Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-06 01:07:33 UTC
 APT group: GreenCharlie
Names GreenCharlie (Recorded Future)
Country Iran
Sponsor State-sponsored, Islamic Revolutionary Guard Corps (IRGC)
Motivation Information theft and espionage
First seen 2020
Description
(Recorded Future) In August 2024, open sources revealed that US political campaign officials
and affiliates were targeted as part of Mint Sandstorm and APT 42 operations. In this report,
we discuss threat activity associated with the Iran-nexus group we track as GreenCharlie,
which overlaps with Magic Hound, APT 35, Cobalt Illusion, Charming Kitten. Recorded
Future has tracked Iran-linked GreenCharlie activity and malicious infrastructure since 2020.
Our global Network Intelligence capability has allowed us to identify and track a large and
rapidly evolving cluster of infrastructure used to support GreenCharlie cyber-espionage
campaigns. Now, we have been able to link this network to the recent targeting of US political
campaigns.
Observed Countries: USA.
Tools used GORBLE, NOKNOK, POWERSTAR, TAMECAT.
Information <https://go.recordedfuture.com/hubfs/reports/cta-ir-2024-0820.pdf>
Last change to this card: 23 October 2024
Download this actor card in PDF or JSON format
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2af4b14c-a108-4e9c-a87a-11c6b77de3df
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2af4b14c-a108-4e9c-a87a-11c6b77de3df
Page 1 of 1