APT35: Iran’s Persistent Cyber Espionage Force

Introduction

APT35 is one of Iran’s most persistent, adaptive, and visible state-backed cyber actors. Security vendors track the group under an extensive list of names, including Charming Kitten, Phosphorus, Mint Sandstorm, and COBALT MIRAGE, and it has been active for more than a decade. The actor uses espionage, surveillance, and disinformation to advance Iran’s strategic goals.

Campaigns associated with the actor show a sustained interest in intelligence collection for political purposes, in monitoring dissidents, and in activities that yield geopolitical intelligence, a pattern common to actors associated with the Iranian government. To collect this intelligence, APT35 targets governments, academics, non-governmental organizations concerned with human rights, and media organizations. Recently, APT35 has expanded its tactics to include AI-assisted disinformation and the exploitation of vulnerabilities in enterprise technologies.

Figure: APT35 group profile highlighting attribution, motivations, TTPs, and targeted sectors.

Identity & Motivation

APT35 is attributed directly to the Islamic Revolutionary Guard Corps (IRGC), Iran’s elite security and intelligence organization.

  • Active Since: At least 2011
  • Motivation: Espionage, influence, and disruption aligned with Iran’s foreign policy goals, silencing dissent, and spreading propaganda
  • Aliases: CharmingCypress, Group 83, TunnelVision, COBALT MIRAGE, TA455, Mint Sandstorm, Phosphorus, Smoke Sandstorm, NewsBeef, Charming Kitten, G0058, G0059, BOHRIUM, iKittens, Magic Hound, Newscaster, Newscaster Team, Parastoo, Yellow Dev13.

The long list of aliases reflects the group’s longevity and the range of operations observed by different security vendors, each of which names the activity it tracks.

Tactics, Techniques, and Procedures (TTPs)

Initial Access

APT35 is highly dependent on social engineering and phishing, including:

  • Fake news and media websites.
  • Impersonating journalists, academics or NGOs.
  • Sending malicious links via e-mail, LinkedIn or WhatsApp.

These social engineering tactics often entice the targets into fake log-in portals designed to capture their credentials.

Persistence & C2

APT35 maintains its access through a mix of custom malware and legitimate cloud-based services:

  • Malware: POWERSTAR, CHAINSHOT, Tickler, DustySky, HookStick.
  • C2 Infrastructure: Google Drive, OneDrive, and other “Software as a Service” tools are used to exfiltrate data and to maintain persistence, blending malicious traffic with legitimate cloud activity.

Techniques

Occasionally, destructive capabilities have been included, so the line between espionage and disruption becomes blurred.

Credential harvesting continues to be a hallmark of APT35.

Watering hole attacks and VPN abuse have also been identified.

Fake personas and disinformation campaigns on social media have been employed.


Target Profile

APT35 targeting suggests Iran’s geopolitical interests:

  • Sectors: Government, defense, academia, NGOs, think tanks, technology, human rights organizations, and media.
  • Geographies: Billions of dollars have been spent on targeting. Countries of focus are the United States, Israel, and the Gulf States, but operations, including targeting, have also spread to Europe and to global dissident communities.

Targets are frequently policy experts, journalists and researchers because of their influence on foreign policy discussions and debates.

Notable Operations

• 2014-2015: Newscaster Campaign

APT35 impersonated journalists through fabricated online personas and websites to engage and phish its political and defense targets.

• 2018: University Credential Theft

Thousands of United States and Middle East university accounts were breached to facilitate intelligence collection.

• 2020: COVID-19 Espionage

Exploiting the pandemic, APT35 targeted pharmaceutical firms and health organizations to acquire valuable medical research.

• 2021: DustySky & CHAINSHOT Campaigns

APT35 targeted Israeli defense and technology companies with cutting-edge malware payloads.

• 2022-2023: Activists and Journalists

A global spear-phishing campaign was directed against dissidents and human rights advocates, including efforts to gain access to their email and social media accounts.

• 2024: U.S. Election Operations

APT35 conducted phishing and influence operations against policy experts, think tanks, and journalists associated with U.S. elections.

• 2025: POWERSTAR & Tickler Campaigns

APT35 continued intrusions against universities and research firms, showing sustained interest in the academic sector.

Evolution & Recent Developments

APT35 has also evolved its tradecraft consistently:

• Transitioned from basic phishing activity to compromises targeting the supply chain.

• Leveraged AI-generated content and deepfakes to lend credibility to disinformation.

• Increased its toolkit with malware families specifically developed to act alongside commodity tools.

• Actively sought to target global NGOs and policy organizations to influence narratives of foreign policy.

APT35’s evolution is representative of a larger Iranian strategic objective: to blend espionage with psychological operations in skilled, methodical efforts to degrade adversaries both technically and politically.

Conclusion

APT35 is not the most technically advanced threat actor, but the tenacity and flexibility of its operations, in alignment with Iranian strategic objectives, make it a credible and persistent threat. Its operations illustrate a wider evolution of cyber operations beyond espionage and profit toward influence and control of narratives.

Key takeaways for the defensive community include:

  • Awareness: Phishing and impersonation training is still paramount.
  • Cloud Security Monitoring: Watch for misuse of legitimate applications such as Google Drive or OneDrive.
  • Election and Policy Security: Protect political organizations, NGOs, and research institutions – clear targets for APT35.
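The “Cloud Security Monitoring” takeaway above, and the C2 section’s point that Google Drive and OneDrive are used for exfiltration and persistence, can be turned into a simple detection. The following script is an added example, not part of the original article or any Brandefense tooling; it assumes a constructed proxy log format (timestamp, source host, method, URL, bytes sent), an assumed 50 MiB per-host daily upload threshold, and an assumed 07:00-18:59 UTC business-hours window.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample proxy log lines (not from the article).
# Format: <ISO timestamp> <source host> <method> <url> <bytes sent>
SAMPLE_LOGS = """\
2025-03-04T02:14:07Z ws-finance-07 POST https://www.googleapis.com/upload/drive/v3/files 18432000
2025-03-04T02:16:51Z ws-finance-07 POST https://www.googleapis.com/upload/drive/v3/files 22118400
2025-03-04T02:19:33Z ws-finance-07 POST https://www.googleapis.com/upload/drive/v3/files 20971520
2025-03-04T10:05:40Z ws-hr-03 PUT https://graph.microsoft.com/v1.0/me/drive/root:/report.docx:/content 512000
2025-03-04T11:30:00Z ws-dev-12 GET https://intranet.example.local/ 2048
"""

# Cloud storage endpoints of the services the article names as abused for C2 and exfiltration.
SAAS_DOMAINS = {"www.googleapis.com", "drive.google.com", "graph.microsoft.com", "onedrive.live.com"}
UPLOAD_METHODS = {"POST", "PUT"}
BYTES_THRESHOLD = 50 * 1024 * 1024   # assumed tuning value: 50 MiB of uploads per host per day
BUSINESS_HOURS = range(7, 19)        # assumed: 07:00-18:59 UTC is normal working time

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) https?://([^/\s]+)\S* (\d+)$")

def parse(log_text):
    """Yield (timestamp, host, method, domain, bytes) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m.group(2), m.group(3), m.group(4), int(m.group(5))

def find_suspicious_uploads(log_text):
    """Return {host: [reasons]} for hosts whose cloud-storage uploads look like exfiltration."""
    per_host = defaultdict(lambda: {"bytes": 0, "off_hours": 0})
    for ts, host, method, domain, size in parse(log_text):
        if domain not in SAAS_DOMAINS or method not in UPLOAD_METHODS:
            continue                                  # downloads and non-SaaS traffic are ignored
        per_host[host]["bytes"] += size
        if ts.hour not in BUSINESS_HOURS:
            per_host[host]["off_hours"] += 1
    findings = {}
    for host, stats in per_host.items():
        reasons = []
        if stats["bytes"] > BYTES_THRESHOLD:
            reasons.append(f"{stats['bytes']} bytes uploaded to cloud storage")
        if stats["off_hours"]:
            reasons.append(f"{stats['off_hours']} upload(s) outside business hours")
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in find_suspicious_uploads(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(reasons))
```

On the sample data only ws-finance-07 is flagged: its three night-time uploads total about 58 MiB, while ws-hr-03’s single small daytime upload and ws-dev-12’s intranet traffic stay below both thresholds.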

APT35’s trajectory indicates that as geopolitical tensions continue to rise, operations will increase as well – making it a prevalent threat actor to monitor in the coming years.

Brandefense provides trusted threat intelligence and digital risk protection for global security teams.