Operation Epic Fury and the subsequent multi-day Iranian missile/drone strikes across seven countries have been preceded and accompanied by extensive APT35 cyber reconnaissance and pre-positioned access in GCC targets, with active webshell activation and malware deployment observed. Defenders should prioritize immediate blocking of the listed domains/IP ranges, emergency patching of the exploited CVEs, credential rotation, and hunts for indicators such as Plink.exe, Adminer.php, and TOR-linked Sagheb RAT activity. #APT35 #BellaCiao
Keypoints
- APT35 (IRGC-IO Dept. 40) maintained pre-positioned access across Jordan, UAE, Saudi Arabia, Kuwait and Israel that correlated with subsequent kinetic missile/drone strikes.
- KittenBusters leak exposed APT35 source code and tools (BellaCiao webshell, Sagheb RAT, Python/Webshell framework), enabling precise detection and YARA rule creation.
- Multiple public-facing CVEs were exploited for initial access (ConnectWise ScreenConnect, ProxyShell, Ivanti Connect Secure, Log4Shell, Telerik) and consumer routers (GoAhead/TP-LINK/ASUS/D-Link) were abused for DNS manipulation.
- Active operations include webshell activation, credential theft, file exfiltration, and likely reactivation of destructive personas (Moses-Staff / Shamoon variants) tied to IRGC funding and command.
- Immediate defensive actions: block IOC domains/IPs, emergency patching or isolation, hunt for Plink.exe/Adminer.php/webshells, rotate Domain Admin credentials, and enforce MFA and behavioral detection for TOR/XOR C2 activity.
- Key malware in play: BellaCiao (C#/.NET webshell with Windows service persistence), Sagheb RAT (native keylogger using TOR), and known destructive wipers (Shamoon 4.0) already observed in the region.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain initial access via multiple CVEs (ConnectWise, ProxyShell, Ivanti, Log4Shell, Telerik): (‘Day-1 exploitation; mass multi-country campaigns’)
- [T1505.003] Web Shell – Webshells were deployed/activated on internet-facing servers for persistence and remote access: (‘webshell activation likely underway’)
- [T1543.003] Create or Modify System Process: Windows Service – Malware maintained persistence by installing as Windows services (BellaCiao): (‘BellaCiao (C#/.NET webshell with Windows service persistence)’)
- [T1078] Valid Accounts – Credential theft and reuse targeted authentication to maintain access and escalate privileges: (‘steals Firefox and Telegram credentials’)
- [T1041] Exfiltration Over C2 Channel – Sensitive files were exfiltrated from breached institutions (e.g., Jordan Ministry of Justice via Telerik exploit): (‘Files exfiltrated via Telerik CVE’)
- [T1090.004] Proxy: TOR – TOR routing was used for command-and-control anonymity by Sagheb RAT: (‘Sagheb RAT (native code FUD keylogger using TOR routing)’)
- [T1071.001] Application Layer Protocol: Web Protocols – XOR-encrypted HTTP traffic used for C2 and data transfer: (‘XOR-encrypted HTTP traffic’)
- [T1021.002] Remote Services: SSH – Remote command/relay via SSH tools was observed/hunted (Plink.exe indicator): (‘Plink.exe execution in server environments’)
- [T1056.001] Input Capture: Keylogging – Keylogger functionality in Sagheb RAT captured credentials and inputs: (‘native code FUD keylogger’)
- [T1498] Network Denial of Service – Al-Qassam persona and related actors conducted/threatened DDoS operations against financial and critical targets: (‘DDoS, US/Israeli finance’)
- [T1485] Data Destruction – Destructive wipers (Shamoon 4.0 / Moses-Staff persona) were used to wipe energy-sector workstations: (‘Shamoon 4.0 wiper deployed Jan 24, 2026 — 15,000 Saudi energy workstations wiped’)
Indicators of Compromise
- [Domain] Blocking/analysis priority – dreamy-jobs.com (APT35 counterintelligence honeypot), gassam.su (Al-Qassam persona domain)
- [Domain] Phishing/infrastructure examples – aecars.store (phishing infrastructure), 1543.ir (internal VoIP)
- [IP Range] Operations hosting/C2 – 95.169.196.0/24, 185.141.63.0/24
- [IP Address] C2/staging/proxy – 103.57.251.31 (anonymisation proxy)
- [Email] Persona and account patterns – ProtonMail pattern [firstname].[lastname]@protonmail.com; verified examples: may.arnold@ (ProtonMail persona), [email protected]
- [File Name] Malware/indicator files – Plink.exe (hunt for execution linked to BellaCiao), Adminer.php / custom ASP/ASPX webshells on internet-facing servers
- [Malware] Active tools observed – BellaCiao, Sagheb RAT, and other tooling including Python/Webshell Framework (and Shamoon 4.0 observed in prior wiper campaign)
- [Device Type] Compromised network devices – TP-LINK and D-Link (consumer/SMB routers used for DNS manipulation), and GoAhead/ASUS devices (580+ devices compromised overall)
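A log hunt over the indicators listed above, added here as an example that is not part of the report: it matches the listed domains (including their subdomains), the listed IP ranges by CIDR containment rather than string prefix, the single proxy IP, and the hunted file names (Plink.exe, Adminer.php) against proxy, firewall, Sysmon and IIS-style lines. The sample log lines and their formats are constructed; only the indicator values come from the report.

```python
import ipaddress
import re

# Indicators taken from the report above (page values, not constructed)
IOC_DOMAINS = {"dreamy-jobs.com", "gassam.su", "aecars.store", "1543.ir"}
IOC_NETWORKS = [ipaddress.ip_network(n) for n in
                ("95.169.196.0/24", "185.141.63.0/24", "103.57.251.31/32")]
IOC_FILENAMES = {"plink.exe", "adminer.php"}  # compared case-insensitively
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)
FILE_RE = re.compile(r"\b[\w-]+\.(?:exe|php|aspx?)\b", re.I)

def match_line(line):
    """Return [(indicator_type, value)] for every report IOC found in one log line."""
    hits = []
    for ip_str in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:  # e.g. 999.1.2.3 inside a version string is not an address
            continue
        if any(ip in net for net in IOC_NETWORKS):  # CIDR containment, not a string prefix
            hits.append(("ip", ip_str))
    for dom in DOMAIN_RE.findall(line):
        d = dom.lower()
        if d in IOC_DOMAINS or any(d.endswith("." + ioc) for ioc in IOC_DOMAINS):  # subdomains too
            hits.append(("domain", d))
    for fn in FILE_RE.findall(line):
        if fn.lower() in IOC_FILENAMES:
            hits.append(("file", fn))
    return hits

def hunt(lines):
    """Scan log lines; return [(line_no, line, hits)] for every line with at least one hit."""
    return [(n, ln, h) for n, ln in enumerate(lines, 1) if (h := match_line(ln))]

# Constructed sample log lines (hypothetical, not from the report)
SAMPLE_LOGS = [
    "2026-01-24T10:01:02Z proxy allow user=jdoe dst=https://dreamy-jobs.com/apply",
    "2026-01-24T10:02:11Z firewall deny src=10.0.0.5 dst=95.169.196.77:443",
    "2026-01-24T10:03:45Z sysmon ProcessCreate Image=C:\\Windows\\Temp\\Plink.exe",
    "2026-01-24T10:04:00Z iis GET /upload/Adminer.php 200",
    "2026-01-24T10:05:30Z proxy allow user=asmith dst=https://example.org/",
]

if __name__ == "__main__":
    for n, ln, hits in hunt(SAMPLE_LOGS):
        print(n, hits)
```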