An Iranian nation-state hacking group known as Charming Kitten has been spotted deploying a C++ variant of a well-known malware called BellaCiao.
The Russian cyber security company Kaspersky announced the new version BellaCPPsaid it discovered the artifact as part of a “recent” investigation into a hacked machine in Asia that was also infected with the BellaCiao malware.
BellaCiao was first documented by Romanian cybersecurity firm Bitdefender in April 2023, describing it as a custom dropper capable of delivering additional payloads. The malware was deployed by a hacker group for cyber attacks targeting the US, the Middle East and India.
It is also one of many families of custom malware A charming kitten the actor has developed over the years. Associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), the Advanced Persistent Threat Group (APT) is also known by the aliases APT35, CALANQUE, Charming Kitten, CharmingCypress, ITG18, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.
While the group has a history of orchestrating creation smart social engineering companies Attacks involving BellaCiao have been found to exploit known security flaws in public applications such as Microsoft Exchange Server or Zoho ManageEngine to gain the trust of entities and distribute malware.
“BellaCiao is a .NET-based malware family that adds a unique feature to intrusion by combining the stealth of a web shell with the ability to establish a hidden tunnel,” Kaspersky researcher Mert Degirmenci said.
The C++ variant of BellaCiao is a DLL called “adhapl.dll” that implements functions similar to those of its ancestor, which contains code to load another unknown DLL (“D3D12_1core.dll”), which is probably used to create SSH – the tunnel.
Unique to BellaCPP, however, is the lack of a web shell used by BellaCiao to download and upload arbitrary files and execute commands.
“From a high-level perspective, it’s a C++ representation of the BellaCiao samples without the web shell functionality,” Degirmenti said, adding that BellaCPP “uses the domains previously assigned to the actor.”
