Unveiling Supply Chain Threats: Charming Kitten and Lazarus Group's Tactics
A recent GitHub supply chain attack on March 17, 2025, compromised a GitHub Actions tool, affecting 23,000 organizations. This incident highlights the vulnerability of software development tools, with attackers altering code to leak secrets.

Now, before you flame me for speculating, you should know something about me: I love speculating. I love thinking about probabilities in terms of which threads to pull next. It gives me something highly probable to start with (vs. randomly flipping a coin), and there was no way I was going to spend days trying to tease this out. I have a short attention span, for better or worse.
So, I asked AlphaHunt to research the article with a bent towards linkable threat actors, accurate or otherwise. This is what came of it. Even if it's not 100% accurate:
✅ I learned something about another set of threat actors (with very low effort)
✅ The article (and research) is now in my intelligence graph (automatically)
✅ If I research similar threat actors (or TTPs) in the future, AlphaHunt will remind me of this event.
✅ I have more cycles to learn about other badness, while AlphaHunt connects the dots!


Wouldn't it be nice to have this kind of context DURING a breach?
EDITOR'S NOTE: I'm testing the next generation of AlphaHunt: the research goes a bit deeper, is a bit more directed and a bit more "peer" reviewed. The layout may still need some work... feedback welcome (just hit reply! :))
TL;DR
Key Points
- Charming Kitten and Lazarus Group are exploiting supply chain vulnerabilities.
- Organizations should enhance security measures to protect against these threats.
- Recent GitHub supply chain attack affected 23,000 organizations.
- Implementing dependency pinning and regular audits can mitigate such risks.
- Both groups use phishing and software exploitation tactics.
- User education and multi-factor authentication are critical defenses.
- While there is not currently evidence that points to either group (or any other group that I could tell), these intrusion sets are prime candidates given their history of similar attacks.
- Use AlphaHunt. Learn at the speed of AI.
Summary
Charming Kitten (APT35) and Lazarus Group are prominent cyber espionage groups known for targeting supply chain vulnerabilities. Charming Kitten, an Iranian group, has been active since 2014, focusing on Western technology and academia through sophisticated phishing campaigns and social engineering tactics. Recently, they have been targeting organizations by compromising supply chain partners.
Lazarus Group, linked to North Korea, is notorious for high-profile attacks like the Sony hack and WannaCry ransomware. They target software providers to distribute malware, exploiting vulnerabilities in software development processes. Their recent activities include a $1.5 billion hack of Bybit, exploiting third-party services.
A recent GitHub supply chain attack on March 17, 2025, compromised a GitHub Actions tool, affecting 23,000 organizations. This incident highlights the vulnerability of software development tools, with attackers altering code to leak secrets.
To mitigate such threats, organizations should implement dependency pinning, conduct regular audits, enforce multi-factor authentication, and develop robust incident response plans. User education is crucial to counter phishing and social engineering tactics used by these groups.
The analysis underscores the ongoing threat posed by Charming Kitten and Lazarus Group, emphasizing the need for enhanced security measures in software development and distribution processes.
Research
Analysis of "Charming Kitten" and "Lazarus Group" in Relation to Supply Chain Attacks
Historical Context and Activities
Charming Kitten (APT35)
- Background: Charming Kitten, also known as APT35, is an Iranian cyber espionage group active since at least 2014. They primarily target individuals and organizations in the West, particularly in technology and academia.
- Notable Supply Chain Attacks:
  - Phishing Campaigns: Charming Kitten has been involved in sophisticated phishing campaigns targeting academic institutions and technology companies. They often compromise supply chain partners to access sensitive information.
  - Recent Activities: In August 2023, the German Federal Office for the Protection of the Constitution (BfV) warned that Charming Kitten was actively targeting organizations in espionage activities, indicating their ongoing focus on supply chain vulnerabilities. The BfV reported that the group uses elaborate social engineering tactics, including impersonating journalists and NGO employees to build trust with victims. Source (2023-08-15).
  - Tactics and Techniques: Their tactics include spear-phishing, credential harvesting, and exploiting software vulnerabilities. They have been known to use malware to compromise supply chain partners, allowing them to infiltrate larger networks.
Lazarus Group
- Background: Lazarus Group is a North Korean cyber espionage group linked to various high-profile cyber attacks, including the Sony Pictures hack and the WannaCry ransomware attack. They are known for their sophisticated techniques and financial motivations.
- Notable Supply Chain Attacks:
  - Targeting Software Providers: Lazarus Group has been involved in attacks that target software providers to distribute malware. This includes exploiting vulnerabilities in software development processes to insert malicious code into legitimate software updates.
  - Recent Incidents: Their operations have included attacks on cryptocurrency exchanges and financial institutions, where they have used supply chain vulnerabilities to facilitate their attacks. They have been linked to significant financial thefts, including a $1.5 billion hack of Bybit in February 2025, which involved exploiting vulnerabilities in third-party services. Source (2024-09-03).
  - Tactics and Techniques: Lazarus Group employs a range of tactics, including social engineering, exploitation of software vulnerabilities, and the use of advanced malware. They have been known to utilize techniques such as credential dumping and lateral movement within networks.
Correlation with Recent GitHub Supply Chain Attack
- Recent GitHub Incident: On March 17, 2025, a supply chain attack on GitHub was reported, affecting up to 23,000 organizations. The attack involved a compromise of a GitHub Actions tool, leading to potential credential theft. Attackers altered the code of the tj-actions/changed-files project to leak secrets from developer workflows into build logs. Source (2025-03-17).
- Patterns and Techniques:
  - Both Charming Kitten and Lazarus Group have demonstrated a pattern of targeting software development and distribution processes, which aligns with the methods used in the GitHub attack.
  - The use of phishing and exploitation of software vulnerabilities are common tactics observed in both groups, suggesting a potential overlap in methodologies used in the GitHub incident.
Mitigation Strategies
To protect against similar supply chain attacks, organizations should consider implementing the following strategies:
- Pinning Dependencies: Use specific commit hashes for GitHub Actions instead of version tags to avoid unintentional updates that could introduce vulnerabilities.
- Regular Audits: Conduct regular audits of repositories to identify and rotate any exposed secrets.
- Multi-Factor Authentication: Implement multi-factor authentication for all accounts, especially those with access to critical systems.
- User Education: Train employees to recognize phishing attempts and suspicious links, particularly in communications from unknown contacts.
- Incident Response Plans: Develop and regularly test incident response plans to ensure quick action in the event of a breach.
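The "Pinning Dependencies" item above is the one control that would have stopped a retagged action from being pulled into a workflow automatically, so here is a small checker for it. This is an added example, not code from the original post or from AlphaHunt: it walks the `uses:` lines of a workflow file and reports every third-party action that is referenced by a tag or branch rather than a full 40-character commit SHA. The sample workflow is constructed for the example; the action names, the `@main` tag and the 40-hex value are placeholders, not references taken from the incident.

```python
import re
from typing import List, NamedTuple

# Constructed sample workflow for this example; the action names and the
# 40-hex value are placeholders, not references from the incident.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5 (placeholder SHA)
      - uses: tj-actions/changed-files@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: test
        run: pytest
"""

# Matches a `uses:` key at any indentation (step level or reusable-workflow
# level) and captures the reference up to whitespace, a quote, or a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
# A full-length commit SHA is the only immutable reference for a repo action;
# tags and branches can be moved by whoever controls the upstream repository.
SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


class Finding(NamedTuple):
    line_no: int
    ref: str
    reason: str


def audit_uses(workflow_text: str) -> List[Finding]:
    """Return every third-party action reference that is not pinned to a full commit SHA."""
    findings: List[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions and container images are resolved from this repo or a
        # registry, not from a mutable tag in someone else's repository.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(line_no, ref, "no ref given; resolves to a mutable default"))
            continue
        _action, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(
                Finding(line_no, ref, f"mutable ref {version!r}; pin to a full 40-character commit SHA")
            )
    return findings


if __name__ == "__main__":
    for f in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.ref} -> {f.reason}")
```

Run it over every file under `.github/workflows/` in CI and fail the build on any finding. Keep the human-readable version in a trailing comment next to the SHA (as the sample does), so reviewers can still see what they are running, and let a tool such as Dependabot open pull requests that move the pin when a new upstream release is cut.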
Conclusion
The analysis of Charming Kitten and Lazarus Group reveals a significant historical context of involvement in supply chain attacks. Their tactics and techniques, including phishing, exploitation of software vulnerabilities, and targeting of software providers, correlate with the recent GitHub supply chain attack. This underscores the ongoing threat posed by these groups and highlights the need for enhanced security measures in software development and distribution processes.
Recommendations, Actions and Next Steps
Recommendations
- Implement Dependency Pinning: Organizations should use specific commit hashes for GitHub Actions instead of version tags. This prevents unintentional updates that could introduce vulnerabilities, reducing the risk of supply chain attacks similar to the recent GitHub incident, which involved a compromised GitHub Action leaking sensitive information.
- Conduct Regular Repository Audits: Establish a routine for auditing repositories to identify and rotate exposed secrets. This proactive measure mitigates the risk of credential theft and ensures sensitive information is not inadvertently exposed. The recent GitHub attack revealed many repositories had exposed secrets, emphasizing the importance of regular audits.
- Enhance Multi-Factor Authentication (MFA): Enforce multi-factor authentication for all accounts, especially those with access to critical systems. This adds an additional security layer, making unauthorized access more difficult. The BfV report on Charming Kitten highlights the need for robust authentication measures to protect against credential theft.
- Develop and Test Incident Response Plans: Create comprehensive incident response plans that are regularly tested to ensure quick and effective action in the event of a breach. This helps organizations respond promptly to security incidents, minimizing potential damage. The rapid response to the GitHub incident demonstrates the importance of a well-prepared incident response strategy.
- Implement User Education Programs: Conduct training sessions for employees to recognize phishing attempts and suspicious links, especially in communications from unknown contacts. This empowers staff to be the first line of defense against social engineering tactics employed by groups like Charming Kitten and Lazarus Group. The BfV's advisory highlights the effectiveness of social engineering tactics used by these groups, making user education critical.
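The audit recommendation above, and the "Regular Audits" item in the Mitigation Strategies section, both come down to finding credentials that have already been written somewhere they should not be and turning that into a rotation list. The incident leaked secrets into build logs, so this added example (not code from the original post or from AlphaHunt) scans CI log lines: it checks a couple of well-known token formats with fixed prefixes, falls back to an entropy heuristic for `NAME=value` assignments whose name looks secret-bearing, treats the runner's `***` masking as already safe, and groups the hits by type for the rotation ticket. The log excerpt is constructed; the token-shaped values are fabricated (the AWS key is AWS's own documentation example), and the pattern table and entropy threshold are my assumptions, not part of the incident write-up.

```python
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed CI log excerpt for this example. The token-shaped values are
# fabricated (the AWS key is AWS's own documentation example); nothing here
# is an indicator from the incident.
SAMPLE_LOG = """\
2025-03-17T10:00:01Z Run tj-actions/changed-files (constructed log)
2025-03-17T10:00:02Z GITHUB_TOKEN=ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
2025-03-17T10:00:02Z AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
2025-03-17T10:00:03Z NPM_TOKEN=***
2025-03-17T10:00:03Z DEPLOY_KEY=Zx9qL2mV8pT4wN6rH1kJ3bF7sD5gY0cA
2025-03-17T10:00:04Z Changed files: src/main.py README.md
"""

# Well-known token formats with a fixed prefix: cheap, low-false-positive checks.
SPECIFIC_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}
# Fallback: an environment-style assignment whose name looks secret-bearing.
GENERIC_ASSIGN_RE = re.compile(r"\b([A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD))=(\S+)")
MIN_GENERIC_LEN = 20       # assumed threshold: shorter values are rarely real tokens
MIN_GENERIC_ENTROPY = 3.5  # assumed threshold, in bits per character


class Finding(NamedTuple):
    line_no: int
    kind: str
    name: str      # variable name when known, else the pattern kind
    preview: str   # first 4 characters only, so the report itself leaks nothing


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score well above English words."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def _preview(value: str) -> str:
    return value[:4] + "..."


def audit_log(log_text: str) -> List[Finding]:
    """Return every line that appears to contain an unmasked credential."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        hit = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, kind, kind, _preview(m.group(0))))
                hit = True
        if hit:
            continue  # already classified; don't double-report via the generic rule
        for name, value in GENERIC_ASSIGN_RE.findall(line):
            # "***" is the runner's own masking of a registered secret: nothing leaked.
            if set(value) == {"*"} or len(value) < MIN_GENERIC_LEN:
                continue
            if shannon_entropy(value) >= MIN_GENERIC_ENTROPY:
                findings.append(Finding(line_no, "generic_high_entropy", name, _preview(value)))
    return findings


def rotation_worklist(findings: List[Finding]) -> Dict[str, int]:
    """Count of credentials to rotate, grouped by type, for the audit ticket."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    found = audit_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind} ({f.name}) {f.preview}")
    print("rotate:", rotation_worklist(found))
```

Two design points matter more than the regexes. First, the report never reproduces a matched value in full, because an audit log that copies secrets just creates a second place to leak them. Second, a masked `***` is deliberately not a finding: the runner only masks values that were registered as secrets, so the interesting cases are exactly the ones that were not. A purpose-built secret scanner covers far more token formats than this; the shape of the workflow is what carries over.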
MITRE ATT&CK IDs
T1071, T1070, T1203, T1566, T1190, T1193, T1204, T1586, T1555, T1556, T1078, T1040, T1056, T1069, T1074, T1086
Followup Research
Suggested Pivots
- What specific vulnerabilities in software development tools, such as CI/CD pipelines and dependency management systems, are most susceptible to exploitation by groups like Charming Kitten and Lazarus Group, and how can organizations proactively address these vulnerabilities?
- How do the tactics and techniques employed by Charming Kitten and Lazarus Group compare to those of other prominent cyber espionage groups, such as APT29 and Equation Group, and what unique patterns can be identified in their operations?
- What are the potential long-term impacts of the recent GitHub supply chain attack on the software development community, including specific examples from past incidents like the SolarWinds attack, and how can organizations mitigate similar risks in the future?
- In what ways can organizations enhance their incident response plans specifically to counter the tactics used by Charming Kitten and Lazarus Group in supply chain attacks, and what successful case studies exist that demonstrate effective responses to similar threats?
- How can user education programs be tailored to effectively address the specific social engineering tactics used by Charming Kitten and Lazarus Group, including suggested training modules, and what framework can be used to measure the effectiveness of these programs?
Forecast
Short-Term Forecast (3-6 months)
- Surge in Supply Chain Attacks Targeting Software Development Tools
  - The recent GitHub supply chain attack, which compromised the tj-actions/changed-files project and affected over 23,000 repositories, highlights the vulnerability of software development tools. Both Charming Kitten and Lazarus Group are expected to exploit similar vulnerabilities in widely used development platforms. Organizations in technology, finance, and critical infrastructure sectors will be particularly at risk as these groups refine their tactics to infiltrate software supply chains.
  - Examples:
    - The GitHub incident involved attackers altering code to leak sensitive information, demonstrating how easily supply chain vulnerabilities can be exploited.
    - Similar tactics were observed in the SolarWinds attack, where attackers compromised a software update mechanism to infiltrate numerous organizations.
- Increased Regulatory Pressure and Compliance Requirements
  - As supply chain attacks become more frequent, regulatory bodies will likely impose stricter compliance measures on organizations, particularly those handling sensitive data. This will lead to heightened scrutiny of security practices and the implementation of more robust security frameworks to protect against supply chain vulnerabilities.
  - Examples:
    - The German Federal Office for the Protection of the Constitution's advisory on Charming Kitten's activities indicates a growing awareness of the threat landscape and the need for enhanced security measures.
    - Regulatory frameworks similar to the NIST Cybersecurity Framework may be adopted to address supply chain security, compelling organizations to invest in better security practices.
Long-Term Forecast (12-24 months)
- Evolution of Attack Techniques and Targeting of Emerging Technologies
  - Over the next 12-24 months, both Charming Kitten and Lazarus Group are expected to evolve their attack techniques, particularly as they adapt to new technologies such as cloud services and DevOps environments. This evolution may include the development of more sophisticated malware and exploitation techniques that target these emerging technologies, leading to significant disruptions in affected sectors.
  - Examples:
    - The increasing adoption of cloud-native applications may present new attack vectors, similar to how these groups have previously exploited software development processes.
    - Historical trends show that cyber adversaries often adapt their tactics in response to improved security measures, as seen with the evolution of ransomware tactics.
- Proliferation of Advanced Supply Chain Security Solutions
  - In response to the growing threat of supply chain attacks, the cybersecurity industry will likely see a surge in the development and adoption of specialized security solutions aimed at protecting software supply chains. This may include enhanced dependency management tools, automated vulnerability scanning, and advanced threat detection systems tailored for software development environments.
  - Examples:
    - The rise of tools like Snyk and GitHub's Dependabot, which focus on identifying and mitigating vulnerabilities in dependencies, reflects the industry's response to supply chain security challenges.
    - Organizations may increasingly invest in security training and awareness programs to empower developers and employees to recognize and respond to potential threats.
Appendix
References
- (2025-03-17) - GitHub supply chain attack spills secrets from 23,000 projects
- (2023-08-15) - German agency warns of Charming Kitten APT group targeting organizations in recent espionage activities
- (2024-09-03) - Lazarus Group: The Hackers Behind Bybit's $1.5B Exploit
- (2024-09-09) - Threat Assessment: North Korean Threat Groups
- (2023-08-14) - Charming Kitten Targets Iranian Dissidents with Advanced Cyber Attacks
- (2024-03-17) - Supply Chain is FUBAR
MITRE ATT&CK
Techniques
- T1566 (Phishing) - The use of deceptive emails or messages to trick users into revealing sensitive information or downloading malware.
  - Both Charming Kitten and Lazarus Group have employed phishing campaigns to gain initial access to their targets, making this technique highly relevant.
- T1203 (Exploitation for Client Execution) - Exploiting vulnerabilities in client applications to execute malicious code.
  - This technique is pertinent due to the groups' history of exploiting software vulnerabilities, particularly in supply chain contexts.
- T1071 (Application Layer Protocol) - Using application layer protocols to communicate with command and control servers.
  - This technique reflects the operational methods of both groups in maintaining communication with compromised systems.
- T1070 (Indicator Removal on Host) - Techniques used to remove indicators of compromise from the host.
  - This technique is significant as it highlights the groups' efforts to cover their tracks after executing attacks.
- T1190 (Exploit Public-Facing Application) - Exploiting vulnerabilities in public-facing applications to gain access.
  - This technique is relevant given the groups' focus on exploiting software vulnerabilities in their supply chain attacks.
- T1555 (Credentials from Password Stores) - Extracting credentials from password management tools.
  - This technique is applicable as both groups have been known to target credential storage mechanisms.
Tactics
- TA0001 (Initial Access) - The tactic of gaining initial access to a network.
  - This tactic encompasses the methods used by both Charming Kitten and Lazarus Group to infiltrate their targets.
- TA0002 (Execution) - The tactic of executing malicious code on a target system.
  - This tactic includes the execution of malware and exploits used by both groups.
- TA0005 (Defense Evasion) - Techniques used to evade detection and avoid defenses.
  - This tactic reflects the groups' strategies to maintain persistence and avoid detection.
PROCEDURES
- T1078.001 (Valid Accounts: Local Accounts) - Using valid local accounts to gain access to systems.
  - This procedure is relevant as both groups have been known to leverage valid accounts for lateral movement.
- T1078.002 (Valid Accounts: Domain Accounts) - Using valid domain accounts to gain access to systems.
  - This procedure highlights the groups' use of compromised credentials for access.
SOFTWARE
- Mandiant's APT35 Tools - Tools associated with Charming Kitten, including malware and exploitation tools.
  - This software directly relates to the capabilities of Charming Kitten.
- Lazarus Group Tools - Tools associated with Lazarus Group, including malware and exploitation tools.
  - This software reflects the operational capabilities of Lazarus Group.
MITIGATIONS
- M1030.001 (User Training) - Training users to recognize phishing attempts and suspicious links.
  - This mitigation addresses the primary attack vector used by both groups.
- M1030.002 (Multi-Factor Authentication) - Implementing multi-factor authentication to secure accounts.
  - This mitigation adds an additional layer of security against credential theft.
GROUPS
- G0032 Lazarus Group (APT38, BeagleBoyz, etc.)
  - Lazarus Group is a North Korean state-sponsored cyber threat group known for sophisticated attacks, including supply chain attacks. Their activities are highly relevant to the analysis of supply chain vulnerabilities.
  - Lazarus Group Overview
- G0040 Charming Kitten (APT35, Phosphorus, Ajax Security)
  - Charming Kitten is an Iranian cyber espionage group that targets individuals and organizations in the West, particularly in technology and academia. Their focus on supply chain vulnerabilities makes them a significant threat.
  - Charming Kitten Overview
AlphaHunt
(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
Get compound questions like this:
- which intrusion sets were likely involved in the ‘GitHub supply chain attack spills secrets from 23,000 projects’ breach?
- deep research on this, providing historical context (and examples) that correlate this activity with the intrusion sets
Does it take chunks out of your day? Would you like help with the research?
This baseline report was thoughtfully researched and took 10 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.
We just did the initial grunt work.
Are you ready to level up your skillset? Get Started Here!
Did this help you? Forward it to a friend!
(c) 2025 CSIRT Gadgets, LLC
License - CC BY-SA 4.0