Threats Feed

Kaspersky has uncovered BellaCPP, a new C++ variant of the BellaCiao malware family, linked to the Charming Kitten threat actor. BellaCPP, found on an infected machine in Asia, features domain generation, XOR-encrypted string decryption, and SSH tunneling, with payloads stored in critical directories like C:\Windows\System32. It lacks a webshell, showing refined design. PDB paths reveal targeting details, highlighting evolving capabilities. These findings underscore the need for robust cybersecurity and thorough network scanning to combat such threats.

APT35 targeted the aerospace and semiconductor industries in the US, Thailand, UAE, and Israel using fake recruitment and corporate websites. These sites delivered malware via forged legitimate programs and malicious DLLs to compromise victims. The group leveraged platforms like GitHub, OneDrive, and Google Cloud for C&C communications and payload delivery. In a related attack, a semiconductor company was targeted using a VPN program laced with malicious components. Persistence mechanisms included registry modifications, while obfuscation techniques were used to evade detection. APT35’s activities are linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran.

ClearSky Cyber Security's research details an Iranian cyber campaign, dubbed "Iranian Dream Job," using fake job postings to target the aerospace industry. The campaign, active since at least September 2023, employs the SnailResin malware, leading to the SlugResin backdoor. Attribution is complex, with potential links to both Iranian group TA455 (a Charming Kitten subgroup) and North Korea's Lazarus group, raising questions about potential collaboration or deception. The campaign leverages fake LinkedIn profiles and websites, distributing malware via seemingly legitimate ZIP files containing a malicious executable. This sophisticated attack uses social engineering and DLL side-loading for infiltration.

APT42 has launched a series of phishing attacks targeting Middle Eastern studies researchers, defense sector officials, and institutions specializing in Iran across Israel and the U.S. The phishing messages were highly personalized, containing malicious links disguised as Zoom invitations and documents. APT42’s tactics included impersonating researchers and reputable organizations to enhance credibility and evade detection. The campaign underscores ongoing cyber espionage efforts by Iranian actors focused on intelligence gathering in academia, defense, and foreign policy sectors, impacting both governmental and research entities.

Charming Kitten has launched a new cyber campaign targeting NGOs and media organizations in Western and Middle Eastern countries. The campaign begins with initial contact via a Yahoo email, followed by a phishing link sent through WhatsApp. To build credibility, attackers may initiate silent WhatsApp voice calls before redirecting victims to a phishing site designed to mimic Google Meet. This page, hosted on Google Sites, employs an EventListener script to capture any entered data and send it to the attackers' server. Indicators of compromise include the domain atlanticcouncil[.]site and specific WhatsApp numbers.

Since June 2024, the Iranian-linked threat group Charming Kitten (APT42) has continued to build phishing infrastructure, identified as Cluster B, to target individuals perceived as threats to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists. The group registered several new domains, likely intended to host credential phishing pages that masquerade as Google, YouTube, and file-hosting service login portals. Past campaigns have targeted individuals in the U.S., Israel, and Europe, primarily in the research, media, and academic sectors. The phishing emails often contain malicious links disguised as conference invitations or legitimate documents.

Mandiant has uncovered an Iranian counterintelligence operation aimed at gathering data on Iranians and domestic threats potentially collaborating with foreign intelligence agencies, particularly in Israel. The operation involved fake recruitment websites, disseminated via social media, that lured Farsi-speaking individuals into providing personal and professional details. This data is likely used to identify and persecute Iranian dissidents, activists, and human rights advocates. The campaign, linked to Iran’s IRGC and APT42, operated from 2017 to 2024 and extends beyond Iran to target individuals connected to Syria and Hezbollah.

APT42 used fake WhatsApp accounts posing as technical support from AOL, Google, Yahoo and Microsoft companies to target individuals in Israel, Palestine, Iran, the United States and the United Kingdom. Targets included political and diplomatic officials, as well as public figures associated with the Biden and Trump administrations. The campaign, identified through user reports, included phishing attempts but did not result in account compromise. APT42 is known for phishing credential theft, with previous campaigns targeting public officials, activists and academics.

