Detect, Respond, Protect
See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.
Threat Actor Profile
Charming Kitten
Charming Kitten, also known as APT35, Phosphorus, Ajax Security Team, and ITG18, is a sophisticated Iranian cyber-espionage group active since at least 2011. Closely affiliated with the Islamic Revolutionary Guard Corps (IRGC), their activities focus on cyber espionage, surveillance, and geopolitical influence. Utilizing spear-phishing, impersonation, and custom malware to infiltrate high-profile individuals and industries, they remain a persistent and dangerous threat actor.
Threat Actor Profile
Charming Kitten
Country of Origin
Charming Kitten is widely attributed to Iran, with strong connections to the Iranian government and IRGC. Their activities reflect direct alignment with Iranian geopolitical strategies and adversaries.
Members
The exact size and structure of Charming Kitten remain unclear. Open-source intelligence and indictments have identified individual Iranian nationals linked to the group, often operating under pseudonyms and leveraging state resources.
Leadership
Specific leadership within Charming Kitten remains unknown. However, their operations are believed to be state-sponsored with strategic oversight from Iranian intelligence agencies.
Charming Kitten TTPs
Tactics
The group’s primary goals involve intelligence collection on geopolitical adversaries, conducting influence campaigns, and surveillance of dissidents and activists. They often aim to compromise sensitive information for espionage purposes.
Techniques
Charming Kitten employs advanced spear-phishing campaigns, impersonating journalists, academics, or credible organizations to gain the trust of their targets. They mimic legitimate websites, deploy phishing-as-a-service, and use sophisticated social engineering tactics. Additionally, multi-factor authentication (MFA) bypass techniques, such as push fatigue attacks, demonstrate their adaptability.
Procedures
Notable procedures include leveraging PowerShell-based malware, browser extensions for surveillance, and mobile malware. They use fake personas on social media platforms like LinkedIn and Twitter to establish trust and maintain long-term engagement with targets before executing credential theft.
Want to Shut Down Threats Before They Start?
Notable Cyberattacks
Newscaster Campaign (2014)
Leveraged fake journalist personas to extract sensitive information.
Presidential Campaign Targeting (2020)
Hundreds of phishing attempts against U.S. presidential campaigns.
COVID-19 Research Attacks (2020)
Targeted universities and pharmaceutical firms in the U.S. and U.K. for vaccine research.
MFA-Bypass Campaigns (2023–2025)
Adoption of advanced phishing kits aligned with escalating geopolitical tensions.
Law Enforcement & Arrests
Charming Kitten’s operations have been exposed by cybersecurity firms and government agencies globally. Notably, the U.S. Department of Justice indicted several Iranian nationals in 2019 for their involvement in international hacking and espionage campaigns.
How to Defend Against Charming Kitten
1
Implement Multi-Factor Authentication (MFA): Prevent unauthorized credential use
2
Patch Management: Regularly update software to mitigate zero-day vulnerabilities
3
Endpoint Detection and Response (EDR): Leverage tools to identify malware signatures and anomalous network behavior
4
Segmentation Standards: Limit access between critical systems to contain any lateral movement
5
User Awareness Campaigns: Train employees to recognize phishing attempts and follow cybersecurity best practices
6
Segmentation Standards: Limit access between critical systems to contain any lateral movement
Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Charming Kitten threats with enterprise-grade technology.
References
