APT35 Launches Sophisticated Global Credential-Stealing Campaign

APT35's latest campaign shows its growing sophistication. Custom malware and stealthy techniques are compromising secure networks worldwide.

Iran-linked APT35 has initiated a sophisticated global campaign targeting government and military networks. The group, known for its evolving tactics, is now employing custom malware to capture hashed credentials from secure networks.

The campaign, active since early 2025, begins with spear-phishing emails carrying HTML attachments. These deploy a multi-stage payload, including a two-stage downloader that detects known analysis sandboxes and halts execution when it finds itself inside one. Once inside a network, the malware masquerades as legitimate system processes and hooks the Windows Security Support Provider Interface (SSPI) to capture hashed credentials.

The malware establishes a foothold by downloading a PowerShell stager, which in turn fetches the primary credential-stealer module. It exploits a vulnerability in Microsoft Office (CVE-2023-23397) to bypass Outlook's security model. APT35's latest campaign demonstrates growing sophistication in embedding within trusted processes and leveraging native APIs to capture credentials without leaving overt artifacts. Compromised credentials are relayed to the attacker's infrastructure, where hash-cracking and pass-the-hash techniques are used to unlock privileged accounts. Multiple accounts on military communications networks have been compromised without triggering conventional intrusion detection systems.

APT35's global campaign highlights the group's increasing sophistication in evading detection and compromising secure networks. The use of custom malware, exploitation of vulnerabilities, and stealthy credential-stealing techniques underscore the importance of robust network security measures and continuous monitoring.