Threat Groups

TA406 / Phosphorus

1. Overview

The group profiled here under the label TA406 is an Iranian-linked cyber espionage actor active since at least 2015 and more widely tracked as Phosphorus (Microsoft, since renamed Mint Sandstorm), Charming Kitten, APT35 (Mandiant) and TA453 (Proofpoint). Note that Proofpoint's own TA406 designation refers to a different, North Korea-aligned actor, so use TA453 when cross-referencing Proofpoint reporting. While the group shares infrastructure and methodology with other Iranian threat actors, it is distinguished by long-term intelligence gathering through persistent spear-phishing, credential theft, and surveillance of individuals working in strategic policy, defence, human rights, and academia.

TA406 operates under the apparent direction of Iran’s Islamic Revolutionary Guard Corps (IRGC) and targets individuals and institutions that are politically, militarily, or ideologically significant to Iran’s national interests. The group is known for highly targeted campaigns and impersonation of journalists, diplomats, academics, and NGO officials.


2. Origin and Evolution

TA406 began as part of broader Iranian cyber operations, but it has since matured into a distinct threat group with its own infrastructure, tactics, and victim profile. The group became more widely recognised in 2020 when US and UK authorities attributed phishing campaigns against politicians, think tanks, and media organisations to Iranian actors operating under the alias Phosphorus.

In 2022 and 2023, TA406 campaigns expanded to include UK-based academic and government institutions, often tied to foreign policy, nuclear non-proliferation, sanctions enforcement, and diaspora surveillance. TA406’s operations are characterised by persistence, with some phishing campaigns continuing over several months and using personalised lures.


3. Tactics, Techniques, and Procedures (TTPs)

TA406’s operations rely heavily on social engineering and theft of credentials and tokens for cloud identities rather than on exploitation. Its TTPs include:

  • Initial Access
    Highly tailored spear-phishing emails using spoofed or impersonated identities, often posing as journalists, academics, or conference organisers. The lure is usually a link to a fake login portal (T1566.002) or, less often, a malicious document attachment (T1566.001). Initial contact is frequently benign, with the malicious link or attachment sent only once a dialogue has been established.
  • Credential Harvesting
    Cloned login pages for Google, Microsoft, and government services capture usernames and passwords (T1056.003, Web Portal Capture). In Microsoft 365 environments the group also abuses OAuth: the victim authenticates normally at the legitimate identity provider, MFA included, and is then asked to grant a look-alike application mailbox permissions. The resulting token gives persistent access without a password ever being captured (T1528, Steal Application Access Token).
  • Malware Deployment
    Malware is secondary to credential theft but does appear: PowerShell-based backdoors such as PowerLess, macro-enabled Office documents used as droppers, the macOS backdoor NokNok, and BrowserBookmark.
  • Cloud Exploitation
    Once credentials or tokens are obtained, the group reads webmail, calendars, and cloud drives for passive surveillance (T1114.002, Remote Email Collection). This typically happens without touching the victim's endpoint, so host-based telemetry shows nothing and the only evidence is in identity and mailbox audit logs.
  • Infrastructure
    TA406 uses short-lived phishing domains and C2 infrastructure, often mimicking legitimate services such as Outlook, Google Docs, or Zoom.

4. Targeting Profile

TA406 targets reflect Iranian strategic interests. Primary victim categories include:

  • Government officials and foreign policy advisers
  • Military analysts and defence contractors
  • Academics and researchers specialising in Middle East policy
  • Journalists and human rights activists
  • Iranian diaspora communities and dissidents
  • NGOs and intergovernmental organisations

UK-based think tanks, government contractors, and academic institutions have been among TA406’s confirmed targets, particularly those involved in research or policy advising on Iran, sanctions, or nuclear negotiations.


5. Notable Campaigns and Victims

TA406’s campaigns are typically quiet and persistent rather than noisy. Key operations include:

  • 2021 targeting of UK and US foreign policy researchers via spoofed Outlook and Google Docs pages
  • 2022 campaign impersonating Middle East-focused journalists to compromise journalists and academics in the UK, France, and Canada
  • 2023 phishing of UK university faculty under the guise of international conference invitations, leading to compromise of personal and institutional email accounts
  • Surveillance of Iranian exiles, human rights groups, and dissident communities using stolen credentials and long-term email access

The group rarely deploys ransomware or public leak threats; it prioritises silent access and strategic information gathering.


6. Technical Indicators

TA406 infrastructure rotates frequently, but common traits include:

  • Phishing domains mimicking Microsoft, Outlook, Google, and academic institutions
  • Use of free email accounts (often Gmail, Yahoo, ProtonMail) to initiate contact
  • Payloads such as malicious LNK files, macro-enabled documents, and PowerShell scripts
  • Mailbox collection over IMAP and staging of stolen data in third-party cloud storage. Basic authentication for IMAP has been disabled in Exchange Online since early 2023, so an IMAP session that still succeeds is either OAuth-based or relies on a tenant exception, and both are worth auditing
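As an added example (not code from the page or from UK Cyber Defence Ltd), the following Python scores observed domains against the brands listed above, undoing common homoglyph substitutions and checking for embedded or near-miss brand labels. The brand keywords, the allowlist and the sample domains are constructed for illustration; the allowlist in particular must be extended per tenant.

```python
"""Lookalike-domain triage for the brand-impersonation infrastructure the page describes.

Added example, not code from the page or from any vendor. The brand keywords,
the allowlist and the sample domains are constructed for illustration.
"""
import re

# Brands the page says the group mimics; add the institutions you defend.
BRANDS = ["microsoft", "outlook", "office", "google", "docs", "zoom", "sharepoint"]

# Registrable domains that legitimately carry those brands (constructed; extend per tenant).
ALLOWLIST = {"microsoft.com", "microsoftonline.com", "live.com", "office.com", "google.com", "zoom.us"}

# Substitutions common in lookalike registrations, undone before comparison.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def normalise(token):
    """Undo homoglyph tricks and drop anything that is not a letter."""
    token = token.lower()
    for src, dst in HOMOGLYPHS:
        token = token.replace(src, dst)
    return re.sub(r"[^a-z]", "", token)


def edit_distance(a, b):
    """Plain Levenshtein distance; fine for short DNS labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain, allowlist=ALLOWLIST):
    """Return sorted reasons the domain looks like brand impersonation, or None.

    The registrable domain is approximated as the last two labels; a production
    version should use the Public Suffix List (bbc.co.uk is three labels).
    """
    parts = domain.lower().rstrip(".").split(".")
    if ".".join(parts[-2:]) in allowlist:
        return None
    reasons = set()
    for label in parts[:-1]:  # every label except the TLD
        for token in {label, *label.split("-")}:
            norm = normalise(token)
            if not norm:
                continue
            for brand in BRANDS:
                if norm == brand:
                    kind = "homoglyph of" if token != brand else "unlisted use of"
                    reasons.add(f"{kind} '{brand}' in label '{label}'")
                elif brand in norm:
                    reasons.add(f"embeds '{brand}' in label '{label}'")
                elif len(brand) >= 6 and abs(len(norm) - len(brand)) <= 2:
                    limit = 1 if len(brand) < 8 else 2
                    if 0 < edit_distance(norm, brand) <= limit:
                        reasons.add(f"'{token}' is within {limit} edit(s) of '{brand}'")
    return sorted(reasons) or None


def triage(domains):
    """Map each flagged domain to its reasons; clean domains are omitted."""
    flagged = {}
    for domain in domains:
        reasons = score_domain(domain)
        if reasons:
            flagged[domain] = reasons
    return flagged


# Constructed sample: a mix of lookalikes and legitimate names.
SAMPLE_DOMAINS = [
    "login.micros0ft-verify.com",
    "rnicrosoft.com",
    "mircosoft-login.net",
    "outlook-web-access.live",
    "docs-google.sharefile-secure.net",
    "zoom-meeting-invite.net",
    "accounts.google.com",
    "bbc.co.uk",
    "ucl-conference-2025.org",
]

if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_DOMAINS).items():
        print(domain, "->", "; ".join(reasons))
```

Feed it the domains extracted from inbound mail links, DNS logs or newly registered domain feeds. Short brand words such as "docs" and "zoom" are only matched exactly or as substrings, because edit-distance matching on four-letter words flags ordinary vocabulary.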

IOC and domain lists are maintained and shared via UK Cyber Defence Ltd’s threat intelligence feeds.


7. Defensive Measures and Recommendations

Organisations targeted by TA406 should implement the following:

  • Enforce multi-factor authentication for all cloud services and user accounts, preferring phishing-resistant methods (FIDO2 security keys or passkeys) for high-risk users, since one-time codes typed into a cloned portal can be relayed in real time
  • Monitor for sign-ins from unusual locations, new OAuth consent grants and service-principal creation; restrict user consent so that only admin-approved applications can receive mailbox scopes
  • Train staff to recognise spear-phishing and impersonation attempts, including contact that begins benignly and only later introduces a link or attachment
  • Apply tighter controls to high-risk users such as Iran-focused researchers, policy advisers and diplomats: stricter conditional access, limited access to sensitive systems, and priority monitoring
  • Use DLP and CASB tools to monitor data flows in cloud environments, including mailbox access over IMAP and other legacy protocols
  • Establish incident response plans for account takeovers and cloud-based surveillance, covering token and consent revocation as well as password resets
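The monitoring points above, together with the OAuth abuse in section 3 and the IMAP collection indicator in section 6, reduce to a handful of rules over identity and mailbox audit events. The following Python is an added example, not code from the page or from UK Cyber Defence Ltd: it builds a per-user location baseline, flags new-country sign-ins, mailbox-scoped consent to unapproved applications, legacy-protocol logins and bulk mailbox reads, then correlates them into the takeover sequence the page describes. The events are constructed and use this example's own simplified field names rather than the real Microsoft 365 Unified Audit Log schema; the cutoff date, approved-app list, scope list and threshold are assumptions to tune per tenant.

```python
"""Sign-in, consent and mailbox-access triage for the account-takeover pattern the page describes.

Added example, not code from the page or from any vendor. The events are
constructed and use this example's own simplified field names rather than the
Microsoft 365 Unified Audit Log schema; map your export's fields accordingly.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed events: a.researcher is taken over, b.policy is normal activity.
SAMPLE_EVENTS = """
{"ts": "2025-04-01T08:02:11Z", "user": "a.researcher@example.ac.uk", "op": "UserLoggedIn", "client": "Browser", "country": "GB", "result": "Success"}
{"ts": "2025-04-02T09:15:40Z", "user": "a.researcher@example.ac.uk", "op": "UserLoggedIn", "client": "Browser", "country": "GB", "result": "Success"}
{"ts": "2025-04-03T10:00:00Z", "user": "b.policy@example.ac.uk", "op": "UserLoggedIn", "client": "Browser", "country": "GB", "result": "Success"}
{"ts": "2025-04-09T22:41:03Z", "user": "a.researcher@example.ac.uk", "op": "UserLoggedIn", "client": "Browser", "country": "NL", "result": "Success"}
{"ts": "2025-04-09T22:43:55Z", "user": "a.researcher@example.ac.uk", "op": "ConsentToApplication", "app": "Mail Sync Helper", "scopes": "Mail.Read offline_access", "country": "NL", "result": "Success"}
{"ts": "2025-04-09T22:50:12Z", "user": "a.researcher@example.ac.uk", "op": "UserLoggedIn", "client": "IMAP4", "country": "NL", "result": "Success"}
{"ts": "2025-04-10T03:00:00Z", "user": "a.researcher@example.ac.uk", "op": "MailItemsAccessed", "client": "IMAP4", "country": "NL", "result": "Success", "count": 1400}
{"ts": "2025-04-10T08:30:00Z", "user": "b.policy@example.ac.uk", "op": "UserLoggedIn", "client": "Browser", "country": "GB", "result": "Success"}
{"ts": "2025-04-10T08:31:00Z", "user": "b.policy@example.ac.uk", "op": "ConsentToApplication", "app": "Zoom", "scopes": "Calendars.Read", "country": "GB", "result": "Success"}
"""

# Tuning assumptions for this example.
BASELINE_CUTOFF = datetime(2025, 4, 8, tzinfo=timezone.utc)  # baseline built from events before this
APPROVED_APPS = {"Zoom", "Microsoft Teams"}                   # admin-vetted OAuth applications
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.Read", "offline_access"}
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync"}
BULK_ACCESS_THRESHOLD = 500                                   # mail items read in one event


def parse_events(text):
    """Parse one JSON object per line and return events in time order."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: e["ts"])


def baseline_countries(events, cutoff):
    """Countries each user signed in from through a browser before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["op"] == "UserLoggedIn" and e["result"] == "Success" and e.get("client") == "Browser" and e["ts"] < cutoff:
            seen[e["user"]].add(e["country"])
    return seen


def alert(event, rule):
    return {"rule": rule, "user": event["user"], "ts": event["ts"]}


def detect(events, cutoff=BASELINE_CUTOFF):
    """Apply the four rules to events after the cutoff; alerts come back in time order."""
    baseline = baseline_countries(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        if e["op"] == "UserLoggedIn" and e["result"] == "Success":
            # Users with no baseline are skipped here; treat them as a separate onboarding case.
            if e["user"] in baseline and e["country"] not in baseline[e["user"]]:
                alerts.append(alert(e, "new_country"))
            if e.get("client") in LEGACY_CLIENTS:
                alerts.append(alert(e, "legacy_auth"))
        elif e["op"] == "ConsentToApplication" and e["result"] == "Success":
            if e.get("app") not in APPROVED_APPS and set(e.get("scopes", "").split()) & MAIL_SCOPES:
                alerts.append(alert(e, "risky_consent"))
        elif e["op"] == "MailItemsAccessed" and e.get("count", 0) >= BULK_ACCESS_THRESHOLD:
            alerts.append(alert(e, "bulk_mail_access"))
    return alerts


def correlate(alerts, window=timedelta(hours=2)):
    """Users for whom three or more distinct rules fire inside `window`:
    the sign-in -> consent -> legacy-protocol collection chain."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(a)
    flagged = set()
    for user, items in by_user.items():
        for i, first in enumerate(items):
            rules = {a["rule"] for a in items[i:] if a["ts"] - first["ts"] <= window}
            if len(rules) >= 3:
                flagged.add(user)
                break
    return flagged


def run_sample():
    """Run the rules over the constructed events; returns (rules fired, users, correlated users)."""
    alerts = detect(parse_events(SAMPLE_EVENTS))
    return [a["rule"] for a in alerts], {a["user"] for a in alerts}, correlate(alerts)


if __name__ == "__main__":
    rules, users, flagged = run_sample()
    print("alerts:", rules)
    print("account-takeover candidates:", sorted(flagged))
```

The individual rules are noisy on their own (travel produces new-country sign-ins, and some legitimate tools still use IMAP), which is why the correlation step matters: a new location, a mailbox-scoped consent grant and a legacy-protocol login for the same user inside two hours is the sequence worth paging on. Response should revoke the consented application and its refresh tokens, not just reset the password, because the OAuth grant survives a password change.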

8. Attribution and Alliances

TA406 is attributed to the IRGC Intelligence Organisation and is one of several Iranian threat groups operating in parallel. Its activity overlaps with what Mandiant tracks as APT35 and the related but separately tracked APT42, though the profile described here is consistently one of human targeting and long-term espionage rather than disruptive attacks on infrastructure.

Public attribution has been made by Microsoft, the UK’s National Cyber Security Centre, and the US Department of Justice. Unlike many APTs, TA406 appears to operate with both strategic and ideological motivations, including surveillance of dissidents and suppression of political opposition.


9. Conclusion

TA406 represents a highly focused threat actor with a long history of targeting individuals and organisations aligned with Iranian strategic interests. Its emphasis on credential theft, email surveillance, and the targeting of researchers and policy experts makes it a particular risk to academic and government-linked institutions in the UK.

Unlike malware-heavy actors, TA406 operates quietly and persistently, requiring defenders to focus on identity security, cloud monitoring, and user awareness to detect and mitigate its activity.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
