【要点】
◎2014年ころから活動するイランのサイバー攻撃組織。イラン国家が後ろ盾と考えられている
◎ThaiCERTによると、2013年(2011年という情報も)から活動が開始されていたもよう
【目次】
概要
【ATT&CK ID】
| ID(ATT&CK) |
備考 |
|---|---|
| G0059 | Magic Hound |
【辞書】
◆Magic Hound (ATT&CK)
https://attack.mitre.org/groups/G0059/
◆APT35 (Malpedia)
https://malpedia.caad.fkie.fraunhofer.de/actor/apt35
◆Charming Kitten (Wikipedia)
https://en.wikipedia.org/wiki/Charming_Kitten
◆APT group: Magic Hound, APT 35, Cobalt Gypsy, Charming Kitten (ThaiCERT)
https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Magic%20Hound%2C%20APT%2035%2C%20Cobalt%20Gypsy%2C%20Charming%20Kitten
【別名】
| 攻撃組織名 |
命名組織 |
|---|---|
| Ajax Security Team | FireEye |
| APT35 | Mandiant |
| Charming Kitten | Clearsky CrowdStrike CERTFA |
| Cobalt Gypsy | |
| Cobalt Illusion | Secureworks |
| ITG18 | X-Force(IBM) |
| Magic Hound | Paloalto |
| NewsBeef | Kaspersky |
| Newscaster | |
| Phosphorus | Microsoft |
| TA453 | Proofpoint |
| Tarh Andishan | Cylance |
| TEMP.Beanie | FireEye |
| Timberworm | Symantec |
| Yellow Garuda | PwC |
【作戦名】
| 作戦名 | 時期 | 備考 |
|---|---|---|
| Operation Saffron Rose | 2014 | FireEye |
| Operation Woolen-Goldfish | 2015 |
【使用マルウェア/ツール】 *1
| ATT&CK ID | 名称 |
|---|---|
| S0186 | DownPaper |
| S0224 | Havij |
| S0002 | Mimikatz |
| S0029 | PsExec |
| S0192 | Pupy |
| S0225 | sqlmap |
| Memento |
【関係が深い攻撃組織】
| 組織名 | 備考 |
|---|---|
| APT42 | |
| Rocket Kitten |
【最新情報】
◆Cyberspies linked to Memento ransomware use new PowerShell malware (BleepingComputer, 2022/02/01 14:00)
[ランサムウェア「Memento」に関連するサイバースピーが新しいPowerShellマルウェアを使用]
https://www.bleepingcomputer.com/news/security/cyberspies-linked-to-memento-ransomware-use-new-powershell-malware/
⇒ https://malware-log.hatenablog.com/entry/2022/02/01/000000_1
◆PowerLessトロイの木馬:中東のAPTグループPhosphorusがスパイ活動用に新種のPowerShellバックドアを開発 (Cyberreason, 2022/02/24)
https://www.cybereason.co.jp/blog/cyberattack/7583/
⇒ https://malware-log.hatenablog.com/entry/2022/02/24/000000_14
記事
【ニュース】
■2017年
◆Kaspersky Lab、データを破壊する新マルウエア「StoneDrill」を発見 (ITPro, 2017/03/10)
http://itpro.nikkeibp.co.jp/atcl/news/17/031000785/
⇒ http://malware-log.hatenablog.com/entry/2017/03/10/000000_6
■2018年
◆2018년 주목해야 할 정부지원 해킹그룹 8 (boannews, 2018/02/17)
[2018年注目すべき政府支援ハッキンググループ8]
http://www.boannews.com/media/view.asp?idx=66847
⇒ http://malware-log.hatenablog.com/entry/2018/02/17/000000
■2019年
◆MS、イランのハッカー集団のドメイン差し押さえ--裁判所命令勝ち取る (ZDNet, 2019/3/28 13:05)
https://japan.zdnet.com/article/35134876/
⇒ https://malware-log.hatenablog.com/entry/2019/03/28/000000_2
■2020年
◆米イランの対立で「サイバー空間」の戦争はどうなる? (ビジネス+IT, 2020/01/19)
https://www.sbbit.jp/article/cont1/37555
⇒ https://malware-log.hatenablog.com/entry/2020/01/19/000000
◆レムデシビル製造元の米ギリアドにサイバー攻撃 イラン系ハッカー集団か (Newsweek, 2020/05/09 11:00)
https://www.newsweekjapan.jp/stories/world/2020/05/post-93369.php
⇒ https://malware-log.hatenablog.com/entry/2020/05/09/000000
◆Iranian Spies Accidentally Leaked Videos of Themselves Hacking (WIRED, 2020/07/16 06:00)
[イランのスパイがハッキングの様子を撮影した動画を偶然にも公開]IBM’s X-Force security team obtained five hours of APT35 hacking operations, showing exactly how the group steals data from email accounts—and who it’s targeting.
