{
	"id": "21ef01a5-f6cf-4dab-a694-556f79224d7b",
	"created_at": "2026-04-06T00:17:06.795759Z",
	"updated_at": "2026-04-10T03:34:00.723695Z",
	"deleted_at": null,
	"sha1_hash": "a9908b3aa9616bc3d4d69a0d0644262ef5bf63de",
	"title": "New research exposes Iranian threat group operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1963577,
	"plain_text": "New research exposes Iranian threat group operations\r\nBy Allison Wikoff, Richard Emerson\r\nPublished: 2020-07-16 · Archived: 2026-04-05 21:55:40 UTC\r\nAuthor\r\nAllison Wikoff\r\nStrategic Cyber Threat Analyst\r\nIBM Security\r\nRichard Emerson\r\nCyber Threat Intelligence Analyst\r\nIBM X-Force Incident Response Intelligence Services (IRIS) has uncovered rare details on the operations of the suspected Iranian threat group ITG18, which overlaps with Charming Kitten and Phosphorus. In the past few weeks, ITG18 has been associated with targeting of pharmaceutical companies and the U.S. presidential campaigns. Now, due to operational errors—a basic misconfiguration—by suspected ITG18 associates, a server with more than 40 gigabytes of data on their operations has been analyzed by X-Force IRIS analysts.\r\nRarely are there opportunities to understand how the operator behaves behind the keyboard, and even rarer still are there recordings the operator self-produced showing their operations. But that is exactly what X-Force IRIS uncovered on an ITG18 operator whose OPSEC failures provide a unique behind-the-scenes look into their methods, and potentially, their legwork for a broader operation that is likely underway.\r\nDuring a three-day period in May 2020, IBM X-Force IRIS discovered the 40 GBs of video and data files being uploaded to a server that hosted numerous ITG18 domains used in earlier 2020 activity. Some of the videos showed the operator managing adversary-created accounts while others showed the operator testing access and exfiltrating data from previously compromised accounts.\r\nAmong the information IBM X-Force IRIS uncovered were:\r\nIn nearly five hours of videos, an ITG18 operator searching through and exfiltrating data from various compromised accounts of a member of the U.S. Navy and a personnel officer with nearly two decades of service in the Hellenic Navy. 
Using these accounts could allow the operator to obtain other data on military operations of potential interest to Iran.\r\nFailed phishing attempts targeting the personal accounts of an Iranian-American philanthropist and officials of the U.S. State Department.\r\nPersonas and Iranian phone numbers associated with ITG18 operators.\r\nhttps://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/\r\nPage 1 of 10\r\nIBM X-Force IRIS’s longitudinal examination of this threat group’s targeting indicates ITG18 has used its infrastructure for multiple, diverse strategic objectives that serve both short and long-term interests. ITG18 has been active since at least 2013. Hallmarks of this group’s activity include credential harvesting and email compromise operations through phishing attacks against numerous targets of strategic interest to the Iranian government.\r\nThe video files uncovered by IBM X-Force IRIS were desktop recordings using a tool called Bandicam, ranging from 2 minutes to 2 hours. The timestamps of the files indicated the videos were recorded approximately one day prior to being uploaded to the ITG18-operated server.\r\nFigure 1: Image capture of ITG18 operator desktop from Bandicam recording (Source: IBM X-Force IRIS)\r\nIn five of the video files, named “AOL.avi”, “Aol Contact.avi”, “Gmail.avi”, “Yahoo.avi”, “Hotmail.avi”, the operator used a Notepad file containing one credential for each platform, and video-by-video copied and pasted them into the associated website. 
