IRGC EXPOSED: Decoding the Complete Structure, Tools, and Global Espionage Operations of APT35 (Charming Kitten)

🇮🇷 APT THREAT REPORT • NATION-STATE ESPIONAGE

By CyberDudeBivash • October 09, 2025 • Threat Intelligence Briefing

cyberdudebivash.com | cyberbivash.blogspot.com
Disclosure: This is a threat intelligence briefing for security and risk professionals. It contains affiliate links to relevant enterprise security solutions. Your support helps fund our independent research.

 

Chapter 1: The Digital Arm of the IRGC — An Introduction to APT35


APT35, also known by the monikers **Charming Kitten**, **Phosphorus**, and **TA453**, is one of the most persistent and sophisticated state-sponsored cyber espionage groups operating today. With high confidence, the global threat intelligence community attributes this group to Iran's Islamic Revolutionary Guard Corps (IRGC). Their primary mission is not disruption or financial gain, but **intelligence gathering**. They are the digital spies of the Iranian state, and they are masters of their craft.



Chapter 2: The Playbook — A Masterclass in Social Engineering & Credential Theft


Unlike many APTs that rely on zero-day exploits, APT35's primary weapon is the human mind. Their entire attack lifecycle is built on a foundation of highly patient and personalized social engineering.

Patient, Rapport-Building Social Engineering

An APT35 operator will create a fake persona—often a journalist, an academic, or a policy expert—and make contact with their target. They will engage in a legitimate, professional email exchange for weeks or even months, sharing non-malicious articles and building a sense of trust and rapport. They are playing the long game.

Credential Harvesting & MFA Bypass

Once trust is established, the attack begins. The APT35 operator will send the target a link to a "collaborative document" or a "conference registration form." This link leads to a pixel-perfect clone of a Google or Microsoft login page. These are not simple phishing sites; they are often **Adversary-in-the-Middle (AiTM)** proxies. When the victim enters their password and their MFA code, the proxy captures both in real-time and hijacks the authenticated session cookie. The attacker is now logged in as the victim, completely bypassing their MFA.



Chapter 3: The Targets — A Global Espionage Campaign


APT35's targeting is highly specific and aligns directly with the strategic interests of the Iranian state. Their primary targets include:

  • **Academics & Researchers:** Particularly those specializing in Middle East policy, nuclear non-proliferation, and sanctions.
  • **Journalists:** Foreign correspondents and investigative journalists covering Iran.
  • **Human Rights Activists:** Individuals and organizations critical of the Iranian government.
  • **Government Officials:** Diplomats and policymakers in the US, Europe, and Israel.


Chapter 4: The Defender's Playbook — How to Defend Against APT35


Defending against an adversary this sophisticated requires a multi-layered, Zero Trust approach.

1. MANDATE Phishing-Resistant MFA

This is the single most effective technical control. The AiTM phishing techniques used by APT35 are designed to defeat weaker forms of MFA like SMS codes and push notifications. As we detail in our **Ultimate Guide to MFA**, the only reliable defense is **FIDO2/WebAuthn-based hardware security keys**. These are not phishable.
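To make the argument above concrete, here is an added illustration (not code from the original post, and not a real WebAuthn library) that reduces both MFA flows to the check a relying party performs. The origins, user record and OTP value are constructed, and an HMAC stands in for the authenticator's ECDSA signature; real WebAuthn verification also checks the rpIdHash in authenticatorData and signs over authData plus the clientData hash, but the origin binding in clientDataJSON is the piece that defeats a relaying proxy.

```python
"""Reduced model of why AiTM relaying defeats OTP MFA but not WebAuthn.
Constructed example: HMAC stands in for the authenticator's ECDSA signature
so that it runs with the standard library only."""
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://login.example.test"          # assumed real login origin
PROXY_ORIGIN = "https://login.example-docs.test"  # assumed AiTM proxy origin

# --- Legacy MFA: password + OTP are bearer secrets with no origin binding ---
USER_DB = {"alice": {"password": "pw-constructed", "otp": "482913"}}  # constructed

def verify_otp_login(user, password, otp):
    rec = USER_DB.get(user)
    return bool(rec) and rec["password"] == password and rec["otp"] == otp

def aitm_relay_otp(password, otp):
    # The proxy forwards exactly what the victim typed; the server cannot
    # tell that the request took a detour, so the login succeeds.
    return verify_otp_login("alice", password, otp)

# --- WebAuthn: the browser embeds the origin it is really on in clientData ---
CRED_SECRET = secrets.token_bytes(32)  # stands in for the credential key pair

def authenticator_sign(challenge, browser_origin):
    # The browser, not the page, fills in "origin"; a page on the proxy cannot lie.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}).encode()
    sig = hmac.new(CRED_SECRET, client_data, hashlib.sha256).digest()
    return client_data, sig

def rp_verify_assertion(issued_challenge, client_data, sig):
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False  # replayed or mismatched ceremony
    if cd.get("origin") != RP_ORIGIN:
        return False  # assertion was produced while the user sat on another origin
    expected = hmac.new(CRED_SECRET, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def aitm_relay_webauthn():
    challenge = secrets.token_urlsafe(32)  # RP issues it; the proxy forwards it
    client_data, sig = authenticator_sign(challenge, PROXY_ORIGIN)  # victim is on the proxy
    return rp_verify_assertion(challenge, client_data, sig)

def direct_webauthn():
    challenge = secrets.token_urlsafe(32)
    client_data, sig = authenticator_sign(challenge, RP_ORIGIN)
    return rp_verify_assertion(challenge, client_data, sig)
```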

2. Intensive User Training

Your high-risk users (executives, researchers) must be trained on these specific, long-con social engineering tactics. They must be taught to be deeply suspicious of any unsolicited contact, no matter how legitimate it appears.

3. Advanced Detection and Response

You must assume your preventative controls will fail. A modern **XDR platform** with access to high-quality threat intelligence is essential for detecting the post-compromise TTPs of APT35 and hunting for their C2 infrastructure.

The Unphishable Defense: Deploying hardware security keys is the gold standard for protecting your most valuable accounts.

Explore the CyberDudeBivash Ecosystem

Our Core Services:

  • CISO Advisory & Strategic Consulting
  • Penetration Testing & Red Teaming
  • Digital Forensics & Incident Response (DFIR)
  • Advanced Malware & Threat Analysis
  • Supply Chain & DevSecOps Audits

About the Author

CyberDudeBivash is a cybersecurity strategist with 15+ years in APT tracking, threat intelligence, and advising government and enterprise leaders on counter-espionage. [Last Updated: October 09, 2025]

#CyberDudeBivash #APT35 #CharmingKitten #APT #ThreatIntel #CyberSecurity #InfoSec #CISO #Espionage #Iran