ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Magic Hound, APT 35, Cobalt Gypsy, Charming Kitten

Names:
Magic Hound (Palo Alto)
APT 35 (Mandiant)
Cobalt Gypsy (SecureWorks)
Charming Kitten (CrowdStrike)
TEMP.Beanie (FireEye)
Timberworm (Symantec)
Tarh Andishan (Cylance)
TA453 (Proofpoint)
Phosphorus (Microsoft)
Country: Iran
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2013
Description: Magic Hound is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia.

This group appears to be the evolution of Cutting Kitten, TG-2889.

There is some infrastructure overlap with Rocket Kitten, Newscaster, NewsBeef and ITG18.
Observed:
Sectors: Defense, Energy, Financial, Government, Healthcare, IT, Oil and gas, Technology and Telecommunications organizations that are either based or have business interests in Saudi Arabia, as well as ClearSky, HBO, civil and human rights activists and journalists.
Countries: Afghanistan, Canada, Egypt, Iran, Iraq, Israel, Jordan, Kuwait, Morocco, Pakistan, Saudi Arabia, Spain, Syria, Turkey, UAE, UK, Venezuela, Yemen.
Tools used: CWoolger, DistTrack, DownPaper, FireMalv, Ghambar, Havij, Leash, Matryoshka RAT, Mimikatz, MPKBot, NETWoolger, PsList, PupyRAT, sqlmap, TDTESS.
Operations performed:
Mid-2014: Operation “Thamar Reservoir”
This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate it may date as far back as 2011. We call this campaign Thamar Reservoir, named after one of the targets, Thamar E. Gindin, who exposed new information about the attack and is currently assisting with the investigation.
<https://www.clearskysec.com/thamar-reservoir/>
2016: Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which we have named Magic Hound. This appears to be an attack campaign focused on espionage. Based upon our visibility it has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia. The adversaries appear to have evolved their tactics and techniques throughout the tracked time-period, iterating through a diverse toolset across different waves of attacks.
<https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/>
Jan 2017: PupyRAT campaign
SecureWorks Counter Threat Unit (CTU) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017. Some of the messages were sent from legitimate email addresses belonging to several Middle Eastern organizations.
<https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations>
2017: In early 2017, SecureWorks Counter Threat Unit (CTU) researchers observed phishing campaigns targeting several entities in the Middle East and North Africa (MENA), with a focus on Saudi Arabian organizations. The campaigns delivered PupyRAT, an open-source cross-platform remote access Trojan.
<https://www.secureworks.com/research/the-curious-case-of-mia-ash>
Jun 2018: Impersonating ClearSky, the security firm that uncovered its campaigns
Iranian cyberespionage group Charming Kitten, which has been operating since 2014, has impersonated the cybersecurity firm that exposed its operations and campaigns. Israeli firm ClearSky Security said the group managed to copy its official website hosted on a similar-looking domain – clearskysecurity[.]net.
ClearSky’s actual website is Clearskysec.com.
<https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f>
Aug 2017: Breach of HBO
On August 7 a small treasure trove of HBO content was posted publicly to the web by a hacker who is now demanding a $6 million payment to stop any further release of data. The hacker who goes by Mr. Smith posted five scripts for Game of Thrones and a month’s worth of email from HBO Vice President for Film Programming Leslie Cohen along with some other corporate information, according to the Associated Press.
<https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/>
Oct 2018: The Return of The Charming Kitten
In this campaign, hackers have targeted individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world.
Our review in Certfa demonstrates that the hackers – knowing that their victims use two-step verification – target verification codes and also their email accounts such as Yahoo! and Gmail.
<https://blog.certfa.com/posts/the-return-of-the-charming-kitten/>
Jul 2019: In August, the campaign has progressed, and unlike July, it seems like the APT group is now expanding its activities toward influential public figures around the world, rather than academic researchers and state organizations.
<https://www.clearskysec.com/the-kittens-are-back-in-town/>
Aug 2019: In a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed Phosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts.
<https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/>
<https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2.pdf>
Jan 2020: Fake Interview: The New Activity of Charming Kitten
<https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/>
Jul 2020: Starting July 2020, we have identified a new TTP of the group, impersonating “DeutscheWelle” and the “Jewish Journal” using emails alongside WhatsApp messages as their main platform to approach the target and convince them to open a malicious link.
<https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf>
Counter operations:
Feb 2019: Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues
<https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber>
Mar 2019: Microsoft slaps down 99 APT35/Charming Kitten domains
<https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/>
Information:
<https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf>
<https://en.wikipedia.org/wiki/Charming_Kitten>
MITRE ATT&CK:
<https://attack.mitre.org/groups/G0058/>
<https://attack.mitre.org/groups/G0059/>

Last change to this card: 28 August 2020

