{
	"id": "e8ad37e9-3da9-49c1-b621-4cd28539d2e1",
	"created_at": "2026-04-06T00:13:34.265847Z",
	"updated_at": "2026-04-10T03:34:00.243718Z",
	"deleted_at": null,
	"sha1_hash": "f4db1ab0c2319e94527d7e28892db26858bea3c6",
	"title": "APT42: Crooked Charms, Cons, and Compromises",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 362041,
	"plain_text": "APT42: Crooked Charms, Cons, and Compromises\r\nBy Mandiant\r\nPublished: 2022-09-07 · Archived: 2026-04-05 18:52:43 UTC\r\nWritten by: Mandiant Intelligence\r\nToday, Mandiant is releasing a comprehensive report detailing APT42, an Iranian state-sponsored cyber espionage\r\ngroup tasked with conducting information collection and surveillance operations against individuals and\r\norganizations of strategic interest to the Iranian government. We estimate with moderate confidence that APT42\r\noperates on behalf of the Islamic Revolutionary Guard Corps (IRGC)’s Intelligence Organization (IRGC-IO)\r\nbased on targeting patterns that align with the organization’s operational mandates and priorities.\r\nThe full published report covers APT42’s recent and historical activity dating back to at least 2015, the group’s\r\ntactics, techniques, and procedures, targeting patterns, and elucidates historical connections to APT35. APT42\r\npartially coincides with public reporting on TA453 (Proofpoint), Yellow Garuda (PwC), ITG18 (IBM X-Force),\r\nPhosphorus (Microsoft), and Charming Kitten (ClearSky and CERTFA).\r\nRead the APT42 report now, and check out our podcast for even more information on APT42.\r\nAPT42 Operations\r\nAPT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport\r\nwith their victims in order to access their personal or corporate email accounts or to install Android malware on\r\ntheir mobile devices. In addition, APT42 infrequently uses Windows malware to complement their credential\r\nharvesting and surveillance efforts.\r\nAPT42 operations broadly fall into three categories:\r\nCredential harvesting: APT42 frequently targets corporate and personal email accounts through highly\r\ntargeted spear-phishing campaigns with enhanced emphasis on building trust and rapport with the target\r\nbefore attempting to steal their credentials. 
Mandiant also has indications that the group leverages\r\ncredential harvesting to collect Multi-Factor Authentication (MFA) codes to bypass authentication methods\r\nand has used compromised credentials to pursue access to the networks, devices, and accounts of\r\nemployers, colleagues, and relatives of the initial victim.\r\nSurveillance operations: As of at least late 2015, a subset of APT42’s infrastructure served as command-and-control (C2) servers for Android mobile malware designed to track locations, monitor\r\ncommunications, and generally surveil the activities of individuals of interest to the Iranian government,\r\nincluding activists and dissidents inside Iran.\r\nMalware deployment: While APT42 primarily prefers credential harvesting over activity on disk, several\r\ncustom backdoors and lightweight tools complement its arsenal. The group likely incorporates these tools\r\ninto their operations when the objectives extend beyond credential harvesting.\r\nhttps://www.mandiant.com/resources/blog/apt42-charms-cons-compromises\r\nPage 1 of 4\n\nMandiant has observed over 30 confirmed targeted APT42 operations spanning these categories since early 2015.\r\nThe total number of APT42 intrusion operations is almost certainly much higher based on the group’s high\r\noperational tempo, visibility gaps caused in part by the group’s targeting of personal email accounts and\r\ndomestically focused efforts, and extensive open-source industry reporting on threat clusters likely associated with\r\nAPT42.\r\nFigure 1: APT42 operations by category\r\nAPT42 Targeting Patterns\r\nThe targeting patterns for APT42 operations are similar to other Iranian cyber espionage actors, with a large\r\nsegment of its activity focused on the Middle East region. 
