Unveiling Supply Chain Threats: Charming Kitten and Lazarus Group's Tactics

Who left the door open again!?

Now, before you flame me for speculating, you should know something about me: I love speculating. I love thinking about probabilities in terms of which threads to pull next. It gives me something highly probable to start with (vs. randomly flipping a coin)... and there was no way I was going to spend days trying to tease this out. I have a short attention span, for better or worse.

So, I asked AlphaHunt to research the article with a bent towards linkable threat actors, accurate or otherwise; this is what came of it. Even if it's not 100% accurate:

✅ I learned something about another set of threat actors (with very low effort)
✅ The article (and research) is now in my intelligence graph (automatically)
✅ If I research similar threat actors (or TTPs) in the future, AlphaHunt will remind me of this event.
✅ I have more cycles to learn about other badness, while AlphaHunt connects the dots!

EDITOR'S NOTE: I'm testing the next generation of AlphaHunt: the research goes a bit deeper, is a bit more directed and a bit more "peer" reviewed. The layout may still need some work... feedback welcome (just hit reply! :))

TL;DR

Key Points

    • Charming Kitten and Lazarus Group are exploiting supply chain vulnerabilities.
    • Organizations should enhance security measures to protect against these threats.
    • Recent GitHub supply chain attack affected 23,000 organizations.
    • Implementing dependency pinning and regular audits can mitigate such risks.
    • Both groups use phishing and software exploitation tactics.
    • User education and multi-factor authentication are critical defenses.
    • While there is not currently evidence that points to either group (or any other group that I could tell), these intrusion sets are prime candidates given their history of similar attacks.
    • Use AlphaHunt. Learn at the speed of AI.

Summary

Charming Kitten (APT35) and Lazarus Group are prominent cyber espionage groups known for targeting supply chain vulnerabilities. Charming Kitten, an Iranian group, has been active since 2014, focusing on Western technology and academia through sophisticated phishing campaigns and social engineering tactics. Recently, they have been targeting organizations by compromising supply chain partners.

Lazarus Group, linked to North Korea, is notorious for high-profile attacks like the Sony hack and WannaCry ransomware. They target software providers to distribute malware, exploiting vulnerabilities in software development processes. Their recent activities include a $1.5 billion hack of Bybit, exploiting third-party services.

A recent GitHub supply chain attack on March 17, 2025, compromised a GitHub Actions tool, affecting 23,000 organizations. This incident highlights the vulnerability of software development tools, with attackers altering code to leak secrets.

To mitigate such threats, organizations should implement dependency pinning, conduct regular audits, enforce multi-factor authentication, and develop robust incident response plans. User education is crucial to counter phishing and social engineering tactics used by these groups.

The analysis underscores the ongoing threat posed by Charming Kitten and Lazarus Group, emphasizing the need for enhanced security measures in software development and distribution processes.

Research

Analysis of "Charming Kitten" and "Lazarus Group" in Relation to Supply Chain Attacks

Historical Context and Activities

Charming Kitten (APT35)

  • Background: Charming Kitten, also known as APT35, is an Iranian cyber espionage group active since at least 2014. They primarily target individuals and organizations in the West, particularly in technology and academia.

  • Notable Supply Chain Attacks:

    • Phishing Campaigns: Charming Kitten has been involved in sophisticated phishing campaigns targeting academic institutions and technology companies. They often compromise supply chain partners to access sensitive information.
    • Recent Activities: In August 2023, the German Federal Office for the Protection of the Constitution (BfV) warned that Charming Kitten was actively targeting organizations in espionage activities, indicating their ongoing focus on supply chain vulnerabilities. The BfV reported that the group uses elaborate social engineering tactics, including impersonating journalists and NGO employees to build trust with victims. Source (2023-08-15).
    • Tactics and Techniques: Their tactics include spear-phishing, credential harvesting, and exploiting software vulnerabilities. They have been known to use malware to compromise supply chain partners, allowing them to infiltrate larger networks.

Lazarus Group

  • Background: Lazarus Group is a North Korean cyber espionage group linked to various high-profile cyber attacks, including the Sony Pictures hack and the WannaCry ransomware attack. They are known for their sophisticated techniques and financial motivations.

  • Notable Supply Chain Attacks:

    • Targeting Software Providers: Lazarus Group has been involved in attacks that target software providers to distribute malware. This includes exploiting vulnerabilities in software development processes to insert malicious code into legitimate software updates.
    • Recent Incidents: Their operations have included attacks on cryptocurrency exchanges and financial institutions, where they have used supply chain vulnerabilities to facilitate their attacks. They have been linked to significant financial thefts, including a $1.5 billion hack of Bybit in February 2025, which involved exploiting vulnerabilities in third-party services. Source (2024-09-03).
    • Tactics and Techniques: Lazarus Group employs a range of tactics, including social engineering, exploitation of software vulnerabilities, and the use of advanced malware. They have been known to utilize techniques such as credential dumping and lateral movement within networks.

Correlation with Recent GitHub Supply Chain Attack

  • Recent GitHub Incident: On March 17, 2025, a supply chain attack on GitHub was reported, affecting up to 23,000 organizations. The attack involved a compromise of a GitHub Actions tool, leading to potential credential theft. Attackers altered the code of the tj-actions/changed-files project to leak secrets from developer workflows into build logs. Source (2025-03-17).

  • Patterns and Techniques:

    • Both Charming Kitten and Lazarus Group have demonstrated a pattern of targeting software development and distribution processes, which aligns with the methods used in the GitHub attack.
    • Phishing and the exploitation of software vulnerabilities are common tactics observed in both groups, suggesting a potential overlap with the methodology used in the GitHub incident.

Mitigation Strategies

To protect against similar supply chain attacks, organizations should consider implementing the following strategies:

  • Pinning Dependencies: Use specific commit hashes for GitHub Actions instead of version tags to avoid unintentional updates that could introduce vulnerabilities.
  • Regular Audits: Conduct regular audits of repositories to identify and rotate any exposed secrets.
  • Multi-Factor Authentication: Implement multi-factor authentication for all accounts, especially those with access to critical systems.
  • User Education: Train employees to recognize phishing attempts and suspicious links, particularly in communications from unknown contacts.
  • Incident Response Plans: Develop and regularly test incident response plans to ensure quick action in the event of a breach.
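The dependency-pinning recommendation above, as an added example that is not part of the original post or of AlphaHunt: a stdlib-only Python checker that reads a workflow file's `uses:` lines and reports every repository action that floats on a tag or branch instead of a full commit SHA. The sample workflow, the `some-org/some-action` name and the SHA are constructed for the example; tj-actions/changed-files is the action named in the incident above.

```python
import re
from dataclasses import dataclass

# Matches `uses: target` or `- uses: target`, with or without quotes.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<target>[^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


@dataclass(frozen=True)
class Finding:
    line_no: int
    action: str   # owner/repo or owner/repo/subdir
    ref: str      # text after '@': tag, branch or commit SHA
    pinned: bool  # True only for a full 40-hex commit SHA


def audit_workflow(text: str) -> list[Finding]:
    """One Finding per repository action a workflow pulls in."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        # Local (./path) and container (docker://) steps are not repository actions.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        # A tag like @v4 or a branch like @main can be moved by whoever controls
        # the upstream repo; a commit SHA cannot be re-pointed after the fact.
        pinned = FULL_SHA_RE.fullmatch(ref) is not None
        findings.append(Finding(line_no, action, ref, pinned))
    return findings


def unpinned_actions(text: str) -> list[str]:
    """'owner/repo@ref' strings that would follow a retagged release."""
    return [f"{f.action}@{f.ref}" for f in audit_workflow(text) if not f.pinned]


# Constructed sample workflow; the SHA below is made up for the example.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: list changed files
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v45 (constructed)
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""
```

Run `unpinned_actions` over each file under `.github/workflows/` and fail the audit when the list is non-empty; the trailing `# v45` comment on a pinned line keeps the human-readable version next to the SHA.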

Conclusion

The analysis of Charming Kitten and Lazarus Group reveals a significant historical context of involvement in supply chain attacks. Their tactics and techniques, including phishing, exploitation of software vulnerabilities, and targeting of software providers, correlate with the recent GitHub supply chain attack. This underscores the ongoing threat posed by these groups and highlights the need for enhanced security measures in software development and distribution processes.

Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps...

(Subscribers Only)