Iran-linked cyber operatives tracked under the name Charming Kitten blended digital intrusion techniques with human intelligence methods that echo Cold War-era espionage, according to a series of U.S. government actions spanning sanctions, criminal indictments, and joint cybersecurity advisories. The group, also known in private-sector research as APT 35, has been tied to network compromises dating back to at least 2020, exploiting software vulnerabilities to steal sensitive data from American organizations. What makes this campaign distinct is not just the scale of the hacking but the pairing of cyber theft with traditional spy tradecraft, including the alleged creation of “target packages” used to identify and recruit human assets.
What is verified so far
The strongest confirmed facts come from three separate U.S. government actions that, taken together, outline a sustained Iranian intelligence operation with both digital and human dimensions.
On September 14, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control designated multiple individuals and entities for their roles in ransomware campaigns and network intrusions carried out on behalf of Iran’s Islamic Revolutionary Guard Corps. In its public announcement, Treasury stated that these Iran-based cyber actors had been compromising networks since at least 2020, exploiting vulnerabilities to gain unauthorized access and exfiltrate data. The same announcement noted that private-sector intrusion-set names, including APT 35 and Charming Kitten, partially align with the sanctioned activity, though Treasury stopped short of declaring a one-to-one match between those tracking labels and the specific individuals named.
The corresponding OFAC designations record provides the canonical roster of who was sanctioned and under what legal authorities. The entries carry both cyber-related and Iran-related program tags, reflecting the dual nature of the threat: financially motivated ransomware operations that also served broader intelligence objectives for the Iranian state. These designations freeze any U.S.-linked assets of the named parties and generally prohibit U.S. persons from dealing with them, underscoring that the activity was serious enough to trigger economic penalties typically reserved for significant national security threats.
A joint cybersecurity advisory, identified as AA24-241A and issued by CISA, the FBI, and the Department of Defense Cyber Crime Center, described how Iran-based operators target U.S. networks. The advisory details exploitation patterns, including the use of publicly known software vulnerabilities, and provides defensive guidance such as patching priorities, credential hardening, and logging recommendations for potential targets. While the advisory addresses Iranian cyber actors broadly rather than Charming Kitten alone, it offers an important distinction between financially motivated ransomware and activity conducted for intelligence purposes, a line that these actors appear to have deliberately blurred by using some of the same access and tooling for both profit and espionage.
The human intelligence dimension comes into sharpest focus through the Department of Justice’s case against Monica Witt and several co-defendants. In remarks on the unsealing of United States v. Monica Witt, et al., then-Assistant Attorney General for National Security John C. Demers described how Iranian hackers, acting at the direction of the IRGC, provided detailed targeting materials to enable operations against U.S. government personnel connected to Witt. Those “target packages” were designed to identify and pursue individuals who could be recruited or compromised, combining personal data, online behavior, and professional affiliations into dossiers that could guide follow-on approaches. This tactic is borrowed directly from Cold War intelligence playbooks, with cyber tools replacing dead drops and coded radio transmissions as the means of collecting and organizing sensitive information about human targets.
Put together, these official records establish several points with a high degree of confidence. Iran-based cyber actors linked to the IRGC have repeatedly exploited software vulnerabilities in U.S. and allied networks, both to deploy ransomware and to steal information. Some of the same infrastructure and personnel are associated, at least in part, with what private researchers call Charming Kitten or APT 35. And in at least one documented case, those cyber operations were integrated with a human intelligence campaign that sought to identify, monitor, and potentially recruit U.S. government personnel.
What remains uncertain
Several gaps in the public record limit how confidently analysts can map the full scope of Charming Kitten’s operations. The Treasury Department’s own language is carefully hedged: it states that private-sector tracking names “partially align” with the sanctioned activity, which means the overlap between what researchers call Charming Kitten and the specific IRGC-affiliated individuals named in the sanctions may not be complete. Different cybersecurity firms use different criteria to cluster threat activity, and their labels sometimes merge or split what governments treat as distinct operational units. No declassified U.S. intelligence assessment has been published that draws a definitive boundary around the group.
The “Cold War tactics” framing, while supported by the Witt indictment’s description of target packages and human recruitment, relies on interpretive analysis rather than a single official document that uses that exact phrase. The DOJ remarks describe a hybrid operation combining cyber intrusion with traditional espionage methods, but the degree to which this represents a deliberate strategic shift by Iranian intelligence, as opposed to opportunistic improvisation in one case, is not settled in the public record. No direct statements from the IRGC or any sanctioned individual have confirmed or denied the characterization, and there is no public evidence that Iranian leadership has formally codified this blend of cyber and human intelligence as doctrine.
Post-2022 activity also presents a sourcing challenge. The sanctions and the Witt case established a clear record through mid-2022, but specific Charming Kitten incidents after the designations were imposed are not documented in the primary government sources available here. The CISA advisory addresses ongoing Iranian cyber threats to U.S. organizations but does not name Charming Kitten specifically, leaving open the question of whether the group adapted its tactics, rebranded, or continued operating under the same structure after key members were sanctioned. The latest publicly available primary updates referenced in this article date to 2024 for the CISA advisory and 2022 for the Treasury actions, so any assertions about later campaigns or internal reorganizations would rest on secondary reporting rather than the official record.
There is also uncertainty about the internal command-and-control relationships behind these operations. The sanctions and DOJ filings make clear that the IRGC plays a central role in directing or benefiting from the activity, but they do not fully explain how much latitude contractors or front companies have in choosing targets or methods. Without that visibility, it is difficult to say whether Charming Kitten represents a single coherent unit, a loose federation of operators, or a label that outside observers have applied to several overlapping efforts.
How to read the evidence
The evidence divides into two clear tiers. Primary evidence consists of the Treasury sanctions, the OFAC designations record, the CISA joint advisory, and the DOJ remarks on the Witt case. These are official U.S. government documents carrying legal and operational weight. They name specific individuals and entities, describe verified exploitation patterns, and, in the case of the Witt indictment, lay out allegations tested against a federal grand jury standard. When these sources state that Iran-based actors exploited vulnerabilities and exfiltrated data, that claim rests on intelligence community assessments and law enforcement investigations rather than speculative attribution.
The second tier involves analytical interpretation, particularly around the “Cold War tactics” thesis and the attempt to draw a coherent picture of Charming Kitten as a single actor. The connection between Charming Kitten’s cyber operations and traditional espionage methods is drawn from the Witt case, where digital intrusion tools were used alongside human intelligence recruitment. This is a reasonable inference from the primary record, but it requires readers to accept a bridging argument: that the same operational culture that produced target packages for human recruitment also drives the group’s broader cyber campaigns. No single document makes that argument explicitly. Instead, it emerges from reading the sanctions, the advisory, and the DOJ remarks together and considering how the described behaviors resemble historical intelligence tradecraft.
For policymakers and defenders, the practical takeaway is to treat Charming Kitten and related Iranian intrusion sets as more than just profit-seeking ransomware crews. The official record supports viewing them as extensions of a state-directed intelligence apparatus that is willing to merge financial crime, espionage, and human targeting. At the same time, responsible analysis requires acknowledging where the evidence ends: the exact organizational chart behind these operations, the full roster of participants, and the long-term strategic intent remain only partially visible through the narrow window of sanctions notices, court filings, and technical advisories.
Reading the available documents with that distinction in mind (separating confirmed facts from reasonable but unproven inferences) offers a clearer picture of what is known about Charming Kitten today, and what will require future disclosures, declassifications, or court cases to fully understand.
*This article was researched with the help of AI, with human editors creating the final content.