Recent Cyber Espionage Campaigns and Tactics of State-Backed APT Groups
State-backed advanced persistent threat (APT) groups have intensified their cyber espionage activities, employing increasingly sophisticated tactics, techniques, and procedures (TTPs) to infiltrate and persist within high-value targets. APT15, believed to operate out of China, has conducted a series of high-profile campaigns targeting government entities, defense contractors, and minority groups across Europe, North America, and Asia. Their operations leverage spear phishing, exploitation of public-facing applications, and advanced defense evasion methods such as steganography and masquerading malware as legitimate software. Similarly, the Iranian group Charming Kitten (APT35) has been exposed through recent leaks, revealing the identities of key personnel, financial structures, and thousands of compromised systems worldwide. These leaks detail how the group uses spear-phishing, fake login pages, and malicious attachments to gain initial access, followed by persistent surveillance and data exfiltration from government, academic, and civil society networks.
Technical analysis of these groups' operations highlights the use of legitimate system tools for lateral movement and persistence, as well as complex command-and-control (C2) infrastructures designed to evade detection. The leaks concerning Charming Kitten provide unprecedented insight into the operational management and financial underpinnings of Iranian cyber espionage, including the use of front companies and detailed tasking sheets. Both APT15 and APT35 demonstrate the ongoing evolution of state-sponsored cyber threats, with a focus on stealth, persistence, and the targeting of sensitive information across multiple sectors and geographies.
Related Stories
Iranian APT42 SpearSpecter Campaign Targets Defense Sector with TAMECAT Backdoor
Iranian state-backed threat group APT42, also known as Charming Kitten and Educated Manticore, has launched a sophisticated cyberespionage campaign dubbed SpearSpecter, targeting high-profile defense and government organizations as well as their officials and family members. The campaign leverages weeks-long social engineering lures via WhatsApp to gain initial access, followed by credential theft through redirection to fake meeting pages. For long-term persistence, the attackers deploy a fileless PowerShell-based backdoor named TAMECAT, which enables command execution, reconnaissance, file harvesting, and browser data exfiltration. The campaign demonstrates advanced operational security and agility, with infrastructure designed for prolonged espionage against high-value targets. Researchers note that TAMECAT's capabilities allow attackers to maintain stealth and flexibility, executing further PowerShell code and adapting their operations based on their objectives. The Israel National Digital Agency highlighted that these attacks are distinct from previous APT42 campaigns, reflecting a continuous evolution in tactics. The campaign's focus on defense and government entities underscores the persistent threat posed by Iranian cyber operations to critical infrastructure and sensitive sectors worldwide.
3 months ago
Leak of Internal Operational Documents from Iran-Linked APT35 (Charming Kitten)
A significant leak of internal operational documents allegedly belonging to the Iranian state-sponsored threat group APT35, also known as Charming Kitten, has surfaced online. The dataset, which appeared on a public repository in late September 2025, contains over 100 files of Persian-language internal documentation, including personnel rosters, tooling details, campaign reports, and organizational charts. Analysis of the leak reveals a highly coordinated structure within APT35, with dedicated teams for penetration testing, malware development, social engineering, and infrastructure compromise. The documents detail the group's rapid exploitation of vulnerabilities such as CVE-2024-1709 and its use of mass router DNS manipulation to compromise targets. Victims identified in the leak span the government, legal, academic, aviation, energy, and financial sectors, primarily in the Middle East, but also include targets in the United States and Asia. The operational materials highlight the group's use of custom remote access trojans (RATs), endpoint detection and response (EDR) evasion techniques, and supply-chain attack vectors. The leak also exposes the group's phishing infrastructure and its ability to achieve long-term persistence and Active Directory dominance within compromised environments. The documents provide insight into the group's vulnerability research activities, which target platforms such as Confluence, WordPress, Ivanti, and Apache. Additionally, the leak includes open-source intelligence (OSINT) on targets and detailed attack reports, including domain information and mentions of remote access tools such as AnyDesk. The individual or group responsible for the leak, operating under the alias KittenBuster, has stated an intention to release further evidence and personal information about APT35 members in the coming days.
Security researchers are working to verify the authenticity of the leak, but initial assessments indicate a high degree of credibility based on language, content, and context. The exposure of these materials represents a rare and valuable opportunity for the cybersecurity community to gain insight into the tradecraft, organizational structure, and operational priorities of a major Iranian cyber-espionage group. The leak underscores the acute supply-chain and national security risks posed by IRGC-affiliated actors and highlights the need for heightened vigilance among organizations in targeted sectors. The ongoing release of additional documents may further illuminate the group’s tactics, techniques, and procedures (TTPs), enabling defenders to better anticipate and mitigate future threats. This incident marks one of the most comprehensive public exposures of Iranian APT operations to date, with potential implications for both regional and global cybersecurity.
5 months ago
Iranian State-Linked Cyber Espionage and Ransomware Operations Targeting Government, Defense, and Activist Entities
Iranian state-sponsored threat actors have intensified their cyber operations, targeting government officials, defense sector personnel, and dissidents through sophisticated espionage and disruptive campaigns. The APT42 group, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), has launched the 'SpearSpecter' campaign, employing highly personalized social engineering tactics to compromise senior defense and government officials, as well as their family members. These operations involve building trust over extended periods and leveraging fake conference invitations or meetings to deliver malicious payloads. Other Iranian-linked groups, such as Ferocious Kitten, have focused on targeting dissidents and activists with spear-phishing attacks that deploy custom malware like MarkiRAT, which features advanced data exfiltration and persistence techniques. In parallel, the DEV-1084 group, operating under the 'DarkBit' persona and closely associated with the Iranian state-linked MERCURY group, has conducted ransomware campaigns that prioritize destruction over financial gain. These attacks combine on-premises encryption with the mass deletion of cloud resources, effectively wiping out victim environments and aligning with broader strategic objectives of disruption and psychological impact. Technical analysis has revealed shared infrastructure and tools between DEV-1084 and MERCURY, further solidifying the connection to Iran’s Ministry of Intelligence and Security (MOIS). These coordinated campaigns underscore the evolving threat landscape posed by Iranian APTs, which blend espionage, destructive attacks, and advanced social engineering to achieve their objectives.
4 months ago