Continues To Use Credential Phishing Infrastructure to Target Individuals Perceived as a Threat to the Iranian Regime

Since June 2024, the Iran-nexus actor CHARMING KITTEN (APT42, Mint Sandstorm, TA453) has continued to create new network infrastructure consistent with what the Mandiant intelligence team identifies as Cluster B. Mandiant previously reported on this CHARMING KITTEN infrastructure cluster using credential phishing pages to target individuals perceived as a threat to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists. There are no confirmed targets of the new infrastructure; however, the actor’s target scope likely remains focused on entities deemed a threat to the Iranian regime.

Details

Newly Identified Domains:

  • growing-prices-advanced[.]top
  • competitive-searchvolume-considered[.]top
  • software-selection-features[.]buzz
  • app-engage-station[.]help
  • Horse-improve-department[.]top
  • click-manage-room[.]cfd
  • flow-exulltation-uplift[.]top
  • house-server-digital[.]xyz
  • interconnected-equipment-buildings[.]buzz
  • nail-forward-valid[.]lol
  • request-human-received[.]xyz
  • paper-blue-hero[.]top

These domains were all registered since the publication of Mandiant’s blog, some as recently as September 2024. The domains listed above share many similarities with domains previously attributed to Cluster B, including:

  • Similar TLDs: The new domains use TLDs such as “.top,” “.buzz,” “.help,” “.cfd,” “.xyz,” and “.lol,” all of which were previously reported by Mandiant.
  • Hyphenated Naming Conventions: The new domains continue to consist of several words separated by hyphens.
  • IP Overlap: All listed domains resolve to 135.181.203[.]1, an IP address assigned to the hosting provider Hetzner and used to host multiple Cluster B domains publicly reported by Mandiant.
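As an added example (not code from the advisory or from Mandiant), the three traits above turned into a small triage script: it scores a domain against the listed TLDs, the hyphenated naming convention and the shared hosting IP, and runs that over a few constructed resolver log lines in a hypothetical `query=... answer=...` format.

```python
import re
# Indicator values below are the ones given in the advisory above.
CLUSTER_B_TLDS = {"top", "buzz", "help", "cfd", "xyz", "lol"}
CLUSTER_B_IP = "135.181.203.1"
CLUSTER_B_DOMAINS = {
    "growing-prices-advanced.top", "competitive-searchvolume-considered.top",
    "software-selection-features.buzz", "app-engage-station.help",
    "horse-improve-department.top", "click-manage-room.cfd",
    "flow-exulltation-uplift.top", "house-server-digital.xyz",
    "interconnected-equipment-buildings.buzz", "nail-forward-valid.lol",
    "request-human-received.xyz", "paper-blue-hero.top",
}
# Constructed (hypothetical) resolver log format: "<ts> client=<ip> query=<name> answer=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$")

def match_indicators(domain, answer_ip=None):
    """Return the advisory's Cluster B traits exhibited by a domain and its resolved IP."""
    domain = domain.lower().rstrip(".")
    label, _, tld = domain.rpartition(".")
    hits = []
    if domain in CLUSTER_B_DOMAINS:
        hits.append("known_domain")
    if tld in CLUSTER_B_TLDS:
        hits.append("tld")
    words = label.split("-")
    if len(words) >= 3 and all(words):  # several words joined by hyphens
        hits.append("hyphenated_words")
    if answer_ip == CLUSTER_B_IP:
        hits.append("known_ip")
    return hits

def triage_dns_log(lines):
    """Flag entries that hit an exact IoC, or at least two of the weaker structural traits."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hits = match_indicators(m["query"], m["answer"])
        if "known_domain" in hits or "known_ip" in hits or len(hits) >= 2:
            flagged.append((m["query"], m["answer"], hits))
    return flagged

# Constructed sample log lines; client and non-indicator IPs are private/documentation ranges.
SAMPLE_LOG = [
    "2024-09-12T10:03:11Z client=10.0.0.5 query=paper-blue-hero.top answer=135.181.203.1",
    "2024-09-12T10:03:12Z client=10.0.0.5 query=www.example.com answer=203.0.113.10",
    "2024-09-12T10:04:40Z client=10.0.0.7 query=secure-account-verify.xyz answer=198.51.100.20",
    "2024-09-12T10:05:02Z client=10.0.0.9 query=my-photos.net answer=203.0.113.55",
]
```

The structural traits alone only flag a lookalike such as `secure-account-verify.xyz` for analyst review; an exact domain or IP match is what warrants blocking.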

Targeting

Specific targeting for these newly identified domains is not known. However, public reporting indicates that Cluster B infrastructure commonly masquerades as login pages for Google, YouTube, and file hosting services. The actor typically disseminates these credential harvesting pages through spear phishing emails that often pose as invitations to conferences or as links to legitimate documents hosted on cloud infrastructure.

The most recent specific targeting information for Cluster B covers multiple entities impacted during March 2024. This includes the use of Cluster B infrastructure to target a news editor working for a Persian-language news television channel with a fake Gmail login page, and to harvest Google, Microsoft, and Yahoo credentials from individuals in the research and academic sectors in the U.S., Israel, and Europe.

Conclusion

The newly identified domains indicate that the CHARMING KITTEN actor continues to be active in the wake of public reporting. It is likely that this new infrastructure is being used in a manner consistent with previously reported activity: targeted spear phishing used to direct intended victims to credential phishing pages. The actor’s target set likely continues to be focused on entities deemed a threat to the Iranian regime.