Charming Kitten Conference Trap: APT35 Phishing Researchers
Threat Intelligence
APT35 targets academics, journalists, and nuclear policy experts using fraudulent conference invitations and fake interview requests, harvesting credentials through elaborate multi-stage phishing campaigns tied to Iranian intelligence priorities.
By Arjun Raghavan, Security & Systems Lead, BIPI · September 29, 2024 · 9 min read
APT35, tracked by Microsoft as Mint Sandstorm and widely known as Charming Kitten, is attributed to Iran's Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization. The group has operated since at least 2014 with a consistent focus on credential theft and intelligence collection targeting academics, policy researchers, journalists, human rights activists, and government officials. Their defining characteristic is patience: APT35 invests weeks or months building trust with targets before executing the credential harvest.
The Conference Invitation Attack Pattern
APT35's most documented social engineering technique involves impersonating staff at real academic conferences, think tanks, and media organizations to send fraudulent invitations to researchers working on Middle East policy, nuclear nonproliferation, and Iran sanctions. The invitations are convincingly formatted, reference real events and legitimate organizations, and offer reasonable honoraria. The goal is to drive the target to a spoofed credential harvesting page disguised as a conference registration portal.
- Target selection focuses on researchers with policy influence: think tank fellows, university faculty with government advisory roles, journalists at major outlets covering Iran
- Invitation emails arrive from domains that closely spoof legitimate organizations (e.g., atlancouncil[.]org vs atlanticcouncil.org)
- Multi-stage engagement: the initial email establishes a relationship, and a follow-up provides a Zoom or Teams meeting link that routes through a credential-harvesting proxy
- The group has successfully targeted researchers from Harvard, MIT, University of London, and multiple DC-area policy institutions
- Credentials harvested are used to access personal email, cloud storage, and institutional VPN to collect sensitive research and communications
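The lookalike-domain trick in the list above (a sender domain one or two edits away from a real organization's domain) is one of the few parts of this pattern that a mail gateway or SOC script can check mechanically. The following is an added example, not code from the original post or from any vendor: it compares the registrable domain of each From: header against a constructed list of trusted partner domains using edit distance, and also catches domains that embed a trusted organization's name with extra punctuation or a different TLD. The trusted list, the sample headers, and the thresholds are all assumptions for illustration.

```python
"""Flag sender domains that closely resemble trusted partner domains.

Added example for the spoofed-domain pattern described above. The trusted
list, the sample From: headers and the distance thresholds are constructed
for illustration and are not taken from any real gateway configuration.
"""
import re
from email.utils import parseaddr

# Constructed allowlist of organizations the institution actually works with.
TRUSTED_DOMAINS = {
    "atlanticcouncil.org",
    "brookings.edu",
    "harvard.edu",
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header; '' if there is no address."""
    addr = parseaddr(from_header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable_domain(domain: str) -> str:
    """Collapse subdomains to the last two labels (mail.harvard.edu -> harvard.edu).

    Adequate for .org/.edu; multi-part suffixes such as .ac.uk would need a
    public-suffix list, which this example deliberately leaves out.
    """
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, domain, nearest_trusted, edit_distance).

    verdict is one of 'trusted', 'lookalike', 'unrelated', 'unparseable'.
    """
    domain = registrable_domain(sender_domain(from_header))
    if not domain:
        return ("unparseable", domain, None, -1)
    if domain in trusted:
        return ("trusted", domain, domain, 0)

    nearest = min(trusted, key=lambda t: levenshtein(domain, t))
    dist = levenshtein(domain, nearest)
    # Tolerate roughly one edit per five characters of the trusted name,
    # never fewer than two edits; tune this against your own allowlist.
    threshold = max(2, len(nearest) // 5)
    if dist <= threshold:
        return ("lookalike", domain, nearest, dist)

    # Second check: trusted brand name embedded with extra punctuation or a
    # different TLD (e.g. harvard-edu.org), which edit distance misses.
    squashed = re.sub(r"[^a-z0-9]", "", domain)
    for t in trusted:
        brand = t.split(".")[0]
        if len(brand) >= 5 and brand in squashed:
            return ("lookalike", domain, t, levenshtein(domain, t))
    return ("unrelated", domain, nearest, dist)


def scan_headers(headers):
    """Return the verdict tuples for every header that is not trusted."""
    return [r for r in map(classify_sender, headers) if r[0] != "trusted"]


# Constructed sample From: headers (not real messages).
SAMPLE_HEADERS = [
    "Events Team <events@atlancouncil.org>",
    "fellow@mail.harvard.edu",
    "Interview Desk <desk@harvard-edu.org>",
    "news@example.com",
]

if __name__ == "__main__":
    for verdict in scan_headers(SAMPLE_HEADERS):
        print(verdict)
```

In a gateway this check belongs after DMARC evaluation, not instead of it: a lookalike domain can have perfectly valid SPF and DKIM for itself, which is exactly why alignment checks alone do not catch this pattern.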
Fake Interview and Media Persona Operations
A second documented APT35 pattern involves operators posing as journalists or podcast hosts from legitimate outlets, soliciting expert commentary on Iran-related topics. These engagements escalate from email to video call, during which the operator attempts to gather intelligence directly through conversation while a technical team simultaneously attempts to phish the target's credentials via a 'document sharing' link sent during the call.
APT35 operators have been documented maintaining fake personas in email correspondence for over eight weeks before executing the credential harvest. That investment signals the high intelligence value assigned to the target rather than opportunistic access: this is deliberate, sanctioned intelligence collection.
Technical Infrastructure
- Evilginx2-style reverse-proxy phishing infrastructure that captures both credentials and session tokens, defeating SMS-based MFA
- HYPERSCRAPE: a custom tool that downloads email content from victim accounts using harvested Google, Yahoo, and Microsoft credentials
- NokNok: a macOS backdoor delivered to targets whose replies to the initial credential-harvesting approach indicate they use Apple devices
- PowerStar (updated CharmPower): a PowerShell-based modular backdoor for Windows targets who advance beyond credential phishing to full compromise
- GhostEcho: a Chrome extension delivered as a 'conference participant tool' that exfiltrates browser history and saved credentials
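The reverse-proxy infrastructure in the first bullet above matters to defenders because the stolen artifact is a live session token, not just a password: the operator replays the victim's cookie from their own infrastructure, so the login itself looks legitimate. The one thing that does change is where the token is presented from. The following is an added example, not code from the original post or from any product: it reads constructed JSON session-log lines, binds each session id to the client that first presented it, and alerts when the same session later appears from a different IP, grading the alert higher when the user agent changed as well. The log format, field names and sample values are assumptions for illustration.

```python
"""Detect a web session token presented from a client other than the one it was issued to.

Added example for the session-token-theft technique described above. The log
format, field names, IP addresses (RFC 5737 documentation ranges) and session
ids are constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line, as an IdP or web app might emit.
SAMPLE_LOG = """
{"ts": "2024-09-20T09:00:00+00:00", "session": "s-alpha", "ip": "203.0.113.10", "ua": "Mozilla/5.0 Chrome/128", "event": "login"}
{"ts": "2024-09-20T09:03:00+00:00", "session": "s-alpha", "ip": "198.51.100.7", "ua": "python-requests/2.32", "event": "mailbox.read"}
{"ts": "2024-09-20T09:05:00+00:00", "session": "s-beta",  "ip": "203.0.113.22", "ua": "Mozilla/5.0 Safari/17", "event": "login"}
{"ts": "2024-09-20T09:10:00+00:00", "session": "s-beta",  "ip": "203.0.113.22", "ua": "Mozilla/5.0 Safari/17", "event": "mailbox.read"}
{"ts": "2024-09-20T08:00:00+00:00", "session": "s-gamma", "ip": "203.0.113.40", "ua": "Mozilla/5.0 Firefox/130", "event": "login"}
{"ts": "2024-09-20T08:20:00+00:00", "session": "s-gamma", "ip": "192.0.2.77",   "ua": "Mozilla/5.0 Firefox/130", "event": "mailbox.read"}
"""


def parse_events(text: str):
    """Parse JSON lines into dicts with a datetime 'ts'; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_session_reuse(events, window: timedelta = timedelta(hours=1)):
    """Return alerts for sessions presented from a new IP within `window` of first use.

    Severity is 'high' when the user agent changed too (a scripted client
    replaying a browser's cookie), 'medium' when only the IP changed, which
    can also be a laptop moving between networks.
    """
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        origin = first_seen.setdefault(sid, ev)
        if origin is ev:
            continue  # this is the event that bound the session to a client
        ip_changed = ev["ip"] != origin["ip"]
        ua_changed = ev["ua"] != origin["ua"]
        if ip_changed and ev["ts"] - origin["ts"] <= window:
            alerts.append({
                "session": sid,
                "severity": "high" if ua_changed else "medium",
                "origin_ip": origin["ip"],
                "new_ip": ev["ip"],
                "minutes_after_issue": int((ev["ts"] - origin["ts"]).total_seconds() // 60),
                "event": ev["event"],
            })
    return alerts


def run_sample():
    """Convenience wrapper so the sample can be checked without printing."""
    return find_session_reuse(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

This is the logging-side complement to the "phishing-resistant authentication" advice later in the post: FIDO2 keys stop the credential and OTP from being proxied in the first place, while a check like this catches the case where a session was nonetheless obtained and is being used from somewhere it should not be.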
Academia and Nuclear Policy Targeting
APT35's consistent focus on nuclear policy researchers aligns directly with IRGC intelligence priorities: understanding Western negotiating positions on the JCPOA and JCPOA successor agreements, identifying Iran experts advising governments on sanctions policy, and monitoring the activities of Iranian diaspora academics who engage with Western policy institutions. The targeting is sophisticated enough that it reflects specific intelligence requirements, not generalized interest in the research community.
MITRE ATT&CK Mapping
- T1566.002: Spearphishing Link via fraudulent conference invitation emails with credential-harvesting URLs
- T1539: Steal Web Session Cookie using reverse-proxy infrastructure that captures session tokens alongside credentials
- T1114.002: Remote Email Collection via HYPERSCRAPE against harvested webmail accounts
- T1585.002: Email Accounts for establishing fake journalist and academic persona identities
- T1217: Browser Information Discovery via GhostEcho Chrome extension on compromised endpoints
Protective Measures for Research Communities
APT35's approach is distinguished by social sophistication rather than technical complexity. The group's willingness to invest significant operator time in building trust with high-value targets reflects IRGC confidence that the intelligence return justifies the cost. For research institutions, the defense is equally human: awareness, verification habits, and phishing-resistant authentication.