Threats Feed

Kaspersky has uncovered BellaCPP, a new C++ variant of the BellaCiao malware family, linked to the Charming Kitten threat actor. BellaCPP, found on an infected machine in Asia, features domain generation, XOR-encrypted string decryption, and SSH tunneling, with payloads stored in critical directories like C:\Windows\System32. It lacks a webshell, showing refined design. PDB paths reveal targeting details, highlighting evolving capabilities. These findings underscore the need for robust cybersecurity and thorough network scanning to combat such threats.

APT35 targeted the aerospace and semiconductor industries in the US, Thailand, UAE, and Israel using fake recruitment and corporate websites. These sites delivered malware via forged legitimate programs and malicious DLLs to compromise victims. The group leveraged platforms like GitHub, OneDrive, and Google Cloud for C&C communications and payload delivery. In a related attack, a semiconductor company was targeted using a VPN program laced with malicious components. Persistence mechanisms included registry modifications, while obfuscation techniques were used to evade detection. APT35’s activities are linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran.

ClearSky Cyber Security's research details an Iranian cyber campaign, dubbed "Iranian Dream Job," using fake job postings to target the aerospace industry. The campaign, active since at least September 2023, employs the SnailResin malware, leading to the SlugResin backdoor. Attribution is complex, with potential links to both Iranian group TA455 (a Charming Kitten subgroup) and North Korea's Lazarus group, raising questions about potential collaboration or deception. The campaign leverages fake LinkedIn profiles and websites, distributing malware via seemingly legitimate ZIP files containing a malicious executable. This sophisticated attack uses social engineering and DLL side-loading for infiltration.

Charming Kitten has launched a new cyber campaign targeting NGOs and media organizations in Western and Middle Eastern countries. The campaign begins with initial contact via a Yahoo email, followed by a phishing link sent through WhatsApp. To build credibility, attackers may initiate silent WhatsApp voice calls before redirecting victims to a phishing site designed to mimic Google Meet. This page, hosted on Google Sites, employs an EventListener script to capture any entered data and send it to the attackers' server. Indicators of compromise include the domain atlanticcouncil[.]site and specific WhatsApp numbers.

Since June 2024, the Iranian-linked threat group Charming Kitten (APT42) has continued to build phishing infrastructure, identified as Cluster B, to target individuals perceived as threats to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists. The group registered several new domains, likely intended to host credential phishing pages that masquerade as Google, YouTube, and file-hosting service login portals. Past campaigns have targeted individuals in the U.S., Israel, and Europe, primarily in the research, media, and academic sectors. The phishing emails often contain malicious links disguised as conference invitations or legitimate documents.

Since June 2024, the Iranian-linked threat group Charming Kitten (APT42) has continued to build phishing infrastructure, identified as Cluster B, to target individuals perceived as threats to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists. The group registered several new domains, likely intended to host credential phishing pages that masquerade as Google, YouTube, and file-hosting service login portals. Past campaigns have targeted individuals in the U.S., Israel, and Europe, primarily in the research, media, and academic sectors. The phishing emails often contain malicious links disguised as conference invitations or legitimate documents.

Since June 2024, the Iranian-linked threat group Charming Kitten (APT42) has continued to build phishing infrastructure, identified as Cluster B, to target individuals perceived as threats to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists. The group registered several new domains, likely intended to host credential phishing pages that masquerade as Google, YouTube, and file-hosting service login portals. Past campaigns have targeted individuals in the U.S., Israel, and Europe, primarily in the research, media, and academic sectors. The phishing emails often contain malicious links disguised as conference invitations or legitimate documents.

The Iranian cyber-espionage group, Charming Kitten, targeted an individual who published an article about Iran. The attackers impersonated a reporter and carried out a series of seemingly benign interactions before sending a malicious RAR file containing the POWERSTAR backdoor. The backdoor, once executed, collects system information and communicates with a command-and-control server via encrypted channels. The attackers employ several modules for system reconnaissance, establishing persistence, and cleaning up forensic evidence. Notably, they leveraged the InterPlanetary File System (IPFS) as a fallback mechanism for command-and-control communication.

