, steal confidential documents, and hijack user accounts.

The threat has a global reach but is highly specific in its execution. Historically, their operations have impacted major US entertainment networks, national political campaigns, global conferences, and widely used cloud and email providers.

Yes. APT35 carefully selects its targets based on geopolitical relevance, access to sensitive systems, or involvement in specific research fields. Frequent targets include current and former government officials, political campaigns, journalists, prominent dissidents, researchers, and major media organizations.

Attackers begin by thoroughly researching their targets and creating fake online personas to build trust. They then send personalized phishing emails or direct messages containing malicious links; once a victim interacts, the attackers steal their passwords and install stealthy monitoring software to maintain control.

These individuals and organizations possess highly sensitive information, such as strategic geopolitical intelligence, unreleased intellectual property, and confidential communications. Accessing this data directly serves the strategic, political, and surveillance objectives of the Iranian government.

Organizations should immediately enforce strong Multi-Factor Authentication (MFA) across all accounts and keep all software and VPNs up to date. Additionally, regular employee training to spot phishing attempts and the use of advanced email filtering systems are highly recommended to block initial compromises.

This is a highly targeted issue. While the group uses common tactics like phishing and fake login pages, they do not randomly attack the general public; instead, they focus their efforts strictly on individuals and organizations of strategic interest to Iran.