Stormshield’s CTI team uncovered new phishing infrastructure linked to APT35, an Iran-based threat group, aimed at high-value targets with video conferencing-themed campaigns. Their research details new IPs, domain patterns, and tactics used by APT35, emphasizing ongoing regional espionage activity. #APT35 #CharmingKitten
Key points
- APT35 continues to deploy video conferencing-themed phishing campaigns against Middle Eastern targets.
- Stormshield identified new suspicious servers that share characteristics with previously reported APT35 infrastructure.
- The threat actors use domains with specific patterns, including subdomains starting with “viliam” and URLs containing “?invitation”.
- A stealthy HTML loading animation (the “four colored dots”) is part of the phishing setup and has been used consistently since 2025.
- Defense strategies include searching for the specific URL patterns and scanning subdomains to detect ongoing APT35 activity.
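The two URL patterns above (a leftmost hostname label beginning with “viliam” and a query string carrying “?invitation”) can be checked against proxy or DNS logs. The script below is an added example, not code from Stormshield’s research; the log format, domains and IPs in it are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs
import re

# Patterns named in the report: leftmost hostname label starting with "viliam",
# and URLs whose query string carries an "invitation" parameter.
SUBDOMAIN_PREFIX = "viliam"
QUERY_PARAM = "invitation"

# Constructed proxy log lines (not real data): "<timestamp> <client_ip> <url>".
SAMPLE_LOG = """\
2025-06-01T09:12:03Z 10.0.0.15 https://viliam-meet.example-lookalike.test/join?invitation=abc123
2025-06-01T09:13:44Z 10.0.0.22 https://meet.legit-vendor.test/room?id=42
2025-06-01T09:15:10Z 10.0.0.15 http://www.example.test/path?invitation
2025-06-01T09:16:55Z 10.0.0.31 https://VILIAM.example-lookalike.test:8443/
2025-06-01T09:18:20Z 10.0.0.40 https://cdn.example.test/viliam/script.js
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<url>\S+)$")


def match_indicators(url: str) -> list[str]:
    """Return the names of the reported patterns this URL matches (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname drops port and userinfo
    hits = []
    # Leftmost label only: "viliam.x.test" matches, a "/viliam/" path does not.
    if host.split(".")[0].startswith(SUBDOMAIN_PREFIX):
        hits.append("viliam-subdomain")
    # keep_blank_values keeps a bare "?invitation" (no value) as a parameter.
    if QUERY_PARAM in parse_qs(parts.query, keep_blank_values=True):
        hits.append("invitation-query")
    return hits


def scan_log(text: str) -> list[dict]:
    """Scan log lines; return one record per line matching at least one pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        hits = match_indicators(m["url"])
        if hits:
            findings.append({"src": m["src"], "url": m["url"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["src"], ",".join(f["hits"]), f["url"])
```

Matches on either pattern alone are leads to triage, not confirmations; the sample run flags three of the five constructed lines.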