Iranian APT group GreenCharlie, linked to Mint Sandstorm and APT42, has been targeting US political campaigns and affiliates since May 2024 through advanced spearphishing and malware operations. The group leverages dynamic DNS domains, VPNs, and compromised infrastructure to conduct espionage activities. Malware variants such as GORBLE, POWERSTAR, and TAMECAT were deployed, showing significant code overlap. GreenCharlie’s infrastructure, associated with Iran-based IPs, supports its campaigns against high-value targets, including research analysts, diplomats, and government officials. The group likely operates under the Islamic Revolutionary Guard Corps (IRGC).

Iranian threat actor TA453 targeted a prominent Jewish religious figure with a fake podcast invitation, delivering the new BlackSmith malware toolkit. The attack leveraged spearphishing links and malicious LNK files to deploy the AnvilEcho PowerShell trojan. AnvilEcho consolidates TA453’s previous malware capabilities into a single script, facilitating intelligence gathering and system reconnaissance. The malware evades detection through obfuscation, steganography, and encrypted communications with TA453-controlled infrastructure. The operation, aligned with Iranian government interests, highlights TA453’s evolving tactics to support espionage.

APT42 has intensified its phishing campaigns against Israel and the U.S., targeting high-profile individuals in the military, defense, diplomatic, academic, and NGO sectors. The group uses spearphishing emails, typosquatting domains, and social engineering tactics to harvest credentials and gain unauthorized access to accounts. Recent campaigns included the use of benign PDF attachments and phishing kits capable of bypassing multi-factor authentication.

The Iranian hacktivist group Lord Nemesis, also known as 'Nemesis Kitten,' targeted the Israeli academic sector via a supply chain attack on Rashim Software, a provider of academic administration and training software. They breached Rashim's infrastructure and accessed its clients, including numerous academic institutions, by using stolen credentials and exploiting admin accounts on customer systems. This allowed them to extract sensitive data, circumvent multi-factor authentication, and instill fear by releasing findings and sending ominous warnings. The attack highlights the significant risks posed by third-party vendors and demonstrates the group's sophisticated planning and understanding of targeted IT environments.

The Ballistic Bobcat (aka Charming Kitten) threat group exploited known vulnerabilities in Microsoft Exchange servers, particularly CVE-2021-26855, to gain initial access to 34 organizations, primarily located in Israel. The group employed a backdoor known as Sponsor and relied on a modular approach that used both configuration files and batch files to evade detection. Besides, the group utilized a range of open-source tools for various activities, including tunneling and credential dumping. The victims are from diverse sectors but are mainly opportunistic rather than specifically targeted. Two victims were identified outside Israel, in Brazil and the UAE, linked to healthcare and an unidentified organization.

In mid-May 2023, threat actor TA453 targeted a US-based nuclear security expert affiliated with a foreign affairs think tank using deceptive emails. After initial contact, TA453 deployed a novel PowerShell backdoor, GorjolEcho, via cloud hosting providers. Upon realizing the target used a Mac, they sent another malicious email that delivered Mac-specific malware, NokNok. TA453 operates in support of Iran's Islamic Revolutionary Guard Corps (IRGC), specifically focusing on entities and individuals in the foreign affairs sector, particularly those dealing with Middle Eastern affairs and nuclear security.

The Iranian cyber-espionage group, Charming Kitten, targeted an individual who published an article about Iran. The attackers impersonated a reporter and carried out a series of seemingly benign interactions before sending a malicious RAR file containing the POWERSTAR backdoor. The backdoor, once executed, collects system information and communicates with a command-and-control server via encrypted channels. The attackers employ several modules for system reconnaissance, establishing persistence, and cleaning up forensic evidence. Notably, they leveraged the InterPlanetary File System (IPFS) as a fallback mechanism for command-and-control communication.

