{
	"id": "4a916eed-1190-47c0-8ba2-d74ac729eee1",
	"created_at": "2026-04-06T00:22:19.933286Z",
	"updated_at": "2026-04-10T13:12:52.317147Z",
	"deleted_at": null,
	"sha1_hash": "b6d66ce9bff6a1d554ffdee5832c5948cf3f3663",
	"title": "Newscaster Threat Uses Social Media for Intelligence Gathering",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43592,
	"plain_text": "Newscaster Threat Uses Social Media for Intelligence Gathering\r\nBy Sean Michael Kerner\r\nPublished: 2014-05-29 · Archived: 2026-04-05 16:57:23 UTC\r\neWeek content and product recommendations are editorially independent. We may make money when you click\r\non links to our partners. Learn More\r\nA report published on May 28 by iSight Partners alleges that a widespread social media attack campaign has been\r\nundertaken by Iran against organizations in the United States, the United Kingdom and Israel.\r\nDubbed “Newscaster” by iSight Partners, a global provider of cyber-threat intelligence, the social media campaign\r\ninvolves multiple layers of deception, as attackers are creating fake identities with careers in the defense industry,\r\njournalism and government.\r\n“These accounts are elaborate and have created credibility using, among other tactics, a fictitious journalism\r\nwebsite, newsonair.org, that plagiarizes news content from other legitimate media outlets,” iSight states. “These\r\ncredible personas then connected, linked, followed, and ‘friended’ target victims, giving them access to\r\ninformation on location, activities, and relationships from updates and other common content.”\r\nThe Newscaster campaign also involves the use of targeted messages to victims in a bid to steal log-in credential\r\ninformation. According to iSight Partners, the impact of Newscaster extends to at least 2,000 people who are\r\nconnected to the fake online identities. Going a step further, the report points the finger at Iran for being the source\r\nof Newscaster.\r\nThe purpose of Newscaster is likely for intelligence gathering.\r\n“We infer, from our limited knowledge of Newscaster targeting, that such intelligence could ultimately support the\r\ndevelopment of weapon systems, provide insight into the disposition of the U.S. military or the U.S. 
alliance with\r\nIsrael, or impart an advantage in negotiations between Iran and the U.S., especially with regards to sanctions and\r\nproliferation issues,” iSight stated.\r\nWhile iSight Partners is officially ringing the warning bell on the Newscaster threat now, it is not an unknown\r\nthreat to others in the information security industry.\r\n“We have been tracking this activity for some time,” Adam Meyers, vice president of intelligence at CrowdStrike,\r\ntold eWEEK. “We designate it using the cryptonym Charming Kitten.”\r\nEric Cowperthwaite, vice president of advanced security and strategy at Core Security, told eWEEK that anyone\r\ninvolved in media reporting, foreign affairs and defense should consider themselves to always be a target for\r\ncyber-attack.\r\nFrom a protection standpoint, there are a number of things that individuals and organizations can do to limit the\r\nrisk of being a victim of Newscaster. Especially when it comes to social media, all individuals need a much higher\r\ndegree of awareness and they need to be much more paranoid and less trusting, Cowperthwaite said.\r\nMeyers noted that the Newscaster/Charming Kitten attackers are using social engineering both through direct\r\ncontact and social networks. He suggests that users be wary of social media requests from unknown individuals.\r\n“It’s safer to not accept a request than to be compromised,” Meyers said. “If unknown people, no matter how\r\ninteresting or attractive they may seem, send a request or a link, say no—this is a targeted attacker’s honey trap.”\r\nSean Michael Kerner is a senior editor at eWEEK and InternetNews.com. 
Follow him on Twitter\r\n@TechJournalist.\r\nSource: https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering"
	],
	"report_names": [
		"newscaster-threat-uses-social-media-for-intelligence-gathering"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6d66ce9bff6a1d554ffdee5832c5948cf3f3663.pdf",
		"text": "https://archive.orkl.eu/b6d66ce9bff6a1d554ffdee5832c5948cf3f3663.txt",
		"img": "https://archive.orkl.eu/b6d66ce9bff6a1d554ffdee5832c5948cf3f3663.jpg"
	}
}