Magic Hound (G0059) Threat Profile: Iran's Persistent Cyber Espionage
- Suspected Origin
- Iran
- Motivation
- Espionage, Geopolitical Influence, Data Theft, Disruption, Silencing Dissent, Spreading Propaganda
- Aliases
- TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35, Mint Sandstorm
- Target Sectors
- Government, Military, Defense Industrial Base, Academia, Journalism, NGOs, Energy, Telecommunications, Transportation, Critical Infrastructure, Technology, Biotech
- Associated Malware
- DownPaper, CharmPower, BROKEYOLK, Drokbk, HYPERSCRAPE, BELLACIAO, PUPYRAT, HOUSEBLEND, MediaPl, POWERSTAR, CHAINSHOT, Tickler, DustySky, HookStick, Pupy RAT, MagicHound.Leash, PowerLess Backdoor
Overview
Magic Hound, tracked by MITRE ATT&CK as G0059, is a sophisticated and persistent Iranian state-sponsored threat group. Also widely known by aliases such as APT35, Charming Kitten, Phosphorus, TA453, COBALT ILLUSION, ITG18, Newscaster, and Mint Sandstorm, this actor has been active since at least 2011 or 2014, making them one of Iran’s most enduring cyber operatives. The group is directly attributed to the Islamic Revolutionary Guard Corps (IRGC), functioning as an elite security and intelligence cohort within Iran’s military apparatus.
Magic Hound’s primary motivation revolves around intelligence collection that aligns directly with Iranian geopolitical priorities and foreign policy goals. This encompasses long-term cyber espionage, data theft, influencing discourse, and suppressing dissent. While historically focused on espionage, the group has demonstrated an evolving operational scope, occasionally incorporating destructive capabilities, blurring the line between intelligence gathering and disruptive attacks.
The group’s targeting is broad but strategically focused, spanning European, U.S., and Middle Eastern government and military personnel, the Defense Industrial Base (DIB), academics (particularly those with insights into Middle Eastern affairs or sensitive research like COVID-19 vaccines), journalists, human rights activists, and political dissidents. More recently, Magic Hound has expanded its targeting to include critical infrastructure, such as seaports, energy companies, transportation systems, and utility providers in the U.S. This shift, observed from late 2021 to mid-2022, was likely in retaliation for cyberattacks Iran attributed to Israel and the United States. The group’s activities often coincide with broader increases in the pace and scope of cyberattacks attributed to Iranian threat actors, correlating with shifts in Iran’s national security apparatus.
Tactics & Techniques
Magic Hound is highly proficient in social engineering, which forms the bedrock of their initial access strategies. They meticulously craft sophisticated spear-phishing campaigns, often impersonating legitimate entities like journalists, academics, or non-governmental organizations to build trust with their targets over weeks or months. They leverage fake personas on social media platforms such as LinkedIn and WhatsApp to engage targets before delivering malicious links or attachments. These lures frequently direct victims to credential harvesting pages designed to steal login information for email accounts and other services, sometimes by attempting to game password reset or account recovery features.
Beyond social engineering, Magic Hound rapidly weaponizes N-day vulnerabilities in popular enterprise applications. They have been observed exploiting flaws such as Log4j (CVE-2021-44228), on-premises Microsoft Exchange servers via “ProxyShell” (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and Fortinet FortiOS SSL VPNs (CVE-2018-13379) shortly after proof-of-concepts become public. Initial access methods also include malicious Microsoft Office documents containing macros that download shellcode-based payloads.
For lateral movement and persistence, the group utilizes tools like Impacket, PowerShell scripts for reconnaissance and command execution, and commodity credential dumping tools such as Mimikatz. They establish persistence through custom malware, scheduled tasks, and the abuse of legitimate cloud services like Google Drive, Microsoft OneDrive, and GitHub for command-and-control (C2) communications, exploiting the trusted nature of these platforms to evade detection. They have also used SSH tunnels for C2 and created scheduled tasks to maintain access.
Notable Campaigns
Magic Hound has a long history of impactful campaigns:
- Newscaster Campaign (2014): This early campaign involved using fake journalist personas to extract sensitive information.
- Targeting Saudi Entities (mid-2016): The group focused on organizations in the government, energy, and technology sectors within Saudi Arabia.
- U.S. Presidential Campaign Interference Attempts (2019-2020): Magic Hound conducted hundreds of phishing attempts against U.S. presidential campaigns and related individuals, though compromised accounts were not directly tied to the campaigns.
