APT35 Expands Its Horizon – Password Spray Attacks Across Global Sectors

Since February 2023, APT35, a notorious Iranian-backed threat actor, has been intensifying its cyber operations with a series of global password spray attacks. These attacks represent a strategic shift in the group’s focus, targeting vital sectors and expanding their geographical scope.

Scope and Targets of the Campaign

The campaign, as reported by Microsoft researchers, primarily targets sectors such as satellite, defense, and pharmaceuticals, with a heightened focus on organizations in the United States, Saudi Arabia, and South Korea. These attacks demonstrate APT35’s adaptability and determination to infiltrate high-value targets across different industries.

Attack Methodology

Password spraying differs from traditional brute-force attacks by using a few commonly used passwords against a large number of accounts, thereby minimizing the chances of detection. This technique allows APT35 to maximize attack success while reducing the likelihood of triggering security alerts. The group’s strategic use of both publicly available and custom tools in these attacks exemplifies their evolving tactics and resourcefulness.


APT35’s password spray attacks align with several tactics and techniques listed in the MITRE ATT&CK framework, including:

Targeted CVEs

APT35’s campaign also involved attempts to exploit known vulnerabilities, including:

  • CVE-2022-47966 – A remote code execution flaw in Zoho ManageEngine.
  • CVE-2022-26134 – A remote code execution flaw in Confluence Server and Data Center.

Organizations are encouraged to implement multi-factor authentication, regularly update passwords, and educate employees on secure password practices. Monitoring network traffic for anomalies and employing advanced threat detection tools are also crucial in identifying and mitigating such sophisticated attacks.

APT35’s password spray campaign highlights the group’s continuous evolution and the expanding complexity of cyber threats. Organizations must maintain heightened vigilance and robust cybersecurity measures to protect against these sophisticated and dynamic threats.

Further Reading