ID212 - SOC250
APT35 HyperScrape Data Exfiltration Tool Detected

LetsDefend alert triage practice

Alert Overview

Investigation

Who is APT35?
APT35, also known by various aliases such as **Charming Kitten, Phosphorus, and Mint Sandstorm**, is an Iranian state-sponsored cyber-espionage group active since at least 2014. The group has been involved in numerous cyber-espionage campaigns targeting various sectors globally.

In 2021, Google’s Threat Analysis Group highlighted APT35’s use of conference-themed phishing emails and the exploitation of Telegram for operator notifications.

In 2022, Google’s Threat Analysis Group identified a new tool developed by APT35, dubbed HYPERSCRAPE, designed to steal data from well-known email providers. This tool requires the target’s credentials to create a session on their behalf and acts in such a way that using old-style mail services appears normal to the server, downloading the victim’s emails and making changes to hide its fingerprint.

Initial Triage: Threat Intel

The hash cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa is flagged as malicious and attributed to APT35 / Charming Kitten.

Log Management

Logs show three key events directed toward the victim host:

  • Dec 27, 2023, 11:17 AM — RDP connection attempt from 173.209.51[.]54 to Arthur’s host.
  • Dec 27, 2023, 11:17 AM — Port 3389 connection from the same source IP.
  • Dec 27, 2023, 11:21 AM — Exchange download event with subject “Notification of Multiple Mail Download”, a behavior aligned with HYPERSCRAPE malware activity.

At 11:22 AM, outbound HTTP traffic from Arthur’s host was logged to another APT35-attributed IP: 136.243.108[.]14, with the source process identified as downloader.exe.

LetsDefend threat intel and VirusTotal both confirm this IP is tied to APT35 operations.
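The sequence above (external RDP, then a bulk mail download, then outbound traffic to a threat-intel-listed IP from the same host within minutes) is what turns three individually noisy events into a high-confidence finding. The following correlation script is an added example, not code from the write-up or from LetsDefend. The log format, the host name `arthur-pc`, the asset inventory and the ten-minute window are all constructed for the example; the IPs, timestamps, subject line and process name are the ones recorded above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import List, Tuple

# IPs the write-up attributes to APT35 (refanged); in production these come from a TI feed.
TI_LISTED_IPS = {"173.209.51.54", "136.243.108.14"}

# Asset inventory constructed for this example; the write-up only says 172.31.26.208 is not in it.
INVENTORY = {"arthur-pc"}

# Constructed log lines modelled on the Log Management and Network Action findings.
# Field layout (constructed): timestamp|log source|event type|source|destination|detail
SAMPLE_LOGS = """\
2023-12-27 11:17:00|firewall|rdp_connection|173.209.51.54|arthur-pc|port=3389
2023-12-27 11:17:00|firewall|tcp_connection|173.209.51.54|arthur-pc|port=3389
2023-12-27 11:21:00|exchange|mail_download|arthur-pc|-|subject=Notification of Multiple Mail Download
2023-12-27 11:22:00|proxy|http_out|arthur-pc|136.243.108.14|process=downloader.exe
2023-12-27 11:50:00|firewall|tcp_connection|arthur-pc|172.31.26.208|inventory=unknown
"""


@dataclass
class Event:
    ts: datetime
    source: str
    kind: str
    src: str
    dst: str
    detail: str


def parse_logs(text: str) -> List[Event]:
    """Parse the pipe-delimited constructed format into Event objects sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, kind, src, dst, detail = line.split("|", 5)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, kind, src, dst, detail))
    return sorted(events, key=lambda e: e.ts)


def is_public_ip(value: str) -> bool:
    """True for a globally routable IP; hostnames and RFC 1918 addresses return False."""
    try:
        return ip_address(value).is_global
    except ValueError:
        return False


Finding = Tuple[str, str, str]  # (severity, host, description)


def correlate(events: List[Event], ti_ips, inventory,
              window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    findings: List[Finding] = []
    # Rule 1: inbound RDP from a public IP, then a bulk mail download AND outbound traffic to a
    # TI-listed IP from the same host inside the window. The pair is what separates
    # HYPERSCRAPE-style mail theft from a lone RDP hit.
    for rdp in (e for e in events if e.kind == "rdp_connection" and is_public_ip(e.src)):
        later = [e for e in events if e.src == rdp.dst and rdp.ts <= e.ts <= rdp.ts + window]
        mail = [e for e in later if e.kind == "mail_download"]
        c2 = [e for e in later if e.kind == "http_out" and e.dst in ti_ips]
        if mail and c2:
            findings.append(("high", rdp.dst,
                             f"external RDP from {rdp.src}, bulk mail download ({mail[0].detail}), "
                             f"then outbound to TI-listed {c2[0].dst} ({c2[0].detail}) within {window}"))
        elif c2:
            findings.append(("medium", rdp.dst,
                             f"external RDP from {rdp.src} followed by outbound to TI-listed {c2[0].dst}"))
    # Rule 2: internal-to-internal connection whose destination the asset inventory does not know.
    for e in events:
        if (e.kind == "tcp_connection" and not is_public_ip(e.src)
                and not is_public_ip(e.dst) and e.dst not in inventory):
            findings.append(("medium", e.src,
                             f"connection to {e.dst}, which is not in the asset inventory "
                             "(possible lateral movement)"))
    return findings


if __name__ == "__main__":
    for sev, host, desc in correlate(parse_logs(SAMPLE_LOGS), TI_LISTED_IPS, INVENTORY):
        print(f"[{sev.upper()}] {host}: {desc}")
```

Run as-is it reports one high finding for `arthur-pc` (the RDP, mail download and C2 sequence) and one medium finding for the 11:50 connection to 172.31.26.208. The window is deliberately a parameter: the five minutes between RDP and the outbound HTTP here fits comfortably, but a tool that downloads a whole mailbox first can stretch that gap, so tune it per environment rather than hard-coding it.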

Endpoint Security

Browser history on Arthur’s machine shows extensive non-business use (Amazon, Netflix, Instagram, etc.), likely in violation of company policy or indicating BYOD usage.

All history is from 2 days prior, except for a single visit to microsoft.com on the day of the event.

Terminal history is empty — either cleared or not logged.


The Network Action tab reveals:
– Post-compromise outbound connections to criminal IPs
– Three suspicious connections at 11:50 AM to internal IP 172.31.26[.]208, which is unrecognized by the inventory system


The Process tab shows:

– Execution of emaildownloader.exe at 2023-12-27 11:21:37.051, spawned by explorer.exe
– MpCmdRun.exe (the Defender command-line tool) then spawning conhost.exe with the undocumented arguments 0xffffffff -ForceV1
– This is not typical Defender behavior, suggesting LOLBAS abuse for stealth execution or post-exploitation.
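A process-tree rule for this finding is best keyed on the parent chain rather than on the conhost arguments: on current Windows, conhost.exe is started with `0xffffffff -ForceV1` for any console program, so those arguments are context for the analyst, while a Defender command-line tool launched by a user-dropped binary is the real anomaly. The script below is an added example, not code from the write-up or from LetsDefend. PIDs, file paths, the benign `cmd.exe` control case and the allowlist of expected parents are constructed assumptions; the image names, parent/child order and the 11:21:37.051 timestamp come from the Process tab above.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    ts: str


# Constructed process-creation events modelled on the Process tab. PIDs and paths are made up;
# only the image names, the parent/child order and the 11:21:37.051 timestamp are from the write-up.
SAMPLE_PROCS = [
    Proc(1200, 800, "explorer.exe", "C:\\Windows\\explorer.exe", "2023-12-27 11:21:00.000"),
    Proc(4412, 1200, "emaildownloader.exe",
         "C:\\Users\\Arthur\\Downloads\\emaildownloader.exe", "2023-12-27 11:21:37.051"),
    Proc(4520, 4412, "MpCmdRun.exe",
         "C:\\Program Files\\Windows Defender\\MpCmdRun.exe", "2023-12-27 11:21:38.102"),
    # conhost's 0xffffffff -ForceV1 arguments are the normal console-host launch, not the signal.
    Proc(4528, 4520, "conhost.exe",
         "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", "2023-12-27 11:21:38.120"),
    # Benign control (constructed): an administrator running MpCmdRun from cmd.exe is not flagged.
    Proc(5100, 900, "cmd.exe", "C:\\Windows\\System32\\cmd.exe", "2023-12-27 09:00:00.000"),
    Proc(5108, 5100, "MpCmdRun.exe",
         "C:\\Program Files\\Windows Defender\\MpCmdRun.exe", "2023-12-27 09:00:01.000"),
]

# Assumed allowlist of parents from which MpCmdRun.exe is normally launched; tune per environment.
EXPECTED_MPCMDRUN_PARENTS = {"MsMpEng.exe", "svchost.exe", "cmd.exe", "powershell.exe"}


def by_pid(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def ancestry(pid: int, index: Dict[int, Proc]) -> List[str]:
    """Walk parent links from pid to the root, returning image names root-first."""
    chain: List[str] = []
    seen = set()
    while pid in index and pid not in seen:  # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(index[pid].image)
        pid = index[pid].ppid
    return list(reversed(chain))


def find_unexpected_mpcmdrun_launches(procs: List[Proc],
                                      expected_parents=EXPECTED_MPCMDRUN_PARENTS) -> List[dict]:
    """Flag MpCmdRun.exe whose direct parent is not an expected launcher, with full context."""
    index = by_pid(procs)
    allowed = {name.lower() for name in expected_parents}
    hits = []
    for p in procs:
        if p.image.lower() != "mpcmdrun.exe":
            continue
        parent = index.get(p.ppid)
        parent_image = parent.image if parent else "<unknown>"
        if parent_image.lower() in allowed:
            continue
        hits.append({
            "pid": p.pid,
            "ts": p.ts,
            "parent": parent_image,
            "chain": ancestry(p.pid, index),
            "children": [c.image for c in procs if c.ppid == p.pid],
        })
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_mpcmdrun_launches(SAMPLE_PROCS):
        print(f"{hit['ts']}  {' > '.join(hit['chain'])}  children={hit['children']}")
```

On the sample data the only hit is the 11:21:38 launch, reported with the chain `explorer.exe > emaildownloader.exe > MpCmdRun.exe` and `conhost.exe` as its child; the 09:00 administrator launch from cmd.exe passes. Reporting the whole chain, not just the parent, is what lets the analyst tie the LOLBin use back to emaildownloader.exe without re-querying the EDR.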

Playbook Execution

Determine the Type of Reconnaissance: gather victim identity information

Attacker IP Analysis: external

Is the attacker IP suspicious or not? YES

Is there more than one affected device? No

Does the device need to be isolated? YES

Add Artifacts

| Artifact | Description | Type |
| --- | --- | --- |
| cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa | MD5 hash | md5 hash |
| 136.243.108[.]14 | IP address of the attacker | IP address |
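Before artifacts from a case are pushed to a blocklist they need to be refanged, validated and typed, and the type should come from the value itself rather than from the label typed into the case form. The helper below is an added example, not code from the write-up or from LetsDefend; the two artifacts and the second attacker IP are taken from this page, the `not-an-indicator` entry is a constructed malformed value, and the length-based hash typing is the usual convention (32 hex characters for MD5, 40 for SHA-1, 64 for SHA-256). Note that it reports the recorded hash as SHA-256 sized.

```python
import ipaddress
import re
from typing import Dict, List

# Hash type inferred from hex length; a mislabelled hash would otherwise land in the wrong blocklist bucket.
HASH_TYPES_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")

# Artifacts as recorded on this page, plus one constructed malformed entry to show rejection.
RECORDED_ARTIFACTS = [
    "cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa",
    "136.243.108[.]14",
    "173.209.51[.]54",
    "not-an-indicator",
]


def refang(value: str) -> str:
    """Undo the common defanging conventions so the value can be matched or blocked."""
    return value.strip().replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def classify_artifact(raw: str) -> Dict[str, str]:
    """Return a normalised record with the indicator type derived from the value itself."""
    value = refang(raw)
    if HEX_RE.fullmatch(value) and len(value) in HASH_TYPES_BY_LENGTH:
        return {"raw": raw, "value": value.lower(), "type": HASH_TYPES_BY_LENGTH[len(value)]}
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return {"raw": raw, "value": value, "type": "unknown"}
    return {
        "raw": raw,
        "value": str(addr),
        "type": "ipv4" if addr.version == 4 else "ipv6",
        # Internal addresses (such as 172.31.26.208 above) are leads, not perimeter block entries.
        "scope": "public" if addr.is_global else "internal",
    }


def build_blocklist(raws: List[str]) -> List[Dict[str, str]]:
    """Keep only well-formed, externally actionable indicators: hashes and public IPs."""
    out = []
    for raw in raws:
        rec = classify_artifact(raw)
        if rec["type"] == "unknown" or rec.get("scope") == "internal":
            continue
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in build_blocklist(RECORDED_ARTIFACTS):
        print(f"{rec['type']:7} {rec['value']}")
```

The `scope` field is the practical safeguard: an analyst who pastes the unrecognised internal host 172.31.26.208 into the same artifact list will see it kept as a lead but excluded from the perimeter blocklist, instead of accidentally blocking an internal address.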

Verdict

True Positive

Analyst Summary Report

Summary of findings

On December 27, 2023, suspicious activity was detected involving host Arthur. Threat intelligence and forensic data confirm indicators consistent with APT35 (Charming Kitten), an Iranian state-sponsored cyber-espionage group.

Threat intel flagged hash cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa as malicious, attributed to APT35 and associated with the HYPERSCRAPE malware tool.

Log management shows:
– RDP connection to Arthur’s host from 173.209.51[.]54 at 11:17 AM.
– Shortly after, an Exchange download event titled “Notification of Multiple Mail Download” — behavior consistent with HYPERSCRAPE’s email theft operations.
– Outbound HTTP traffic from the victim to 136.243.108[.]14 at 11:22 AM, an IP known to be APT35 infrastructure, flagged as malicious on VirusTotal.

Endpoint telemetry shows:
– Execution of emaildownloader.exe, followed by MpCmdRun.exe spawning conhost.exe with suspicious undocumented arguments (0xffffffff -ForceV1), suggesting LOLBAS abuse for stealth execution or post-exploitation.
– Terminal history is empty (potentially cleared).
– Network action tab reveals multiple connections to criminal IPs and possible lateral traffic toward internal IP 172.31.26[.]208 (unrecognized by endpoint inventory).
– No related activity was found in email security logs, and browser history on the host shows non-corporate usage unrelated to the incident.

This attack is consistent with APT35’s typical tactics, leveraging stolen credentials, LOLBin abuse, and exfiltration through Exchange services.

Remediation recommendations
  • Block malicious IP 136.243.108[.]14 and the associated malware hash across the network.
  • Reset credentials for the affected user and enable monitoring for suspicious logins.
  • Restrict RDP access through proper segmentation, logging, and alerting.
  • Audit RDP access logs and check for signs of lateral movement or credential misuse.
  • Review endpoint and firewall logs for signs of persistence or outbound exfiltration.
  • Enforce MFA and strengthen endpoint protection to prevent LOLBin abuse.

SYN / ACK

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.