The operator moved on to demonstrate how to exfiltrate various datasets associated with these platforms including contacts, photos, and associated cloud storage.\r\nAn additional action the operator took was to modify settings within the account security section of each account in order to add the account to Zimbra, a legitimate email collaboration platform that can aggregate numerous email accounts into one interface. Through the use of this platform, the operator was able to monitor and manage various compromised email accounts simultaneously.\r\nFigure 2: Image capture of ITG18 operator syncing their persona account to Zimbra (Source: IBM X-Force IRIS)\r\nSome of the accounts were likely threat actor personas—designed to appear as real people to victims.\r\nSome of the operator-owned accounts observed in the training videos provided additional insight into personas associated with ITG18, such as phone numbers with Iranian country codes. IBM X-Force IRIS observed the “Yahoo.avi” video displayed profile details for a fake persona, which we will reference as “Persona A”, including a phone number with a +98 country code, the international country code for Iran. (See Figure 3)\r\nFigure 3: Persona A has an Iranian phone number (+98) associated with the account (Source: IBM X-Force IRIS)\r\nOther suggestions of an Iranian operator behind Persona A included unsuccessful attempts to send emails to an Iranian American philanthropist, and potentially two personal email accounts for U.S. State Department officials in April 2020, including one account that was associated with the U.S. Virtual Embassy to Iran. 
The recording appeared to show bounce-back emails in the operator’s inbox, notifying them that these possible spear phishing emails did not go through, though we do not know the theme. The targeting of these individuals is in line with prior ITG18 operations.\r\nThree of the video files discovered reveal that ITG18 had successfully compromised several accounts associated with an enlisted member of the United States Navy as well as an officer in the Hellenic Navy. Specifically, ITG18 had credentials for a number of what appear to be their personal email and social media accounts – a common characteristic of ITG18, as observed in previous operations.\r\nThe videos show the operator following a similar playbook to the training videos involving the persona accounts. Once successful access to victims’ accounts was gained, the ITG18 operator actively deleted notifications sent to the compromised accounts suggesting suspicious logins, presumably so as not to alert the victims.\r\nThe operator exported all account contacts, photos, documents from associated cloud storage sites, such as Google Drive, before adding the webmail account credentials to Zimbra, presumably for monitoring. The operator was also able to sign into victims’ Google Takeout (takeout.google.com), which allows a user to export content from their Google Account, to include location history, information from Chrome, and associated Android devices. This included gaining access to other associated accounts owned by the victims, illustrating the breadth of information that ITG18 was able to collect on the two military members. Amongst the personal files exfiltrated on the U.S. Navy enlisted member were details on the military unit they were associated with including the Naval base they were affiliated with. 
The operator collected a significant amount of personal information about this victim including presumed residence, personal photos including numerous selfies and a video of a home being staged, tax records and the contents of a personal cloud storage site (See Figure 4). Similar information was exfiltrated for the Hellenic Navy officer, including information from a Gmail account, an account associated with a Greek university and a Hellenic Navy payroll site.\r\nFigure 4: Screenshot of some of the folders on the ITG18 server. These folders contained exfiltrated data from the accounts of a victim (Source: IBM X-Force IRIS)\r\nFor non-email accounts, the operator validated credentials no matter how trivial-seeming the website may have been. Some of the categories of the websites the operator validated credentials for included video and music streaming, pizza delivery, credit reporting, student financial aid, municipal utility, banks, baby products, video games, and mobile carriers, to name a few. The operators appear to have been meticulously gathering trivial social information about the individuals. In total, the operator attempted to validate credentials for at least 75 different websites across the two individuals.\r\nIf the credentials were successful, the operator frequently visited the account details page first, presumably to review sensitive information available there. 
