Iran’s Charming Kitten Adopts New BellaCPP Malware Variant

Iran’s hacking group Charming Kitten is deploying a new malware variant called BellaCPP. This variant is a C++ adaptation of the previously documented BellaCiao malware.

A recent investigation uncovered BellaCPP on a compromised machine in Asia. Researchers noted that BellaCiao, first identified in April 2023, is a custom dropper used to deliver malicious payloads. This malware has been linked to cyberattacks targeting regions such as the United States, the Middle East, and India.

The hacking group, affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), is notorious for developing custom malware families. Known by names such as APT35, Mint Sandstorm, and Yellow Garuda, they often use sophisticated social engineering tactics. For example, earlier BellaCiao campaigns exploited vulnerabilities in platforms like Microsoft Exchange Server and Zoho ManageEngine.

BellaCiao is a .NET-based malware capable of establishing covert tunnels and maintaining persistence. BellaCPP, the new C++ variant, shares similar functionality but lacks a web shell. Instead, it introduces a DLL file named “adhapl.dll,” which loads another DLL that is likely designed to create SSH tunnels. Researchers highlighted that BellaCPP uses domains previously attributed to Charming Kitten, reinforcing its connection to the group.
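The one host-level artefact the article names is the “adhapl.dll” file and the fact that it loads a second DLL. The following detection example is added here; it is not code from the article or from the researchers it cites. It scans Sysmon-style image-load records (Event ID 7) for the named DLL and then flags any later DLL the same process loads from the same directory, which is how a chained second stage would typically show up. The sample events are constructed, the second-stage DLL name and all paths are placeholders, and the “same directory” correlation rule is an assumed heuristic rather than something the article states.

```python
"""Detection example: flag loads of adhapl.dll and any DLL the same process
subsequently loads from the same directory, over Sysmon-style Event ID 7
(ImageLoaded) records."""
from typing import Dict, List

# Indicator taken from the article: the DLL name BellaCPP introduces.
KNOWN_LOADER_DLL = "adhapl.dll"

# Constructed sample records (not real telemetry). The second-stage DLL name
# and every path here are placeholders; the article does not name them.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"pid": 5732, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\ProgramData\adhapl.dll"},
    {"pid": 5732, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\ProgramData\PLACEHOLDER_second_stage.dll"},
    {"pid": 5732, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\ws2_32.dll"},
    {"pid": 6001, "image": r"C:\Program Files\Example\app.exe",
     "loaded": r"C:\Program Files\Example\helper.dll"},
]


def _split_path(path: str):
    """Return (directory, filename) for a Windows path, both lower-cased."""
    norm = path.replace("/", "\\").lower()
    head, _, tail = norm.rpartition("\\")
    return head, tail


def find_loader_chain(events: List[Dict]) -> List[Dict]:
    """Walk image-load events in order and return findings.

    A finding is raised for (a) any load whose filename matches the known
    indicator and (b) any later DLL loaded by that same process from the
    directory the indicator DLL came from (assumed heuristic for the chained
    second stage). Loads from other directories, such as normal system DLLs,
    are not flagged by rule (b).
    """
    findings: List[Dict] = []
    tainted: Dict[int, str] = {}  # pid -> directory adhapl.dll was loaded from
    for ev in events:
        directory, name = _split_path(ev["loaded"])
        if name == KNOWN_LOADER_DLL:
            findings.append({"pid": ev["pid"], "image": ev["image"],
                             "path": ev["loaded"], "reason": "known_dll_name"})
            tainted[ev["pid"]] = directory
        elif ev["pid"] in tainted and directory == tainted[ev["pid"]]:
            findings.append({"pid": ev["pid"], "image": ev["image"],
                             "path": ev["loaded"],
                             "reason": "dll_loaded_from_loader_dir"})
    return findings


if __name__ == "__main__":
    for f in find_loader_chain(SAMPLE_EVENTS):
        print(f"[{f['reason']}] pid={f['pid']} {f['image']} -> {f['path']}")
```

On the constructed sample this reports two findings for pid 5732: the adhapl.dll load itself and the placeholder second-stage DLL loaded from the same directory; the kernel32.dll and ws2_32.dll loads are left alone because they come from a different directory. In production the filename match belongs in an EDR or SIEM rule, while the same-directory correlation is what catches the follow-on DLL even if its name changes.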

While the functionality of BellaCPP aligns closely with its predecessor, its streamlined design and absence of a web shell make it distinct. This adaptation reflects the group’s ongoing efforts to refine its tools while maintaining operational effectiveness.

Preventing Such Attacks

To protect against such malware, organizations should prioritize patching vulnerabilities in widely used applications, such as the Exchange Server and ManageEngine flaws exploited in earlier BellaCiao campaigns. Conduct regular security audits to detect suspicious activity. Employees must be trained to recognize social engineering tactics. Organizations that adopt such proactive cybersecurity measures can significantly reduce the risk of malware infections.