APT35 is a threat-actor designation used by cybersecurity vendors and Western governments for an Iranian cyber-espionage group widely assessed to operate on behalf of, or in alignment with, the Islamic Revolutionary Guard Corps (IRGC). The group is tracked under several overlapping names, including Charming Kitten, Phosphorus (Microsoft's older taxonomy, later renamed Mint Sandstorm), TA453 (Proofpoint), Newscaster, and Ajax Security Team.
The group is best known for long-running credential-harvesting and social-engineering campaigns rather than destructive attacks. Typical tradecraft includes:
- Spear-phishing via spoofed login pages for Gmail, Outlook, Yahoo, and corporate SSO portals.
- Persona-driven engagement, in which operators impersonate journalists, think-tank researchers, or conference organizers to build rapport with targets before delivering malicious links.
- Multi-factor authentication bypass using attacker-in-the-middle phishing kits and OAuth abuse.
- Deployment of custom implants and PowerShell-based backdoors on higher-value targets.
Targeting has historically focused on Iranian dissidents and diaspora, Israeli officials, US and UK government personnel, nuclear and Middle East policy researchers, journalists covering Iran, and staff associated with political campaigns. In October 2019, Microsoft publicly disclosed Phosphorus attempts against a US presidential campaign, journalists, and current and former US officials. In March 2019, Microsoft obtained a US court order to seize 99 domains used by the group. The US Department of Justice has indicted multiple Iranian nationals for related intrusion activity, and CISA has issued joint advisories warning of IRGC-affiliated cyber operations.
For policy analysts and MUN delegates, APT35 is a useful case study in state-sponsored influence and intelligence collection that sits below the threshold of armed attack, complicating responses under international law and norms such as the UN GGE and OEWG frameworks on responsible state behavior in cyberspace.
Example
In October 2019, Microsoft disclosed that APT35 (Phosphorus) had attempted to compromise email accounts linked to a US presidential campaign, government officials, and journalists covering Iran.
Frequently asked questions
Public reporting from Microsoft, Mandiant, and US government advisories assesses APT35 as aligned with Iranian state interests, with links commonly drawn to the Islamic Revolutionary Guard Corps (IRGC).
Keep learning