Insights, news, education and announcements from PolySwarm

2024 Recap - Iranian Threat Actor Activity

Written by The Hivemind | Dec 16, 2024 6:42:43 PM

Executive Summary

This Threat Bulletin is part of PolySwarm’s 2024 Recap series. This report provides highlights of activity perpetrated by Iran-based threat actors in 2024.

Key Takeaways

  • This report provides highlights of activity perpetrated by Iran-based threat actors in 2024.
  • Threat actors featured in this report include Static Kitten, Charming Kitten, Helix Kitten, Nemesis Kitten, Refined Kitten, Haywire Kitten, and Pioneer Kitten.
  • PolySwarm tracked malware associated with multiple Iran nexus threat actors in 2024. 

2024 Iran Nexus Threat Actor Activity 

Static Kitten

Static Kitten, also known as Muddy Water, Seedworm, Mango Sandstorm, Boggy Serpens, TA450, and Cobalt Ulster, is an Iran nexus threat actor group active since at least 2017. MuddyWater has historically targeted entities in the Middle East but has been known to target other regions as well. MuddyWater primarily conducts espionage campaigns but has also been known to engage in intellectual property theft and ransomware attacks. 

US Cyber Command has linked the group’s activities to Iran’s Ministry of Intelligence and Security (MOIS). Cisco previously assessed the group is a conglomerate of multiple teams operating independently. MuddyWater TTPs include social engineering, spearphishing, maldocs, use of RMM tools, LoLBins, Small Sieve, PowGoop, Mori backdoor, Covicli backdoor, Canopy/SloughRAT, Empire, Powerstats/Powermud backdoor, and others.

Activity

  • In early 2024, Static Kitten was observed using a new attack framework known as DarkBeatC2.
  • In March 2024, Static Kitten was observed using embedded links in PDF attachments in a phishing campaign targeting entities in Israel.
  • In July 2024, Static Kitten was observed increasing its targeting of entities in Israel using a backdoor known as BugSleep or MuddyRot.

Charming Kitten 

Charming Kitten, also known as APT35, Phosphorus, Newscaster, Mint Sandstorm, TA453, Cobalt Illusion, Magic Hound, and ITG18, is an Iran nexus state-sponsored threat actor group tentatively linked to the Islamic Revolutionary Guard Corps (IRGC). Charming Kitten has previously targeted government and military personnel, academics, journalists, and the World Health Organization. The group’s targets have primarily been in the US and the Middle East. Charming Kitten has been active since at least 2014.

Activity

  • In early 2024, Charming Kitten was observed staging a fake webinar platform to target Middle East policy experts. 
  • Charming Kitten was observed using NICECURL and TAMECAT custom backdoors. 
  • In June, Charming Kitten was observed targeting a US presidential candidate’s campaign, as well as military and political targets in Israel.
  • In July, Charming Kitten was observed targeting a prominent Jewish religious figure. The group sent the individual a phishing email in an attempt to infect them with the BlackSmith malware toolkit and the AnvilEcho PowerShell trojan. 
  • In mid-2024, industry researchers discovered Charming Kitten building infrastructure that was used by Iran nexus threat actor groups in an attempt to target the 2024 US Presidential election. 
  • Later in 2024, Charming Kitten was observed targeting the aerospace vertical using fake job recruiters. This activity has likely been ongoing since at least September 2023. 

Helix Kitten

Helix Kitten, also known as Chrysene, Greenbug, OilRig, and APT34, has been active in its current form since 2017. The group played a role in the 2012 Shamoon attack. Helix Kitten specializes in gaining initial access to a target and passing the victim to another group for further operations. Helix Kitten is also known to target government organizations in Lebanon.

Activity

  • In mid-2024, Helix Kitten was observed leveraging CVE-2024-30088, a Windows kernel elevation of privilege bug.
  • In 2024, Helix Kitten was observed launching intensified attacks against entities in the UAE and surrounding countries.
  • Helix Kitten was observed using two new backdoors in 2024. 

Nemesis Kitten

Nemesis Kitten, also known as Phosphorus, Bentonite, and UNC2448, is an Iran nexus threat actor group active since at least 2020. Nemesis Kitten is known for conducting ransomware attacks leveraging BitLocker and DiskCryptor. The group has also engaged in espionage activity. Nemesis Kitten is known to target multiple sectors, including the energy sector. 

Activity

  • In Q1 2024, Nemesis Kitten was observed targeting academic institutions based in Israel in a supply chain attack.

