Kitten Had the Map All Along: Raising GCC Tensions & The Pre-Positioning Map

APT35 (IRGC-IO) maintained pre-positioned access across multiple GCC environments and its reconnaissance activity correlated with kinetic strikes following Operation Epic Fury, causing combined cyber and physical impacts across Jordan, UAE, Saudi Arabia, Kuwait, and Israel. Defenders are urged to block listed domains/IPs, patch critical vulnerabilities (ConnectWise, ProxyShell, Ivanti, Telerik), hunt for webshells and Plink.exe, rotate Domain Admin credentials, and monitor for BellaCiao and Sagheb RAT activity. #APT35 #BellaCiao

Keypoints

  • APT35 (attributed to IRGC Intelligence Organization, Dept. 40) had pre-positioned access across Jordan, UAE, Saudi Arabia, Kuwait, and Israel prior to multi-country kinetic strikes tied to Operation Epic Fury.
  • Reconnaissance and intrusions (e.g., files exfiltrated via Telerik CVE, Exchange ProxyShell compromises) correlated with subsequent missile and drone strikes on the same targets.
  • The KittenBusters leak released APT35 source code and confirms consolidation of Moses-Staff and Al-Qassam personas under IRGC Dept. 40, increasing risk of destructive operations (wipers/DDoS).
  • Key tools in use include BellaCiao webshell (C#/.NET, Windows service persistence), Sagheb RAT (TOR-routed native keylogger), and a Python/Webshell framework — source code enables precise YARA rule creation.
  • APT35 exploits multiple high-priority vulnerabilities (ConnectWise CVE-2024-1709/1708, ProxyShell CVE-2021-34473, Ivanti CVE-2024-21887, Telerik CVE-2019-18935, Log4j) and has compromised 580+ consumer/SMB routers for DNS manipulation.
  • Immediate defensive actions: block listed domains/IPs, emergency patching or isolation, hunt for Plink.exe and webshells, enforce MFA, rotate Domain Admin credentials, and audit newly created admin accounts.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used for initial access via multiple CVEs and day-1 exploitation campaigns (‘Day-1 exploitation; mass multi-country campaigns’)
  • [T1505] Web Shell – Webshells deployed and managed on internet-facing servers for persistence and remote control (‘Adminer.php / custom ASP/ASPX webshells on internet-facing servers’)
  • [T1543] Create or Modify System Process – Windows service persistence employed by BellaCiao for durable execution (‘Windows service persistence’)
  • [T1078] Valid Accounts – Abuse and creation of administrative accounts; the report recommends rotating Domain Admin credentials (‘Rotate all Domain Administrator credentials. Audit admin accounts created since January 2024.’)
  • [T1041] Exfiltration Over C2 Channel – Data and files exfiltrated from targeted institutions (e.g., via the Telerik exploit) prior to strikes (‘Files exfiltrated via Telerik CVE’)
  • [T1566] Phishing – Phishing infrastructure used to gain access and credentials (‘aecars.store (phishing infrastructure)’)
  • [T1498] Network Denial of Service – DDoS operations and threats from Al-Qassam/related personas against financial and infrastructure targets (‘DDoS’ / ‘Al-Qassam-pattern attacks on the financial sector are expected within days.’)
  • [T1485] Data Destruction – Destructive wiper activity (Shamoon 4.0) used against energy sector workstations (‘Shamoon 4.0 wiper deployed Jan 24, 2026 — 15,000 Saudi energy workstations wiped’)
  • [T1090] Proxy – Use of TOR circuits and anonymisation proxies for C2 and routing (‘TOR circuit establishment from non-user processes’ and ‘103.57.251.31 (anonymisation proxy)’)
  • [T1071] Application Layer Protocol – XOR-encrypted HTTP traffic used for C2 and data transfer (‘XOR-encrypted HTTP traffic’)
  • [T1562] Impair Defenses – Documented AV bypass research and techniques to evade signature-based protection (‘APT35 has documented AV bypass research against all three.’)

Indicators of Compromise

  • [Domain] Command and phishing infrastructure – dreamy-jobs.com, gassam.su, and 2 more domains (aecars.store, 1543.ir)
  • [IP Range / IP Address] Operational hosting, C2, and proxies – 95.169.196.0/24, 185.141.63.0/24, and other ranges/addresses including 88.80.145.0/24 (C2 listener/file staging/SSH relay) and 103.57.251.31 (anonymisation proxy)
  • [File Name] Execution and webshell indicators – Plink.exe (BellaCiao Variant 2 indicator), Adminer.php, and other custom ASP/ASPX webshell filenames
  • [Email Address] Weaponized personas and account patterns – [email protected], [email protected], and other ProtonMail personas using the [firstname].[lastname]@protonmail.com pattern
  • [CVE] Exploited vulnerabilities used for access – CVE-2024-1709 (ConnectWise ScreenConnect), CVE-2019-18935 (Telerik .NET), and additional CVEs (CVE-2021-34473, CVE-2024-21887, CVE-2021-44228)
  • [Malware / Tool] Deployed toolset and frameworks – BellaCiao webshell, Sagheb RAT, and the Python/Webshell Framework (source code released in KittenBusters leak)
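The hunting actions from the Keypoints and the indicator list above, expressed as triage logic over constructed sample events. This is an added example, not code from the CloudSEK report: the indicator values (domains, ranges, Plink.exe/Adminer.php, the ProtonMail persona pattern, the January 2024 audit cut-off) are taken from the page, while the event dictionary format and the sample telemetry are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Indicator values copied from the report above; the event format is an assumption.
IOC_DOMAINS = {"dreamy-jobs.com", "gassam.su", "aecars.store", "1543.ir"}
IOC_NETWORKS = [ipaddress.ip_network(n) for n in
                ("95.169.196.0/24", "185.141.63.0/24", "88.80.145.0/24", "103.57.251.31/32")]
IOC_FILES = {"plink.exe", "adminer.php"}
PERSONA_RE = re.compile(r"^[a-z]+\.[a-z]+@protonmail\.com$")  # firstname.lastname persona
AUDIT_FROM = datetime(2024, 1, 1)  # "audit admin accounts created since January 2024"

def triage(event):
    """Return the reasons one event matches the report's hunting guidance ([] if none)."""
    hits = []
    if "dst_ip" in event:
        ip = ipaddress.ip_address(event["dst_ip"])
        if any(ip in net for net in IOC_NETWORKS):
            hits.append("destination in listed APT35 range")
    if event.get("domain", "").lower() in IOC_DOMAINS:
        hits.append("listed C2/phishing domain")
    name = re.split(r"[\\/]", event.get("path", ""))[-1].lower()  # basename, Windows or POSIX
    if name in IOC_FILES:
        hits.append(f"listed file name {name}")
    elif event.get("type") == "file_create" and name.endswith((".asp", ".aspx")):
        hits.append("new ASP/ASPX file on a web server (webshell candidate)")
    if PERSONA_RE.match(event.get("sender", "").lower()):
        hits.append("ProtonMail firstname.lastname persona")
    if (event.get("type") == "account_created" and event.get("admin")
            and event["when"] >= AUDIT_FROM):
        hits.append("admin account created since Jan 2024")
    return hits

def triage_all(events):
    """Map event id -> hit reasons for every event that matched at least one check."""
    return {ev["id"]: hits for ev in events if (hits := triage(ev))}

# Constructed sample telemetry (not from the report) so the block runs stand-alone.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "path": r"C:\Windows\Temp\plink.exe", "dst_ip": "88.80.145.7"},
    {"id": 2, "type": "file_create", "path": r"C:\inetpub\wwwroot\aspnet_client\cmd.aspx"},
    {"id": 3, "type": "dns", "domain": "dreamy-jobs.com"},
    {"id": 4, "type": "email", "sender": "jane.doe@protonmail.com"},
    {"id": 5, "type": "account_created", "admin": True, "when": datetime(2024, 3, 2)},
    {"id": 6, "type": "account_created", "admin": True, "when": datetime(2023, 11, 9)},
    {"id": 7, "type": "process", "path": r"C:\Windows\System32\svchost.exe", "dst_ip": "10.0.0.5"},
]
```

Call `triage_all(SAMPLE_EVENTS)` to see which of the constructed events match; events 6 and 7 are the negative cases (pre-2024 account, benign process).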

Read more: https://www.cloudsek.com/blog/kitten-had-the-map-all-along-raising-gcc-tensions-the-pre-positioning-map