Dashboard / Threat Actors / TA453

🇮🇷

TA453

APT Group ETDA ✓

Also Known As

No alias recorded

Target Countries 1

Countries highlighted in red

United States

Sectors Targeted

Religious Organizations 8131 Data Processing, Hosting, and Related Services 51821 Computer Systems Design and Related Services 54151

Details

Origin 🇮🇷 IR

Last Updated 21 Apr 2026

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 20 entries

Magic Hound Palo Alto

APT 35 Mandiant

Cobalt Illusion SecureWorks

Cobalt Mirage SecureWorks

Charming Kitten CrowdStrike

TEMP.Beanie FireEye

Timberworm Symantec

Tarh Andishan Cylance

TA453 Proofpoint

Phosphorus Microsoft

TunnelVision SentinelOne

UNC788 FireEye

Yellow Garuda PWC

Educated Manticore Check Point

Mint Sandstorm Microsoft

Ballistic Bobcat ESET

CharmingCypress Volexity

Agent Serpens Palo Alto

G0058 MITRE

G0059 MITRE

Observed Target Countries 23

Based on ETDA data — countries highlighted in red

Afghanistan Belgium Brazil Canada Egypt France Iran Iraq Israel Jordan Kuwait Morocco Pakistan Saudi Arabia Spain Syria Turkey UAE UK USA Venezuela Yemen Gaza

Description

Magic Hound is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia. Magic Hound has 2 subgroups: 1. {{Subgroup: DEV-0270, Nemesis Kitten}} 2. {{Subgroup: TA455, Smoke Sandstorm}} This group appears to be the evolvement of {{Cutting Kitten, TG-2889}}. There is some infrastructure overlap with {{Rocket Kitten, Newscaster, NewsBeef}}, {{ITG18}} and {{APT 42}}.

Tools Used 33

7-Zip AnvilEcho BASICSTAR BlackSmith ChromeHistoryView CommandCam CWoolger DistTrack DownPaper FireMalv FRP Ghambar GoProxy Havij HYPERSCRAPE Leash Matryoshka RAT MediaPl Mimikatz MischiefTut MPKBot NETWoolger NOKNOK PINEFLOWER PowerLess Backdoor POWERSTAR RATHOLE PsList PupyRAT Sponsor sqlmap TDTESS WinRAR

Operations 40

2014 Mid Operation “Thamar Reservoir” This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate it may date as far back as 2011. We call this campaign Thamar Reservoir, named after one of the targets, Thamar E. Gindin, who exposed new information about the attack and is currently assisting with the investigation. https://www.clearskysec.com/thamar-reservoir/

2016 Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which we have named Magic Hound. This appears to be an attack campaign focused on espionage. Based upon our visibility it has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia. The adversaries appear to have evolved their tactics and techniques throughout the tracked time-period, iterating through a diverse toolset across different waves of attacks. https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/

2017-01 PupyRAT campaign SecureWorks Counter Threat Unit (CTU) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017. Some of messages were sent from legitimate email addresses belonging to several Middle Eastern organizations. https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations

2017 In early 2017, SecureWorks Counter Threat Unit (CTU) researchers observed phishing campaigns targeting several entities in the Middle East and North Africa (MENA), with a focus on Saudi Arabian organizations. The campaigns delivered PupyRAT, an open-source cross-platform remote access Trojan. https://www.secureworks.com/research/the-curious-case-of-mia-ash

2018-06 Impersonating ClearSky, the security firm that uncovered its campaigns Iranian cyberespionage group Charming Kitten, which has been operating since 2014, has impersonated the cybersecurity firm that exposed its operations and campaigns. Israeli firm ClearSky Security said the group managed to copy its official website hosted on a similar-looking domain – clearskysecurity[.]net. ClearSky’s actual website is Clearskysec.com. https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f

2017-08 Breach of HBO On August 7 a small treasure trove of HBO content was posted publicly to the web by a hacker who is now demanding a $6 million payment to stop any further release of data. The hacker who goes by Mr. Smith posted five scripts for Game of Thrones and a month’s worth of email from HBO Vice President for Film Programming Leslie Cohen along with some other corporate information, according to the Associated Press. https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/

2018-10 The Return of The Charming Kitten In this campaign, hackers have targeted individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world. Our review in Certfa demonstrates that the hackers – knowing that their victims use two-step verification – target verification codes and also their email accounts such as Yahoo! And Gmail. https://blog.certfa.com/posts/the-return-of-the-charming-kitten/

