{
	"id": "235fcb9d-2b20-4674-8b71-6be1ab774dee",
	"created_at": "2026-04-06T00:06:49.204143Z",
	"updated_at": "2026-04-10T13:12:38.317321Z",
	"deleted_at": null,
	"sha1_hash": "344331effa6fafb53e0ffb238e44599051bdf16c",
	"title": "TA453 Uses Impersonation to Capitalize on FOMO | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1051605,
	"plain_text": "TA453 Uses Impersonation to Capitalize on FOMO | Proofpoint US\r\nBy Joshua Miller, Kyle Eaton and Alexander Rausch, September 13, 2022\r\nPublished: 2022-09-11 · Archived: 2026-04-05 18:08:41 UTC\r\nKey Takeaways\r\nIn mid-2022, TA453 deployed a social engineering impersonation technique informally called Multi-Persona Impersonation in which the threat actor uses at least two actor-controlled personas on a single\r\nemail thread to convince targets of the legitimacy of the campaign.\r\nThis is an intriguing technique because it requires that more resources be used per target—potentially burning\r\nmore personas—and a coordinated approach among the various personalities in use by TA453.\r\nThis is the latest in TA453's evolution of its techniques and can be mitigated in large part by potential\r\ntargets, such as those specializing in Middle Eastern affairs or nuclear security, by being cautious when\r\nthey receive outreach from unexpected sources, even those that appear legitimate.\r\nOverview\r\nAs a great songwriter once penned, \"everyone needs a friend.\" No APT this year has been taking this sentiment\r\nmore to heart than the Iran-aligned espionage threat actor TA453. Throughout late 2021 and through 2022,\r\nProofpoint researchers have observed TA453, which overlaps with activity tracked as Charming Kitten,\r\nPHOSPHORUS, and APT42, continually innovating its approach in a quest to fulfill its intelligence priorities. In\r\nlate June 2022, this evolution resulted in campaigns utilizing what Proofpoint informally calls Multi-Persona\r\nImpersonation (MPI), a subset of Impersonation noted in Proofpoint's Email Fraud Taxonomy framework. In MPI,\r\nTA453 takes its targeted social engineering to a new level, targeting researchers with not just one actor-controlled persona but multiple. 
This technique allows TA453 to leverage the psychological principle of social\r\nproof to prey upon its targets and increase the authenticity of the threat actor's spear phishing. Proofpoint has\r\npreviously observed this technique from advanced business email compromise actors such as TA2520 (Cosmic\r\nLynx).\r\nIt is important to note that for the purposes of this blog, Proofpoint refers to each of the TA453 personas by the\r\nsender name. While Proofpoint has previously observed TA453 using compromised email accounts to send\r\nphishing emails, Proofpoint has no specific indication that these spoofed individuals were victimized by TA453.\r\nAdditionally, Proofpoint regularly sees TA453 pair the same spoofed person with different actor-controlled email\r\naddresses.\r\nTypical TA453 Activity\r\nIn what Proofpoint researchers consider a standard TA453 campaign, the threat actor masquerades as an\r\nindividual, such as a journalist or policy-adjacent individual, working to collaborate with the intended target.\r\nHistorically, TA453 has targeted academics, policymakers, diplomats, journalists, and human rights workers.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo\r\nPage 1 of 7\n\nBenign conversations that eventually lead to credential harvesting links are hallmarks of TA453 activity. Proofpoint\r\nhas observed limited instances of TA453 deploying malware.\r\nIn almost all cases, TA453 would engage in one-to-one conversations with their targets, but this changed in mid-2022.\r\nTimes are Changing: TA453's Multiple Personalities\r\nProofpoint researchers observed a shift in TA453's approach starting in June 2022. In this first campaign (Figure\r\n1), TA453 started the conversation masquerading as \"Aaron Stein, Director of Research at FRPI.\" The actor\r\nincluded a variety of questions intended to generate a dialogue about Israel, the Gulf States, and the Abraham\r\nAccords. 
