Threat Actor Profile
Description
Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. Since at least 2014, the group has targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO) via complex social engineering campaigns. (Citation: FireEye APT35 2018) (Citation: ClearSky Kittens Back 3 August 2020) (Citation: Certfa Charming Kitten January 2021) (Citation: Secureworks COBALT ILLUSION Threat Profile) (Citation: Proofpoint TA453 July2021)
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (79)
STIX Data
{'aliases': ['Magic Hound',
'TA453',
'COBALT ILLUSION',
'Charming Kitten',
'ITG18',
'Phosphorus',
'Newscaster',
'APT35',
'Mint Sandstorm'],
'created': '2018-01-16T16:13:52.465Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Magic Hound](https://attack.mitre.org/groups/G0059) is an '
'Iranian-sponsored threat group that conducts long term, '
'resource-intensive cyber espionage operations, likely on '
'behalf of the Islamic Revolutionary Guard Corps. They have '
'targeted European, U.S., and Middle Eastern government and '
'military personnel, academics, journalists, and organizations '
'such as the World Health Organization (WHO), via complex '
'social engineering campaigns since at least 2014.(Citation: '
'FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August '
'2020)(Citation: Certfa Charming Kitten January '
'2021)(Citation: Secureworks COBALT ILLUSION Threat '
'Profile)(Citation: Proofpoint TA453 July2021)',
'external_references': [{'external_id': 'G0059',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G0059'},
{'description': '(Citation: ClearSky Charming Kitten '
'Dec 2017)(Citation: Eweek Newscaster '
'and Charming Kitten May '
'2014)(Citation: ClearSky Kittens '
'Back 2 Oct 2019)(Citation: ClearSky '
'Kittens Back 3 August '
'2020)(Citation: Proofpoint TA453 '
'March 2021)(Citation: Check Point '
'APT35 CharmPower January 2022)',
'source_name': 'Charming Kitten'},
{'description': '(Citation: FireEye APT35 '
'2018)(Citation: Certfa Charming '
'Kitten January 2021)(Citation: Check '
'Point APT35 CharmPower January 2022)',
'source_name': 'APT35'},
{'description': '(Citation: IBM ITG18 2020)',
'source_name': 'ITG18'},
{'description': '(Citation: Microsoft Phosphorus Mar '
'2019)(Citation: Microsoft Phosphorus '
'Oct 2020)(Citation: US District '
'Court of DC Phosphorus Complaint '
'2019)(Citation: Certfa Charming '
'Kitten January 2021)(Citation: '
'Proofpoint TA453 March '
'2021)(Citation: Check Point APT35 '
'CharmPower January 2022)',
'source_name': 'Phosphorus'},
{'description': '(Citation: Microsoft Threat Actor '
'Naming July 2023)',
'source_name': 'Mint Sandstorm'},
{'description': '(Citation: Proofpoint TA453 March '
'2021)(Citation: Proofpoint TA453 '
'July2021)(Citation: Check Point '
'APT35 CharmPower January 2022)',
'source_name': 'TA453'},
{'description': '(Citation: Secureworks COBALT '
'ILLUSION Threat Profile)',
'source_name': 'COBALT ILLUSION'},
{'description': '(Citation: Unit 42 Magic Hound Feb '
'2017)',
'source_name': 'Magic Hound'},
{'description': 'Burt, T. (2019, March 27). New steps '
'to protect customers from hacking. '
'Retrieved May 27, 2020.',
'source_name': 'Microsoft Phosphorus Mar 2019',
'url': 'https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/'},
{'description': 'Burt, T. (2020, October 28). '
'Cyberattacks target international '
'conference attendees. Retrieved '
'March 8, 2021.',
'source_name': 'Microsoft Phosphorus Oct 2020',
'url': 'https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/'},
{'description': 'Certfa Labs. (2021, January 8). '
'Charming Kitten’s Christmas Gift. '
'Retrieved May 3, 2021.',
'source_name': 'Certfa Charming Kitten January 2021',
'url': 'https://blog.certfa.com/posts/charming-kitten-christmas-gift/'},
{'description': 'Check Point. (2022, January 11). '
'APT35 exploits Log4j vulnerability '
'to distribute new modular PowerShell '
'toolkit. Retrieved January 24, 2022.',
'source_name': 'Check Point APT35 CharmPower January '
'2022',
