Microsoft takes down 99 websites used by APT35/Phosphorus


Microsoft used a court order to take control of 99 websites used by cyber threat group Phosphorus (also known as APT35 or Charming Kitten) widely associated with Iranian hackers.

Microsoft revealed the court documents last Wednesday, outlining the detailed work performed by Microsoft’s Digital Crimes Unit and partnership with other technology companies, such as Yahoo in taking down the websites used by the Phosphorus operation.

The cyber activity is typically designed to gain unauthorized access to business and government computer systems and steal sensitive information. Often the targets include journalists or others involved in the advocacy or reporting of Middle East issues.

In an effort to protect users from hacking, Microsoft’s Digital Crimes Unit (DCU) and Microsoft Threat Intelligence Center (MSTIC) have been tracking the Phosphorus group since 2013.

“Our work to track Phosphorus over multiple years and observe its activity enabled us to build a decisive legal case and execute last week’s action with confidence we could have significant impact on the group’s infrastructure,” said Tom Burt, Microsoft Corporate Vice President, Customer Security & Trust.

The court order enabled Microsoft to take control of the 99 websites and prevent the hackers from using the sites to execute future cyber attacks.

Microsoft also noted the techniques used by Phosphorus involved the use of spear-phishing techniques that target individuals. Such attacks are designed to trick users into clicking on links to phishing sites and downloading malicious software.

The Phosphorus hackers used well-known brands in the phishing emails warning users of risk to their accounts, thus coming across as more authentic. Some of the registered domains the hackers used, for instance included:,, and