Threat Watch

Iranian Threat Actors Expose Their Own Training Videos

Iran: Iranian threat actors who are believed to be linked to APT35 (Charming Kitten) uploaded training videos to an unsecured server. Discovered by researchers at IBM’s X-Force, the videos are believed to be used to train recruits for the threat actor. The videos that were found showed a range of techniques used by the group, including hijacking accounts using stolen credentials and how to export account data. Some of the victims in the videos were alerted to the attack by X-Force after the training videos showed 2-Factor-Authentication(2FA) being used to block intrusions. The videos were recorded using an application called BandiCam, which suggests that they were taken on purpose and ruled out the threat actors being infected by their malware by accident.


The discovery of these videos is important for researchers who have been looking at the group and their Tactics, Techniques, and Procedures (TTPs). The videos gave insight into how the group carried out attacks and steals credentials, which will, in turn, allow defenders to put the proper procedures in place to stop these attacks. Now that the news of the videos is public, the group may scrap those attack methods. 2-Factor-Authentication blocking intrusions in the video are important to note. To prevent account takeovers, 2-Factor-Authentication should be put in place, and proof that it does stop the attack is in the video. The Iranian threat actor has a history of attacking government entities and United States pharmaceutical executives during the COVID-19 pandemic.

More information can be read here: