Home/ Threat Actors/ Magic Hound

🇮🇷Magic Hound

🇮🇷 Magic Hound is a tracked threat actor in the Clankerusecase corpus. IR-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 78 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0059) ↗

14Use cases

0Articles

78Techniques

0IOCs

About this actor (MITRE)

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Securew

Known aliases

Magic HoundTA453COBALT ILLUSIONCharming KittenITG18PhosphorusNewscasterAPT35Mint Sandstorm

Top techniques

T1003.001 · LSASS Memory T1005 · Data from Local System T1016 · System Network Configuration Discovery

All other tracked techniques

T1016.001 · Internet Connection Discovery T1016.002 · Wi-Fi Discovery T1018 · Remote System Discovery T1021.001 · Remote Desktop Protocol T1027.010 · Command Obfuscation T1027.013 · Encrypted/Encoded File T1033 · System Owner/User Discovery T1036.004 · Masquerade Task or Service T1036.005 · Match Legitimate Resource Name or Location T1036.010 · Masquerade Account Name T1046 · Network Service Discovery T1047 · Windows Management Instrumentation T1049 · System Network Connections Discovery T1053.005 · Scheduled Task T1056.001 · Keylogging T1057 · Process Discovery T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1070.003 · Clear Command History T1070.004 · File Deletion T1071 · Application Layer Protocol T1071.001 · Web Protocols T1078.001 · Default Accounts T1078.002 · Domain Accounts T1082 · System Information Discovery T1083 · File and Directory Discovery T1087.003 · Email Account T1090 · Proxy T1098.002 · Additional Email Delegate Permissions T1098.007 · Additional Local or Domain Groups T1102.002 · Bidirectional Communication T1105 · Ingress Tool Transfer T1112 · Modify Registry T1113 · Screen Capture T1114 · Email Collection T1114.001 · Local Email Collection T1114.002 · Remote Email Collection T1136.001 · Local Account T1189 · Drive-by Compromise T1190 · Exploit Public-Facing Application T1204.001 · Malicious Link T1204.002 · Malicious File T1218.011 · Rundll32 T1482 · Domain Trust Discovery T1486 · Data Encrypted for Impact T1505.003 · Web Shell T1547.001 · Registry Run Keys / Startup Folder T1560.001 · Archive via Utility T1564.003 · Hidden Window T1566.002 · Spearphishing Link T1566.003 · Spearphishing via Service T1567 · Exfiltration Over Web Service T1570 · Lateral Tool Transfer T1571 · Non-Standard Port T1572 · Protocol Tunneling T1573 · Encrypted Channel T1583.001 · Domains T1583.006 · Web Services T1584.001 · Domains T1585.001 · Social Media Accounts T1585.002 · Email Accounts T1586.002 · Email Accounts T1588.002 · Tool T1589 · Gather Victim Identity Information T1589.001 · Credentials T1589.002 · Email Addresses T1590.005 · IP Addresses T1591.001 · Determine Physical Locations T1592.002 · Software T1595.002 · Vulnerability Scanning T1598.003 · Spearphishing Link T1685 · Disable or Modify Tools T1685.001 · Disable or Modify Windows Event Log T1686.003 · Windows Host Firewall

Detection use cases (14)

Magic Hound (APT35/Charming Kitten) CharmPower/PowerLess maldoc chain — Office-spawned scripting host followed by schtasks persistence AI · profile S Magic Hound (TA453/Charming Kitten) post-compromise mailbox-rule abuse — auto-forward / delete inbox rules with external recipient AI · profile S Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm Install-Time Lifecycle Hook Triggers Outbound Egress to Newly-Seen Domain (Shai-Hulud/Miasma/IronWorm pattern) MITRE match