social.tchncs.de is one of the many independent Mastodon servers you can use to participate in the fediverse.
A friendly server from Germany – which tends to attract techy people, but welcomes everybody. This is one of the oldest Mastodon instances.


#charmingkitten


New APT insight from Proofpoint ⬇️

This week, our team observed IRGC/Iranian-aligned threat group #TA453 continue their phishing efforts despite the recent unsealing of indictments and sanctions by the U.S. government.

Specifically, Proofpoint observed TA453 masquerade as the Centre for Feminist Foreign Policy (CFFP) to target individuals associated with U.S. based universities, media companies, and politically adjacent social benefit organizations.

Today #CISA and the @FBI released a resource guide titled, “How to Protect Against Iranian Targeting of Accounts Associated with National Political Organizations.” It sets a good baseline on ways to protect against a variety of threat actors, including TA453. cisa.gov/resources-tools/resou

TA453 overlaps with reporting on #CharmingKitten, #MintSandstorm, #CharmingCypress and #APT42.

See our recent blog post to learn more about TA453’s malware evolution. ow.ly/OrXE50THoKZ

The Iran-aligned threat actor who compromised the Trump campaign's email systems is known in the cybersecurity research community as #TA453, #APT42, or #CharmingKitten.

"The group's appearance in the U.S. election is noteworthy, sources told @Reuters, because of their invasive #espionage approach against high-value targets in Washington and Israel."

Read the article for insights from Joshua Miller of Proofpoint and other experts: reuters.com/world/trump-campai

Our team just released a report on #CharmingKitten/#APT35: harfanglab.io/insidethelab/cyc

We discovered a new malware family called Cyclops, written in Go. It launches a local web server which exposes a REST API used to control the malware. The port is forwarded to the C2 via SSH.

We believe Cyclops was developed as a replacement for the (burnt) BellaCiao implant.
There seem to be very few samples in existence and we'd be curious to know if anyone else can find some. Suspected area of activity is the Middle-East since December 2023.

Reverse-engineering was a challenge due to the malware expecting marshalled objects from the network. How do you figure out their expected structure with Golang when there's no constructor? If there's any interest, I may write a separate blog post or thread on the subject.

IOCs and more in the full post. Enjoy!

HarfangLab EDR | Blocking cyberattacks · Cyclops: a likely replacement for BellaCiao
Identifier: TRR240801. Summary: This report introduces Cyclops, a newly discovered and previously undocumented malware platform written in Go which dates back to December 2023, and that we believe has been deployed against targets in the Middle-East in 2024. Cyclops allows operators to execute arbitrary commands on the target’s file system, as well as pivot inside […]

Happy Thursday everyone!

The Volexity team share their findings from a recent incident that involved the APT known as #CharmingKitten (aka #CharmingCypress) and what lengths this group went to make their attack look as convincing as possible. The Volexity team also shared technical details about the malware that was used, specific commands seen, and TTPs used. Enjoy and Happy Hunting!

CharmingCypress: Innovating Persistence
volexity.com/blog/2024/02/13/c

As always, I don't want to leave you empty handed! So take this Community Hunt Package from Cyborg Security to help you identify discovery behavior from adversaries!

Excessive Windows Discovery and Execution Processes - Potential Malware Installation
volexity.com/blog/2024/02/13/c

Volexity · CharmingCypress: Innovating Persistence
Through its managed security services offerings, Volexity routinely identifies spear-phishing campaigns targeting its customers. One persistent threat actor, whose campaigns Volexity frequently observes, is the Iranian-origin threat actor CharmingCypress (aka Charming Kitten, APT42, TA453). Volexity assesses that CharmingCypress is tasked with collecting political intelligence against foreign targets, particularly focusing on think tanks, NGOs, and journalists.

"🌪️ Mint Sandstorm: Sophisticated Phishing Campaign Unleashed by APT35 🚨"

Microsoft's security blog reveals an intricate phishing campaign, "Mint Sandstorm," by the subgroup PHOSPHORUS (also known as APT35 and Charming Kitten), linked to Iran's Islamic Revolutionary Guard Corps. This campaign targets individuals in universities and research organizations involved in Middle Eastern affairs across various countries. Unique tactics include bespoke phishing lures, using compromised legitimate email accounts, and deploying custom backdoors like MediaPl and MischiefTut. These tools allow for encrypted communications, reconnaissance, and persistence in target environments. Microsoft suggests using Attack Simulator in Defender for Office 365, enabling SmartScreen on browsers, and activating cloud-delivered protection to mitigate risks.

Microsoft's security blog

Tags: #CyberSecurity #Phishing #APT35 #CharmingKitten #MintSandstorm #MicrosoftSecurity #InfoSec #ThreatIntelligence

Mitre - APT35

Microsoft Security Blog · New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs
Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, the threat actor used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files.

According to the findings of the Federal Office for (), concrete attempts by the -group to spy on Iranian persons and organizations in Germany are to be assumed since the end of 2022.

In particular, in its "Cyber-Brief Nr. 01/2023" of 10 August 23, the BfV warns of -attacks against -organizations and individuals, such as lawyers, journalists or , inside and outside of .

verfassungsschutz.de/SharedDoc

Bundesamt für Verfassungsschutz

Good day everyone! I hope everyone is enjoying their Wednesday!

In a recent report by Bitdefender Labs, they took a deep-dive into the threat group #CharmingKitten and their latest malware, #BellaCiao. It is a great read, but some main behaviors that I pulled from the report included:

#DefenseEvasion:
T1562.001 - Impair Defenses: Disable or Modify Tools
Charming Kitten used PowerShell to disable real-time monitoring on the machine to avoid detection.

#Persistence:
T1053.005 - Scheduled Task/Job: Scheduled Task
They also created scheduled tasks to run on start and used the technique of masquerading their process names to blend in.

#Execution:
The Bitdefender team provided the locations that the executables were written to.

You should go and check out this #readoftheday; it contains great technical details that you can use to improve your threat hunting skills.
Enjoy and Happy Hunting!
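As an added illustration (written for this page, not taken from the post or the Bitdefender report) of how the two behaviours listed above can be hunted for in process-creation telemetry, the Python below triages constructed event records for T1562.001 (PowerShell turning off Defender real-time monitoring), T1053.005 (a scheduled task created to run at start whose action points outside trusted program directories) and the masquerading of a system binary name (MITRE T1036.005). All paths, task names and log records are constructed placeholders; the only real identifiers are the Defender `Set-MpPreference -DisableRealtimeMonitoring` parameter, the `schtasks` switches and the technique IDs.

```python
"""Hypothetical detections for the BellaCiao behaviours named in the post.
Event records are constructed for this example; they are not report IOCs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (fields modelled on Sysmon EID 1 / Security 4688)."""
    image: str          # full path of the started executable
    command_line: str   # command line as logged


# Constructed sample telemetry. Paths and task names are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /SC ONSTART /TN "Windows Update Helper" '
                 r'/TR "C:\ProgramData\Microsoft\svchost.exe" /RU SYSTEM'),
    ProcessEvent(r"C:\ProgramData\Microsoft\svchost.exe",
                 r"C:\ProgramData\Microsoft\svchost.exe -k netsvcs"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -Command "Get-MpPreference"'),
]

# Directories from which well-known Windows binaries are expected to run.
_TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")

# Names an implant might borrow to blend in (explorer.exe omitted: it lives in C:\Windows).
_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                 "winlogon.exe", "smss.exe", "dllhost.exe"}

# Set-MpPreference with DisableRealtimeMonitoring set to $true / 1 (":" and "$" optional).
# Not handled here: -EncodedCommand payloads and abbreviated parameter names.
_DISABLE_RTM = re.compile(
    r"set-mppreference\b.*?-disablerealtimemonitoring\s*(?::\s*)?\$?(true|1)\b", re.I)
_TASK_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
_TASK_TRIGGER = re.compile(r"/sc\s+(onstart|onlogon)\b", re.I)
_TASK_ACTION = re.compile(r'/tr\s+("[^"]+"|\S+)', re.I)


def _is_trusted_path(path: str) -> bool:
    """True when the (possibly quoted) path sits under a trusted program directory."""
    return path.strip('"').lower().startswith(_TRUSTED_DIRS)


def detect_impair_defenses(ev: ProcessEvent) -> bool:
    """T1562.001: PowerShell disabling Defender real-time monitoring."""
    return bool(_DISABLE_RTM.search(ev.command_line))


def detect_startup_task(ev: ProcessEvent) -> bool:
    """T1053.005: schtasks creating a start/logon task whose action is outside trusted dirs."""
    cl = ev.command_line
    if not _TASK_CREATE.search(cl) or not _TASK_TRIGGER.search(cl):
        return False
    action = _TASK_ACTION.search(cl)
    return action is not None and not _is_trusted_path(action.group(1))


def detect_masquerade(ev: ProcessEvent) -> bool:
    """T1036.005: a well-known system binary name running from an untrusted location."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    return name in _SYSTEM_NAMES and not _is_trusted_path(ev.image)


def triage(events):
    """Return (event index, technique id, reason) for every event that trips a detection."""
    hits = []
    for i, ev in enumerate(events):
        if detect_impair_defenses(ev):
            hits.append((i, "T1562.001", "Defender real-time monitoring disabled via PowerShell"))
        if detect_startup_task(ev):
            hits.append((i, "T1053.005", "startup scheduled task pointing at an untrusted path"))
        if detect_masquerade(ev):
            hits.append((i, "T1036.005", "system binary name running from an untrusted path"))
    return hits


if __name__ == "__main__":
    for idx, tid, why in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {tid} - {why}")
```

Run against the constructed records, events 0, 1 and 2 are flagged and the two benign events (the genuine `svchost.exe` in System32 and the read-only `Get-MpPreference`) are not. The checks are deliberately narrow; in a real hunt you would widen the trusted-path logic to your own software inventory and feed the script from exported Sysmon or 4688 events rather than the inline list.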

#introduction
I’m Josh/Yoshi.
I work as a Senior Threat Researcher hunting for state aligned cyber threat actors (aka APTs).
I focus on threats suspected of originating in the Middle East & North Africa Region, primarily Iranian aligned threats like #TA453 (#CharmingKitten), #TA450 (#Muddywater), and #TA456 (#Tortoiseshell).

Before this, I did #threatIntel work in healthcare. Before that, I worked for the #FBI.

I live in Chicago(land) with 3 kids, 2 dogs and my beautiful wife.

I’m a huge fan of #StarWars and the #LAChargers

This seems like a pretty cool place, excited to see how it grows.