Threats Feed | Charming Kitten | Last Updated: 25/04/2025 | Author: Certfa Radar | Publish Date: 18/09/2023

Charming Kitten Targets Global Sectors with Sponsor Backdoor

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Security Misconfiguration, Vulnerability Exploitation, Backdoor, Malware
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

Charming Kitten, an Iran-nexus threat actor group, used the Sponsor backdoor to target 34 entities across Brazil, Israel, and the UAE. Initial access was gained by exploiting Microsoft Exchange vulnerabilities (CVE-2021-26855). The campaign targeted various sectors, including automotive, communications, engineering, financial services, healthcare, insurance, legal, manufacturing, retail, technology, and telecommunications. The Sponsor backdoor, disguised as an updater program, used discreetly deployed batch files to evade detection. Charming Kitten also deployed tools such as Plink, the Merlin agent, Mimikatz, and Meterpreter reverse shells.

Detected Targets

Type   | Description            | Confidence
Sector | Financial              | Verified
Sector | Information Technology | Verified
Sector | Insurance              | Verified
Sector | Manufacturing          | Verified
Sector | Professional Service   | Verified
Sector | Retail                 | Verified
Sector | Healthcare             | Verified
Sector | Telecommunication      | Verified
Region | Brazil                 | Verified
Region | Israel                 | Verified
Region | United Arab Emirates   | Verified

Exploited Vulnerabilities

Extracted IOCs


Tip: 11 IOCs related to this threat have been found (0 IP, 0 domain, 0 URL, 0 email, 11 file hash).

FAQs

Understanding the Charming Kitten "Sponsoring Access" Campaign

A known Iranian threat group called Charming Kitten launched a cyber campaign using a backdoor tool called Sponsor to infiltrate organizations in Brazil, Israel, and the UAE. The attackers exploited known security flaws in Microsoft Exchange servers to gain initial access.

The campaign was carried out by Charming Kitten, also known as APT35 or Phosphorus, a group believed to be connected to the Iranian government. They have a history of targeting a wide range of organizations globally.

The group’s intent appears to be espionage, aiming to steal sensitive data from a variety of sectors including healthcare, finance, legal services, and telecommunications.

The attackers exploited vulnerabilities in Microsoft Exchange servers, then installed the Sponsor backdoor disguised as a legitimate updater. They also used several post-exploitation tools to maintain access, move laterally, and extract data.

The affected organizations may have been selected based on poor security configurations or existing vulnerabilities, rather than being specifically chosen for strategic reasons.

Organizations should patch their systems, especially Microsoft Exchange servers, and strengthen their network monitoring and credential security. It’s also important to stay aware of known attacker tools and tactics.

While the attack was directed at specific entities, the use of common vulnerabilities and opportunistic targeting means that any organization with similar exposures could potentially be at risk.