Charming Kitten group's latest malware, BellaCiao, targets Microsoft Exchange servers across the United States, Europe, the Middle East (Turkey), and India. The malware uses a unique communication approach with its command-and-control infrastructure and is tailored to suit individual targets. BellaCiao is a dropper malware that delivers other payloads based on instructions from the C2 server. The initial infection vector is suspected to be Microsoft Exchange exploit chains, and the malware establishes persistence by masquerading as legitimate Microsoft Exchange server processes.

TA453, also known as Charming Kitten, has targeted sectors such as academia, defence, government, NGOs, think tanks and journalists in the UK and other regions of interest. The group uses spear phishing attacks, using open source reconnaissance to create tailored phishing emails. These emails are often sent from fake social media profiles or compromised email accounts. Once a relationship has been established, TA453 directs victims to malicious links or documents and steals credentials upon interaction. The group also exploits compromised email accounts to steal sensitive data, set up mail forwarding rules and facilitate further surveillance and future attacks.

This Certfa Lab report details the cyber espionage activities of Charming Kitten (APT42), an Iranian state-sponsored hacking group. The report focuses on four specific operations ("Alfa," "Bravo," "Charlie," and "Delta"), illustrating how Charming Kitten uses sophisticated social engineering, primarily impersonating prominent individuals on LinkedIn and Twitter, to build trust with targets before delivering malicious links disguised as innocuous meeting requests or research materials. The attacks consistently leverage phishing to steal credentials, targeting researchers, academics, activists, and journalists with a particular focus on the Middle East and North Africa. The report aims to raise public awareness of Charming Kitten's tactics and provide recommendations for enhancing online security, particularly emphasizing the use of multi-factor authentication.

This Certfa Lab report details the cyber espionage activities of Charming Kitten (APT42), an Iranian state-sponsored hacking group. The report focuses on four specific operations ("Alfa," "Bravo," "Charlie," and "Delta"), illustrating how Charming Kitten uses sophisticated social engineering, primarily impersonating prominent individuals on LinkedIn and Twitter, to build trust with targets before delivering malicious links disguised as innocuous meeting requests or research materials. The attacks consistently leverage phishing to steal credentials, targeting researchers, academics, activists, and journalists with a particular focus on the Middle East and North Africa. The report aims to raise public awareness of Charming Kitten's tactics and provide recommendations for enhancing online security, particularly emphasizing the use of multi-factor authentication.

This Certfa Lab report details the cyber espionage activities of Charming Kitten (APT42), an Iranian state-sponsored hacking group. The report focuses on four specific operations ("Alfa," "Bravo," "Charlie," and "Delta"), illustrating how Charming Kitten uses sophisticated social engineering, primarily impersonating prominent individuals on LinkedIn and Twitter, to build trust with targets before delivering malicious links disguised as innocuous meeting requests or research materials. The attacks consistently leverage phishing to steal credentials, targeting researchers, academics, activists, and journalists with a particular focus on the Middle East and North Africa. The report aims to raise public awareness of Charming Kitten's tactics and provide recommendations for enhancing online security, particularly emphasizing the use of multi-factor authentication.

This Certfa Lab report details the cyber espionage activities of Charming Kitten (APT42), an Iranian state-sponsored hacking group. The report focuses on four specific operations ("Alfa," "Bravo," "Charlie," and "Delta"), illustrating how Charming Kitten uses sophisticated social engineering, primarily impersonating prominent individuals on LinkedIn and Twitter, to build trust with targets before delivering malicious links disguised as innocuous meeting requests or research materials. The attacks consistently leverage phishing to steal credentials, targeting researchers, academics, activists, and journalists with a particular focus on the Middle East and North Africa. The report aims to raise public awareness of Charming Kitten's tactics and provide recommendations for enhancing online security, particularly emphasizing the use of multi-factor authentication.

