The actor Microsoft tracks as Mint Sandstorm (PHOSPHORUS) is an Iran-affiliated activity group, active since at least 2013. Mint Sandstorm (PHOSPHORUS) is known to primarily target dissidents protesting the Iranian government, as well as activist leaders, the defense industrial base, journalists, think tanks, universities, and multiple government agencies and services, including targets in Israel and the United States. Mint Sandstorm (PHOSPHORUS) focuses on espionage. The actor is known to obtain initial access through methods ranging from broad-scale exploitation of remote access devices to spear-phishing campaigns. Mint Sandstorm (PHOSPHORUS) also uses credential harvesting to obtain access to official work accounts as well as personal accounts. Previous tooling observed includes commodity malware, such as information stealers. The actor has also been observed developing custom malware, including phishing documents that use template injection to load malicious content. Mint Sandstorm (PHOSPHORUS) has also conducted ransomware attacks against multiple organizations. Microsoft has tied such ransomware campaigns to Storm-0270 (DEV-0270), a sub-group of Mint Sandstorm (PHOSPHORUS). Mint Sandstorm (PHOSPHORUS) is tracked by other security companies as Charming Kitten and APT35. Mandiant refers to modern-day Mint Sandstorm (PHOSPHORUS) as APT42.