Iran-based nation-state threat group called Phosphorus (aka TA453, COBALT ILLUSION, Charming Kitten, Newscaster, Magic Hound, and APT35) that has been active since at least 2014. The threat group conducts cyberattacks against adversaries with Iran’s Islamic Revolutionary Guard Corps. The group uses novel techniques to evade detection using malicious PowerShell scripts. It operates as a remote access backdoor installed through these malicious scripts to further download malware payloads. With multistaged and modular toolkits, the Phosphorus toolkit becomes a stealthy threat against enemies of Iran.