APT35: Iran’s Persistent Cyber Espionage Force
ID: 0e00eb6a-3bc9-5028-b11d-06b775c74d8d
STIX ID: report--0e00eb6a-3bc9-5028-b11d-06b775c74d8d
Feed Name: Brandefense Blog
APT35 (aka Charming Kitten, among multiple other aliases) is an Iran-linked persistent cyber espionage and influence actor, active since at least 2011, that targets governments, academia, NGOs, media, and dissident communities. The group relies heavily on social engineering and phishing (including credential-harvesting fake login portals), conducts watering-hole attacks, abuses VPNs, and employs custom malware (POWERSTAR, CHAINSHOT, Tickler, DustySky, HookStick) alongside legitimate cloud services (Google Drive, OneDrive) for C2 and exfiltration. Its recent evolution includes supply-chain targeting and AI-assisted disinformation campaigns, with documented operations against universities, defense firms, activists, and election-related targets.
