Threat Actor Profile Charming Kitten

Charming Kitten, also known as APT35, Magic Hound, and Phosphorus, is a cyber-espionage group believed to be operating out of Iran. They have been active since at least 2014 and have been known to target a wide range of sectors and individuals, including biotech, energy, technology, government agencies, journalists, human rights activists, and dissidents. The threat actor has gained attention for their sophisticated and persistent cyber-espionage campaigns. What they lack in technological sophistication, they make up for with comprehensive social engineering campaigns, gaining the trust of their targets before taking over their accounts. As Charming Kitten clearly shows, sophistication comes in more than one flavour.  

The Kitten is a versatile actor, with campaigns aimed at espionage, ransomware, and even suspected kidnapping. Their modus operandi is typical of Iranian APTs, who overcome their lack of technological or financial resources by employing novel strategies. However, the threat actor has recently stepped up its game, developing custom tools and showing the ability to quickly weaponize vulnerabilities, making it an even more dangerous adversary. This APT profile should be regarded as a small peek into the world of Iranian APTs and their preferred ways of targeting their victims.

  • Aliases: Charming Kitten, APT35, Phosphorus, Ajax Security, News Beef, Magic Hound, UNC788, APT42, Parastoo, Newscaster
  • Strategic motives: Espionage, financial
  • Affiliation: Islamic Revolutionary Guard Corps (IRGC)
  • Cyber capabilities: ★★☆☆☆
  • Target sectors: Military, Government, Media, Energy, Defense Industrial Base, Engineering, Telecommunications, Dissidents
  • Observed countries: 11

Origins, Motivations & Targets

Charming Kitten came into the spotlight in 2014 through a campaign on social media. There are, however, signs they have been active since 2011 or 2012. In 2011, an Iranian-backed operation named Newscaster targeted US military personnel with the goal of conducting espionage. In 2012, a group self-named Parastoo hacked an old server of the International Atomic Energy Agency. Later, both Newscaster and Parastoo were linked to Charming Kitten due to significant overlap in their use of Tactics, Techniques and Procedures (TTPs).

Charming Kitten has been associated with the Iranian government and military bodies, particularly the Islamic Revolutionary Guard Corps (IRGC). The APT’s goals often align with those of the IRGC, which the US government has also recognized. Since 2020, parts of the cyber branch of the IRGC have been sanctioned by the US Department of the Treasury, including individuals linked to Charming Kitten.

As is not uncommon for APTs, Charming Kitten seems to have a taste for targeting individuals, through whom access to an organization or to sensitive information is obtained. Extensive, complex spear-phishing and social engineering operations form an important part of their modus operandi. Charming Kitten often reaches out to military personnel, diplomats, and other government officials through social media in attempts to establish trusted relationships with their targets. Journalists, (academic) researchers and dissidents abroad have also been targeted by the group. Their victims are often selected based on their line of work or their political stance towards the Iranian regime. Most operations targeted people abroad, but a few instances of domestic espionage have also been noted.

Since 2021, the group has evolved beyond relying solely on their ability to mislead and deceive, although this remains their specialty. In the last few years, new skills and custom developed tools have been added to their toolbox, making them more dangerous than they have ever been. The scope of their targeting has also broadened, including much more high-value targets, such as critical infrastructure and international organizations. For this reason, Hunt & Hackett closely tracks the group in order to stay ahead. 

SWOT analysis

Strengths, weaknesses, opportunities & threats

Strengths

  • IRGC backing
  • Social Engineering and spear-phishing capabilities
  • No fear from criminal prosecution
  • Steep learning curve present in recent years

Weaknesses

  • Unable to find zero-days (so far), making use only of N-days
  • Low success rate for their known campaigns
  • Unable to conduct long-term espionage activities

Opportunities

  • Increasing priority for the IRGC
  • Continuing to develop new tools and tactics
  • Attracting more specialized personnel

Threats

  • Increased attention on Iranian activity in general
  • Further worsening of the Iranian economy due to international sanctions

Charming Kitten in the Netherlands

There is no account yet of Charming Kitten being active in the Netherlands. However, Iranian actors have set their sights on the Netherlands in the past, and due to the increasing versatility of Charming Kitten, it is possible that an attack will occur eventually. Iranian actors are nothing new in the Netherlands, as they were responsible for one of the country's most notorious hacks, at DigiNotar. Also, in 2020, PwC published a report saying that Iranian hackers had tried to compromise Dutch universities and colleges, seeking to obtain knowledge to use in their own educational system.

Due to Charming Kitten’s recent step-up in sophistication, combined with the change in motivation (a retaliation attack in 2023 and the targeting of critical infrastructure), the group constitutes a realistic threat to organizations in the Netherlands. The General Intelligence & Security Agency (AIVD) has been warning for years about Iran’s offensive activities in Dutch cyberspace, describing them as one of the biggest digital threats to the Netherlands.

Figure 5 – Country distribution of IoCs based on IPs. The Netherlands is the second most used IP address supplier for Charming Kitten’s attacks

Another angle from which the Netherlands shows up when looking into Charming Kitten is that the group often makes use of Dutch IPs for its attacks. In an investigation into Indicators of Compromise (IoCs) of the threat actor, IP addresses from the Netherlands featured prominently: after the US, the Netherlands is the second most used country for IP addresses (see Figure 5). A plausible reason for this is the high-quality ICT infrastructure in the Netherlands, which is reliable, stable and accessible.

Trends

For years, Charming Kitten was best known for their extensive spear-phishing and social engineering campaigns. With tricks and persistence, they were able to breach the email accounts of their targets. This remains a core component of their approach to breaching targets to this day. However, since 2021 there have been a few clear changes in the way the Kittens operate and in the targets they choose. From attacking dissidents and scholars, they have expanded their activities to ransomware attacks and attacks on critical infrastructure. This new range of targeting was accompanied by the development of custom tools, such as BELLACIAO and HYPERSCRAPER, and they gained the ability to quickly weaponize known vulnerabilities (N-days), sometimes within the first day of going public.

This trend coincided with a decrease in ransomware and wiper attacks from threat actors associated with the IRGC, indicating that after a few forays into financially and sabotage-motivated attacks, Charming Kitten returned to the espionage track. The shift in tactics also aligns with faster adoption of newly reported vulnerabilities, the use of compromised websites for command and control (C2) purposes to obscure the source of attacks, and in some cases the development of customized tools and advanced techniques. These developments collectively indicate that although Iranian threat groups may not possess the same level of technical sophistication as their Russian and Chinese counterparts, they are improving their ability to gain access to specific targets of interest, maintain persistence, and evade detection.

Their rapid development implies that Charming Kitten is benefiting from the uptick in priority that the IRGC has been receiving from Tehran; the IRGC is pocketing larger portions of Iran’s state budget every year, at the cost of the traditional military. For example, in 2023, the IRGC received 31% of the military budget, compared to the 11% that went to the army. These statistics make Tehran’s priorities clear, especially considering that the army employs 2.5 times more personnel than the IRGC. With the new funds, the IRGC is able to modernize its operations and equipment. The increasing priority for the IRGC indicates that Iran is stepping up its irregular warfare capabilities and focusing less on traditional military forces. With the IRGC as its omnipotent tool, Iran hopes to establish regional power and counter its stronger adversaries globally, like the US.

The advancement of the group is worrying, as their activities become harder to predict. Who knows when they will resort to ransomware again? Or focus all their attention on developing new tools? Over the timeframe 2021-2023, Charming Kitten has shown great versatility in modus operandi, targeting, and motivation. With their expanding activities and their overarching benefactor’s growing funds, the future of the group remains shrouded in mystery. 
