
Government & Military Systems Under Attack by APT35 Hackers

Illustration: APT35 hackers conducting cyber operations against government and military networks.

Who Is APT35?

APT35, also known as Charming Kitten, is an Iranian-linked advanced persistent threat (APT) group notorious for cyber espionage campaigns targeting governments, defense contractors, journalists, and human rights activists.

Their campaigns often pair spear-phishing with custom malware, giving them a reliable method for infiltrating high-value targets.

New Campaign Against Government & Military Systems

Security researchers have confirmed that APT35 is actively attacking global government and military organizations.

The attackers send crafted phishing emails disguised as communications from trusted agencies. These emails carry either malicious attachments or links leading to credential-harvesting websites. Once victims engage, APT35 installs malware that enables long-term surveillance and data theft.

This campaign continues a pattern of Iranian state-backed operations aiming to gather sensitive intelligence and undermine foreign institutions.

Attack Techniques Used

APT35’s toolkit in this campaign includes:

  • Spear-phishing emails with fake government or military themes

  • Credential phishing portals mimicking secure logins

  • Custom malware payloads for persistence and remote access

  • Exfiltration tools designed to steal documents and communications

Researchers warn that APT35 adapts quickly, customizing lures based on the victim’s sector and region.

Why Government & Military Targets?

Military and government systems hold highly valuable data, including:

  • Strategic plans and operations

  • Confidential communications between agencies

  • Research and defense technology details

  • Diplomatic correspondence

By breaching these systems, APT35 strengthens Iran’s geopolitical standing while weakening adversaries through intelligence theft.

Detection & Indicators of Compromise

Analysts tracking APT35 highlight the following red flags:

  • Emails requesting urgent action or carrying suspicious attachments

  • Login prompts redirecting to unfamiliar domains

  • Malware that disguises itself as productivity tools

  • Unusual outbound traffic indicating data exfiltration

Organizations should monitor for these signs and respond immediately to suspected intrusions.

How to Defend Against APT35

To reduce exposure, organizations should:

  1. Implement phishing awareness training across all staff.

  2. Enable multi-factor authentication (MFA) on sensitive accounts.

  3. Use endpoint detection and response (EDR) to flag suspicious activity.

  4. Limit administrative privileges to minimize escalation risks.

  5. Continuously monitor network traffic for anomalies linked to exfiltration.
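To make the red flags from the Detection section and step 5 above concrete, here is a small Python detector added as an example; it is not part of the original article and does not come from any APT35 analysis. It checks two of the listed indicators, login links that lead to an unfamiliar or look-alike domain, and outbound traffic volume far above a host's own baseline. The trusted sign-in host, the mail subjects and links, and the per-host byte counts are all constructed for the example.

```python
import re
from statistics import median
from urllib.parse import urlparse

# Hypothetical allow-list: the only host where staff are expected to sign in.
TRUSTED_LOGIN_HOSTS = {"sso.example-agency.gov"}

URGENCY = re.compile(r"\b(urgent|immediately|action required|verify)\b", re.I)
LOGIN_PATH = re.compile(r"(login|signin|sign-in|auth|password)", re.I)


def lure_indicators(subject: str, url: str) -> dict:
    """Return link-based and subject-based indicators that an email is a credential lure."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    link, text = [], []

    # Indicator: a sign-in page that is not on an approved host.
    if LOGIN_PATH.search(parsed.path) and host not in TRUSTED_LOGIN_HOSTS:
        link.append(f"login page on unfamiliar host {host}")

    # Indicator: the trusted name appears inside a hostname that belongs to a different domain.
    for trusted in TRUSTED_LOGIN_HOSTS:
        if "." not in trusted:
            continue
        base = trusted.split(".", 1)[1]  # e.g. "example-agency.gov"
        if base in host and host != base and not host.endswith("." + base):
            link.append(f"{host} embeds trusted name {base} under another domain")

    # Indicator: pressure wording; supporting evidence only, never sufficient alone.
    if URGENCY.search(subject):
        text.append("urgency wording in subject")

    return {"link": link, "subject": text}


def is_login_lure(subject: str, url: str) -> bool:
    """Require at least one link-based indicator; urgency by itself is too noisy."""
    return bool(lure_indicators(subject, url)["link"])


# Constructed daily outbound byte totals per workstation: a five-day baseline, then today.
BASELINE_DAYS = {
    "ws-042": [120_000, 95_000, 130_000, 110_000, 100_000],
    "ws-117": [80_000, 90_000, 85_000, 95_000, 88_000],
}
TODAY = {"ws-042": 115_000, "ws-117": 2_400_000}


def exfil_suspects(baseline: dict, today: dict, factor: float = 5.0) -> dict:
    """Return hosts whose outbound volume today is at least `factor` x their median baseline.

    The median is used so one earlier large transfer does not inflate the baseline.
    Hosts with no history are skipped; a new host needs a separate first-seen rule.
    """
    suspects = {}
    for host, total in today.items():
        history = baseline.get(host)
        if not history:
            continue
        ratio = total / median(history)
        if ratio >= factor:
            suspects[host] = round(ratio, 1)
    return suspects


if __name__ == "__main__":
    # Constructed sample messages: (subject, link in body).
    samples = [
        ("Quarterly schedule", "https://sso.example-agency.gov/login"),
        ("URGENT: verify your account",
         "https://example-agency.gov.account-verify.example/login"),
        ("Meeting notes", "https://docs.example-agency.gov/notes"),
    ]
    for subject, url in samples:
        print(f"{subject!r}: lure={is_login_lure(subject, url)} {lure_indicators(subject, url)}")
    print("exfiltration suspects:", exfil_suspects(BASELINE_DAYS, TODAY))
```

Only the second sample message is reported as a lure: its link points at a sign-in page on a host that merely embeds the agency's name, and the urgency wording is recorded as supporting context. On the traffic side, ws-117's 2.4 MB day is roughly 27 times its median, while ws-042 stays within its normal range. In practice the allow-list and the baseline window would come from the mail gateway and flow records rather than from literals.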

APT35’s renewed attacks on government and military organizations underscore that state-sponsored cyber espionage remains one of the top global security threats.

Defending against APT35 requires layered security, proactive monitoring, and resilient cyber hygiene across all levels of government and defense infrastructure.

FAQs

Q: Who is APT35?
A: APT35, or Charming Kitten, is an Iranian state-sponsored hacking group known for espionage targeting governments, militaries, and activists.

Q: How does APT35 attack government systems?
A: They use spear-phishing emails, fake login portals, and malware to steal credentials and exfiltrate sensitive data.

Q: Why are military and government agencies targeted?
A: These sectors hold strategic, diplomatic, and defense data that provide valuable intelligence to state sponsors.

Q: How can organizations defend against APT35?
A: Enforce MFA, train staff against phishing, deploy EDR tools, and monitor for abnormal data flows.