'url': 'https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/'},
{'description': 'ClearSky Cyber Security. (2017, '
'December). Charming Kitten. '
'Retrieved December 27, 2017.',
'source_name': 'ClearSky Charming Kitten Dec 2017',
'url': 'http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf'},
{'description': 'ClearSky Research Team. (2019, '
'October 1). The Kittens Are Back in '
'Town2 - Charming Kitten Campaign '
'KeepsGoing on, Using New '
'Impersonation Methods. Retrieved '
'April 21, 2021.',
'source_name': 'ClearSky Kittens Back 2 Oct 2019',
'url': 'https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf'},
{'description': 'ClearSky Research Team. (2020, '
'August 1). The Kittens Are Back in '
'Town 3 - Charming Kitten Campaign '
'Evolved and Deploying Spear-Phishing '
'link by WhatsApp. Retrieved April '
'21, 2021.',
'source_name': 'ClearSky Kittens Back 3 August 2020',
'url': 'https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf'},
{'description': 'Kerner, S. (2014, May 29). '
'Newscaster Threat Uses Social Media '
'for Intelligence Gathering. '
'Retrieved April 14, 2021.',
'source_name': 'Eweek Newscaster and Charming Kitten '
'May 2014',
'url': 'https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering'},
{'description': 'Lee, B. and Falcone, R. (2017, '
'February 15). Magic Hound Campaign '
'Attacks Saudi Targets. Retrieved '
'December 27, 2017.',
'source_name': 'Unit 42 Magic Hound Feb 2017',
'url': 'https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/'},
{'description': 'Link analysis of infrastructure and '
'tools revealed a potential '
'relationship between Magic Hound and '
'the older attack campaign called '
'Newscaster (aka '
'Newscasters).(Citation: Unit 42 '
'Magic Hound Feb 2017)(Citation: '
'FireEye APT35 2018)',
'source_name': 'Newscaster'},
{'description': 'Mandiant. (2018). Mandiant M-Trends '
'2018. Retrieved November 17, 2024.',
'source_name': 'FireEye APT35 2018',
'url': 'https://static.carahsoft.com/concrete/files/1015/2779/3571/M-Trends-2018-Report.pdf'},
{'description': 'Microsoft . (2023, July 12). How '
'Microsoft names threat actors. '
'Retrieved November 17, 2023.',
'source_name': 'Microsoft Threat Actor Naming July '
'2023',
'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
{'description': 'Miller, J. et al. (2021, July 13). '
'Operation SpoofedScholars: A '
'Conversation with TA453. Retrieved '
'August 18, 2021.',
'source_name': 'Proofpoint TA453 July2021',
'url': 'https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453'},
{'description': 'Miller, J. et al. (2021, March 30). '
'BadBlood: TA453 Targets US and '
'Israeli Medical Research Personnel '
'in Credential Phishing Campaigns. '
'Retrieved May 4, 2021.',
'source_name': 'Proofpoint TA453 March 2021',
'url': 'https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential'},
{'description': 'Secureworks. (n.d.). COBALT ILLUSION '
'Threat Profile. Retrieved April 14, '
'2021.',
'source_name': 'Secureworks COBALT ILLUSION Threat '
'Profile',
'url': 'https://www.secureworks.com/research/threat-profiles/cobalt-illusion'},
{'description': 'US District Court of DC. (2019, '
'March 14). MICROSOFT CORPORATION v. '
'JOHN DOES 1-2, CONTROLLING A '
'COMPUTER NETWORK AND THEREBY '
'INJURING PLAINTIFF AND ITS '
'CUSTOMERS. Retrieved March 8, 2021.',
'source_name': 'US District Court of DC Phosphorus '
'Complaint 2019',
'url': 'https://noticeofpleadings.com/phosphorus/files/Complaint.pdf'},
{'description': 'Wikoff, A. Emerson, R. (2020, July '
'16). New Research Exposes Iranian '
'Threat Group Operations. Retrieved '
'March 8, 2021.',
'source_name': 'IBM ITG18 2020',
'url': 'https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/'}],
'id': 'intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13',
'modified': '2024-11-17T16:17:26.385Z',
'name': 'Magic Hound',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Anastasios Pingios',
'Bryan Lee',
'Daniyal Naeem, BT Security'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '6.1'}