Also of note, the operator, who only used the Chrome browser to validate credentials, frequently used the built-in translation feature to translate websites in the Greek language to English when checking the credentials associated with the Hellenic Navy member.\r\nIBM X-Force IRIS did not find evidence of the two military members’ professional network credentials being compromised, and no professional information appears to have been included. However, it’s possible that the threat actor was searching for specific information within the military members’ personal files that would allow ITG18 to extend their cyber espionage operation further into the U.S. and Greek Navy.\r\nDuring the videos where the operator was validating victim credentials, if the operator successfully authenticated against a site that was set up with multifactor authentication (MFA) they paused and moved on to another set of credentials without gaining access.\r\nThe compromise of personal files of members of the Greek and U.S. Navy could be in support of espionage operations related to numerous proceedings occurring in the Gulf of Oman and Arabian Gulf. It is also worth noting that the U.S. and Greece are strategic allies, with a nearly eight-decade mutual defense cooperation agreement. Greece hosts a U.S. naval base in Crete in the Eastern Mediterranean.\r\nSome target types of ITG18 have remained consistent over the past three years while others appear associated with specific geopolitical events. For instance, while ITG18 has consistently targeted individuals with an Iranian connection over the past three years, in 2018 the group targeted individuals associated with the U.S. Office of Foreign Assets Control, a group that implements economic sanctions. This timing aligned with new sanctions the U.S. 
was developing as global concessions to extend sanctions on Iran expired. More recently, ITG18’s April 2020 targeting of a pharmaceutical executive aligns with Iran’s COVID-19 outbreak, which spiked at the end of March 2020.\r\nFigure 5: Timeline of ITG18 targeting demonstrating its blended objectives (Source: IBM X-Force IRIS)\r\nRegardless of motivation, mistakes by the ITG18 operator allowed IBM X-Force IRIS to gain valuable insights into how this group might accomplish action on its objectives and otherwise train its operators. IBM X-Force IRIS considers ITG18 a determined threat group with a significant investment in its operations. The group has shown persistence in its operations and consistent creation of new infrastructure despite multiple public disclosures and broad reporting on its activity.\r\nITG18 has demonstrated it performs operations to serve multiple, distinct long-term objectives that align with Iranian strategic interests. It is highly likely the group has been successful in these efforts as its operational cadence for harvesting credentials has not significantly changed over several years.\r\nThe discovery also emphasizes the need to follow certain important security hygiene practices, including:\r\nUse multifactor authentication (MFA) – Multifactor authentication works as a fail-safe if a malicious actor has gained access to your credentials. As a last line of defense, MFA offers a second form of verification requirement in order to access an account.\r\nReset your passwords periodically – Don’t use the same password across various accounts and regularly update passwords. 
If you use the same password for all your accounts, it can leave you open to multiple attacks if one account is compromised. Consider using unique passphrases and more than 14 characters for stronger passwords.\r\nUse a password manager – Password managers can generate stronger passwords for you, and they do not require you to memorize them.\r\nReview settings and limit access to third-party apps from your email – In a few instances, the operators had to change account preferences to permit third-party apps to connect with compromised accounts. These settings allowed the threat actor to extend the access they had to other victims.\r\nAdditional analysis of ITG18’s tactics, techniques and procedures (TTPs) is available on our Enterprise Intelligence Management platform via TruSTAR, which was originally published June 2, 2020.\r\nResponsible disclosure\r\nDuring the course of the investigation and where possible, IBM X-Force IRIS notified the appropriate parties about the activity and compromised accounts.\r\nSource: https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/"
	],
	"report_names": [
		"new-research-exposes-iranian-threat-group-operations"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "82f54603-89e0-4f5a-8df9-eae0c3a90d70",
			"created_at": "2022-10-25T16:07:23.745406Z",
			"updated_at": "2026-04-10T02:00:04.734764Z",
			"deleted_at": null,
			"main_name": "ITG18",
			"aliases": [],
			"source_name": "ETDA:ITG18",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434626,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9908b3aa9616bc3d4d69a0d0644262ef5bf63de.pdf",
		"text": "https://archive.orkl.eu/a9908b3aa9616bc3d4d69a0d0644262ef5bf63de.txt",
		"img": "https://archive.orkl.eu/a9908b3aa9616bc3d4d69a0d0644262ef5bf63de.jpg"
	}
}