APT42 is an Iranian state-aligned cyber espionage threat actor widely tracked under the aliases Charming Kitten, Mint Sandstorm, and GreenBravo. The group is associated with Iran’s broader intelligence and influence apparatus and is known for persistent credential theft, social engineering, and targeted intrusion activity in support of strategic collection and surveillance objectives. APT42 primarily targets individuals and organizations of intelligence interest, including government, policy, research, civil society, regional affairs, and other sectors relevant to Iranian national security priorities. The actor is especially noted for highly tailored spearphishing and impersonation operations designed to harvest credentials, establish access to cloud and email accounts, and support follow-on espionage or monitoring. Its tradecraft commonly includes social engineering, phishing, use of fake personas, credential collection, and abuse of legitimate services and enterprise tooling to blend into normal activity. The group has been linked to reconnaissance, exploitation research, and development of malicious tooling rather than disruptive or destructive operations as its defining mission set. Reporting in 2026 indicated that the actor used generative AI tooling, including Gemini, as an engineering aid to accelerate debugging, code generation, and research into exploitation techniques, reflecting an evolution in workflow efficiency rather than a fundamental change in core tradecraft. APT42 is part of the broader ecosystem of Iranian intrusion sets and overlaps in public reporting with the Charming Kitten cluster. Among the names associated with this actor, APT42 is the most widely recognized designation in the security community.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Attributed origin per open-source reporting.
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Iranian threat actor using Gemini to accelerate development of malicious tooling, including debugging, code generation, and exploitation research.
Iran-linked threat actor using Gemini to accelerate development of specialized malicious tools, including debugging, code generation, and exploitation research.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.