1. Overview
Charming Kitten, also known as APT35, Phosphorus, Newscaster, and TA453, is a state-sponsored cyber espionage group linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. Active since at least 2014, Charming Kitten is known for its targeted credential harvesting, social engineering, and espionage operations against individuals and organisations in the academic, governmental, defence, human rights, and journalistic sectors.
Unlike many APTs that rely on malware-first strategies, APT35 is highly focused on human targeting, using impersonation, phishing, and fake personas to establish trust before stealing credentials or delivering malware. Their operations are often ideologically motivated, aligning with Iran’s strategic goals and regional influence objectives.
2. Origin and Evolution
Charming Kitten has been publicly tracked since 2014, originally as part of the “Newscaster” campaign, where fake journalist personas were used to socially engineer targets on LinkedIn, Facebook, and email. Since then, the group has grown significantly in scope and sophistication.
Microsoft has tracked the group as Phosphorus since at least 2019, when it obtained a US court order to seize domains the group used for phishing and reported its targeting of a US presidential campaign; UK intelligence agencies have since flagged its targeting of academics, researchers, and diplomats in the UK and Europe.
Charming Kitten’s tactics have evolved to include spear-phishing with custom domains, credential phishing pages, and even mobile malware to track Iranian dissidents and Western contacts.
3. Tactics, Techniques, and Procedures (TTPs)
APT35 relies heavily on social engineering, phishing, and credential theft, followed by exploitation of email accounts and cloud services. Key techniques include:
- Initial Access:
Spear-phishing emails carrying malicious links (T1566.002) or attachments (T1566.001), often impersonating trusted contacts, academics, journalists, or NGOs.
- Impersonation & Social Engineering:
Creation of fake LinkedIn, Facebook, and email personas (T1585.001), often targeting academics, diplomats, or journalists to build rapport before delivering phishing payloads.
- Credential Harvesting:
Cloned login pages for Google, Microsoft, and institutional portals, reached via spear-phishing links (T1566.002), used to collect passwords and, where the page relays the victim's input to the real service, session cookies (T1539).
- Malware Deployment (less frequent):
PowerShell backdoors (T1059.001), macro-enabled Office documents that depend on the target opening them (T1204.002), and custom implants such as PowerLess and CharmPower. Note that "Magic Hound" is another vendor name for the group itself, not an implant.
- Cloud Abuse:
Access to victims' email, calendars, Google Drive, and OneDrive accounts (T1114.002 for remote mailbox collection), often used for surveillance or lateral phishing.
4. Targeting Profile
Charming Kitten’s targeting reflects Iran’s strategic objectives and focus on regional influence, nuclear negotiations, and regime stability. Primary targets include:
- Academics, researchers, and policy analysts working on Middle East security
- Diplomats and foreign ministry officials
- Journalists covering Iran, nuclear policy, or dissident communities
- NGOs and human rights activists
- Iranian diaspora and exile communities
- Think tanks and international organisations
UK-based think tanks, universities, and government advisors have been among the group’s targets, particularly those involved in foreign policy, non-proliferation, and sanctions.
5. Notable Campaigns and Victims
📌 Newscaster Campaign (2014):
Used fake journalist profiles to socially engineer defence and foreign policy officials.
📌 Operation SpoofedScholars (2021):
Reported by Proofpoint in 2021. The group impersonated academics at the School of Oriental and African Studies (SOAS) to invite UK and US Middle East experts to a fictitious online conference, then directed them to a credential phishing page hosted on a compromised SOAS-affiliated website.
📌 Fake LinkedIn and Zoom Invitations (2022):
Used spoofed invites to legitimate academic panels and webinars to trick users into logging into fake Microsoft 365 or Google accounts.
📌 Credential Harvesting of Politicians (2019–2020):
Attempted to access accounts associated with a US presidential campaign (reported by Microsoft in 2019 and again in 2020) and UK political party infrastructure, using spoofed security alerts to lure targets to fake login pages.
6. Technical Indicators
Common indicators of Charming Kitten activity include:
- Domains spoofing trusted entities (e.g., outlook-security[.]com, zoompanel[.]org)
- Login pages mimicking Google, Office 365, and academic institutions
- PowerShell-based scripts with C2 over HTTPS or Telegram
- Phishing infrastructure such as google-form[.]us and secure-mailaccess[.]com
- Deployment of tools such as PowerLess, CharmPower, and Cheshire (Magic Hound, sometimes listed alongside them, is another vendor name for the group rather than a tool)
UK Cyber Defence Ltd maintains updated IOCs and phishing domain watchlists for this actor.
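A lightweight triage check for the kind of lookalike domains listed above, added here as an illustration rather than UK Cyber Defence Ltd's own watchlist tooling. The allowlist, brand and lure-word tables and the sample domains not taken from this page are constructed, and the public-suffix handling is a deliberate simplification.

```python
"""Flag sender domains that look like impersonations of trusted brands.

Added example, not part of the original page or UK Cyber Defence Ltd's watchlist.
Allowlist, brand and lure-word tables and the non-page sample domains are constructed;
the public-suffix handling is deliberately simplified (see registrable_label).
"""

# Domains treated as genuine; an exact match is never flagged.
ALLOWLIST = {"outlook.com", "office.com", "microsoft.com", "google.com",
             "zoom.us", "linkedin.com", "example.ac.uk"}
# Brand tokens an impersonator tends to embed in a lookalike label.
BRANDS = ["outlook", "office", "microsoft", "google", "zoom", "linkedin"]
# Words that recur in credential-phishing hostnames.
LURE_WORDS = {"secure", "security", "login", "signin", "verify", "account",
              "mailaccess", "panel", "form", "auth"}
# Visually similar substitutions, undone before comparing against a brand.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
MAX_EDIT_DISTANCE = 1     # near-miss threshold for typosquats such as outlok.com
MIN_BRAND_LEN = 5         # short brands (zoom) would match too many real words

# Defanged IOCs from the page plus constructed extras, including two benign domains.
SAMPLE_DOMAINS = ["outlook-security[.]com", "zoompanel[.]org", "google-form[.]us",
                  "secure-mailaccess[.]com", "micros0ft.com", "outlok.com",
                  "bbc.co.uk", "example.ac.uk"]


def refang(domain: str) -> str:
    """Convert the defanged form used in IOC lists (outlook[.]com) back to a real domain."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable_label(domain: str) -> str:
    """Label immediately left of the public suffix.

    Simplification: only one-label suffixes (.com, .org, .us) and the common
    two-label UK suffixes are handled; a real tool would use the Public Suffix List.
    """
    parts = domain.split(".")
    if len(parts) >= 3 and parts[-1] == "uk" and parts[-2] in {"ac", "co", "gov", "org"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalise(label: str) -> str:
    """Undo common homoglyph substitutions so micros0ft compares equal to microsoft."""
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> list:
    """Return the reasons a domain looks like an impersonation; an empty list means clean."""
    d = refang(domain)
    if d in ALLOWLIST:
        return []
    label = registrable_label(d)
    norm = normalise(label)
    reasons = []
    for brand in BRANDS:
        if norm == brand:
            reasons.append(f"label '{label}' is brand '{brand}' on a non-allowlisted domain")
        elif brand in norm:
            reasons.append(f"label '{label}' embeds brand '{brand}'")
        elif len(brand) >= MIN_BRAND_LEN and edit_distance(norm, brand) <= MAX_EDIT_DISTANCE:
            reasons.append(f"label '{label}' is within edit distance {MAX_EDIT_DISTANCE} of brand '{brand}'")
    lures = sorted(w for w in LURE_WORDS if w in label)
    if lures:
        reasons.append(f"contains lure word(s) {', '.join(lures)}")
    return reasons


def triage(domains) -> dict:
    """Map each suspicious domain (refanged) to its reasons, dropping clean ones."""
    result = {}
    for domain in domains:
        reasons = classify(domain)
        if reasons:
            result[refang(domain)] = reasons
    return result


if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_DOMAINS).items():
        print(domain)
        for reason in reasons:
            print("   -", reason)
```

The substring and edit-distance checks are heuristics and will produce some false positives on legitimate names (any domain containing "form" trips the lure-word test), so the output is a triage queue for an analyst, not a block list. Feeding it newly registered or newly observed sender domains from mail gateway logs catches this actor's habit of standing up brand-plus-security-word domains before a campaign.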
7. Defensive Measures and Recommendations
To mitigate the threat posed by APT35:
- Enforce multi-factor authentication (MFA) on all accounts—especially cloud platforms
- Monitor for unauthorised OAuth app approvals in Microsoft and Google environments
- Educate staff on social engineering, impersonation, and phishing awareness
- Flag emails using external domains that mimic internal contacts
- Monitor for login attempts from anomalous locations and unusual mail rules
- Apply DMARC, SPF, and DKIM email protections to reduce spoofing risk
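The OAuth-consent, anomalous-location and mail-rule checks above, worked through as an added example (not code from UK Cyber Defence Ltd) over constructed audit records. The record shape is a simplified version of Microsoft 365 Unified Audit Log JSON; the users, IPs, GeoIP table and the flattened `Scopes` field on the consent record are all assumptions made for the example.

```python
"""Triage constructed Microsoft 365 audit records for post-compromise activity of the
kind described above: inbox rules that forward or hide mail, OAuth consents that grant
mailbox scopes, and sign-ins from unexpected countries.

Added example, not UK Cyber Defence Ltd tooling. The record shape is a simplified
Unified Audit Log JSON; sample users, IPs, the GeoIP table and the flattened
"Scopes" field on the consent record are constructed (real consent records carry
the scopes inside ModifiedProperties).
"""
import json
from datetime import datetime

INTERNAL_DOMAIN = "example.ac.uk"                  # assumption: the defended tenant
EXPECTED_COUNTRIES = {"GB", "IE", "NL"}            # where staff normally sign in from
GEOIP = {"203.0.113.10": "GB", "203.0.113.25": "GB",   # stand-in for a GeoIP lookup
         "198.51.100.7": "IR", "192.0.2.44": "NL"}
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
                "Files.Read.All", "offline_access"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Junk Email", "Deleted Items",
                "Archive", "Conversation History"}
TRAVEL_WINDOW_MINUTES = 120

# Constructed newline-delimited JSON: one compromised researcher and one benign admin.
SAMPLE_LOG = """
{"CreationTime":"2025-05-02T08:14:03","Operation":"UserLoggedIn","UserId":"a.researcher@example.ac.uk","ClientIP":"203.0.113.10","Workload":"AzureActiveDirectory"}
{"CreationTime":"2025-05-02T09:02:41","Operation":"UserLoggedIn","UserId":"a.researcher@example.ac.uk","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory"}
{"CreationTime":"2025-05-02T09:05:12","Operation":"Consent to application.","UserId":"a.researcher@example.ac.uk","Workload":"AzureActiveDirectory","AppDisplayName":"Mail Sync Helper","Scopes":["Mail.Read","offline_access"]}
{"CreationTime":"2025-05-02T09:07:55","Operation":"New-InboxRule","UserId":"a.researcher@example.ac.uk","Workload":"Exchange","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"archive@secure-mailaccess.com"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2025-05-02T10:30:00","Operation":"New-InboxRule","UserId":"b.admin@example.ac.uk","Workload":"Exchange","ClientIP":"203.0.113.25","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"},{"Name":"From","Value":"news@example.ac.uk"}]}
{"CreationTime":"2025-05-02T11:00:00","Operation":"UserLoggedIn","UserId":"b.admin@example.ac.uk","ClientIP":"192.0.2.44","Workload":"AzureActiveDirectory"}
"""


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def assess_inbox_rule(rec: dict) -> list:
    """Reasons a New-InboxRule/Set-InboxRule record looks like mailbox persistence."""
    params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
    reasons = []
    for name in sorted(FORWARDING_PARAMS & params.keys()):
        target = params[name]
        if not target.lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append(f"{name} sends mail to external address {target}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage hides matching mail from the mailbox owner")
    folder = params.get("MoveToFolder")
    if folder in HIDE_FOLDERS:
        reasons.append(f"MoveToFolder buries mail in {folder}")
    rule_name = params.get("Name", "")
    if not rule_name.strip(" ."):                  # attacker rules are often named "." or ""
        reasons.append(f"rule name {rule_name!r} is blank or punctuation only")
    return reasons


def assess_consent(rec: dict) -> list:
    """Flag user consents that hand an app standing access to mail or files."""
    risky = sorted(set(rec.get("Scopes", [])) & RISKY_SCOPES)
    if not risky:
        return []
    app = rec.get("AppDisplayName", "<unknown app>")
    return [f"user consented to {app!r} with {', '.join(risky)}"]


def assess_login(rec: dict, last_seen: dict) -> list:
    """Unexpected country, plus a simple impossible-travel check against the previous sign-in."""
    user = rec["UserId"]
    when = datetime.fromisoformat(rec["CreationTime"])
    ip = rec.get("ClientIP", "")
    country = GEOIP.get(ip, "??")
    reasons = []
    if country not in EXPECTED_COUNTRIES:
        reasons.append(f"sign-in from {country} ({ip}) outside expected countries")
    prev = last_seen.get(user)
    if prev and prev[0] != country:
        minutes = (when - prev[1]).total_seconds() / 60
        if 0 <= minutes <= TRAVEL_WINDOW_MINUTES:
            reasons.append(f"impossible travel: {prev[0]} then {country} within {int(minutes)} minutes")
    last_seen[user] = (country, when)
    return reasons


def detect(records: list) -> list:
    """Run each record through the check for its operation; one alert per record with findings."""
    alerts, last_seen = [], {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        op = rec.get("Operation", "")
        if op in {"New-InboxRule", "Set-InboxRule"}:
            reasons = assess_inbox_rule(rec)
        elif op == "Consent to application.":
            reasons = assess_consent(rec)
        elif op == "UserLoggedIn":
            reasons = assess_login(rec, last_seen)
        else:
            reasons = []
        if reasons:
            alerts.append({"time": rec["CreationTime"], "user": rec.get("UserId"),
                           "operation": op, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert["time"], alert["user"], alert["operation"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

In production the records come from `Search-UnifiedAuditLog` or the Office 365 Management Activity API rather than a string literal, and the three findings for the same user within six minutes (foreign sign-in, mail-scope consent, forwarding rule that also deletes) are exactly the sequence worth correlating into one incident. Pair the consent check with restricting user consent in Entra ID so that the alert is rare enough to act on.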
8. Attribution and Alliances
APT35 is attributed to the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organisation, supported by multiple western intelligence agencies including:
- UK’s National Cyber Security Centre (NCSC)
- US CISA, NSA, and FBI
- EU intelligence partnerships and CERTs
Charming Kitten occasionally overlaps operationally with other Iranian APTs such as APT33 (Elfin) and APT34 (OilRig), though its focus remains on targeting individuals rather than enterprise systems.
9. Conclusion
Charming Kitten (APT35) remains a persistent and ideologically driven threat, particularly dangerous for individuals in academic, policy, and advocacy spaces. Its emphasis on human targeting, social engineering, and credential compromise—rather than malware—makes it harder to detect through conventional security tooling.
UK-based organisations and individuals working in international affairs, Iran-focused research, or human rights advocacy should adopt strong identity controls, phishing resilience, and cross-platform monitoring to mitigate the risk.
Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025