CHARMING KITTEN

Oct. 4, 2024, 12:41 p.m.

Description

Since June 2024, the Iran-nexus actor CHARMING KITTEN has been creating new network infrastructure for credential phishing, targeting individuals perceived as threats to the Iranian regime. The actor's infrastructure, known as Cluster B, uses domains with specific characteristics like similar TLDs, hyphenated naming conventions, and shared IP addresses. While specific targets for the new domains are unknown, previous targets included researchers, journalists, NGO leaders, and human rights activists. The phishing pages often mimic login interfaces for popular services like Google and YouTube, distributed through spear-phishing emails disguised as conference invitations or links to legitimate documents.

External References

https://cti-grapevine.com/charming-kitten/
https://otx.alienvault.com/pulse/66ffc070c86bc8575146f723
Tags
iran
infrastructure
domain registration
2024-10-04
spear-phishing
credential phishing
mint sandstorm
ta453
apt42

Date

  • Created: Oct. 4, 2024, 10:16 a.m.
  • Published: Oct. 4, 2024, 10:16 a.m.
  • Modified: Oct. 4, 2024, 12:41 p.m.

Indicators

  • software-selection-features.buzz
  • request-human-received.xyz
  • paper-blue-hero.top
  • nail-forward-valid.lol
  • interconnected-equipment-buildings.buzz
  • house-server-digital.xyz
  • growing-prices-advanced.top
  • flow-exulltation-uplift.top
  • competitive-searchvolume-considered.top
  • click-manage-room.cfd
  • app-engage-station.help
Download all indicators here!

Attack Patterns

  • CHARMING KITTEN

Additional Informations

  • Media
  • Education
  • NGO
  • Government
  • Iran, Islamic Republic of
  • Israel
  • United States of America