An Insider Look At The IRGC-linked APT35 Operations: Ep3 – Malware Arsenal & Tooling

APT35 (Charming Kitten) maintained a professional malware development pipeline producing two RAT families (Saqeb System and RAT-2AC2), custom webshells (m0s.asp variants), support tools, and QA/testing materials used to target 300+ entities across the Middle East from 2022–2025. The collection shows advanced anti-detection, modular architectures, multi-hop C2 (including TOR), and explicit operational playbooks for persistence, credential theft, VNC access, and ransomware staging. #Saqeb_System #RAT-2AC2

Keypoints

  • APT35 developed two primary RATs: Saqeb System (native C++ Windows RAT with five modular components) and RAT-2AC2 (C# .NET RAT with Flask-based server and VNC capability).
  • Custom webshell family (m0s.asp) uses an Accept-Language header covert channel with a substitution cipher for remote command execution; simpler file.asp/webshell.asp provide direct header-to-shell RCE.
  • Operational scale includes claims of access to 300+ compromised entities across at least six countries (UAE, Jordan, Turkey, Israel, Egypt, Saudi Arabia) with confirmed breaches like FlyDubai and Dubai Police.
  • Sophistication includes FUD testing labs, anti-VM/anti-debug measures, runtime decoding/obfuscation, multi-hop TOR relays, and documented QA and training materials indicating professional development processes.
  • Capabilities cover credential theft (Firefox, Telegram sessions), keylogging, file enumeration/exfiltration, remote VNC access via noVNC and bore.pub tunneling, remote command execution, and ransomware staging (Moses’ Staff group).
  • Behavioral detection rules provided: Saqeb indicators (CreateEventA, LoadLibrary on .dat, XOR-encrypted HTTPS), RAT-2AC2 polling /api and /cmd endpoints, and webshell indicators (IIS spawning cmd.exe with suspicious Accept-Language header).
  • MITRE mapping shows extensive use across Initial Access, Execution, Persistence, Defense Evasion, Credential Access, C2, Exfiltration, and Impact techniques consistent with long-term targeted espionage and disruptive operations.

