Anyway, we wanted to tell a bit later, but we had to rush it now, as fellows did publish about the same toolset today (as "TOLLBOOTH"). We're fewer guys but we may still have found a bit more. IOCs & Yaras:

All tools speak CN, operators leveraged a CN RMM service, domains are registered in CN and some infra is at Alibaba Cloud - it's likely way more CN-language and specifics than an actual CN operator would need...

But malicious module is updated, exists in different flavours (C++/.NET/PHP) and compromised hundreds of servers in quite short time. Also, it actually exposes an unauthenticated RCE capability to... well, everyone. Very convenient for infra development - this could be an IAB.

We followed the rabbit 🐇 - or panda, whatever. Driver is a sample of a publicly-available rootkit, operators deploy ready-made toolset, a remote-desktop access, and are noisy 📢 ... We thought financially motivated SEO abuse.

Late summer our stuff stopped an infection chain involving a driver, a previously undocumented malicious IIS module, and ASP .NET viewstate abuse.

Because of simplicity of associated exploitation and tools, several third parties could have hijacked and/or mimicked past or recent BellaCiao/CYCLOPS-related activity and infrastructure... but it starts to quacks quite like a duck 🦆 to me. https://t.co/tnPDgAO1sg

"ea3e059ca58eec16a98691bcae372170d83b97c0_Shell failed[.]txt" contains WebShell filenames which match those dropped by some BellaCiao samples. Several IPs and domains that are listed as "targets" in Episodes 1 and 2 indeed match targets of BellaCiao malware that I know of.

"Episode 2/Malwares and Logs/zsh_history[.]txt" contains commands to connect to IP addresses that we identified as CYCLOPS C2 servers, login we could find in CYCLOPS configurations, and ref. to exploitation tools or techniques that match guessed infection chain

There was no communication 📵 with KittenBusters and we cannot confirm that these documents are genuine, but from a quick look at it 🔎:

Documents 📃 about alleged IRGC 🇮🇷cyber ops are being disclosed since last week (#KittenBusters). 2nd batch of data includes a reference to our work @HarfangLab: "see reports on publicly available tools (such as BellaCiao and CYCLOPS) – these are malware tools used"

As usual, you'll will find IOCs and YARA rules on our blog post and on our GitHub repository https://t.co/gAZqQVk8oQ

We found striking similarities with previously reported activity from UNC1151, sometimes referred to as UAC-0057, FrostyNeighbor or Ghostwriter

These downloaders attempt to retrieve next stage from C2 URLs mimicking existing content and delivering JPEG image files. Some variants use Slack for C2 communication

We @aridjourney @ArielJT at HarfangLab had a look at archives containing weaponized XLS spreadsheets dropping C# and C++ downloaders, likely intended for targets in Ukraine and Poland

I have never heard about the "XDSpy" threat actor 👾 before, but it turns out I tripped over a Windows shortcut in March and... 🤷‍♂️ we had to "take a look". https://t.co/ADS2FvkcDg

I like a vulnerability analysis 🔬 as I like a scotch 🥃: old enough to order its own scotch... Ivanti CVE-2024-8963 vuln analysis + unique report of malicious activities after exploitation:

Everyone be looking for #CharmingKitten these days. Here, previously undocumented #Cyclops Golang implant, likely replacement for #BellaCiao. With @JusticeRage @ArielJT

Did our bit on #Doppelgänger: standalone paper w/ new infra, ongoing activity inc. Paris #Olympics, tech details, content analysis, links to grey SEO... BTW we're a 3-people show @ArielJT @JusticeRage

Turns out it is now explicitly detected as #FrostyGoop by some vendors, so might actually be it https://t.co/ay1gBLDAN6

Not sure it's any of them though. They all contain the "/CleintTCP" typo string, which does not appear to belong to the modbus library repository, and that I could only find in 7 Golang binaries. 4/4