2019-07 In August, the campaign has progressed, and unlike July, it seems like the APT group is now expanding its activities toward influential public figures around the world, rather than academic researchers state organizations. https://www.clearskysec.com/the-kittens-are-back-in-town/

2019-08 In a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed Phosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts. https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/ https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2.pdf

2020-01 Fake Interview: The New Activity of Charming Kitten https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/

2020-06 APT35 ‘Charming Kitten' discovered in a pre-infected environment https://www.darktrace.com/en/blog/apt-35-charming-kitten-discovered-in-a-pre-infected-environment/

2020-07 Starting July 2020, we have identified a new TTP of the group, impersonating “DeutscheWelle” and the “Jewish Journal” using emails alongside WhatsApp messages as their main platform to approach the target and convince them to open a malicious link. https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf

2020-08 New cyberattacks targeting U.S. elections https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/

2020 Late Operation “BadBlood” BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential

2020 Late Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations

2020-12 During the Christmas holidays and the beginning of the new year, the Charming Kitten group, the Iranian state-backed hackers, have begun a targeted phishing campaign of espionage against different individuals to collect information. https://blog.certfa.com/posts/charming-kitten-christmas-gift/

2021-01 Operation “SpoofedScholars” TA453, an Iranian-state aligned actor, masqueraded as British scholars to covertly target individuals of intelligence interest to the Iranian government in what Proofpoint has dubbed Operation SpoofedScholars. https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453

2021 Late PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage

2021-12 Iranian Spear Phishing Operation Targets Former Israeli Foreign Minister, Former US Ambassador to Israel, Former Israeli Army General and Three other High-Profile Executives https://blog.checkpoint.com/2022/06/14/iranian-spear-phishing-operation-targets-former-israeli-foreign-minister-former-us-ambassador-to-israel-former-israeli-army-general-and-three-other-high-profile-executives/

2021-12 Log4Shell attacks expand to nation-state groups from China, Iran, North Korea, and Turkey https://therecord.media/log4shell-attacks-expand-to-nation-state-groups-from-china-iran-north-korea-and-turkey/

2021-12 New Iranian APT data extraction tool https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/

2022-01 APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/

2022-01 COBALT MIRAGE Conducts Ransomware Operations in U.S. https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us

2022-02 Iranian-Aligned Threat Actor “TunnelVision” Actively Exploiting VMware Horizon https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/

2022 Early Tracing State-Aligned Activity Targeting Journalists, Media https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists

2022-05 Iranian Threat Actor Continues to Develop Mass Exploitation Tools https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools

2022-05 Operation “Sponsoring Access” Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/

2022-06 Opsec Mistakes Reveal COBALT MIRAGE Threat Actors https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors

2022 Mid TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo

2023 Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/

2023 CharmingCypress: Innovating Persistence https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/

2023-03 Iranian Hackers Target Women Involved in Human Rights and Middle East Politics https://thehackernews.com/2023/03/iranian-hackers-target-women-involved.html

2023-03 Educated Manticore – Iran Aligned Threat Actor Targeting Israel via Improved Arsenal of Tools https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/

2023-05 Microsoft: Iranian hacking groups join Papercut attack spree https://www.bleepingcomputer.com/news/security/microsoft-iranian-hacking-groups-join-papercut-attack-spree/

2023-05 Charming Kitten Updates POWERSTAR with an InterPlanetary Twist https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/

2023-08 Iranian cyber spies are targeting dissidents in Germany, warns intelligence service https://therecord.media/charming-kitten-iran-targets-dissidents-in-germany

2023-11 New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/

2024-07 Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering

2025-02 Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/

2025-06 Educated Manticore Reemerges: Iranian Spear-Phishing Campaign Targeting High-Profile Figures https://blog.checkpoint.com/security/educated-manticore-reemerges-iranian-spear-phishing-campaign-targeting-high-profile-figures/

Reports & References 4

https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf https://en.wikipedia.org/wiki/Charming_Kitten https://vblocalhost.com/uploads/VB2021-Haeghebaert.pdf https://therecord.media/the-not-so-charming-kitten-working-for-iran/

ETDA Profile

Magic Hound, APT 35, Cobalt Illusion, Charming Kitten

Origin

Iran

First Seen 2012

Sponsor State-sponsored, Islamic Revolutionary Guard Corps (IRGC)

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0058/ https://attack.mitre.org/groups/G0059/

View on ETDA APT Groups ↗