Charming Kitten group's latest malware, BellaCiao, targets Microsoft Exchange servers across the United States, Europe, the Middle East (Turkey), and India. The malware uses a unique communication approach with its command-and-control infrastructure and is tailored to suit individual targets. BellaCiao is a dropper malware that delivers other payloads based on instructions from the C2 server. The initial infection vector is suspected to be Microsoft Exchange exploit chains, and the malware establishes persistence by masquerading as legitimate Microsoft Exchange server processes.

The report details the Mint Sandstorm subgroup's cyberattacks targeting US critical infrastructure, including seaports, energy companies, transit systems, and a major utility and gas entity. The group rapidly adopted publicly disclosed proof-of-concept (POC) code to exploit vulnerabilities in internet-facing applications. The attacks also involved custom tools and implants, lateral movement, and persistence techniques. The phishing campaigns targeted individuals affiliated with think tanks and universities in Israel, North America, and Europe. The targeted sectors include transportation, energy, utilities, policy, security, and academia.

The Secureworks report details a phishing campaign by the Iranian threat group COBALT ILLUSION, which used a fake Atlantic Council employee, "Sara Shokouhi", to target researchers working on human rights in Iran. The campaign used stolen imagery and a fake online presence to build rapport before attempting to steal credentials or deploy malware. This tactic mirrors previous COBALT ILLUSION operations, highlighting the consistent use of sophisticated social engineering and data harvesting techniques to gather intelligence on behalf of the Iranian government. The report provides indicators of compromise (IOCs) to help mitigate further attacks.

TA453, also known as Charming Kitten, has targeted sectors such as academia, defence, government, NGOs, think tanks and journalists in the UK and other regions of interest. The group uses spear phishing attacks, using open source reconnaissance to create tailored phishing emails. These emails are often sent from fake social media profiles or compromised email accounts. Once a relationship has been established, TA453 directs victims to malicious links or documents and steals credentials upon interaction. The group also exploits compromised email accounts to steal sensitive data, set up mail forwarding rules and facilitate further surveillance and future attacks.

Since late 2020, threat actor TA453 has exhibited a shift in targeting and tactics. Previously targeting academics, diplomats, and journalists among others, TA453 has expanded to target medical researchers, aerospace engineers, realtors, and travel agencies. New tactics include the use of compromised accounts, malware, and confrontational lures. Despite this shift, Proofpoint assesses that TA453 operates in support of Iran's IRGC Intelligence Organization, indicating a broadening scope of cyber operations. The operations appear to focus on the US, Israel, and various European countries, targeting sectors like academia, diplomacy, journalism, human rights, and energy.

The COBALT MIRAGE threat group is using Drokbk malware to target U.S. local government networks. The malware, written in .NET, consists of a dropper and a payload, with limited built-in functionality, primarily executing additional commands from the command and control (C2) server. The February 2022 intrusion began with a compromise of a VMware Horizon server using two Log4j vulnerabilities. Drokbk is deployed post-intrusion alongside other access mechanisms, such as Fast Reverse Proxy (FRPC) tool, for persistence within the victim's environment.

The Secureworks Counter Threat Unit analyzed a ransomware incident involving the Iranian COBALT MIRAGE threat group. The group exploited ProxyShell vulnerabilities, used a customized variant of Fast Reverse Proxy (FRPC) named TunnelFish, and encrypted servers using BitLocker. Despite attempts to erase their digital footprint, several tools and artifacts were recoverable, leading to the identification of associated individuals and entities, including Ahmad Khatibi, CEO of Afkar System Co., and Mansour Ahmadi, CEO of Najee Technology.

The Iran-aligned threat actor TA453 has introduced a novel technique known as Multi-Persona Impersonation (MPI) to its spear-phishing campaigns. This method involves the simultaneous use of multiple false identities to enhance the credibility of their social engineering attacks. Alongside MPI, TA453 uses a malicious Word document exploiting Remote Template Injection, codenamed "Korg," to exfiltrate data.