TA453 (Proofpoint), PHOSPHORUS, APT35
APT35 is a state-sponsored Iranian threat group active since at least 2014. Their targets include military, diplomatic, and government entities across the U.S., Europe, and the Middle East, along with individuals in research, media, energy, and the defense contracting sector.
APT35 is known for credential theft targeting Microsoft 365, Gmail, and cloud-based VPN portals. Their tactics include phishing, password spraying, and token theft. Microsoft has reported that the group attempted to breach over 250 Office 365 tenants using stolen credentials and brute-force techniques.
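As an added defensive illustration (not code from the original profile or from any vendor report), the password-spraying pattern described above can be surfaced from tenant sign-in logs by looking for one source hitting many distinct accounts with failed logins in a short window; the sample events, thresholds and account names below are constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample M365-style sign-in events (not real logs):
# (UTC timestamp, user principal name, source IP, result)
SAMPLE_SIGNINS = [
    ("2024-01-10T08:00:05", "alice@example.com", "203.0.113.7", "failure"),
    ("2024-01-10T08:00:09", "bob@example.com", "203.0.113.7", "failure"),
    ("2024-01-10T08:00:14", "carol@example.com", "203.0.113.7", "failure"),
    ("2024-01-10T08:00:20", "dave@example.com", "203.0.113.7", "failure"),
    ("2024-01-10T08:00:27", "erin@example.com", "203.0.113.7", "failure"),
    ("2024-01-10T08:00:33", "frank@example.com", "203.0.113.7", "success"),
    ("2024-01-10T09:15:00", "bob@example.com", "198.51.100.4", "failure"),
    ("2024-01-10T09:15:30", "bob@example.com", "198.51.100.4", "failure"),
    ("2024-01-10T09:16:00", "bob@example.com", "198.51.100.4", "success"),
]

def _parse(ts):
    return datetime.fromisoformat(ts)

def detect_password_spray(records, window_minutes=10, min_accounts=5):
    """Flag source IPs whose failed sign-ins touch at least min_accounts
    distinct accounts inside any window_minutes window (one password tried
    against many accounts). Returns {ip: sorted list of targeted accounts}.
    A single user failing repeatedly from one IP is not flagged."""
    failures = defaultdict(list)
    for ts, user, ip, result in records:
        if result == "failure":
            failures[ip].append((_parse(ts), user))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, events in failures.items():
        events.sort()  # chronological, so events[i:] are at or after start
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged

def successes_from_flagged_ips(records, flagged):
    """Accounts that signed in successfully from a flagged source IP: the
    likely-compromised set to prioritise for session revocation and reset."""
    hits = defaultdict(set)
    for ts, user, ip, result in records:
        if ip in flagged and result == "success":
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}
```

Real tenant exports carry more fields (app, client, conditional-access result); the two functions only need the four columns shown, so map them from whichever log schema you ingest.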
The group developed Hyperscrape, a custom tool designed to log into victim Gmail and Microsoft accounts and covertly extract email data without raising alerts.
APT35 has built multiple malware families, including PowerLess, a stealthy PowerShell backdoor that runs without invoking powershell.exe, and BellaCiao, a dropper that delivers customized implants based on the victim’s geographic location.
To maintain access and evade detection, APT35 uses Fast Reverse Proxy (FRP) to tunnel RDP and command-and-control (C2) traffic through attacker-controlled infrastructure. This includes cloud services like Azure or VPS providers, allowing them to bypass firewall restrictions.
While APT35’s payloads typically target Windows systems, their initial access techniques often impact Linux environments. They've exploited vulnerabilities such as Log4Shell (Log4j) in Apache servers, Exchange, and VPN appliances like Fortinet and Zimbra, using methods like reverse shells and credential harvesting to compromise cloud-hosted Linux systems.