Magic Hound

Active

Also known as: Magic Hound, TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35, Mint Sandstorm

🇨🇳

China

Active Since

2018

MITRE ID

G0059

Techniques

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021)

MITRE ATT&CK Techniques

Recon8

T1589.001Credentials

T1591.001Determine Physical Locations

T1589.002Email Addresses

T1589Gather Victim Identity Information

T1590.005IP Addresses

T1592.002Software

T1598.003Spearphishing Link

T1595.002Vulnerability Scanning

Resource7

T1583.001Domains

T1584.001Domains

T1586.002Email Accounts

T1585.002Email Accounts

T1585.001Social Media Accounts

T1588.002Tool

T1583.006Web Services

Initial4

T1189Drive-by Compromise

T1190Exploit Public-Facing Application

T1566.002Spearphishing Link

T1566.003Spearphishing via Service

Exec7

T1204.002Malicious File

T1204.001Malicious Link

T1059.001PowerShell

T1053.005Scheduled Task

T1059.005Visual Basic

T1059.003Windows Command Shell

T1047Windows Management Instrumentation

Persist5

T1098.002Additional Email Delegate Permissions

T1098.007Additional Local or Domain Groups

T1136.001Local Account

T1547.001Registry Run Keys / Startup Folder

T1505.003Web Shell

PrivEsc0

Defense16

T1070.003Clear Command History

T1027.010Command Obfuscation

T1078.001Default Accounts

T1562.004Disable or Modify System Firewall

T1562.001Disable or Modify Tools

T1562.002Disable Windows Event Logging

T1078.002Domain Accounts

T1027.013Encrypted/Encoded File

+8 more

Creds1

T1003.001LSASS Memory

Discovery12

T1482Domain Trust Discovery

T1087.003Email Account

T1083File and Directory Discovery

T1016.001Internet Connection Discovery

T1046Network Service Discovery

T1057Process Discovery

T1018Remote System Discovery

T1082System Information Discovery

+4 more

Lateral2

T1570Lateral Tool Transfer

T1021.001Remote Desktop Protocol

Collect7

T1560.001Archive via Utility

T1005Data from Local System

T1114Email Collection

T1056.001Keylogging

T1114.001Local Email Collection

T1114.002Remote Email Collection

T1113Screen Capture

C28

T1071Application Layer Protocol

T1102.002Bidirectional Communication

T1573Encrypted Channel

T1105Ingress Tool Transfer

T1571Non-Standard Port

T1572Protocol Tunneling

T1090Proxy

T1071.001Web Protocols

Exfil1

T1567Exfiltration Over Web Service

Impact1

T1486Data Encrypted for Impact

Known Victims

live · just now

No victims recorded in ransomware.live for this group.