Refined Kitten 

Refined Kitten, also known as APT33, Elfin, Magnalium, Peach Sandstorm, and Holmium, is an Iran nexus threat actor group with potential ties to the IRGC. The group has been active since at least 2013. Refined Kitten activity is focused on gathering intelligence. They typically target aerospace, defense, energy, and ONG entities in Saudi Arabia, the US, and UAE.

Activity

  • In May 2024, Refined Kitten was observed compromising a local government entity in a US swing state prior to the presidential election. Industry researchers noted the intent of this particular activity was unclear.
  • Later in 2024, Refined Kitten was observed using Tickler malware to target entities involved with satellite communications, government, and oil & gas. Most targets were based in the US and UAE. 

Haywire Kitten

Haywire Kitten, also known as Cotton Sandstorm and Marnanbridge, is an Iran nexus threat actor group active since at least 2020. Haywire Kitten is thought to be part of Iran’s Islamic Revolutionary Guard Corps (IRGC). The group is known to use the company Emennet Pasargad as a front for its activities. In mid-2024, the front company’s name was changed to Aria Sepehr Ayandehsazan (ASA). ASA set up its own hosting providers to help hide its infrastructure. These providers were used for Iran nexus threat actor operations and reportedly hosted websites affiliated with Hamas. Haywire Kitten was observed using generative AI in an influence operation in 2023. 

Activity

  • In July 2024, Haywire Kitten was observed targeting a French commercial dynamic display provider to display images protesting Israel’s participation in the 2024 Olympics. 
  • Haywire Kitten’s company ASA was observed hacking IP cameras in Israel, Gaza, and Iran in 2023 and 2024. 
  • Haywire Kitten was observed using an online persona “Cyber Court” to promote hacktivist activity in protest of the Israel-Hamas conflict. 

Pioneer Kitten

Pioneer Kitten, also known as Parisite, Fox Kitten, Rubidium, and UNC757, has been active since at least 2017. The group is likely state-sponsored and primarily focuses on espionage and targeting the energy sector. Industry researchers noted operational overlap with several other Iran nexus APT groups.

Activity

  • In August 2024, US law enforcement issued a joint cybersecurity advisory warning that Pioneer Kitten was involved with ransomware campaigns targeting US-based entities. Targets included entities in the education, finance, healthcare, defense, and government verticals. 

Other Threat Actors 

  • In early 2024, UNC1549 was observed targeting entities in the Aerospace and Defense verticals in the Middle East. UNC1549’s activity is thought to overlap operationally with other threat actor groups, including Imperial Kitten and Smoke Sandstorm. 
  • In mid-2024, multiple Iran-based threat actor groups, besides those mentioned above, were reportedly observed attempting to interfere in the US Presidential elections using influence operations. 
  • In September 2024, industry researchers exposed UNC1860 as an initial access broker for Iranian state-sponsored threat actor groups. UNC1860, which appears to be affiliated with Iran’s MOIS, has been observed aiding other Iran nexus threat actor groups in targeting entities in Iraq, Saudi Arabia, and Qatar. Malware used by UNC1860 includes but is not limited to Sasheyaway dropper, Stayshante webshell, Templedoor, Sparkload, Templedrop, Oatboat, Tofupipe, and Tofuload. All of UNC1860’s implants are passive, making their activity difficult to detect. 

Tracking Iran Nexus Threat Actor Activity With PolySwarm

PolySwarm tracked malware associated with the following Iran nexus threat actor groups in 2024:

 

Static Kitten

73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e

960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809

B8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca

94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472

5df724c220aed7b4878a2a557502a5cefee736406e25ca48ca11a70608f3a1c0

 

Charming Kitten

0e51029ba28243b0a6a071713c17357a8eb024aa4298d1ccc9e2c4ac8916df4d

dbdb14e37fc4412711a1e5e37e609e33410de31de13911aee99ab473753baa4a

07384ab4488ea795affc923851e00ebc2ead3f01b57be6bf8358d7659e9ee407

5404e39f2f175a0fc993513ee52be3679a64c69c79e32caa656fbb7645965422

bd1f0fb085c486e97d82b6e8acb3977497c59c3ac79f973f96c395e7f0ca97f8

c99cc10f15f655f36314e54f7013a0bc5df85f4d6ff7f35b14a446315835d334

 

You can use the following CLI command to search for all samples associated with a particular threat actor in our portal:

$ polyswarm link list -t ThreatActorName

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 
View full post