Charming Kitten, a hacking group tied to the Iranian government, has been conducting cyber operations targeting individuals and organizations linked to academia, media, human rights, and political campaigns.

Who is behind the attack?

The group is widely believed to be affiliated with the Iranian state and is also known by aliases like APT35 and Phosphorus.

What was the goal of these attacks?

Their primary objective is intelligence gathering—stealing sensitive data, monitoring communications, and accessing credentials from high-value targets.

Targets include U.S. political campaign staff, researchers, journalists, and human rights advocates—especially those involved in Middle Eastern or Iranian affairs.

How were the attacks carried out?

They used phishing emails with malicious Office document attachments, backdoor malware like DownPaper and PupyRAT, and tools to extract passwords and exfiltrate data.

Why would attackers be interested in these targets?

These individuals and institutions often hold politically sensitive or strategic information that can serve Iranian geopolitical interests.

How can people and organizations protect themselves?

By using strong passwords, enabling two-factor authentication, applying software updates, and being cautious of unexpected email attachments or links.

Is this a widespread issue or a targeted one?

The attacks are targeted but global, focusing on specific individuals and groups that intersect with Iranian state interests.

Threats Feed|Charming Kitten|Last Updated 26/05/2025|AuthorCertfa Radar|Publish Date16/11/2022

Charming Kitten's Cyber Arsenal: Tools and Techniques Explained

Actor Motivations: Espionage,Exfiltration
Attack Vectors: DNS spoofing,Backdoor,Downloader,Dropper,Keylogger,RAT,Phishing
Attack Complexity: Medium
Threat Risk: High Impact/High Probability

Threat Overview

The Iranian APT group, Charming Kitten (APT35), targets human rights activities, academia, media organizations, and political entities in the US and Central Eastern countries. Notable attacks include the 2017 HBO hack, which led to leaked unaired TV episodes, and interference attempts in the 2019 US elections, primarily targeting email accounts. Tools used by APT35 include DownPaper, which utilizes PowerShell and registry manipulation, Mimikatz for credential dumping, PsExec for remote execution, and PupyRAT for cross-platform control via phishing techniques.

Reference and Credit: InfinitumIT - November 2022

Charming Kitten (APT35)

Detected Targets

Type	Description	Confidence
Case	HBO Home Box Office is an American pay television network, which is the flagship property of namesake parent-subsidiary Home Box Office, Inc., itself a unit owned by Warner Bros. Discovery. HBO has been targeted by Charming Kitten as the main target.	Verified
Sector	Human Rights	Verified
Sector	Journalists	Verified
Sector	Media	Verified
Sector	Researchers	Verified
Region	United States	Verified
Region	Middle East Countries	Verified

Extracted IOCs

ntg-sa[.]com
itworx.com-ho[.]me
mci.com-ho[.]me
moh.com-ho[.]me
mol.com-ho[.]me
03ea9457bf71d51d8109e737158be888
1b5e33e5a244d2d67d7a09c4ccf16e56
43fad2d62bc23ffdc6d301571135222c
97cb7dc1395918c2f3018c109ab4ea5b
3215021976b933ff76ce3436e828286e124e2527
735f5d7ef0c5129f0574bec3cf3d6b06b052744a
934c51ff1ea00af2cb3b8465f0a3effcf759d866
d20168c523058c7a82f6d79ef63ea546c794e57b
66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b
6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b
8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71
e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6
139[.]59.46.154
45[.]32.186.33
89[.]107.62.39

download

Tip: 20 related IOCs (3 IP, 5 domain, 0 URL, 0 email, 12 file hash) to this threat have been found.

FAQs

Understanding the Charming Kitten Cyber Threat

: Charming Kitten, a hacking group tied to the Iranian government, has been conducting cyber operations targeting individuals and organizations linked to academia, media, human rights, and political campaigns.
: The group is widely believed to be affiliated with the Iranian state and is also known by aliases like APT35 and Phosphorus.
: Their primary objective is intelligence gathering—stealing sensitive data, monitoring communications, and accessing credentials from high-value targets.
: Targets include U.S. political campaign staff, researchers, journalists, and human rights advocates—especially those involved in Middle Eastern or Iranian affairs.
: They used phishing emails with malicious Office document attachments, backdoor malware like DownPaper and PupyRAT, and tools to extract passwords and exfiltrate data.
: These individuals and institutions often hold politically sensitive or strategic information that can serve Iranian geopolitical interests.
: By using strong passwords, enabling two-factor authentication, applying software updates, and being cautious of unexpected email attachments or links.
: The attacks are targeted but global, focusing on specific individuals and groups that intersect with Iranian state interests.

About Affiliation

Charming Kitten

Associate threats