The Iranian nation-state hacking group known as Charming Kitten has been observed deploying a C++ variant of a known malware called BellaCiao.
Russian cybersecurity company Kaspersky, which dubbed the new version BellaCPP, said it discovered the artifact as part of a “recent” investigation into a compromised machine in Asia that was also infected with the BellaCiao malware.
BellaCiao was first documented by Romanian cybersecurity firm Bitdefender in April 2023, describing it as a custom dropper capable of delivering additional payloads. The malware has been deployed by the hacking group in cyber attacks targeting the United States, the Middle East, and India.
It’s also one of the many bespoke malware families the Charming Kitten actor has developed over the years. Affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), the advanced persistent threat (APT) group is also known by the monikers APT35, CALANQUE, Charming Kitten, CharmingCypress, ITG18, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.
While the group has a history of orchestrating creating clever social-engineering campaigns to gain targets’ confidence and deliver malware, attacks involving BellaCiao have been found to weaponize known security flaws in publicly accessible applications like Microsoft Exchange Server or Zoho ManageEngine.
“BellaCiao is a .NET-based malware family that adds a unique twist to an intrusion, combining the stealthy persistence of a web shell with the power to establish covert tunnel,” Kaspersky researcher Mert Degirmenci said.
The C++ variant of BellaCiao is a DLL file named “adhapl.dll” that implements the similar features as that of its ancestor, containing code to load another unknown DLL (“D3D12_1core.dll”) that’s likely used to create an SSH tunnel.
Unique to BellaCPP, however, is the lack of a web shell that’s used in BellaCiao to upload and download arbitrary files as well as run commands.
“From a high-level perspective, this is a C++ representation of the BellaCiao samples without the web shell functionality,” Degirmenci said, adding BellaCPP “uses domains previously attributed to the actor.”