This Certfa Lab report details the cyber espionage activities of Charming Kitten (APT42), an Iranian state-sponsored hacking group. The report focuses on four specific operations ("Alfa," "Bravo," "Charlie," and "Delta"), illustrating how Charming Kitten uses sophisticated social engineering, primarily impersonating prominent individuals on LinkedIn and Twitter, to build trust with targets before delivering malicious links disguised as innocuous meeting requests or research materials. The attacks consistently leverage phishing to steal credentials, targeting researchers, academics, activists, and journalists with a particular focus on the Middle East and North Africa. The report aims to raise public awareness of Charming Kitten's tactics and provide recommendations for enhancing online security, particularly emphasizing the use of multi-factor authentication.

This Certfa Lab report details the cyber espionage activities of Charming Kitten (APT42), an Iranian state-sponsored hacking group. The report focuses on four specific operations ("Alfa," "Bravo," "Charlie," and "Delta"), illustrating how Charming Kitten uses sophisticated social engineering, primarily impersonating prominent individuals on LinkedIn and Twitter, to build trust with targets before delivering malicious links disguised as innocuous meeting requests or research materials. The attacks consistently leverage phishing to steal credentials, targeting researchers, academics, activists, and journalists with a particular focus on the Middle East and North Africa. The report aims to raise public awareness of Charming Kitten's tactics and provide recommendations for enhancing online security, particularly emphasizing the use of multi-factor authentication.

This Certfa Lab report details the cyber espionage activities of Charming Kitten (APT42), an Iranian state-sponsored hacking group. The report focuses on four specific operations ("Alfa," "Bravo," "Charlie," and "Delta"), illustrating how Charming Kitten uses sophisticated social engineering, primarily impersonating prominent individuals on LinkedIn and Twitter, to build trust with targets before delivering malicious links disguised as innocuous meeting requests or research materials. The attacks consistently leverage phishing to steal credentials, targeting researchers, academics, activists, and journalists with a particular focus on the Middle East and North Africa. The report aims to raise public awareness of Charming Kitten's tactics and provide recommendations for enhancing online security, particularly emphasizing the use of multi-factor authentication.

A new tool called HYPERSCRAPE, discovered by Google Threat Analysis Group in December 2021, has been found to be used by Charming Kitten to steal user data from Gmail, Yahoo and Microsoft Outlook accounts. HYPERSCRAPE requires the victim's account credentials to run, and once logged in, it changes the account's language settings to English, downloads messages individually as .eml files, and reverts the language back to its original settings once the inbox has been downloaded.

This Proofpoint report details the escalating targeting of journalists and media organisations by state-sponsored advanced persistent threats (APTs). The report highlights how groups linked to China (TA412, TA459), North Korea (TA404), Iran (TA453, TA456, TA457), and Turkey (TA482) are using a variety of methods, including phishing emails with malicious attachments or web beacons for reconnaissance and social media credential harvesting, to achieve their intelligence and propaganda goals. The report highlights the persistent nature of the threat, the variety of tactics used, and the importance of enhanced security measures for journalists to protect their sources and the integrity of their reporting. Ultimately, it aims to raise awareness of this specific cybersecurity threat and encourage proactive protection measures within the media sector.

During the 2021 Christmas holidays, Iranian state-backed hackers Charming Kitten initiated a targeted phishing campaign against individuals, focusing on personal and business emails. The group used public-facing applications, such as Google services, to redirect victims through a chain of legitimate services, helping bypass security layers in email services and obfuscate their operations. They employed various fake domains and developed custom phishing pages to target a range of online services, collecting sensitive data and emails from victims.

The Iranian APT group Charming Kitten impersonated Israeli cybersecurity firm ClearSky by creating a phishing website that mimicked the legitimate Clearskysec.com domain. The fake site, hosted on an older compromised server, replicated ClearSky's public web pages and included phishing login options to harvest credentials. ClearSky identified the incomplete site, which was taken down before it could affect any victims. Charming Kitten has previously targeted academic researchers, human rights activists, media outlets and political consultants in Iran, the US, UK and Israel. Known for spear-phishing, impersonating organisations, and deploying malware such as DownPaper, this campaign underscores the ongoing threat to security researchers and geopolitical targets.