A cyberespionage group believed to be linked to the Iranian government has been using a new malware implant called BellaCiao to infect Microsoft Exchange servers. BellaCiao acts as a dropper for additional payloads and communicates with its operators through DNS: the implant issues DNS queries, and the IP addresses returned in the responses encode the commands it should execute. The group, known as Charming Kitten, APT35, or Phosphorus, is believed to be operated by the Islamic Revolutionary Guard Corps (IRGC) and is known for tailoring its attacks to each victim. Each malware binary contains hardcoded, victim-specific details such as the company name, custom subdomains, and IP addresses, and the attackers organize their victims into folders by country code. Charming Kitten has been targeting US critical infrastructure, including seaports, energy companies, transit systems, and a major utility and gas entity, since late 2021.
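To make the DNS channel described above concrete, the following added example (written for this article, not code from BellaCiao, Bitdefender, or any vendor report) models a generic "command in the resolved address" scheme and the detection heuristic a defender could run against resolver logs. The command table, the victim-style hostname, the log format and every address in it are constructed for illustration and are not the implant's real encoding; the scheme is simply the general pattern of comparing a returned A record against a baseline address.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical command table (constructed for this example, not BellaCiao's):
# the implant resolves its beacon name, subtracts a baseline address it was
# built with, and uses the low octet of the difference to pick an action.
COMMANDS = {0: "idle", 1: "drop-payload", 2: "remove-payload", 3: "sleep"}


def decode_command(resolved_ip: str, baseline_ip: str) -> str:
    """Map the low octet of (resolved - baseline) onto a command name.

    Anything that is negative or spills past the last octet is not a valid
    encoding under this scheme and is reported as "unknown".
    """
    delta = int(ipaddress.IPv4Address(resolved_ip)) - int(ipaddress.IPv4Address(baseline_ip))
    if delta < 0 or (delta >> 8):
        return "unknown"
    return COMMANDS.get(delta & 0xFF, "unknown")


# Constructed resolver log: "<timestamp> <client> <qname> A <answer>".
# 10.0.0.5 keeps asking for a victim-specific subdomain whose answer walks
# through adjacent addresses; 10.0.0.7 resolves an ordinary site that is stable.
SAMPLE_LOG = """\
2023-04-20T10:00:01Z 10.0.0.5 a1f3.victimco.example.net A 203.0.113.10
2023-04-20T10:00:07Z 10.0.0.7 www.example.org A 198.51.100.5
2023-04-20T10:05:01Z 10.0.0.5 a1f3.victimco.example.net A 203.0.113.11
2023-04-20T10:05:07Z 10.0.0.7 www.example.org A 198.51.100.5
2023-04-20T10:10:01Z 10.0.0.5 a1f3.victimco.example.net A 203.0.113.12
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+)$")


def parse_log(text: str):
    """Yield (timestamp, client, qname, answer) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def suspicious_beacons(text: str, min_distinct: int = 3) -> dict:
    """Flag (client, qname) pairs whose A record keeps changing inside one /24.

    Round-robin and CDN names also rotate answers, but usually across
    unrelated ranges; a single host repeatedly receiving neighbouring
    addresses for one deep, host-specific name is the pattern worth a look.
    Returns {(client, qname): [answers in first-seen order]}.
    """
    answers = defaultdict(list)
    for _ts, client, qname, answer in parse_log(text):
        key = (client, qname)
        if answer not in answers[key]:
            answers[key].append(answer)
    flagged = {}
    for key, seen in answers.items():
        nets = {ipaddress.ip_network(f"{a}/24", strict=False) for a in seen}
        if len(seen) >= min_distinct and len(nets) == 1:
            flagged[key] = seen
    return flagged


def decode_sequence(answers: list) -> list:
    """Interpret a flagged answer sequence, treating the first answer as baseline."""
    return [decode_command(a, answers[0]) for a in answers]


if __name__ == "__main__":
    for (client, qname), seen in suspicious_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {qname}: {seen} => {decode_sequence(seen)}")
```

The detection half is a heuristic, not a signature: tune `min_distinct` and add an allow-list for names you know rotate legitimately before running it over production resolver logs.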