Exploring APTs – #2

Charming Kitten

Another week, another APT to discuss!

Who is Charming Kitten?

APT35 is a cyber-espionage group also known as Charming Kitten, NewsBeef, and Ajax Security Team (ironically, of course!). It is believed to be a state-sponsored hacking group based in Iran and is known for targeting political and human rights activists, academics, and journalists in the Middle East and around the world. As of today, no arrests have been made. 

The group has been active since at least 2014 and is known for using a range of sophisticated techniques to conduct their attacks, including social engineering, spear-phishing, and malware implants. Some attacks from early 2013 have been speculatively attributed to Charming Kitten, but nothing concrete has been established. APT35 has been linked to a number of high-profile attacks, including the targeting of senior officials in the U.S. government and the hacking of email accounts belonging to several prominent figures in the Middle East. 

APT35 is considered a significant threat to global cybersecurity due to its sophisticated tactics and state-sponsored backing. Organizations that are at risk of being targeted by APT35 are encouraged to take appropriate measures to safeguard their digital assets and networks, including implementing strong security measures and staying up to date with the latest threat intelligence. 

Who has Charming Kitten attacked? 

As with most high profile APTs, there is a long list of victims in their wake. This extends to political enemies of Iran (hence the strong suspicion that Charming Kitten is related to the Iranian government in some way), universities, and tech companies. Some of the most high-profile attacks attributed to APT35 include: 

  • U.S. government officials: APT35 has been known to target senior officials in the U.S. government, including former U.S. Secretary of State John Kerry and former Deputy National Security Advisor Ben Rhodes. 
  • Journalists: APT35 has been known to target journalists who report on Middle Eastern affairs, including those working for major news organizations such as the Associated Press and Al Jazeera. 
  • Academic institutions: APT35 has targeted academic institutions around the world, including universities in the United States and Europe. 
  • Technology companies: APT35 has targeted technology companies, including those in the telecommunications sector, in order to gain access to sensitive data and intellectual property. 

There have also been attacks against journalists who have protested human rights violations in Iran. 

2020 Election interference 

In the mad rush before the 2020 US election, Microsoft released a statement about findings from their Digital Crimes Unit. Although there are few details which are readily available to this day, only the Trump administration used Outlook as their email client. With that in mind, the spear-phishing and other social engineering attacks seem to have been launched at Donald Trump’s team. 

If you are interested in seeing the seized websites, they are available here


As identified by Google’s TAG, Charming Kitten also has some hefty artillery on their side. In particular, the HYPERSCRAPE tool. Discovered in late 2021, the tool has been used to exfiltrate data from Gmail, Yahoo!, and Outlook accounts.  

To find a short breakdown on how the HYPERSCRAPE tool works, check out this article from Google

Am I safe from APT35?

As with all advanced persistant threats, the answer is “probably not”. Sorry for the bad news. As Charming Kitten seems to be an adaptive and versatile adversary, all we can do is try to stay ahead of the game. However, best practices tend to do most of the hard work. If you are concerned with your cybersecurity posture, use the following 7-point checklist to get your systems up to scratch: 

  1. Implement strong access controls and authentication mechanisms: Use strong, unique passwords for all accounts and enable two-factor authentication (2FA) wherever possible to prevent unauthorized access. 
  1. Educate users about phishing and social engineering: APT35 is known to use phishing emails to trick victims into divulging sensitive information or downloading malware. Train employees to recognize phishing attacks and suspicious messages, and to report them to IT or security teams. 
  1. Keep software and systems up to date: Ensure all software, systems, and devices are updated with the latest security patches and updates to help protect against known vulnerabilities. 
  1. Use security tools to detect and prevent attacks: Deploy advanced endpoint protection, intrusion detection and prevention systems, and security information and event management (SIEM) solutions to detect and respond to security threats in real time. 
  1. Conduct regular security assessments and penetration testing: Perform regular security assessments and penetration testing to identify vulnerabilities and address security weaknesses. 
  1. Implement a comprehensive incident response plan: Develop and implement an incident response plan to quickly detect and respond to security incidents, minimize the impact of a breach, and help ensure a speedy recovery. 
  1. Monitor threat intelligence sources: Keep up to date with the latest threat intelligence, such as reports from cybersecurity vendors, government agencies, and other trusted sources, to help identify and respond to emerging threats. 

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.