However, unlike other suspected IRGC-affiliated cyber\r\nespionage groups that have focused on targeting the defense industrial base or conducting large-scale collection of\r\npersonally identifiable information (PII), APT42 primarily targets organizations and individuals deemed\r\nopponents or enemies of the regime, specifically gaining access to their personal accounts and mobile devices.\r\nThe group has consistently targeted Western think tanks, researchers, journalists, current Western government\r\nofficials, former Iranian government officials, and the Iranian diaspora abroad.\r\nSome APT42 activity indicates the group alters its operational focus as Iran’s priorities evolve, to include targeted\r\noperations against the pharmaceutical sector at the onset of the COVID-19 pandemic in March 2020 and pursuing\r\ndomestic and foreign-based opposition groups prior to an Iranian presidential election. This indicates that APT42\r\nis trusted by the Iranian government to quickly react to geopolitical changes by adjusting their flexible operations\r\nto targets of operational interest to Tehran.\r\nFigure 2: Countries and industries targeted directly by APT42\r\nPotential Ties Between APT42 and Ransomware Activity\r\nMandiant further highlights open-source reporting from Microsoft claiming a connection between intrusion\r\nactivity clusters that generally align with APT42 and UNC2448, an Iran-nexus threat actor known for widespread\r\nscanning for various vulnerabilities, the use of the Fast Reverse Proxy tool, and reported ransomware activity\r\nusing BitLocker. 
Notably, Mandiant has not observed technical overlaps between APT42 and UNC2448.\r\nIn November 2021, Microsoft reported that “Phosphorus” had targeted Fortinet FortiOS SSL VPN and\r\nunpatched on-premises Exchange servers globally with the intent of deploying ransomware such as\r\nBitLocker on vulnerable networks, aligning with activity we track as UNC2448. Previous reporting on\r\nPhosphorus generally aligned with APT42’s credential harvesting and spear-phishing operations.\r\nWhile Mandiant has not observed technical overlaps between APT42 and UNC2448, the latter may also have ties\r\nto the IRGC-IO. We assess with moderate confidence that UNC2448 and the Revengers Telegram persona are\r\noperated by at least two Iranian front companies, Najee Technology and Afkar System, based on open-source\r\ninformation and operational security lapses by the threat actors. Public leaking campaigns from the Lab\r\nDookhtegan Telegram account further allege these companies are responsible for threat activity aligned with\r\nUNC2448 and operate on behalf of the IRGC-IO.\r\nMandiant identified links between UNC2448, the Revengers persona, an individual named Ahmad Khatibi,\r\nand a likely Iranian front company named Afkar System.\r\nThe Revengers persona had offered data and access to primarily Israeli companies for sale on its Telegram\r\nchannel between February and September 2021.\r\nAdditionally, infrastructure overlaps likely caused by human error indicate that UNC2448 has connections\r\nto a second front company, Najee Technology.\r\nPublic posts by the Lab Dookhtegan Telegram channel in July 2022 claim Afkar System and Najee\r\nTechnology are front companies conducting cyber operations on behalf of the IRGC’s Intelligence\r\nOrganization.\r\nLooking Ahead\r\nAPT42 activity poses a threat to foreign policy officials, commentators, and journalists, particularly those in the\r\nUnited 
States, the United Kingdom, and Israel, working on Iran-related projects. Additionally, the group’s\r\nsurveillance activity highlights the real-world risk to individual targets of APT42 operations, which include\r\nIranian dual-nationals, former government officials, and dissidents both inside Iran and those who previously left\r\nthe country, often out of fear for their personal safety.\r\nWe do not anticipate significant changes to APT42’s operational tactics and mandate given the long history of\r\nactivity and imperviousness to infrastructure takedowns and a media spotlight on operational security failures.\r\nNevertheless, the group has displayed its ability to rapidly alter its operational focus as Iran’s priorities change\r\nover time with evolving domestic and geopolitical conditions. We assess with high confidence that APT42 will\r\ncontinue to perform cyber espionage and surveillance operations aligned with evolving Iranian operational\r\nintelligence collection requirements.\r\nRead the full APT42 report today and listen to The Defender's Advantage Podcast to learn more.\r\nSource: https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises"
	],
	"report_names": [
		"apt42-charms-cons-compromises"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "82f54603-89e0-4f5a-8df9-eae0c3a90d70",
			"created_at": "2022-10-25T16:07:23.745406Z",
			"updated_at": "2026-04-10T02:00:04.734764Z",
			"deleted_at": null,
			"main_name": "ITG18",
			"aliases": [],
			"source_name": "ETDA:ITG18",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434414,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4db1ab0c2319e94527d7e28892db26858bea3c6.pdf",
		"text": "https://archive.orkl.eu/f4db1ab0c2319e94527d7e28892db26858bea3c6.txt",
		"img": "https://archive.orkl.eu/f4db1ab0c2319e94527d7e28892db26858bea3c6.jpg"
	}
}