ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Magic Hound, APT 35, Cobalt Gypsy, Charming Kitten

Names:
Magic Hound (Palo Alto)
APT 35 (Mandiant)
Cobalt Illusion (SecureWorks)
Charming Kitten (CrowdStrike)
TEMP.Beanie (FireEye)
Timberworm (Symantec)
Tarh Andishan (Cylance)
TA453 (Proofpoint)
Phosphorus (Microsoft)
Country: Iran
Motivation: Information theft and espionage
First seen: 2013
Description: Magic Hound is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia.

This group appears to have evolved from Cutting Kitten, TG-2889.

There is some infrastructure overlap with Rocket Kitten, Newscaster, NewsBeef and ITG18.
Observed:
Sectors: Defense, Energy, Financial, Government, Healthcare, IT, Oil and gas, Technology, Telecommunications, and organizations that are either based or have business interests in Saudi Arabia, as well as ClearSky, HBO, civil and human rights activists and journalists.
Countries: Afghanistan, Canada, Egypt, Iran, Iraq, Israel, Jordan, Kuwait, Morocco, Pakistan, Saudi Arabia, Spain, Syria, Turkey, UAE, UK, USA, Venezuela, Yemen.
Tools used: CWoolger, DistTrack, DownPaper, FireMalv, Ghambar, Havij, Leash, Matryoshka RAT, Mimikatz, MPKBot, NETWoolger, PsList, PupyRAT, sqlmap, TDTESS.
Operations performed:
Mid-2014: Operation “Thamar Reservoir”
This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate it may date as far back as 2011. We call this campaign Thamar Reservoir, named after one of the targets, Thamar E. Gindin, who exposed new information about the attack and is currently assisting with the investigation.
2016: Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which we have named Magic Hound. This appears to be an attack campaign focused on espionage. Based upon our visibility it has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia. The adversaries appear to have evolved their tactics and techniques throughout the tracked time-period, iterating through a diverse toolset across different waves of attacks.
Jan 2017: PupyRAT campaign
SecureWorks Counter Threat Unit (CTU) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017. Some of the messages were sent from legitimate email addresses belonging to several Middle Eastern organizations.
2017: In early 2017, SecureWorks Counter Threat Unit (CTU) researchers observed phishing campaigns targeting several entities in the Middle East and North Africa (MENA), with a focus on Saudi Arabian organizations. The campaigns delivered PupyRAT, an open-source cross-platform remote access Trojan.
Jun 2018: Impersonating ClearSky, the security firm that uncovered its campaigns
Iranian cyberespionage group Charming Kitten, which has been operating since 2014, has impersonated the cybersecurity firm that exposed its operations and campaigns. Israeli firm ClearSky Security said the group managed to copy its official website hosted on a similar-looking domain – clearskysecurity[.]net.
ClearSky’s actual website is
Aug 2017: Breach of HBO
On August 7 a small treasure trove of HBO content was posted publicly to the web by a hacker who is now demanding a $6 million payment to stop any further release of data. The hacker who goes by Mr. Smith posted five scripts for Game of Thrones and a month’s worth of email from HBO Vice President for Film Programming Leslie Cohen along with some other corporate information, according to the Associated Press.
Oct 2018: The Return of The Charming Kitten
In this campaign, hackers have targeted individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world.
Our review in Certfa demonstrates that the hackers – knowing that their victims use two-step verification – target verification codes and also their email accounts such as Yahoo! and Gmail.
Jul 2019: In August, the campaign has progressed, and unlike July, it seems like the APT group is now expanding its activities toward influential public figures around the world, rather than academic researchers and state organizations.
Aug 2019: In a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed Phosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts.
Jan 2020: Fake Interview: The New Activity of Charming Kitten
Jun 2020: APT35 ‘Charming Kitten’ discovered in a pre-infected environment
Jul 2020: Starting July 2020, we have identified a new TTP of the group, impersonating “DeutscheWelle” and the “Jewish Journal” using emails alongside WhatsApp messages as their main platform to approach the target and convince them to open a malicious link.
Aug 2020: New cyberattacks targeting U.S. elections
Late 2020: Operation “BadBlood”
BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns
Dec 2020: During the Christmas holidays and the beginning of the new year, the Charming Kitten group, the Iranian state-backed hackers, have begun a targeted phishing campaign of espionage against different individuals to collect information.
Jan 2021: Operation “SpoofedScholars”
TA453, an Iranian-state aligned actor, masqueraded as British scholars to covertly target individuals of intelligence interest to the Iranian government in what Proofpoint has dubbed Operation SpoofedScholars.
Dec 2021: Log4Shell attacks expand to nation-state groups from China, Iran, North Korea, and Turkey
Counter operations:
Feb 2019: Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues
Mar 2019: Microsoft slaps down 99 APT35/Charming Kitten domains
Oct 2021: Countering threats from Iran

Last change to this card: 27 December 2021
