
Iranian Cyberspy Group Launching Ransomware Attacks Against US

Over the past several months, Iran-linked cyberespionage group Charming Kitten has been engaging in financially-motivated activities, the Secureworks Counter Threat Unit (CTU) reports.

Also referred to as APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453, the advanced persistent threat (APT) actor is known for the targeting of activists, government organizations, journalists, and various other entities.

In November 2021, a joint advisory from government agencies in the US, UK, and Australia warned of Iranian state-sponsored attacks targeting critical infrastructure and other organizations through the exploitation of Fortinet FortiOS vulnerabilities and a Microsoft Exchange ProxyShell bug.

In a report in December 2021, Microsoft noted that Charming Kitten was showing high interest in acquiring exploits targeting the Log4j vulnerability, to modify and use them in new attacks. In January 2022, the APT was observed using a new PowerShell backdoor.

Secureworks, which tracks the cyberespionage group as Cobalt Mirage, reported today that the group appears to have turned to financially-motivated attacks, including the deployment of ransomware.

The researchers note that, in January 2022, the threat actor leveraged previously obtained access to infiltrate the network of a philanthropic organization in the US, where they deployed a web shell that was later used to drop additional files.

Named Dllhost.exe, one of these files is a Go binary that appears to be in part based on the Fast Reverse Proxy (FRP) code available on GitHub. When executed on a compromised Exchange server, dllhost.exe collects system information and sets up a communication tunnel with the command and control (C&C) server.

Next, the attackers conducted a Local Security Authority Server Service (LSASS) dump to hunt for user credentials. Three days later, they used Remote Desktop Protocol (RDP) to log onto the Exchange server, likely a hands-on-keyboard operation.

After enumerating the environment, the threat actor moved laterally and then “encrypted three user workstations with BitLocker, rendering them inaccessible to the compromised organization’s staff,” Secureworks says.

The attackers then sent a ransom note to a local printer, instructing the victim to make contact over email or Telegram to receive information on decryption and recovery.
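As an added illustration that is not part of the Secureworks report or this article, the following Python sketch runs simple detections for the chain described above (a dllhost.exe executing outside the Windows system directories, LSASS access by an unexpected process, an RDP logon to the Exchange server, BitLocker being enabled from the command line) over constructed endpoint events, and escalates hosts where several rules fire together; hostnames, paths, field names and the allowlist are assumptions.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry (not from the report); the field names
# are an assumption, not a particular EDR or Sysmon schema.
EVENTS = [
    {"host": "EXCH01", "type": "process_create", "image": "C:\\ProgramData\\Dllhost.exe", "cmdline": "Dllhost.exe"},
    {"host": "EXCH01", "type": "process_create", "image": "C:\\Windows\\System32\\dllhost.exe", "cmdline": "dllhost.exe /Processid:{placeholder}"},
    {"host": "EXCH01", "type": "process_access", "source": "C:\\ProgramData\\tool.exe", "target": "C:\\Windows\\System32\\lsass.exe"},
    {"host": "EXCH01", "type": "process_access", "source": "C:\\Windows\\System32\\csrss.exe", "target": "C:\\Windows\\System32\\lsass.exe"},
    {"host": "EXCH01", "type": "logon", "logon_type": 10, "account": "CORP\\admin01"},
    {"host": "WKS-07", "type": "process_create", "image": "C:\\Windows\\System32\\manage-bde.exe", "cmdline": "manage-bde -on C: -RecoveryPassword"},
    {"host": "WKS-08", "type": "logon", "logon_type": 2, "account": "CORP\\jdoe"},
]

# Legitimate dllhost.exe lives in the system directories; anything else is masquerading.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Constructed allowlist of processes expected to touch LSASS; tune per environment.
LSASS_ALLOWLIST = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"}
# Servers where an interactive RDP session (logon type 10) is unexpected.
SERVER_HOSTS = {"EXCH01"}

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def detect(events):
    """Return (rule, host, detail) tuples for every event matching a rule."""
    findings = []
    for e in events:
        if e["type"] == "process_create":
            image = e["image"].lower()
            if basename(image) == "dllhost.exe" and not image.startswith(SYSTEM_DIRS):
                findings.append(("masquerading_dllhost", e["host"], e["image"]))
            # manage-bde -on turns BitLocker on for a volume; unusual on user workstations.
            if basename(image) == "manage-bde.exe" and "-on" in e["cmdline"].lower().split():
                findings.append(("bitlocker_enable", e["host"], e["cmdline"]))
        elif e["type"] == "process_access":
            if basename(e["target"]) == "lsass.exe" and e["source"].lower() not in LSASS_ALLOWLIST:
                findings.append(("lsass_access", e["host"], e["source"]))
        elif e["type"] == "logon":
            if e["logon_type"] == 10 and e["host"] in SERVER_HOSTS:
                findings.append(("rdp_to_server", e["host"], e["account"]))
    return findings

def escalate(findings, min_rules=2):
    """Hosts where at least min_rules distinct rules fired, i.e. a likely hands-on intrusion chain."""
    by_host = defaultdict(set)
    for rule, host, _ in findings:
        by_host[host].add(rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}

if __name__ == "__main__":
    hits = detect(EVENTS)
    for hit in hits:
        print(hit)
    print("escalate:", escalate(hits))
```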

“This approach suggests a small operation that relies on manual processes to map victims to the encryption keys used to lock their data. As of this publication, CTU researchers are not aware of a Cobalt Mirage leak site. The victimology of the Cobalt Mirage attacks suggests that these threat actors are focused on financial gain,” Secureworks says.

In March 2022, the same threat actor was observed compromising the network of a local US government, but no ransomware was deployed. Instead, the group focused on harvesting data and exfiltrating it using free online services.

“After the March 2022 intrusion was detected and disrupted, no additional malicious activity was observed. CTU researchers have not directly observed ransomware attacks linked to [the activity], but there is evidence that those threat actors may be experimenting with ransomware,” Secureworks notes.

The security researchers assess that, while the group has managed to compromise a large number of targets worldwide, “their ability to capitalize on that access for financial gain or intelligence collection appears limited.” However, the use of publicly available tools for ransomware operations shows that the group remains an ongoing threat, Secureworks concludes.

Written by Ionut Arghire, international correspondent for SecurityWeek.