[IBMのX-Forceセキュリティチームは5時間のAPT35ハッキング操作を入手し、グループがどのようにメールアカウントからデータを盗んだか、そしてその対象者を明らかにしました]https://www.wired.com/story/iran-apt35-hacking-video/
⇒ https://malware-log.hatenablog.com/entry/2020/07/16/000000_5
◆Iranian cyberspies leave training videos exposed online (ZDNet, 2020/07/16 10:05)
[イランのサイバースパイがトレーニングビデオをネット上に公開]Cyber-security firm IBM X-Force finds video recordings used to train Iranian state hackers.
[サイバーセキュリティ企業のIBM X-Forceは、イラン国家のハッカーの訓練に使用されたビデオ記録を発見しました]https://www.zdnet.com/article/iranian-cyberspies-leave-training-videos-exposed-online/
⇒ https://malware-log.hatenablog.com/entry/2020/07/16/000000_6
◆イランのハッカーグループが作成したトレーニング用の動画が流出か--IBM X-Force (ZDNet, 2020/07/20)
https://japan.zdnet.com/article/35157008/
⇒ https://malware-log.hatenablog.com/entry/2020/07/20/000000_4
■2021年
◆Googleがイラン政府系ハッカー組織について公式警告を発表 (Gigazine, 2021/10/15 11:17)
https://gigazine.net/news/20211015-google-countering-threats-from-iran/
⇒ https://malware-log.hatenablog.com/entry/2021/10/15/000000_3
◆「Log4j」脆弱性、中国や北朝鮮発の悪用をMicrosoftが確認 (ITmedia, 2021/12/16 07:29)
https://www.itmedia.co.jp/news/articles/2112/16/news065.html
⇒ https://malware-log.hatenablog.com/entry/2021/12/16/000000
◆US govt sanctions ten Iranians linked to ransomware attacks (BleepingComputer, 2022/10/14 11:43)
[米国政府、ランサムウェア攻撃に関連するイラン人10名に制裁措置]
https://www.bleepingcomputer.com/news/security/us-govt-sanctions-ten-iranians-linked-to-ransomware-attacks/
■2023年
◆Iranian hackers backdoor 34 orgs with new Sponsor malware (BleepingComputer, 2023/09/11 12:19)
[イランのハッカー、新マルウェア「Sponsor」で34の組織をバックドア感染させる]
https://www.bleepingcomputer.com/news/security/iranian-hackers-backdoor-34-orgs-with-new-sponsor-malware/
⇒ https://malware-log.hatenablog.com/entry/2023/09/11/000000_2
■2024年
◆イランAPT:TA453が偽のポッドキャストへの出演依頼で宗教関係者を標的にし、新しいBlackSmithマルウェアツールセットを配信 (Proofpoint, 2024/08/20)
https://www.proofpoint.com/jp/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
⇒ https://malware-log.hatenablog.com/entry/2024/08/20/000000_5
■2025年
◇2025年11月
◆APT35 Hacker Groups Internal Documents Leak Exposes their Targets and Attack Methods (Cyber Security News, 2025/11/24)
[APT35ハッカーグループの内部文書流出により標的と攻撃手法が暴露される]
https://cybersecuritynews.com/apt35-hacker-groups-internal-documents/
⇒ https://malware-log.hatenablog.com/entry/2025/11/24/000000_2
【ブログ】
■2017年
◆Magic Hound Campaign Attacks Saudi Targets (UNIT42, 2017/02/15 21:16)
[Magic Houndキャンペーンでは、サウジアラビアをターゲットにした]
https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/
⇒ http://malware-log.hatenablog.com/entry/2017/02/15/000000_8
◆From Shamoon to StoneDrill (Kaspersky, 2017/03/06 15:36)
[シャムーンからストーンドリルへ]
https://securelist.com/from-shamoon-to-stonedrill/77725/
⇒ http://malware-log.hatenablog.com/entry/2017/03/06/000000_1
◆CopyKittens Exposed by ClearSky and Trend Micro (Trendmicro, 2017/07/25)
[ClearSkyとTrend MicroによるCopyKittensの公開]
https://blog.trendmicro.com/copykittens-exposed-clearsky-trend-micro/
⇒ http://malware-log.hatenablog.com/entry/2017/07/25/000000_9
■2018年
◆OVERRULED: Containing a Potentially Destructive Adversary (FireEye, 2018/12/21)
[OVERRULED 潜在的破壊力のある敵を封じ込める]
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
⇒ https://malware-log.hatenablog.com/entry/2018/12/21/000000_19
■2019年
◆Microsoft slaps down 99 APT35/Charming Kitten domains (Naked Security(Sophos), 2019/04/01)
[マイクロソフト、APT35/Charming Kittenのドメイン99個を一斉削除]
https://nakedsecurity.sophos.com/2019/04/01/microsoft-slaps-down-99-apt35-charming-kitten-domains/
⇒ https://malware-log.hatenablog.com/entry/2019/04/01/000000_8
■2020年
◆脅威に関する情報: イラン関連サイバー攻撃オペレーション (UNIT42(Paloalto), 2020/01/13)
https://unit42.paloaltonetworks.jp/threat-brief-iranian-linked-cyber-operations/
