Episode 3 disclosures reveal APT35/Charming Kitten’s full malware development pipeline, including two RAT families (Saqeb System and RAT-2AC2), custom ASP webshells (m0s.asp variants), training materials, QA procedures, and operational tooling used from 2022–2025. The collection documents targeted regional operations against aviation, law enforcement, and infrastructure with preparations for ransomware (Moses’ Staff) and SCADA reconnaissance. #SaqebSystem #RAT-2AC2
Keypoints
- APT35 developed a professional Windows RAT (Saqeb System) with five modular components, FUD testing, XOR-encrypted HTTP/HTTPS C2 over TOR, and extensive QA documentation.
- A secondary .NET-based RAT (RAT-2AC2) uses a Python/Flask server, REST API endpoints, header-token authentication, and built-in VNC via noVNC and bore.pub tunneling.
- Custom webshells (m0s.asp and simpler file.asp/webshell.asp variants) employ a covert Accept-Language header channel with a substitution cipher to execute arbitrary commands on IIS servers.
- Operational scale includes claims of control over 300+ compromised sites across 6+ countries (UAE, Jordan, Turkey, Israel, Egypt, Saudi Arabia) with confirmed breaches like FlyDubai and Dubai Police.
- Focus areas include intelligence collection (airports, law enforcement, tourism), SCADA reconnaissance for future offensive use, and ransomware readiness linked to Moses’ Staff operations.
- Comprehensive defense-evasion measures documented: anti-VM/anti-debug techniques, runtime API resolution, hex/XOR obfuscation, masquerading service names, and AV exclusion strategies.
- Detection guidance provided: behavioral rules for Saqeb, RAT-2AC2, and webshells with recommended responses (isolate, memory collection, process termination, block C2s).
MITRE Techniques
- [T1566] Phishing – Google Drive phishing kit with .rar files used for initial access (“Google Drive phishing kit with .rar files”).
- [T1190] Exploit Public-Facing Application – Webshell deployment on web servers enabling remote command execution (“Webshell deployment on web servers”).
- [T1059] Command and Scripting Interpreter – Webshell and RATs execute commands via cmd/PowerShell (“Webshell cmd execution”).
- [T1106] Native API – Use of CreateEventA, LoadLibrary, GetProcAddress for runtime behavior and anti-analysis (“CreateEventA, LoadLibrary, GetProcAddress”).
- [T1543] Create or Modify System Process – Service creation/masquerading for persistence (e.g., WinUpdateService.exe) (“Service masquerading (WinUpdateService.exe, etc.)”).
- [T1547] Boot or Logon Autostart Execution – Auto-run scheduling and registry Run key use for persistence (“Auto-run scheduling (daily/weekly)”).
- [T1505] Server Software Component – Web shells deployed to web servers (m0s.asp, file.asp) for persistent access (“m0s.asp, file.asp, webshell.asp deployed”).
- [T1027] Obfuscated Files or Information – Hex encoding and packing of modules to evade detection (“Hex encoding of modules (bin2hex.py)”).
- [T1140] Deobfuscate/Decode Files or Information – Runtime decoding and XOR decryption of payloads (“Runtime hex decoding, XOR decryption, string deobfuscation”).
- [T1036] Masquerading – Use of legitimate-sounding service/file names to avoid suspicion (“Legitimate service names (Microsoft, Exchange, Windows)”).
- [T1070] Indicator Removal – Self-destruct capability to remove traces (“Self-destruct capability (‘Kill RAT’)”).
- [T1497] Virtualization/Sandbox Evasion – Anti-VM techniques taught in training materials for evasion (“Anti-VM techniques (training curriculum Section 8)”).
- [T1622] Debugger Evasion – Anti-debug mechanisms documented in manuals (“Anti-debug mechanisms”).
- [T1555] Credentials from Password Stores – Extraction of Firefox passwords and other browser-stored credentials (“Firefox password extraction (nss3.dll abuse)”).
- [T1552] Unsecured Credentials – Theft of Telegram session files to hijack accounts (“Telegram session file theft”).
- [T1056] Input Capture – Keyboard hooking for keylogging (SetWindowsHookEx WH_KEYBOARD_LL) (“SetWindowsHookEx keyboard hooking”).
- [T1082] System Information Discovery – Execution of systeminfo and collection of system metadata by RAT-2AC2 and webshells (“systeminfo command execution”).
- [T1083] File and Directory Discovery – Disk enumeration and profile access for data collection (“Disk-level file enumeration (Fexp function)”).
- [T1016] System Network Configuration Discovery – Network enumeration via ipconfig/netstat in webshells and RATs (“ipconfig, network enumeration”).
- [T1071] Application Layer Protocol – HTTP/HTTPS used for C2 communications across malware families (“HTTP/HTTPS C2 communication”).
- [T1132] Data Encoding – XOR, Base64, hex encoding, and substitution cipher used to obfuscate C2 traffic and commands (“XOR encryption, Base64, hex encoding, substitution cipher”).
- [T1090] Proxy – Multi-hop C2 and relays including TOR usage to conceal operator location (“Relay servers + TOR (7 hops)”).
- [T1001] Data Obfuscation – Covert Accept-Language header channel and substitution cipher to hide commands (“Covert channel via Accept-Language header”).
- [T1105] Ingress Tool Transfer – Downloading modules/plugins from C2 to clients (“Module download from C2 (dwPlugin function)”).
- [T1041] Exfiltration Over C2 Channel – Data exfiltration via HTTP POST endpoints (“Data exfiltration via HTTP POST”).
- [T1020] Automated Exfiltration – Scheduled automated collection and transmission of data (“Scheduled data collection and transmission”).
- [T1486] Data Encrypted for Impact – Ransomware encryption routines and pre-positioning for encryption-based impact (“Ransomware encryption routine observed in payloads”).
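The webshell keypoint above and the T1001 entry both describe commands carried in the Accept-Language header of requests to IIS scripts. The following is an added detection example (not code from the report or the actor's tooling) that validates that header against the normal language-tag grammar and flags requests to .asp/.aspx files whose value does not parse; the log format, the length threshold and the sample lines are constructed assumptions, and the cipher itself is not reproduced.

```python
import re
from typing import Dict, List

# Grammar of a benign Accept-Language value (RFC 5646-style tags with optional
# q-weights), e.g. "en-US,en;q=0.9" or "*". Values that do not fully match are
# treated as suspicious when the request targets a server-side script.
_LANG_TAG = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
_WEIGHT = r"(?:\s*;\s*q=(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?"
_ACCEPT_LANGUAGE_RE = re.compile(rf"^\s*{_LANG_TAG}{_WEIGHT}(?:\s*,\s*{_LANG_TAG}{_WEIGHT})*\s*$")

SCRIPT_EXTENSIONS = (".asp", ".aspx")
# Webshell file names reported on this page; not an exhaustive list.
WEBSHELL_NAMES = ("m0s.asp", "m0s.aspx", "file.asp", "webshell.asp")
MAX_BENIGN_LENGTH = 128  # assumption: browsers send far shorter values than this


def is_valid_accept_language(value: str) -> bool:
    """True if the header value fits the ordinary language-tag grammar."""
    return len(value) <= MAX_BENIGN_LENGTH and bool(_ACCEPT_LANGUAGE_RE.match(value))


def score_request(path: str, accept_language: str) -> List[str]:
    """Reasons this request looks like webshell traffic (empty list = benign)."""
    reasons = []
    filename = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if filename in WEBSHELL_NAMES:
        reasons.append(f"known webshell name {filename}")
    if filename.endswith(SCRIPT_EXTENSIONS) and accept_language \
            and not is_valid_accept_language(accept_language):
        reasons.append("Accept-Language does not parse as language tags (covert channel?)")
    return reasons


def scan_log(lines) -> List[Dict]:
    """Parse constructed log lines '<ip> "<METHOD> <path>" <status> al="<header>"'."""
    line_re = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) al="(?P<al>[^"]*)"$')
    hits = []
    for line in lines:
        m = line_re.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        reasons = score_request(m["path"], m["al"])
        if reasons:
            hits.append({"ip": m["ip"], "path": m["path"], "reasons": reasons})
    return hits


# Constructed sample lines (not real telemetry). The last two carry placeholder
# junk in Accept-Language to mimic the reported channel; the real encoding differs.
SAMPLE_LOG = [
    '203.0.113.5 "GET /CMS/index.aspx" 200 al="en-US,en;q=0.9"',
    '203.0.113.6 "GET /images/logo.png" 200 al="ar-AE,ar;q=0.8,en;q=0.5"',
    '198.51.100.7 "POST /CMS/Uploads/m0s.aspx" 200 al="Zm9vIGJhcg=="',
    '198.51.100.7 "POST /CMS/Uploads/upload.aspx" 200 al="qxv;ipconfig /all"',
]
```

Run `scan_log(SAMPLE_LOG)` to see the two flagged requests; a real deployment would feed it IIS logs configured to record the Accept-Language field and tune MAX_BENIGN_LENGTH to the observed traffic.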
Indicators of Compromise
- [Domains] C2/webshell hosting – example: https:///images/flash/test9/m0s.phto, https:///CMS/Uploads/m0s.aspx
- [File Names] Webshell and module artifacts – example: m0s.asp, file.asp, rns.dll, central.dat
- [Service/File Masquerade] Service names and extensions – example: WinUpdateService.exe (masqueraded service), .dat used for DLL modules
- [API Endpoints] RAT-2AC2 panel endpoints – example: /api (registration), /cmd/ (command polling)
- [Credential/Artifact Identifiers] Agent identifiers and serials – example: Serial Number 337E81E3BA4B, Telegram session folder D877F783D5D3EF8Cs
- [Hashes] Malware module hashes – example: serial-like module identifier 337E81E3BA4B and mentions of multiple module hashes (and 2 more hashes)