Charming Kitten is one of several aliases used by cybersecurity researchers to track an Iranian state-aligned threat group widely assessed to operate on behalf of, or in coordination with, the Islamic Revolutionary Guard Corps (IRGC). The group is also known in industry reporting as APT35, Phosphorus (Microsoft's former naming convention), Mint Sandstorm (Microsoft's current taxonomy), TA453 (Proofpoint), and Newscaster.
The group is primarily known for cyber-espionage and credential-harvesting operations rather than destructive attacks. Its typical targets include journalists, academics, human rights defenders, dissidents in the Iranian diaspora, current and former government officials, nuclear policy researchers, and staff of think tanks working on Middle East issues. Campaigns have also targeted political campaigns and election-related figures.
Characteristic tradecraft includes:
- Social-engineering lures in which operators impersonate journalists, conference organizers, or academic researchers and build rapport over email before delivering a malicious link or document.
- Spoofed login pages mimicking Gmail, Outlook, Yahoo, and institutional SSO portals to harvest credentials and bypass two-factor authentication, including session-cookie theft.
- Use of custom malware families documented by researchers, including POWERSTAR (also called CharmPower) and HYPERSCRAPE, the latter a tool disclosed by Google's Threat Analysis Group in 2022 for extracting data from already-compromised mailboxes.
Notable public disclosures include Microsoft's 2019 announcement that Phosphorus had targeted a U.S. presidential campaign, journalists, and Iranian expatriates, and the U.S. Department of Justice's 2018 and later indictments of Iranian nationals for related intrusion activity. In 2019 Microsoft also obtained a court order to seize 99 domains used by the group.
For political researchers, Charming Kitten matters because its targeting set overlaps directly with the MUN, IR, and think-tank community — making basic operational security (hardware security keys, scrutiny of unsolicited interview requests, and verification of conference invitations) a practical concern rather than an abstract one.
Example
In 2022, Google's Threat Analysis Group disclosed Charming Kitten's use of a data-extraction tool called HYPERSCRAPE to siphon emails from compromised Gmail, Yahoo, and Outlook accounts belonging to individuals in the Middle East.
Frequently asked questions
Most major vendors treat them as the same or heavily overlapping cluster. Mandiant uses APT35, Microsoft uses Mint Sandstorm (formerly Phosphorus), Proofpoint uses TA453, and CrowdStrike has used Charming Kitten. Naming conventions differ because each vendor clusters intrusions independently.
Keep learning