⇒ https://malware-log.hatenablog.com/entry/2020/01/13/000000_3
■2021年
◆感染した環境でAPT35 ‘Charming Kitten' を発見 (DarkTrace, 2021/04/23)
https://www.darktrace.com/ja/blog/apt-35-charming-kitten-discovered-in-a-pre-infected-environment/
⇒ https://malware-log.hatenablog.com/entry/2021/04/23/000000_14
◆Countering threats from Iran (Google, 2021/10/14)
[イランからの脅威への対応]
https://blog.google/threat-analysis-group/countering-threats-iran/
⇒ https://malware-log.hatenablog.com/entry/2021/10/15/000000_4
■2022年
◆PowerLessトロイの木馬:中東のAPTグループPhosphorusがスパイ活動用に新種のPowerShellバックドアを開発 (Cyberreason, 2022/02/24)
https://www.cybereason.co.jp/blog/cyberattack/7583/
⇒ https://malware-log.hatenablog.com/entry/2022/02/24/000000_14
■2023年
◆Charming Kitten Updates POWERSTAR with an InterPlanetary Twist (Volexity, 2023/06/28)
https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/
⇒ https://malware-log.hatenablog.com/entry/2023/06/28/000000_7
【公開情報】
■2015年
◆Report: The CopyKittens are targeting Israelis (Clearsky, 2015/11/23)
[レポート コピーキッテンはイスラエル人をターゲットにしている]
https://www.clearskysec.com/report-the-copykittens-are-targeting-israelis/
⇒ http://malware-log.hatenablog.com/entry/2015/11/23/000000_1
■2025年
◇2025年11月
◆Threat Intelligence Report: APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets (DomainTools, 2025/11/21)
[脅威インテリジェンスレポート:レバノン、クウェート、トルコ、サウジアラビア、韓国、およびイラン国内の標的に対するAPT35のハッキング作戦内部漏洩]
https://dti.domaintools.com/threat-intelligence-report-apt35-internal-leak-of-hacking-campaigns-against-lebanon-kuwait-turkey-saudi-arabia-korea-and-domestic-iranian-targets/
⇒ https://malware-log.hatenablog.com/entry/2025/11/21/000000_4
【資料】
■2017年
◆FROM SHAMOON TO STONEDRILL (Kaspersky, 2017/03/07)
[シャムーンからストンドリルへ ]Wipers attacking Saudi organizations and beyond
[ワイパーがサウジの組織を超えて攻撃する]https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf
⇒ http://malware-log.hatenablog.com/entry/2017/03/06/000000_1
◆Operation Wilted Tulip (ClearSky Cyber Security, 2017/07/27)
[枯れたチューリップ作戦]
https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf
⇒ http://malware-log.hatenablog.com/entry/2017/07/27/000000_7
◆Charming Kitten (Clearsky, 2017/12)
http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
⇒ http://malware-log.hatenablog.com/entry/2017/12/01/000000_7
【コード】
◆pupy (n1nj4sec)
https://github.com/n1nj4sec/pupy
【検索】
google: APT35
google: TA453
google: Yellow Garuda
google: ITG18
google: Phosphorus
google: Charming Kitten
google:news: APT35
google:news: TA453
google:news: Yellow Garuda
google:news: ITG18
google:news: Phosphorus
google:news: Charming Kitten
google: site:virustotal.com APT35
google: site:virustotal.com TA453
google: site:virustotal.com Yellow Garuda
google: site:virustotal.com ITG18
google: site:virustotal.com Phosphorus
google: site:virustotal.com Charming Kitten
■Bing
https://www.bing.com/search?q=APT35
https://www.bing.com/search?q=TA453
https://www.bing.com/search?q=Yellow%20Garuda
https://www.bing.com/search?q=ITG18
https://www.bing.com/search?q=Phosphorus
https://www.bing.com/search?q=Charming%20Kitten
https://www.bing.com/news/search?q=APT35
https://www.bing.com/news/search?q=TA453
https://www.bing.com/news/search?q=Yellow%20Garuda
https://www.bing.com/news/search?q=ITG18
https://www.bing.com/news/search?q=Phosphorus
https://www.bing.com/news/search?q=Charming%20Kitten
https://twitter.com/search?q=%23APT35
https://twitter.com/search?q=%23TA453
https://twitter.com/search?q=%23Yellow%20Garuda
https://twitter.com/search?q=%23ITG18
https://twitter.com/search?q=%23Phosphorus
https://twitter.com/search?q=%23Charming%20Kitten
関連情報
【関連情報】
◆Ransomware: Memento (まとめ)
https://malware-log.hatenablog.com/entry/Memento
【関連まとめ記事】
◆標的型攻撃組織 / APT (まとめ)
https://malware-log.hatenablog.com/entry/APT
