The prolific Iranian nation-state group known as Charming Kitten is actively targeting multiple victims in the U.S., Europe, the Middle East and India with a novel malware dubbed BellaCiao, adding to its ever-expanding list of custom tools.

Discovered by Bitdefender Labs, BellaCiao is a "personalized dropper" that delivers further malware payloads onto a victim machine based on commands received from an actor-controlled server. Unlike a generic loader, each build is tailored to a single target. "Each sample collected was tied up to a specific victim and included hard-coded information such as company name, specially crafted subdomains, or associated public IP address," the Romanian cybersecurity firm said in a report shared with The Hacker News.

Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (née Phosphorus), TA453, and Yellow Garuda, is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps (IRGC). Over the years, the group has used a variety of means to deploy backdoors in systems belonging to a wide range of industry verticals.

The development comes as Microsoft attributed to the threat actor a series of retaliatory attacks aimed at critical infrastructure entities in the U.S. between late 2021 and mid-2022, using bespoke malware such as CharmPower, Drokbk, and Soldier. Then, earlier this week, Check Point disclosed Mint Sandstorm's use of an updated version of the PowerLess implant to strike organizations located in Israel using Iraq-themed phishing lures.

These attacks underscore the continued threat that Iranian state-sponsored actors pose to critical infrastructure entities and organizations around the world. Organizations should remain vigilant for signs of compromise and take steps to harden their defenses against these and other sophisticated threats.