INTELLIGENCE REPORT: AGRIUS (Agonizing Serpens)

TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations: Agrius (SentinelLabs), Agonizing Serpens (Palo Alto Networks Unit 42), Pink Sandstorm (Microsoft, formerly Americium), Marshtreader (Security.com), BlackShadow (public hack-and-leak persona), DEV-0022 (Microsoft pre-attribution). Additional alias: G1030 (MITRE ATT&CK). Origin Iran. Presumed sponsor…

INTELLIGENCE REPORT : APT42

TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: APT42 (Mandiant/Google TI, reference designation: first public documentation September 2022), Damselfly (Mandiant internal), UNC788 (Mandiant pre-attribution), CALANQUE (Google Threat Analysis Group), OwlSandstorm (Microsoft), Yellow Garuda (PwC), ITG18 (IBM X-Force).…

INTELLIGENCE REPORT: MERCURY (MuddyWater)

TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: MERCURY (Microsoft, historical designation), MuddyWater (ClearSky, common usage designation), Mango Sandstorm (Microsoft, current designation), Seedworm (Symantec/Broadcom), Static Kitten (CrowdStrike), Earth Vetala (Trend Micro), TEMP.Zagros (Mandiant/FireEye pre-attribution), TA450 (Proofpoint), Boggy Serpens…

INTELLIGENCE REPORT — APT39

TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: APT39 (Mandiant/Google TI, reference designation), Chafer (Symantec, CrowdStrike), REMIX KITTEN (CrowdStrike), Burgundy Sandstorm (Microsoft), Radio Serpens (ESET), COBALT HICKMAN (SecureWorks), ITG07 (IBM X-Force), TA454 (Proofpoint), Cadelspy (Symantec), Remexi (Kaspersky). Additional…

Russian Intelligence Services Espionage Campaign Targeting Signal Accounts and Encrypted Messaging Applications

Technical and Strategic Analysis FBI/CISA PSA I-032026-PSA — March 20, 2026 | TLP:CLEAR 1. Executive Summary — Board Level / Strategic View On March 20, 2026, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly published a public service announcement (PSA I-032026-PSA) alerting the public to an active campaign by…

INTELLIGENCE REPORT — APT35

TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Denominations (known aliases by vendor) The group is tracked under the following denominations: APT35 (Mandiant/Google TI, reference designation), Phosphorus / Mint Sandstorm (Microsoft), TA453 (Proofpoint), Charming Kitten (ClearSky), Ballistic Bobcat (ESET), ITG18 (IBM X-Force), Yellow Garuda (PwC), NewsBeef (Kaspersky). Additional documented aliases: Ajax…