Iranian Hackers Evolve: New C++ Variant of BellaCiao Malware Discovered


A new variant of malware linked to Iranian state-sponsored hackers has been discovered by cybersecurity researchers, marking an evolution in the group's digital arsenal.

Kaspersky, a Russian cybersecurity firm, recently identified a C++ version of the BellaCiao malware, dubbed BellaCPP, during an investigation of a compromised system in Asia. The discovery reveals how the Iranian hacking group known as Charming Kitten continues to refine its cyber weapons.

The original BellaCiao malware, first detected by Bitdefender in April 2023, has been used in attacks targeting organizations across the United States, Middle East, and India. This malware serves as a custom dropper, designed to deliver additional malicious payloads to infected systems.

The newly discovered BellaCPP variant appears as a DLL file named "adhapl.dll" and maintains many core functions of its predecessor. However, unlike the original version, it lacks the web shell capability that allowed attackers to upload, download, and execute files on compromised systems.

Charming Kitten, also tracked under various names including APT35 and Mint Sandstorm, operates as part of Iran's Islamic Revolutionary Guard Corps (IRGC). The group has gained notoriety for its sophisticated social engineering campaigns and exploitation of vulnerabilities in popular business applications like Microsoft Exchange Server and Zoho ManageEngine.

According to Kaspersky researcher Mert Degirmenci, BellaCPP represents a streamlined version of the original malware, maintaining its core functionality while using domains previously connected to the Iranian threat actor.

The emergence of BellaCPP demonstrates the ongoing evolution of state-sponsored cyber threats and underlines how advanced persistent threat (APT) groups keep developing new tools for their operations.