Threat Intelligence Tarot
Major Arcana · 13
Iran (IRGC)
G0059
risk 3/5
The Charmed One
APT35
Charming Kitten · Phosphorus · Mint Sandstorm · Magic Hound
Journalists · Activists · Academic researchers · Nuclear negotiators · Government officials
Active since ~2014 · Surveillance, Espionage, Targeting dissidents and journalists
It charms. It sends friendly emails from plausible names. It schedules interviews that never happen. It builds rapport, earns trust, and then steals the credentials of everyone who believed in its warmth.
Tactics & Techniques
  • T1566.002 · Spearphishing Link · Initial Access
  • T1078 · Valid Accounts · Defense Evasion
  • T1056.001 · Keylogging · Collection
  • T1598.003 · Spearphishing Link · Reconnaissance
  • T1134 · Access Token Manipulation · Privilege Escalation
Notable Operations
  • Targeting JCPOA nuclear deal negotiators
  • COVID-19 vaccine research espionage
  • Journalist and activist credential harvesting
  • Fake interview social engineering campaign
Defenses
  • Journalist and researcher security training on social engineering
    NIST CSF: PR.AT
  • Hardware security keys for email and account access
    NIST SP 800-63B
  • Secure communication tools for sensitive sources (Signal)
    EFF guidance
  • Domain and email header verification practices
    CIS Control 9
Reversed: Their Weakness
Charming Kitten's social engineering requires direct human interaction - a vulnerability. Targets who report suspicious contact provide investigators with tradecraft details that erode its effectiveness over time.

Data sourced from MITRE ATT&CK. For educational purposes.