While these questions are generally meant to establish a pretext for sending a follow-up credential\r\nharvesting link or to deliver a malicious document, it is also possible they represent intelligence questions tasked\r\nto TA453.\r\nIn the email, TA453's \"Aaron Stein\" launched the threat actor's use of Multi-Persona Impersonation (MPI) by\r\nreferring to and including a \"Richard Wike, director of global attitudes research at PEW Research Center\" on the\r\nCC line.\r\nFigure 1. TA453 email posing as an \"Aaron Stein, Director of Research at FRPI.\"\r\nA day after the initial email, \"Richard Wike\" responded (Figure 2) to the email thread, likely in an attempt to\r\nestablish the veracity of the request and solicit a response from the target. In this case, no malicious documents or\r\nlinks were observed.\r\nFigure 2. TA453 follow-up email using another persona.\r\nBringing Up BadBlood: In late June 2022, TA453 reached out to a target specializing in genome research as\r\n\"Harald Ott\" and cc'd two other actor-controlled accounts, \"Claire Parry, Assistant Director at the Centre for\r\nUniversal Health in Chatham House's Global Health Programme\" and \"Dr. Andrew Marshall, chief editor of\r\nNature Biotechnology,\" which made this impersonation attempt a three-to-one MPI using organ regeneration as a\r\nlure. When the target replied to the initial email, \"Harald\" delivered a OneDrive link that downloaded a malicious\r\nWord doc named Ott-Lab 371.docx. The SHA256 for the file is\r\nf6456454be8cb77858d24147b1529890cd06d314aed70c07fc0b5725ac84542b. Proofpoint assesses this document\r\nrepresents the latest iteration of TA453's exploitation of Remote Template Injection previously reported by PwC.\r\nThe template and its macros, dubbed Korg by Proofpoint, will be discussed later in this report. 
\r\nFigure 3. Screenshot of TA453 using one of its cc'd personas to further the ruse targeting a medical researcher.\r\nWhile the targeting of medical personnel, specifically those involved in genome research, is not a frequent area of\r\nfocus for TA453, it is not the first time this actor has demonstrated an interest in this type of research. In\r\nDecember 2020, TA453 conducted a phishing campaign targeting medical researchers, as detailed in Proofpoint's\r\nBadBlood blog.\r\nGroup Project: In June 2022, TA453's \"Carroll Doherty\" persona reached out to a prominent academic involved\r\nin nuclear arms control about a possible US versus Russia clash. This campaign ended up representing an\r\nevolution of TA453's MPI technique as the persona did not stop at reaching out to just one target but reached out\r\nto two targets at the same university. \"Carroll\" also cc'd three other TA453 personas on the email: \"Daniel\r\nKrcmaric,\" \"Aaron Stein,\" and \"Sharan Grewal.\"\r\nFigure 4. Timeline of TA453's Group Project email campaign.\r\nOne of the targets responded initially to the outreach email but then ghosted \"Carroll.\" After the target failed to\r\nrespond for a little over a week, \"Carroll\" kindly provided a OneDrive link to the article referenced in the original\r\nemail (Figure 5). The link downloaded a document titled \"The possible US-Russia clash.docx\" (SHA256:\r\n16a961475a88313478bc2406d6b442be9809e64ea9e2a4754debcce9200cf36b).\r\nFigure 5. 
