Yoshi · @chicagocyber
1046 followers · 60 posts · Server infosec.exchange

What happens when a TA’s consistent TTPs change? Today we ( and I) released a blog detailing examples of weird and wacky techniques and targeting from .

proofpoint.com/us/blog/threat-

With the current situation () in Iran, I think it’s important to note that the Government of Iran (GOI) has had an intelligence interest in Gender Studies and Women’s Rights experts since AT LEAST 2021.

If we want to see how high they rank in interest, we just need to look at how they likely deployed the same malware (GhostEcho/CharmPower) against some of those researchers and activists that they did against Foreign Government embassy personnel.

When we pivot to look at Samantha, we see a persona that’s targeted MENA energy, a US-based academic who’s an Iranian HVT, and senior US & European government officials, all using confrontational lures not typically seen from TA453.

Is this an actor gone rogue, willing to do anything to successfully phish at any cost? Maybe. Is it the intern or conscriptee just trying to meet a quota?

We don’t know but it’s definitely interesting to track.

We talked about confrontational conversational phishing, but nothing really says confrontational like compromising multiple email accounts just to deliver a JPEG of intimidation to a target. That, along with the compromise of a close affiliate of one of the former officials targeted in the IRGC Murder For Hire plot, leads us to believe that a subset of TA453 activity is more aggressive than we’ve seen historically.

Please go read it! Let us know what you think.

#cristaneedsamastadon #TA453 #MahsaAmini #apt #iran #irgc #apt42 #phosphorus #charmingkitten