MITRE Techniques

  • [T1566] Phishing – Use of Google Drive phishing kit with .rar attachments to deliver payloads: “Google Drive phishing kit with .rar files”
  • [T1190] Exploit Public-Facing Application – Webshell deployment on compromised web servers to gain RCE: “Webshell deployment on web servers”
  • [T1059] Command and Scripting Interpreter – Remote command execution via webshells and RATs using PowerShell/cmd: “Webshell cmd execution”
  • [T1059.003] Windows Command Shell – Execution of cmd /c via WScript.Shell in ASP webshells: “cmd /c execution via WScript.Shell”
  • [T1204] User Execution – Delivery via malicious files and phishing attachments to trick victims into running payloads: “Phishing attachments, malware executables”
  • [T1106] Native API – Use of CreateEventA, LoadLibrary, GetProcAddress for execution and evasion in Saqeb: “CreateEventA, LoadLibrary, GetProcAddress”
  • [T1543] Create or Modify System Process – Service creation/masquerading for persistence and privilege escalation (WinUpdateService.exe examples): “Service masquerading (WinUpdateService.exe, etc.)”
  • [T1547] Boot or Logon Autostart Execution – Auto-run scheduling and registry run keys for persistence in Saqeb: “Auto-run scheduling (daily/weekly)”
  • [T1505] Server Software Component – Webshells deployed as persistent server components (m0s.asp, file.asp): “m0s.asp, file.asp, webshell.asp deployed”
  • [T1027] Obfuscated Files or Information – Hex encoding and packing of modules and runtime obfuscation: “Hex encoding of modules (bin2hex.py)”
  • [T1140] Deobfuscate/Decode Files or Information – Runtime hex decoding and XOR decryption of modules and traffic: “Runtime hex decoding, XOR decryption, string deobfuscation”
  • [T1036] Masquerading – Use of legitimate-sounding service names and .dat extensions for DLLs to evade detection: “Legitimate service names (Microsoft, Exchange, Windows)”; “.dat extensions for DLLs”
  • [T1070] Indicator Removal – Self-destruct capability and file deletion functions to remove artifacts: “Self-destruct capability (‘Kill RAT’)”
  • [T1112] Modify Registry – Registry manipulation for persistence (minimal changes to reduce detection): “Registry manipulation for persistence”
  • [T1497] Virtualization/Sandbox Evasion – Anti-VM techniques documented in training materials to avoid analysis: “Anti-VM techniques (training curriculum Section 8)”
  • [T1622] Debugger Evasion – Anti-debug mechanisms described in Saqeb manuals: “Anti-debug mechanisms”
  • [T1562] Impair Defenses – Use of AV exclusion paths and disabling defensive tools mentioned in module docs: “AV exclusion paths in file destruction module rns.dll”
  • [T1555] Credentials from Password Stores – Firefox credential extraction via nss3.dll functions: “Firefox password extraction (nss3.dll abuse)”
  • [T1552] Unsecured Credentials – Theft of Telegram session files for account takeover: “Telegram session file theft”
  • [T1056] Input Capture – Keylogging via SetWindowsHookEx to capture keystrokes and window titles: “Keyboard hook with window title logging”
  • [T1082] System Information Discovery – Systeminfo collection by RAT-2AC2 during registration and discovery: “systeminfo command execution”
  • [T1083] File and Directory Discovery – Disk-level enumeration functions in Saqeb to collect files: “Disk-level file enumeration (Fexp function)”
  • [T1057] Process Discovery – Process enumeration capabilities in RATs for reconnaissance: “Process enumeration capabilities”
  • [T1016] System Network Configuration Discovery – ipconfig and network enumeration via webshells and RATs: “ipconfig, network enumeration”
  • [T1049] System Network Connections Discovery – netstat usage documented in webshell command sets: “netstat commands”
  • [T1518] Software Discovery – AV and security product discovery for evasion and targeting: “AV detection (Kaspersky, BitDefender exclusions)”
  • [T1021] Remote Services – Use of WMIC and remote commands to move laterally: “WMIC commands in webshell scripts”
  • [T1080] Taint Shared Content – Uploading to shared locations and UNC paths for lateral movement: “File upload to UNC shares”
  • [T1005] Data from Local System – File download capabilities and specific stealer modules for Firefox/Telegram: “File download capabilities, Firefox/Telegram data extraction”
  • [T1113] Screen Capture – Screenshot features in both RATs for visual intelligence: “Screenshot functionality (capHandler)”
  • [T1119] Automated Collection – Automated enumeration and exfiltration scheduling in Saqeb: “Automated file enumeration and exfiltration”
  • [T1071] Application Layer Protocol – HTTP/HTTPS used for C2 communications across toolset: “HTTP/HTTPS C2 communication”
  • [T1132] Data Encoding – Use of XOR, Base64, hex encoding, and substitution ciphers across malware and webshells: “XOR encryption, Base64, hex encoding, substitution cipher”
  • [T1573] Encrypted Channel – XOR-based symmetric encryption of C2 traffic in Saqeb: “XOR-based traffic encryption”
  • [T1090] Proxy – Multi-hop proxying and relay servers including TOR relays for C2 chaining: “Relay servers + TOR (7 hops)”
  • [T1095] Non-Application Layer Protocol – Use of TOR network (.onion addresses) for hidden service C2: “TOR network usage (.onion addresses)”
  • [T1001] Data Obfuscation – Covert Accept-Language channel in m0s.asp acting as a data obfuscation/covert channel: “Covert channel via Accept-Language header”
  • [T1105] Ingress Tool Transfer – Remote module download mechanisms (dwPlugin) and central.dat updates: “Module download from C2 (dwPlugin function)”; “central.dat replacement”
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration via HTTP POST to C2 infrastructure: “Data exfiltration via HTTP POST”
  • [T1020] Automated Exfiltration – Scheduled collection and automated exfiltration features in Saqeb: “Scheduled data collection and transmission”
  • [T1030] Data Transfer Size Limits – Chunked transfer handling for large files in Saqeb: “Chunked file transfer (flwHandler)”
  • [T1486] Data Encrypted for Impact – File encryption/destruction module intended for irreversible data destruction and ransomware operations: “File encryption/destruction; random byte overwriting”

Indicators of Compromise

  • [File Names] Malware modules and webshells – central.dat, creds.dat, lock.dat, logging.dat, msg.dat, m0s.asp, file.asp (used as RAT modules and webshells)
  • [File Hashes] Sample artifacts referenced – example hash: 337E81E3BA4B (serial number identifier), and 2 more hashes
  • [Domains/URLs] Webshell and C2 endpoints – examples from client scripts: https:///images/flash/test9/m0s.phto, http:///CMS/Uploads/m0s.aspx (hardcoded target URLs in tooling)
  • [IP Addresses] Infrastructure references – example: http:///images/m0s.php used in client scripts (indicative of specific compromised hosts)
  • [Header Patterns] Covert channel header usage – Accept-Language header containing substitution-cipher-encoded commands (used by m0s.asp variants)
  • [Service Names] Masqueraded service/process names – WinUpdateService.exe and other legitimate-sounding service names used by RAT-2AC2 for persistence

Read more: https://www.cloudsek.com/blog/an-insider-look-at-the-irgc-linked-apt35-operations-ep3—malware-arsenal-tooling