APT35 Hackers Targeting Government and Military to Steal Login Credentials


Stormshield CTI researchers have identified two active phishing servers linked to APT35, revealing ongoing credential-stealing operations targeting government and military entities.

In an active threat-hunting operation, Stormshield’s Cyber Threat Intelligence (CTI) team discovered two malicious servers exhibiting hallmark characteristics of APT35 infrastructure.

These servers, mirroring footprints documented by Check Point, are hosting phishing pages designed to harvest login credentials from government, military, academic, and media organizations across the US, Middle East, and Europe.

The investigation began by examining an HTML page spotlighted in Check Point’s recent report on APT35 (also known as Mint Sandstorm, Charming Kitten, or Educated Manticore), an Iran-linked espionage group active since at least 2015.

The simple page displays four colored dots and loads identical JavaScript and CSS files from varying paths on different domains.

Query results in SilentPush UI.

Stormshield analysts leveraged this unique page structure to craft an html_body_ssdeep query on the SilentPush threat-hunting platform, enabling the rapid identification of similarly configured pages across the internet.

Identified Servers and Domains

Using the crafted query, the CTI team found eight matches associated with the IPv4 addresses 45.143.166[.]230 and 195.66.213[.]132, previously reported by Check Point. Additionally, two previously undocumented IPs emerged:

  • 84.200.193[.]20 (AS214036 Ultahost, Inc.) mapped to domains resolving mostly between early and mid-July 2025, with only one active domain remaining—rohan63[.]xyz.
  • 79.132.131[.]184 (AS39378 SERVINGA) hosts 49 “.online” domains, all still resolving, many spoofing video-conferencing services such as meet.go0gle[.]online and meet.video-connect[.]online. The latest registration—proof-video[.]online—went live on September 20, 2025.

These domains act as credential-phishing frontends, masquerading as legitimate government or military collaboration tools. Video conferencing themes have been central to APT35’s phishing tactics since 2023, according to Google threat analysts.

Hosting timeline for IPv4 84.200.193[.]20, source: Validin.

Further investigation uncovered tracking behaviors embedded in URL query parameters. A VirusTotal search for “entity:url url:online/?invitation” yielded multiple URLs submitted from Sweden and Israel between July and September 2025, all following an “invitation-” pattern.

Subdomain enumeration using “entity:domain domain:viliam.*” returned 112 “viliam.” subdomains, providing an effective method to discover new phishing sites potentially linked to this campaign.

Mitigations

The persistence of these servers and subdomain patterns indicates APT35’s continued focus on credential theft within sensitive sectors. Their reliance on predictable HTML templates and subdomain naming conventions offers defenders a reliable approach to detection:

  • Template fingerprinting: Query for the distinct four-dot HTML page across internet scan platforms.
  • Subdomain pattern monitoring: Watch for new “viliam.” prefixed domains resolving to suspicious IPv4s.
  • Phishing URL parameter searches: Track “?invitation-” query strings on “.online” domains via VirusTotal.
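The three hunting patterns above, expressed as detection logic over constructed proxy-log lines. This is an added example, not code from the Stormshield report; the log format, field order and the hostnames not taken from the report are assumptions.

```python
import re
from urllib.parse import urlsplit

# IPv4 addresses the report attributes to the campaign (undefanged for matching).
REPORT_IPV4 = {"79.132.131.184", "84.200.193.20"}

# Constructed sample lines, assumed format: "<timestamp> <client> <resolved_ip> <url>".
# meet.proof-video.online appears in the report; the other hosts are made up.
SAMPLE_LOG = """\
2025-09-21T08:12:03Z 10.1.4.22 79.132.131.184 https://meet.proof-video.online/?invitation-3f9a
2025-09-21T08:15:41Z 10.1.4.22 142.250.74.46 https://meet.google.com/abc-defg-hij
2025-09-21T09:02:17Z 10.1.7.9 84.200.193.20 http://viliam.constructed-host.xyz/login
2025-09-21T09:30:00Z 10.1.7.9 203.0.113.5 https://viliam.example-corp.online/
2025-09-21T10:11:55Z 10.1.3.3 198.51.100.7 https://docs.example.com/?invitation-token=1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def score_url(url, resolved_ip):
    """Return the report-derived signals that fire for one request, in fixed order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    if host.startswith("viliam."):                     # subdomain naming convention
        hits.append("viliam-subdomain")
    if host.endswith(".online") and parts.query.startswith("invitation-"):
        hits.append("invitation-query-on-online")      # "?invitation-" tracking parameter
    if resolved_ip in REPORT_IPV4:                     # known hosting IPv4
        hits.append("known-apt35-ipv4")
    return hits


def hunt(log_text):
    """Parse log lines; return (host, resolved_ip, signals) for every line that fires."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, _client, ip, url = m.groups()
        signals = score_url(url, ip)
        if signals:
            findings.append(((urlsplit(url).hostname or "").lower(), ip, signals))
    return findings


if __name__ == "__main__":
    for host, ip, signals in hunt(SAMPLE_LOG):
        print(f"{host:35} {ip:16} {','.join(signals)}")
```

The last sample line shows the guard the report's pattern implies: an "invitation-" query on a domain outside ".online" does not fire on its own.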

Stormshield has proactively blocked all identified indicators across its security products, safeguarding customers from these phishing infrastructures.

Nonetheless, government and military security teams should integrate these hunting techniques into their threat intelligence processes to detect and disable emerging APT35 assets before they can harvest credentials.

APT35’s phishing campaign targeting government and military organizations remains active and largely unchanged since the Check Point report.

While their tactics are straightforward, the predictability of their infrastructure can be leveraged by defenders to rapidly identify and neutralize malicious domains.

Security teams monitoring video-conference themed phishing, “viliam.” subdomains, and “invitation” URL queries can stay ahead of APT35’s credential-stealing efforts, protecting critical credentials from falling into adversary hands.

Indicators of Compromise

