BellaCiao Showcases How Irans Threat Groups Are Modernizing Their Malware

The dropper is being used in a Charming Kitten APT campaign that has hit organizations in multiple countries.

A new malware strain that has been landing on systems belonging to organizations in the US, Europe, Turkey, and India has provided another indication of how Irans state-backed cyber-threat groups have been systematically modernizing their arsenals in recent years.
The malware, dubbed BellaCiao, is a dropper that Irans Charming Kitten advanced persistent threat (APT) group has been using in a highly targeted manner in recent months to gain and maintain unobtrusive initial access on target systems.
Zugec says the manner in which BellaCiao interacts with the C2 server and receives command from it is also unique. The communication between implant and C2 infrastructure is based on DNS name resolution, he explains. There is no active communication that is detectable between the implant and the malicious C2 infrastructure. [Infected hosts] asks Internet servers for a DNS name resolution, and based on the format of returned IP address, decides which action to take. The format of each segment of IP address — or octet — specifies further instructions to the malware such as location where to drop stolen information, Zugec says.
Zugec likens the manner in which BellaCio uses DNS information to retrieve C2 instruction to how someone might convey specific information to another person via a phone number. When an individual looks up a specific name in the phone book, the associated telephone number could be code for something else. In this analogy, country code can tell you the action to execute, area code tells you the malware to deploy, and phone number specifies the location where to deploy it. There is never any direct contact between C2 and the agent/implant. The approach makes it hard for defenders to spot the activity. Our hypothesis is that the aim of BellaCiao is to evade detection during the period between the initial infiltration and the actual commencement of the attack, Zugec says.
DNS-based attacks themselves are not completely new, Zugec says, pointing to techniques like DNS tunneling and the use of domain generation algorithms in attacks. But the techniques involve active use of DNS, which makes it possible for a defender to detect malicious intent. With BellaCiao, the usage is completely passive, he says.
Charming Kitten (aka APT35 and Phosphorous), is a state-backed Iranian cyber threat group that has been operational since at least 2014. The threat actor has been associated with numerous sophisticated spear-phishing attacks against targets that have included government agencies, journalists, think tanks, and academic institutions. One of its primary missions has been to collect information on people and entities of interest to the Iranian government. Security researchers have also associated Charming Kitten with
credential harvesting
and malware distribution campaigns. Last year, Proofpoint identified the group as even using
phishing lures in kinetic attacks
— such as attempted kidnapping.
Charming Kitten is among several threat groups that have been upgrading tactics and their cyber arsenals in support of Iranian government objectives since mid-2021 after Ebrahim Raisi replaced the more moderate Hassan Rouhani as the president of Iran. After a transition of power in 2021, the [Islamic Revolutionary Guards Corps] and associated APT groups adopted a more aggressive and confrontational approach and demonstrated a willingness to use force to achieve its objectives, Bitdefender said in its report this week.
One manifestation of the new approach is the increasingly quick weaponization of newly disclosed exploits and proof of concept code, by Iranian state-sponsored actors and financially motivated threat groups. It is premature to discuss the motivations of Iranian state-sponsored groups following the power transition in 2021, Zugec says. [But] these groups are enhancing their attack strategies and refining their tactics, techniques, and procedures.
Ransomware attacks continues to be common method among Iranian groups for monetary gain and for causing disruptions. But Bitdefender has also observed a pattern of sustained involvement by Iranian groups in some campaigns, suggesting long-term objectives. It is quite possible that these threat actors are employing a trial-and-error approach to test various techniques, Zugec notes, in order to determine the most effective modus operandi for their operations.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
BellaCiao Showcases How Irans Threat Groups Are Modernizing Their Malware