Magic Hound
Aliases: TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35, Mint Sandstorm
Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. Since at least 2014 it has targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO) through complex social engineering campaigns.
ATT&CK techniques
T1056.001 Keylogging
T1567 Exfiltration Over Web Service
T1589.001 Credentials
T1547.001 Registry Run Keys / Startup Folder
T1059.001 PowerShell
T1016.002 Wi-Fi Discovery
T1588.002 Tool
T1584.001 Domains
T1059.003 Windows Command Shell
T1572 Protocol Tunneling
T1585.002 Email Accounts
T1591.001 Determine Physical Locations
T1071 Application Layer Protocol
T1071.001 Web Protocols
T1486 Data Encrypted for Impact
T1016.001 Internet Connection Discovery
T1586.002 Email Accounts
T1053.005 Scheduled Task
T1592.002 Software
T1021.001 Remote Desktop Protocol
T1087.003 Email Account
T1105 Ingress Tool Transfer
T1190 Exploit Public-Facing Application
T1204.002 Malicious File
T1218.011 Rundll32
T1027.010 Command Obfuscation
T1046 Network Service Discovery
T1590.005 IP Addresses
T1113 Screen Capture
T1573 Encrypted Channel
T1059.005 Visual Basic
T1595.002 Vulnerability Scanning
T1036.010 Masquerade Account Name
T1589.002 Email Addresses
T1204.001 Malicious Link
T1102.002 Bidirectional Communication
T1033 System Owner/User Discovery
T1098.002 Additional Email Delegate Permissions
T1070.004 File Deletion
T1027.013 Encrypted/Encoded File
T1566.002 Spearphishing Link
T1078.001 Default Accounts
T1083 File and Directory Discovery
T1016 System Network Configuration Discovery
T1036.005 Match Legitimate Name or Location
T1098.007 Additional Local or Domain Groups
T1598.003 Spearphishing Link
T1562.002 Disable Windows Event Logging
T1562.001 Disable or Modify Tools
T1049 System Network Connections Discovery
T1114 Email Collection
T1003.001 LSASS Memory
T1570 Lateral Tool Transfer
T1136.001 Local Account
T1057 Process Discovery
T1562.004 Disable or Modify System Firewall
T1114.002 Remote Email Collection
T1571 Non-Standard Port
T1070.003 Clear Command History
T1082 System Information Discovery
T1114.001 Local Email Collection
T1505.003 Web Shell
T1090 Proxy
T1036.004 Masquerade Task or Service
T1583.001 Domains
T1018 Remote System Discovery
T1112 Modify Registry
T1482 Domain Trust Discovery
T1589 Gather Victim Identity Information
T1078.002 Domain Accounts
T1566.003 Spearphishing via Service
T1560.001 Archive via Utility
T1585.001 Social Media Accounts
T1564.003 Hidden Window
T1562 Impair Defenses
T1005 Data from Local System
T1047 Windows Management Instrumentation
T1583.006 Web Services
T1189 Drive-by Compromise
T1566.001 Spearphishing Attachment
T1555.003 Credentials from Web Browsers
T1098 Account Manipulation
T1204 User Execution
Correlated CTI and IR reports
Magic Hound / APT35 G0059 (MITRE ATT&CK · direct source mapping)
Actor Deep Research Prompts (Israel Threat Actors CTI · explicit report mention)
Cyber Threat Intelligence Dossier: Iranian and Hamas-Aligned Operations Targeting Israeli and Allied Ecosystems (2023-2026) (Israel Threat Actors CTI · explicit report mention)
Defensive CTI Research on Threats to Israeli Government and Public-Sector Environments (Israel Threat Actors CTI · explicit report mention)
Defensive Cyber Threat Intelligence Report: Israeli Critical Infrastructure and Geopolitical Escalation (2024-2026) (Israel Threat Actors CTI · explicit report mention)
Executive Summary (Israel Threat Actors CTI · explicit report mention)
Israel Government Threat Actors CTI: Evidentiary Foundation Intake (Israel Threat Actors CTI · explicit report mention)
OilRig (APT34 / Helix Kitten / Earth Simnavaz etc) (Israel Threat Actors CTI · explicit report mention)
Release Notes (Israel Threat Actors CTI · explicit report mention)
Report Index (Israel Threat Actors CTI · explicit report mention)
Research Intake Upgrade Summary (Israel Threat Actors CTI · explicit report mention)
Mint Sandstorm (Microsoft Security Insider · actor context)
Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets (Microsoft Security · actor context)