TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations: Agrius (SentinelLabs), Agonizing Serpens (Palo Alto Networks Unit 42), Pink Sandstorm (Microsoft, formerly Americium), Marshtreader (Security.com), BlackShadow (public hack-and-leak persona), DEV-0022 (Microsoft pre-attribution). Additional alias: G1030 (MITRE ATT&CK). Origin Iran. Presumed sponsor…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: APT42 (Mandiant/Google TI, reference designation : first public documentation September 2022), Damselfly (Mandiant internal), UNC788 (Mandiant pre-attribution), CALANQUE (Google Threat Analysis Group), OwlSandstorm (Microsoft), Yellow Garuda (PwC), ITG18 (IBM X-Force).…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: MERCURY (Microsoft, historical designation), MuddyWater (ClearSky, common usage designation), Mango Sandstorm (Microsoft, current designation), Seedworm (Symantec/Broadcom), Static Kitten (CrowdStrike), Earth Vetala (Trend Micro), TEMP.Zagros (Mandiant/FireEye pre-attribution), TA450 (Proofpoint), Boggy Serpens…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Denominations (known aliases by vendor) The group is tracked under the following denominations: APT35 (Mandiant/Google TI, reference designation), Phosphorus / Mint Sandstorm (Microsoft), TA453 (Proofpoint), Charming Kitten (ClearSky), Ballistic Bobcat (ESET), ITG18 (IBM X-Force), Yellow Garuda (PwC), NewsBeef (Kaspersky). Additional documented aliases: Ajax…
TLP:CLEAR | CTI Analysts | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Naming (known aliases by vendor) The group is tracked under the following names across vendors: APT33 (Mandiant/FireEye, reference designation), Elfin / Elfin Team (Broadcom/Symantec), Refined Kitten (CrowdStrike), Peach Sandstorm (Microsoft, formerly HOLMIUM), MAGNALLIUM (Dragos), COBALT TRINITY (SecureWorks), ATK35, TA451, G0064 (MITRE ATT&CK) (1)(2)(3)(4).…
TLP:CLEAR | General Public | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Naming (known aliases by vendor) The group is tracked under the following names across vendors: Handala, Handala Hack, Handala Hack Team, Void Manticore (Check Point Research), Storm-0842 / Storm-842 (Microsoft), BANISHED KITTEN (CrowdStrike), Dune (other vendors) (1)(2). Associated operational personas include Karma (alias…
