Threats Feed|TA455|Last Updated 24/01/2025|AuthorCertfa Radar|Publish Date12/11/2024

Charming Kitten’s TA455 Uses Social Engineering to Spread Malware in Aerospace Sector

  • Actor Motivations: Espionage,Exfiltration
  • Attack Vectors: Malware,Honey Trap,Spear Phishing
  • Attack Complexity: High
  • Threat Risk: High Impact/Low Probability

Threat Overview

ClearSky Cyber Security's research details an Iranian cyber campaign, dubbed "Iranian Dream Job," using fake job postings to target the aerospace industry. The campaign, active since at least September 2023, employs the SnailResin malware, leading to the SlugResin backdoor. Attribution is complex, with potential links to both Iranian group TA455 (a Charming Kitten subgroup) and North Korea's Lazarus group, raising questions about potential collaboration or deception. The campaign leverages fake LinkedIn profiles and websites, distributing malware via seemingly legitimate ZIP files containing a malicious executable. This sophisticated attack uses social engineering and DLL side-loading for infiltration.

Reference and Credit: ClearSky - November 2024

Iranian “Dream Job” Campaign 11.24

Detected Targets

TypeDescriptionConfidence
SectorDefense
Verified
SectorAerospace
Verified
RegionAlbania
High
RegionIndia
High
RegionIsrael
Verified
RegionTurkey
High
RegionUnited Arab Emirates
Verified
RegionMiddle East Countries
Medium

Extracted IOCs

  • careers2find[.]com
  • xboxapicenter[.]com
  • 1acd34fb6de5c645e03ded9875046979be7893c4
  • 2a29ba7302024ec1255811abec2a532136d12fef
  • 2e7fc6d63ce16075a3fe3584e03be24a9bc220e1
  • 3a0b3426f4a2f85e0c82b2804aab7f5d5bb63fb7
  • aa5fcea406edd406bd6e0a23e83beebe2b3582d1
  • c52beb64f7450fce923d15efaa1e5be4c0e43d2b
  • 185[.]186.244.130
  • 77[.]91.74.171
  • 77[.]91.74.186
  • 89[.]221.225.230
  • 89[.]221.225.231
  • 89[.]221.225.232
  • 89[.]221.225.233
  • 89[.]221.225.234
  • 89[.]221.225.235
  • 89[.]221.225.236
  • 89[.]221.225.237
  • 89[.]221.225.238
  • 89[.]221.225.239
  • 89[.]221.225.240
  • 89[.]221.225.241
  • 89[.]221.225.242
  • 89[.]221.225.243
  • 89[.]221.225.244
  • 89[.]221.225.245
  • 89[.]221.225.246
  • 89[.]221.225.247
  • 89[.]221.225.248
  • 89[.]221.225.249
download

Tip: 31 related IOCs (23 IP, 2 domain, 0 URL, 0 email, 6 file hash) to this threat have been found.

Overlaps

APT35APT35 Targets Aerospace and Semiconductor Sectors Across Multiple Countries

Source: ThreatBook - November 2024

Detection (one case): xboxapicenter[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation
TA455
View TA455's Insights