
APT35

apt35 · primary source: MITRE · first observed 2013
IR · Iran · State-sponsored · Moderate confidence · last cited Jan 10, 2022 · 4y ago

Iranian state-sponsored actor associated with the IRGC. Conducts long-term espionage and credential-phishing operations against journalists, dissidents, U.S. and Israeli government targets, and academic researchers working on Middle East policy. Known for elaborate social-engineering personas sustained over months.

Aliases

  • Charming Kitten (CrowdStrike)
  • Mint Sandstorm (Microsoft)
  • PHOSPHORUS (Microsoft)

Motivations

espionage

Target sectors

  • government
  • academia
  • journalism
  • dissidents
  • energy

Target countries

  • US
  • IL
  • GB
  • SA
  • AE
  • DE

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • APT35
  • Iran
  • espionage
Infrastructure
Victim
  • government
  • academia
  • journalism
  • US
  • IL
  • +1 more

MITRE ATT&CK techniques

Timeline

2 events

Indicators of compromise

2 indicators
Indicator 1
  Type: Name
  Value: MischiefTut
  Family: MischiefTut
  Description: PowerShell reconnaissance backdoor named by Microsoft in the January 2024 Mint Sandstorm advisory; deployed post-intrusion alongside MediaPl to write recon output to documentLoger.txt and pull additional tools onto victim hosts at Middle East research organizations.
  First seen: Oct 31, 2023
  Source: Microsoft

Indicator 2
  Type: SHA-256
  Value: f2dec56acef275a0e987844e98afcc44bf8b83b4661e83f89c6a2a72c5811d5f
  Family: MediaPl
  Description: MediaPl custom backdoor (MediaPl.dll) masquerading as Windows Media Player, attributed by Microsoft in January 2024 to a Mint Sandstorm subgroup (APT35 / Charming Kitten / Phosphorus) targeting Middle East affairs researchers at universities in BE, FR, IL, UK and US. Communicates with C2 via AES-CBC encrypted, Base64-encoded channels.
  First seen: Oct 31, 2023
  Source: Microsoft

Related actors

shared ATT&CK techniques

References

cite this page

Threat Intel Tracker. (2026-05-19). APT35 — actor profile. Retrieved from https://threatintel.local/actors/apt35

latest cited activity · 2022-01-11 · 2 cataloged indicators