APT35 Description

APT35 (Advanced Persistent Threat 35) is a hacking group believed to originate from Iran. The group is also known under several other aliases: Newscaster Team, Phosphorus, Charming Kitten and Ajax Security Team. APT35 runs both politically motivated and financially motivated campaigns, and concentrates its efforts mainly on human rights activists, media organizations and the academic sector. Most of its campaigns have been carried out in the United States, Israel, Iran and the United Kingdom.

Popular APT35 Campaigns

One of the most notorious APT35 operations is the 2017 attack on HBO, in which the group leaked over 1TB of data consisting of staff personal details and shows that had not yet been aired officially. Another infamous campaign that put APT35 on the map involved a U.S. Air Force defector, who helped the group gain access to classified government data. In 2018, APT35 built a website mimicking a legitimate Israeli cybersecurity company; the only difference was a slightly altered domain name. This campaign allowed APT35 to harvest the login details of some of the company's clients. The latest infamous campaign, carried out in December 2018 under the Charming Kitten alias, targeted political activists with influence over the economic and military sanctions placed on Iran at the time. APT35 operators posed as high-ranking professionals in the same fields as their targets, using tailored phishing emails with fake attachments as well as bogus social media profiles.

APT35’s DownPaper Malware

The DownPaper tool is a backdoor Trojan that is mostly used as a first-stage payload. It has the capabilities to:

  • Establish a connection with the attacker’s C&C (Command & Control) server and receive commands and harmful payloads, which are to be executed on the infiltrated host.
  • Gain persistence by tampering with the Windows Registry.
  • Gather information about the compromised system, such as hardware and software data.
  • Execute CMD and PowerShell commands.
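
Two of the capabilities above, persistence through the Windows Registry and execution of CMD and PowerShell commands, leave traces in the auto-start keys that a defender can audit. The following is an added example (not code from the original page, and not based on any DownPaper sample or indicator) of a small Python audit over Run-key entries: it flags auto-start values that reference user-writable directories, launch a shell or script host, use hidden-window or encoded PowerShell switches, or reuse the name of a Windows system binary from outside the Windows directory. The entries, the allowlist and the heuristics are all constructed assumptions for illustration.

```python
"""Audit Windows Run-key auto-start entries for common persistence tradecraft.

Added example with constructed data; nothing here is a real DownPaper indicator.
"""
import re
from dataclasses import dataclass, field

# Constructed sample entries shaped like values read from the Run keys.
SAMPLE_RUN_ENTRIES = [
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "command": r'"C:\Windows\System32\SecurityHealthSystray.exe"'},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater",
     "command": r"powershell.exe -w hidden -nop -enc QQBCAEMARAA="},  # placeholder base64
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "svchost",
     "command": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Helper",
     "command": r"cmd.exe /c start /min C:\Windows\Temp\dp.bat"},
]

# Directories an unprivileged user can write to; a payload dropped here needs no admin rights.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|tmp|users\\public|programdata|downloads)\\", re.I)
# Hypothetical analyst-maintained allowlist for legitimate per-user software.
KNOWN_GOOD_PATHS = ("\\appdata\\local\\microsoft\\onedrive\\",)
# Shells and script hosts a first-stage backdoor uses to run CMD/PowerShell commands.
INTERPRETERS = {"cmd.exe", "powershell.exe", "powershell", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell switches that hide the window, skip profiles, bypass policy or take encoded input.
STEALTH_FLAGS = re.compile(
    r"(?:^|\s)-(?:enc(?:odedcommand)?|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass"
    r"|w(?:indowstyle)?\s+hidden)\b", re.I)
# Names of core Windows binaries that malware commonly borrows to blend in.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                       "winlogon.exe", "services.exe"}


@dataclass
class Finding:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def extract_executable(command):
    """Return the executable portion of a Run-key command (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def is_under_windows(path):
    """True when the path resolves under the Windows directory."""
    return path.lower().startswith(("c:\\windows\\", "%systemroot%", "%windir%"))


def check_entry(entry):
    """Return the list of reasons an auto-start entry looks suspicious (empty if clean)."""
    command = entry["command"]
    exe = extract_executable(command)
    base = exe.rsplit("\\", 1)[-1].lower()
    lowered = command.lower()
    reasons = []
    if USER_WRITABLE.search(command) and not any(p in lowered for p in KNOWN_GOOD_PATHS):
        reasons.append("references a user-writable directory")
    if base in INTERPRETERS:
        reasons.append(f"auto-starts a shell or script host ({base})")
    if STEALTH_FLAGS.search(command):
        reasons.append("uses hidden-window, encoded or policy-bypass PowerShell switches")
    if base in SYSTEM_BINARY_NAMES and not is_under_windows(exe):
        reasons.append(f"{base} outside the Windows directory (name masquerading)")
    return reasons


def audit_run_entries(entries):
    """Run every entry through check_entry and return a Finding for each suspicious one."""
    findings = []
    for entry in entries:
        reasons = check_entry(entry)
        if reasons:
            findings.append(Finding(entry["key"], entry["name"], entry["command"], reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[!] {finding.key}\\{finding.name}: {finding.command}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

On the constructed sample the audit flags the encoded PowerShell launcher, the svchost.exe copy in a roaming profile and the cmd.exe wrapper around a script in the Temp directory, while the OneDrive entry passes because of the allowlist. On a live host the entries would come from the HKLM and HKCU Run and RunOnce keys (for example via reg.exe query or a forensic registry parser), and the allowlist would need to grow to cover whatever per-user software the environment legitimately installs.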

The APT35 hacking group is very persistent, and it is unlikely that it plans to halt its activities any time soon. Given that the political climate around Iran has been heating up for a while, we will likely keep hearing about APT35 campaigns in the future.