Screenshots of \"Carroll\" persona sending the target a malicious OneDrive link and password.\r\n\"Carroll\" sent the password separately and followed up with the target to let them know the document is secure\r\nbecause it cannot be read without the password. Four days later, one of the cc'd TA453 personas, \"Aaron Stein,\"\r\ndropped \"Carroll\" from the email thread, apologized to the target, and resent the same OneDrive link and\r\npassword (Figure 6).\r\nFigure 6. A cc'd TA453 persona attempting to convince a target of the legitimacy of the campaign.\r\nSimilar to the document sent by \"Harald,\" this document also used remote template injection to download Korg.\r\nKorg—TA453's Latest Remote Template Injection\r\nAs noted above, some of TA453's campaigns delivered OneDrive links that hosted malicious documents. The\r\ndocuments are the latest version of the TA453 remote template injection documents discussed by PwC in July\r\n2022. The password-protected documents downloaded the macro-enabled template documents from\r\n354pstw4a5f8.filecloudonline[.]com. Proofpoint observed multiple campaigns reusing that specific\r\nfilecloudonline[.]com host. The downloaded template, dubbed Korg by Proofpoint, has three macros:\r\nModule1.bas, Module2.bas, and ThisDocument.cls. The macros collect information such as the username and the list of\r\nrunning processes, along with the user's public IP from my-ip.io, and then exfiltrate that information using the\r\nTelegram API.\r\nAt this time, Proofpoint has only observed the beaconing information and has not observed any follow-on\r\nexploitation capabilities. The lack of code execution or command and control capabilities within the TA453\r\nmacros is abnormal. Proofpoint judges that infected users may be subject to additional exploitation based on the\r\nsoftware identified on their machines. 
\r\nAttribution\r\nProofpoint continues to assess that TA453 operates in support of the Islamic Revolutionary Guard Corps (IRGC).\r\nThis assessment is based on a variety of evidence, including overlaps in unit numbering between Charming Kitten\r\nreports and IRGC units as identified by PwC, the US Department of Justice indictment of Monica Witt and IRGC-affiliated actors, and analysis of TA453 targeting compared to reported IRGC-IO priorities.\r\nProofpoint tracks multiple subgroups of TA453 differentiated primarily by victimology, techniques, and\r\ninfrastructure. Some subgroups in their typical campaigns will engage in benign conversations with targets for\r\nweeks before delivering malicious links. Conversely, another subgroup tends to immediately send a malicious link\r\nin the initial email.\r\nWhile the mere presence of specific indicators does not definitively condemn an email as TA453, indicators of a\r\npossible TA453-linked persona include:\r\nUse of a Gmail, Outlook, Hotmail, or AOL email address instead of an institutional email\r\nIncluding other \"personal email accounts\" in the conversation\r\nReplying to a blank email\r\nAsking to collaborate on research about issues relating to the Middle East\r\nOffering a Zoom call (often resulting in a credential harvesting link)\r\nSending unsolicited collaboration \"draft\" attachments\r\nConclusion\r\nAll threat actors are in constant states of iterating their tools, tactics, and techniques (TTPs), advancing some\r\nwhile deprecating others. The use of MPI by TA453, while the group's latest technique, is likely to continue to\r\nevolve and morph as this group hunts for intelligence in support of the IRGC. 
Proofpoint researchers have already\r\nstarted to observe this potential next step with TA453 attempting to send a blank email, then respond to the blank\r\nemail, all while including all their \"friends\" on the CC line. This is likely the threat actor's attempt at bypassing\r\nsecurity detection.\r\nResearchers involved in international security, particularly those specializing in Middle Eastern studies or nuclear\r\nsecurity, should maintain a heightened sense of awareness when receiving unsolicited emails. For example,\r\nexperts that are approached by journalists should check the journalist's or their publication's website to see if the\r\nemail address belongs to them.\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo"
	],
	"report_names": [
		"ta453-uses-multi-persona-impersonation-capitalize-fomo"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "629af275-d425-4bd1-ac91-0ec3d18ff4e1",
			"created_at": "2023-01-06T13:46:39.361287Z",
			"updated_at": "2026-04-10T02:00:03.301766Z",
			"deleted_at": null,
			"main_name": "Cosmic Lynx",
			"aliases": [],
			"source_name": "MISPGALAXY:Cosmic Lynx",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434009,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/344331effa6fafb53e0ffb238e44599051bdf16c.pdf",
		"text": "https://archive.orkl.eu/344331effa6fafb53e0ffb238e44599051bdf16c.txt",
		"img": "https://archive.orkl.eu/344331effa6fafb53e0ffb238e44599051bdf16c.jpg"
	}
}