BellaCiao, an allusion to an old Italian resistance song, is the newest malware out of Charming Kitten/APT35, an Iranian state-backed advanced persistent threat. According to The Hacker News, “BellaCiao is a personalized dropper that’s capable of delivering other malware payloads onto a victim’s machine based on commands received from an actor-controlled server.” This malware already has reported victims in the United States, Europe, Turkey, and India.
Actor: Charming Kitten (Mint Sandstorm, PHOSPHOROUS, and APT35)
Charming Kitten, also known as Mint Sandstorm, PHOSPHOROUS, and APT35, is an Iranian state-backed hacking group. Charming Kitten is responsible for several cyberattacks that have hit the United States and other countries. They have previously targeted a wide variety of victims internationally, including political dissidents, critical infrastructure, government employees, activists, and journalists. In particular, Charming Kitten actively targets critical infrastructure in the United States and in the Middle East. According to the Microsoft Threat Intelligence team, the group “is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran’s national priorities.” Unlike other malevolent groups in play at the moment, this group seems to have fairly distinct ties back to the Islamic Revolutionary Guard Corps (IRGC).