- COVID-19 Research Attacks (2020): Universities and pharmaceutical firms in the U.S. and U.K. were targeted for vaccine research, including the World Health Organization (WHO).
- U.S. Critical Infrastructure Targeting (late 2021-mid-2022): A significant shift saw a subgroup of Magic Hound targeting critical infrastructure entities, including seaports, energy companies, and transportation systems, in potential retaliation for cyberattacks on Iran.
- Targeting Defense Contractors and Foreign Policy Teams (2022-2023): The group aimed at US defense contractors and members of the Biden administration’s foreign policy team, employing spear phishing with malicious links to compromised legitimate websites.
- Activist Targeting in Europe (2023): Campaigns specifically focused on activists in Europe.
- High-Profile Individuals at Universities and Research Orgs (since November 2023): A distinct subgroup has been observed targeting individuals working on Middle Eastern affairs across universities and research organizations in Belgium, France, Gaza, Israel, the UK, and the US, utilizing bespoke phishing lures and a new custom backdoor called MediaPl.
- Internal Document Leak (October 2025): Leaked internal documents from APT35 (Charming Kitten) surfaced, revealing a highly structured, quota-driven cyber operations unit operating under a bureaucratic military chain of command. The documents detailed campaigns against diplomatic and governmental mail servers in Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and even domestic Iranian targets, emphasizing strategic intelligence collection.
Associated Malware & Tools
Magic Hound employs a diverse toolkit comprising both custom-developed malware and readily available commodity tools. Custom Malware:
- DownPaper: A lightweight dropper for establishing persistence and downloading secondary payloads.
- CharmPower: A modular PowerShell-based backdoor enabling reconnaissance, command execution, and data exfiltration.
- BROKEYOLK & Drokbk: Android-targeting tools designed to compromise mobile devices, often used against journalists and dissidents.
- HYPERSCRAPE: A tool designed to steal data from well-known email providers like Google, Yahoo!, and Microsoft by creating a session on behalf of the target.
- BELLACIAO: An ASPX webshell variant used for IIS lateral movement.
- MediaPl: A newer, custom backdoor observed in campaigns since late 2023, leveraging obscure APIs.
- Other custom malware includes POWERSTAR, CHAINSHOT, Tickler, DustySky, HookStick, MagicHound.Leash (an IRC bot), FUELDUMP Loader/Stealer, NokNok modules for persistent surveillance, and PowerLess Backdoor.
Commodity Tools: The group frequently integrates open-source and commercial tools, including:
- Mimikatz: For credential dumping.
- Impacket: For lateral movement.
- Metasploit, Havij, sqlmap: For various exploitation and database interactions.
- PsExec: For remote execution.
- Pupy RAT: A Python-based open-source remote administration tool. They also extensively use PowerShell scripts for various attack phases, from initial access to lateral movement and data staging.
For command and control (C2) infrastructure, Magic Hound often leverages legitimate cloud services such as Google Drive, Microsoft OneDrive, and GitHub, as well as Amazon S3 buckets, webhook.site, and IRC. This strategy helps them blend C2 traffic with normal network activity and bypass traditional security controls.
Current Status
Magic Hound remains an active and evolving threat actor. Recent intelligence indicates continuous refinement of their tactics, techniques, and procedures (TTPs), demonstrating a commitment to improving their tradecraft and evading detection.
Since November 2023, a distinct subgroup has been actively targeting high-profile individuals at universities and research organizations with interests in Middle Eastern affairs across multiple Western and Middle Eastern countries. This campaign specifically introduced a new, custom backdoor named MediaPl. Microsoft has noted an increased aggression and scope in Iranian threat actor operations since September 2021, which appears to correlate with a new national security apparatus in Iran, suggesting fewer operational constraints.
The leaked internal documents from October 2025 further confirm the group’s highly organized and mission-driven nature, operating as a disciplined element within the IRGC’s cyber-intelligence arm with specific targeting quotas. Security researchers continue to observe their capacity for rapid weaponization of N-day vulnerabilities, sophisticated social engineering, and bespoke tooling. Given the ongoing geopolitical tensions, further cyber activity from Magic Hound is anticipated, as highlighted by a June 2025 assessment by Sysdig Threat Research Team in the context of U.S. strikes on Iranian nuclear infrastructure. Their focus remains on intelligence gathering, with a demonstrated willingness to pivot to disruptive actions when aligned with Iran’s strategic objectives.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call