{
	"id": "d0225578-38c2-42f4-9db1-6246f457801c",
	"created_at": "2026-04-06T00:14:45.571546Z",
	"updated_at": "2026-04-10T03:35:28.825177Z",
	"deleted_at": null,
	"sha1_hash": "7aad1109e5c75958ae260a43cf59b44fd864d650",
	"title": "The not-so-Charming Kitten working for Iran",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104048,
	"plain_text": "The not-so-Charming Kitten working for Iran\r\nBy Dina Temple-Raston\r\nPublished: 2023-01-09 · Archived: 2026-04-05 20:42:26 UTC\r\nThe protests that have swept Iran over the past four weeks have become the biggest challenge to the ruling regime\r\nsince 2009. Demonstrators took to the streets after 22-year-old Mahsa Amini, a Kurdish woman who was arrested\r\nfor allegedly violating Iran's hijab policy, died in police custody.\r\nProtesters the Click Here podcast spoke with last week say Iranian authorities have throttled the internet and are\r\ntrying to knock demonstrators offline. But the authorities’ cyber offensive goes beyond Iran’s borders, and its roots\r\nwere in place long before protests overtook the country last month.\r\nWe spoke with Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, about Iran’s\r\nefforts to target the Iranian diaspora. The interview was edited for length and clarity.\r\nClick Here: Are you seeing any change in the way Iranian authorities are using digital tools to silence\r\npeople outside the country? \r\nSherrod DeGrippo: We haven't seen a change, and that actually tracks with what we've seen from Iran in the\r\npast. In January 2020, the United States sent a drone strike to kill Iranian General [Qassim] Suleimani. And the\r\nquestion was, now that we've seen this kinetic warfare attack against an Iranian general, will we now see cyber\r\nespionage to match it? And the reality was, we did not see a change in the operations, projects, and targets that\r\nIran cyber espionage groups had already been pursuing. They have their targets, they have their focus, and they\r\ntend to remain on track regardless of what's happening out in the world. \r\nCH: Can you tell us about some of those hacking groups coming out of Iran like TA453 or — our favorite\r\nname — Charming Kitten?\r\nSD: So what we refer to as Threat Actor 453 is often referred to in the intelligence community as Charming\r\nKitten. 
And the reason for that designation, which is incredibly adorable, is it refers to Persian cats. \r\nWe see this group operating in support of the IRGC or Iran's Islamic Revolutionary Guard Corps, so you can think\r\nof them as sort of a quasi-military cyber espionage organization. Their main targets are diplomats, academics,\r\nhuman rights workers, journalists, and government agencies. \r\nThey pretend to be someone looking into issues around the Middle East, and a lot of times they offer to get on a\r\nZoom call. There's almost this idea that they're associates or they're in the same industry or they're working on\r\nsimilar projects. \r\nNow, you might think, why would a cyber espionage actor out of Iran be able to easily get on a Zoom? Well,\r\ngenerally they don't actually follow through with the call. They offer it and then send some kind of credential\r\nharvesting link, an attempt to get the username and password of their target. \r\nhttps://therecord.media/the-not-so-charming-kitten-working-for-iran/\r\nPage 1 of 3\n\nCH: So are they actually getting their targets to download malware? \r\nSD: For these credential harvestings, typically you click the link and it looks like a login to Zoom. But in fact it's a\r\nlogin to a threat actor's landing page.\r\nCH: Given the depths of the protests rocking Iran now, are you seeing Charming Kitten branch out and\r\nattack more targets? \r\nSD: So I think what's going on in Iran now in terms of the social unrest, the civil demonstrations, all of those\r\nthings will not necessarily impact changes into the operations. But the previously obtained access that this threat\r\nactor has could easily be leveraged in service of the state's agenda today because of those things.\r\nIf these attacks have worked in the past, they already have access into, say, someone's email inbox that might be\r\ncovering this. [Someone] that might have sources on the ground that are part of the demonstrations. 
The Iranian\r\ngovernment, if they've been successful with these attacks against others in the past, they're able to see all that. And\r\nof course they will leverage that for their own agenda. \r\nCH: How has the government used this cyber surveillance to push back against the demonstrations that are\r\nhappening now?\r\nSD: Iran has put a lot of work into making sure that their telecom systems are controlled by the state. They have\r\nreportedly turned on and off 5G cell service, so you’re only able to make phone calls, only able to call for\r\nemergency services. So we've seen reports of that.\r\nSomething that’s interesting to remember is Iran has one of the most well-developed and visible citizen hacker\r\ncapabilities that we've seen. We're hearing a lot of talk about it with the Ukraine IT Army. Iran is the OG when it\r\ncomes to citizens doing hacking on behalf of the government, both outwardly and inwardly.\r\nCH: The IT army in Ukraine is focused specifically on Russia in response to the war, but you're saying that\r\nthere are Iranian hackers who are ordinary people who are dispatched by the Iranian government to do\r\ntheir bidding?\r\nSD: I would clarify that they're not necessarily dispatched by the Iranian government. They feel an alignment and\r\nan allegiance to the Iranian government, and they're a bit rogue, but they say, I'm Iranian. I have allegiance to my\r\ncountry, and I know that my country hates Israel, Saudi Arabia, the United States, and I'm gonna go after them as\r\nmy own choice. And Iran’s government isn’t going to prosecute them.\r\nCH: So it is just like Russia, where there’s been very little punishment for its homegrown ransomware\r\nactors, as long as they were outward facing…\r\nSD: I would completely agree with that, and I would even take it a little further and say, not only is there no\r\npunishment, there might be some aspect of reward. 
Iran takes those citizen activists and recruits them as a pipeline\r\ninto official IRGC roles or other Iranian cyber espionage group roles. It's almost like a feeder path: Do it for fun,\r\ndo it for yourself, do it for belief in your country and patriotism. And, hey, in the future, we may have a job for\r\nyou.\n\nDina Temple-Raston\r\nis the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future\r\nNews. She previously served on NPR’s Investigations team focusing on breaking news stories and national\r\nsecurity, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were\r\nYou Thinking.”\r\nSource: https://therecord.media/the-not-so-charming-kitten-working-for-iran/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/the-not-so-charming-kitten-working-for-iran/"
	],
	"report_names": [
		"the-not-so-charming-kitten-working-for-iran"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434485,
	"ts_updated_at": 1775792128,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7aad1109e5c75958ae260a43cf59b44fd864d650.pdf",
		"text": "https://archive.orkl.eu/7aad1109e5c75958ae260a43cf59b44fd864d650.txt",
		"img": "https://archive.orkl.eu/7aad1109e5c75958ae260a43cf59b44fd864d650.jpg"
	}
}