
🇮🇷 APT THREAT REPORT • NATION-STATE ESPIONAGE
IRGC EXPOSED: Decoding the Complete Structure, Tools, and Global Espionage Operations of APT35
By CyberDudeBivash • October 09, 2025 • Threat Intelligence Briefing
cyberdudebivash.com | cyberbivash.blogspot.com
Disclosure: This is a threat intelligence briefing for security and risk professionals. It contains affiliate links to relevant enterprise security solutions. Your support helps fund our independent research.
Threat Report: Table of Contents
- Chapter 1: The Digital Arm of the IRGC — An Introduction to APT35
- Chapter 2: The Playbook — A Masterclass in Social Engineering & Credential Theft
- Chapter 3: The Targets — A Global Espionage Campaign
- Chapter 4: The Defender’s Playbook — How to Defend Against APT35
Chapter 1: The Digital Arm of the IRGC — An Introduction to APT35
APT35, also known by the monikers **Charming Kitten**, **Phosphorus**, and **TA453**, is one of the most persistent and sophisticated state-sponsored cyber espionage groups operating today. With high confidence, the global threat intelligence community attributes this group to Iran’s Islamic Revolutionary Guard Corps (IRGC). Their primary mission is not disruption or financial gain, but **intelligence gathering**. They are the digital spies of the Iranian state, and they are masters of their craft.
Chapter 2: The Playbook — A Masterclass in Social Engineering & Credential Theft
Unlike many APTs that rely on zero-day exploits, APT35’s primary weapon is the human mind. Their entire attack lifecycle is built on a foundation of highly patient and personalized social engineering.
Patient, Rapport-Building Social Engineering
An APT35 operator will create a fake persona—often a journalist, an academic, or a policy expert—and make contact with their target. They will engage in a legitimate, professional email exchange for weeks or even months, sharing non-malicious articles and building a sense of trust and rapport. They are playing the long game.
Credential Harvesting & MFA Bypass
Once trust is established, the attack begins. The APT35 operator will send the target a link to a “collaborative document” or a “conference registration form.” This link leads to a pixel-perfect clone of a Google or Microsoft login page. These are not simple phishing sites; they are often **Adversary-in-the-Middle (AiTM)** proxies. When the victim enters their password and their MFA code, the proxy captures both in real time and hijacks the authenticated session cookie. The attacker is now logged in as the victim, completely bypassing their MFA.
Chapter 3: The Targets — A Global Espionage Campaign
APT35’s targeting is highly specific and aligns directly with the strategic interests of the Iranian state. Their primary targets include:
- **Academics & Researchers:** Particularly those specializing in Middle East policy, nuclear non-proliferation, and sanctions.
- **Journalists:** Foreign correspondents and investigative journalists covering Iran.
- **Human Rights Activists:** Individuals and organizations critical of the Iranian government.
- **Government Officials:** Diplomats and policymakers in the US, Europe, and Israel.
Chapter 4: The Defender’s Playbook — How to Defend Against APT35
Defending against an adversary this sophisticated requires a multi-layered, Zero Trust approach.
1. MANDATE Phishing-Resistant MFA
This is the single most effective technical control. The AiTM phishing techniques used by APT35 are designed to defeat weaker forms of MFA like SMS codes and push notifications. As we detail in our **Ultimate Guide to MFA**, the only reliable defense is **FIDO2/WebAuthn-based hardware security keys**. These are not phishable.
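To show concretely why a FIDO2/WebAuthn credential cannot be relayed through an AiTM proxy, the following is an added example, not code from the original briefing or from the MFA guide it references. It simulates the WebAuthn assertion ceremony in plain Python: the browser records the origin it is actually on in clientDataJSON, the authenticator signs over the RP ID hash plus the hash of that clientDataJSON, and the relying party rejects any assertion whose origin or RP ID hash is not its own. The RP ID login.example.com, the phishing origin, and the use of HMAC with a shared key as a stand-in for the authenticator's public-key signature are assumptions made for illustration only.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Relying party identity (constructed values for the example).
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"

# Stand-in for the credential key pair. A real authenticator signs with a
# private key and the RP verifies with the registered public key; HMAC with
# a shared secret is used here only so the example runs on the standard
# library. The origin/rpIdHash checks below are what the example is about.
CREDENTIAL_KEY = secrets.token_bytes(32)


@dataclass
class Assertion:
    client_data_json: bytes
    authenticator_data: bytes
    signature: bytes


def authenticator_sign(origin_seen_by_browser: str, challenge: bytes) -> Assertion:
    """Browser + authenticator side of navigator.credentials.get().
    The browser writes the origin it is really on into clientDataJSON; the
    authenticator prefixes SHA-256(rpId) and signs over both.
    (A real browser would not even offer the credential when the RP ID is not
    a registrable suffix of the page origin; that step is skipped here so the
    RP-side rejection can be shown.)"""
    client_data = {"type": "webauthn.get",
                   "challenge": challenge.hex(),
                   "origin": origin_seen_by_browser}
    client_data_json = json.dumps(client_data, sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    # authenticatorData: rpIdHash || flags (UP set) || 4-byte signature counter
    authenticator_data = rp_id_hash + b"\x01" + (0).to_bytes(4, "big")
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return Assertion(client_data_json, authenticator_data, signature)


def rp_verify(assertion: Assertion, expected_challenge: bytes) -> tuple:
    """Relying-party checks in the order the WebAuthn spec lists them:
    ceremony type, challenge, origin, rpIdHash, then the signature."""
    client_data = json.loads(assertion.client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if assertion.authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion.authenticator_data + hashlib.sha256(assertion.client_data_json).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion.signature):
        return False, "bad signature"
    return True, "ok"


def legitimate_login() -> tuple:
    """User signs in on the real origin: everything lines up."""
    challenge = secrets.token_bytes(32)
    return rp_verify(authenticator_sign(RP_ORIGIN, challenge), challenge)


def proxied_login(phishing_origin: str = "https://login.example-docs.net") -> tuple:
    """AiTM proxy relays the RP's genuine challenge to the victim, but the
    victim's browser is on the proxy's origin, so that origin is what gets
    signed and the RP rejects it."""
    challenge = secrets.token_bytes(32)  # the RP's challenge, relayed by the proxy
    return rp_verify(authenticator_sign(phishing_origin, challenge), challenge)


def tampered_login() -> tuple:
    """Proxy rewrites the origin field to the RP's own origin after the fact.
    The signature covers SHA-256(clientDataJSON), so the signature check fails."""
    challenge = secrets.token_bytes(32)
    genuine = authenticator_sign("https://login.example-docs.net", challenge)
    forged = json.loads(genuine.client_data_json)
    forged["origin"] = RP_ORIGIN
    forged_assertion = Assertion(json.dumps(forged, sort_keys=True).encode(),
                                 genuine.authenticator_data, genuine.signature)
    return rp_verify(forged_assertion, challenge)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("proxied:   ", proxied_login())
    print("tampered:  ", tampered_login())
```

The contrast with an OTP or push approval is the point: a six-digit code carries no information about where it was typed, so a proxy can forward it unchanged, whereas the WebAuthn assertion is cryptographically bound to the origin the browser was on and cannot be edited by the proxy without invalidating the signature.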
2. Intensive User Training
Your high-risk users (executives, researchers) must be trained on these specific, long-con social engineering tactics. They must be taught to be deeply suspicious of any unsolicited contact, no matter how legitimate it appears.
3. Advanced Detection and Response
You must assume your preventative controls will fail. A modern **XDR platform** with access to high-quality threat intelligence is essential for detecting the post-compromise TTPs of APT35 and hunting for their C2 infrastructure.
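As an added example covering both the AiTM session-cookie hijack described in Chapter 2 and the post-compromise detection this step calls for, the script below is not code from the original briefing or from any XDR vendor. It runs a simple rule over constructed identity-provider sign-in and activity events (a simplified JSON-lines format invented for this example, not any real product's telemetry): when a session token that was issued after authentication is later presented by a different client IP or User-Agent, that is what a replayed session cookie looks like from the provider's side. Each alert also records whether the MFA method at sign-in was phishing-resistant and whether the action taken with the replayed session is a sensitive one. The field names, user names, IPs and the 60-minute window are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample events (JSON lines). The third and fourth lines show a
# session token being used from a different client a few minutes after login.
SAMPLE_EVENTS = """
{"ts":"2025-10-09T08:00:05Z","user":"a.researcher@example.org","event":"login_success","mfa":"push","session":"s-7f3a","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/129"}
{"ts":"2025-10-09T08:00:12Z","user":"a.researcher@example.org","event":"mailbox_access","session":"s-7f3a","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/129"}
{"ts":"2025-10-09T08:03:40Z","user":"a.researcher@example.org","event":"mailbox_access","session":"s-7f3a","ip":"198.51.100.77","ua":"python-requests/2.32"}
{"ts":"2025-10-09T08:04:01Z","user":"a.researcher@example.org","event":"inbox_rule_created","session":"s-7f3a","ip":"198.51.100.77","ua":"python-requests/2.32"}
{"ts":"2025-10-09T09:15:00Z","user":"b.editor@example.org","event":"login_success","mfa":"fido2","session":"s-91c2","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2025-10-09T09:20:00Z","user":"b.editor@example.org","event":"mailbox_access","session":"s-91c2","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
"""

# Assumed classification of MFA methods and of high-impact post-auth actions.
PHISHING_RESISTANT = {"fido2", "webauthn"}
SENSITIVE_ACTIONS = {"inbox_rule_created", "mail_forwarding_enabled", "oauth_consent_granted"}


def parse_events(text: str) -> list:
    """Parse JSON lines, convert timestamps to aware datetimes, sort by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_hijack(events: list, window_minutes: int = 60) -> list:
    """Flag a session token presented by a client (IP, User-Agent) that differs
    from the client which completed authentication, within the window."""
    origin_client = {}  # session id -> (ip, ua, login time, mfa method)
    alerts = []
    for e in events:
        sid = e["session"]
        if e["event"] == "login_success":
            origin_client[sid] = (e["ip"], e["ua"], e["ts"], e.get("mfa", "none"))
            continue
        if sid not in origin_client:
            continue  # no login seen for this session in the sample
        ip, ua, t0, mfa = origin_client[sid]
        age_min = (e["ts"] - t0).total_seconds() / 60
        if (e["ip"], e["ua"]) != (ip, ua) and age_min <= window_minutes:
            alerts.append({
                "rule": "session_reused_by_new_client",
                "user": e["user"],
                "session": sid,
                "event": e["event"],
                "login_client": f"{ip} {ua}",
                "new_client": f"{e['ip']} {e['ua']}",
                "minutes_after_login": round(age_min, 1),
                "mfa_was_phishing_resistant": mfa in PHISHING_RESISTANT,
                "sensitive_action": e["event"] in SENSITIVE_ACTIONS,
            })
    return alerts


def run_sample() -> list:
    """Run the rule over the constructed sample."""
    return detect_session_hijack(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert, indent=2))
```

In production the same rule would be fed from the identity provider's sign-in and audit logs, and the "different client" comparison would normally use ASN or geolocation rather than the raw IP to avoid noise from mobile networks; the `sensitive_action` flag is there so that a replayed session that immediately creates an inbox rule is triaged ahead of one that only read mail.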
The Unphishable Defense: Deploying hardware security keys is the gold standard for protecting your most valuable accounts.
About the Author
CyberDudeBivash is a cybersecurity strategist with 15+ years in APT tracking, threat intelligence, and advising government and enterprise leaders on counter-espionage. [Last Updated: October 09, 2025]
#CyberDudeBivash #APT35 #CharmingKitten #APT #ThreatIntel #CyberSecurity #InfoSec #CISO #Espionage #Iran