APT35 (Advanced Persistent Threat 35) is a hacking group believed to originate from Iran. It is also known under several other aliases: Newscaster Team, Phosphorus, Charming Kitten and Ajax Security Team. APT35 is involved in both politically motivated and financially motivated campaigns. The group concentrates its efforts mainly on human rights activists, media organizations and the academic sector. Most of its campaigns are carried out in the United States, Israel, Iran and the United Kingdom.
Popular APT35 Campaigns
One of the most notorious APT35 operations is the one carried out against HBO in 2017. In it, APT35 leaked over 1TB of data, consisting of staff personal details and shows that had not yet been aired officially. Another infamous campaign that put APT35 on the map involved a U.S. Air Force defector, who aided the group in gaining access to classified government data. In 2018, APT35 built a website meant to mimic a legitimate Israeli cybersecurity company; the only difference was that the fake website used a slightly altered domain name. This campaign gave APT35 the login details of some of the company’s clients. The latest infamous campaign involving APT35 was carried out in December 2018, with the group operating under the Charming Kitten alias. This operation targeted political activists who had influence over the economic and military sanctions placed on Iran at the time. APT35 posed as high-ranking professionals working in the same fields as their targets, using tailored phishing emails carrying fake attachments, as well as bogus social media profiles.
APT35’s DownPaper Malware
DownPaper is a backdoor Trojan, mostly used as a first-stage payload, with the capability to:
- Establish a connection with the attacker’s C&C (Command & Control) server and receive commands and harmful payloads to be executed on the infiltrated host.
- Gain persistence by tampering with the Windows Registry.
- Gather information about the compromised system, such as hardware and software data.
- Execute CMD and PowerShell commands.
APT35 is a very persistent group, and it is unlikely that it plans to halt its activities any time soon. Keeping in mind that the political climate around Iran has been heating up for a while, it is likely that we will keep hearing about APT35’s campaigns in the future.