Iranian Hackers Unleash Deadly New BellaCPP Malware in Global Cyber Assault

Iranian Hacking Group Deploys New BellaCiao Malware Variant

Kaspersky, the Russian cybersecurity firm, has identified a new C++ variant of the BellaCiao malware, dubbed BellaCPP, deployed by the Iranian state-sponsored hacking group Charming Kitten. The discovery was made during an investigation of a compromised system in Asia.

Originally documented by Bitdefender in April 2023, BellaCiao functions as a custom dropper for delivering additional malicious payloads. The malware has been actively used in cyber attacks targeting organizations in the United States, Middle East, and India.

Charming Kitten, also known by various names including APT35, CALANQUE, and Mint Sandstorm, operates under Iran's Islamic Revolutionary Guard Corps (IRGC). The group has gained initial access by exploiting known vulnerabilities in public-facing applications such as Microsoft Exchange Server and Zoho ManageEngine, then deploying BellaCiao on the compromised hosts.

The new BellaCPP variant is a DLL named "adhapl.dll". It retains the core functionality of its predecessor but notably lacks the web shell component present in the original BellaCiao. Instead, it is designed to load an additional DLL, "D3D12_1core.dll" (a name chosen to resemble a legitimate DirectX 12 system library), which is responsible for creating SSH tunnels, demonstrating the group's evolving tactical approach.

According to Kaspersky researcher Mert Degirmenci, BellaCPP represents a streamlined C++ implementation of BellaCiao’s capabilities, utilizing domains previously linked to the threat actor’s operations.
