Charming Kitten Targets Global Sectors with Sponsor Backdoor
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Security Misconfiguration, Vulnerability Exploitation, Backdoor, Malware
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
Charming Kitten, an Iran-nexus threat actor group, used the Sponsor backdoor to target 34 entities across Brazil, Israel, and the UAE. Initial access was gained by exploiting Microsoft Exchange vulnerabilities (CVE-2021-26855). The campaign targeted various sectors, including automotive, communications, engineering, financial services, healthcare, insurance, legal, manufacturing, retail, technology, and telecommunications. The Sponsor backdoor, disguised as an updater program, was deployed through discreetly placed batch files to evade detection. Charming Kitten also deployed tools such as Plink, the Merlin agent, Mimikatz, and Meterpreter reverse shells.
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | Financial | Verified |
Sector | Information Technology | Verified |
Sector | Insurance | Verified |
Sector | Manufacturing | Verified |
Sector | Professional Service | Verified |
Sector | Retail | Verified |
Sector | Healthcare | Verified |
Sector | Telecommunication | Verified |
Region | Brazil | Verified |
Region | Israel | Verified |
Region | United Arab Emirates | Verified |
Exploited Vulnerabilities
Extracted IOCs
Tip: 11 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 11 file hash) to this threat have been found.
FAQs
Understanding the Charming Kitten "Sponsoring Access" Campaign
A known Iranian threat group called Charming Kitten launched a cyber campaign using a backdoor tool called Sponsor to infiltrate organizations in Brazil, Israel, and the UAE. The attackers used known security flaws in Microsoft Exchange servers to gain initial access.
The campaign was carried out by Charming Kitten, also known as APT35 or Phosphorus, a group believed to be connected to the Iranian government. They have a history of targeting a wide range of organizations globally.
The group’s intent appears to be espionage, aiming to steal sensitive data from a variety of sectors including healthcare, finance, legal services, and telecommunications.
The attackers exploited vulnerabilities in Microsoft Exchange servers, then installed the Sponsor backdoor disguised as a legitimate updater. They also used several hacking tools to maintain access, move laterally, and extract data.
The affected organizations may have been selected based on poor security configurations or existing vulnerabilities, rather than being specifically chosen for strategic reasons.
Organizations should patch their systems, especially Microsoft Exchange servers, and strengthen their network monitoring and credential security. It’s also important to stay aware of known attacker tools and tactics.
While the attack was directed at specific entities, the use of common vulnerabilities and opportunistic targeting means that any organization with similar exposures could potentially be at risk.