Sysdig Threat Bulletin: Iranian Cyber Threats

Iranian state-sponsored APT groups such as APT35, APT33, and Pioneer Kitten are expected to step up cyber attacks against cloud and Linux environments following U.S. strikes on Iranian nuclear infrastructure. The Sysdig Threat Research Team provides guidance and detection strategies to help organizations defend against these advanced threats.

Key points

  • Sysdig TRT warns of a potential rise in cyber activity by Iranian APTs and hacktivists targeting cloud and Linux infrastructures after U.S. strikes in June 2025.
  • Enforcing MFA, patching exposed appliances, and monitoring for web shells and suspicious tools are critical defensive measures.
  • APT35 employs credential theft, sophisticated malware like PowerLess and BellaCiao, and tunneling techniques to maintain persistence and exfiltrate data.
  • APT33 focuses on cloud-first intrusions using Azure infrastructure and password spraying campaigns targeting Microsoft 365 and Azure Active Directory.
  • Pioneer Kitten exploits VPN and network device vulnerabilities to gain initial access, uses web shells for persistence, and collaborates with ransomware groups.
  • Detection rules for runtime events and threat intelligence for DNS/IP monitoring are essential for uncovering malicious activities.
  • Verifying backup integrity is crucial due to the use of ransomware and disk wiping malware by these groups.

MITRE Techniques

  • [T1078] Valid Accounts – APT35 and APT33 use credential theft and password spraying to gain access to cloud accounts (‘stealing credentials from Microsoft 365, Gmail, and cloud VPN portals using phishing, password spraying, and token theft’).
  • [T1136] Create Account – APT33 creates malicious Azure infrastructure for C2 purposes (‘creating and operating malicious Azure infrastructure’).
  • [T1210] Exploitation of Remote Services – Pioneer Kitten exploits vulnerabilities in VPN and network devices (e.g., Citrix Netscaler, F5 BIG-IP) to gain initial access (‘exploits VPN and network device vulnerabilities to gain initial access’).
  • [T1105] Ingress Tool Transfer – Use of web shells and living-off-the-land tools to maintain persistence and move within networks (‘using deeply buried web shells… and tools like ligolo, socat, proxychains’).
  • [T1071] Application Layer Protocol – Tunneling RDP and C2 traffic through cloud infrastructure using Fast Reverse Proxy (FRP) (‘leverages Fast Reverse Proxy (FRP) to tunnel RDP and C2 traffic’).
  • [T1059] Command and Scripting Interpreter – Use of PowerShell backdoor PowerLess to execute commands without invoking powershell.exe (‘PowerLess (a PowerShell backdoor that executes without invoking powershell.exe)’).
  • [T1566] Phishing – Social engineering campaigns via LinkedIn to trick targets (‘uses LinkedIn profiles to trick targets into sharing credentials’).
  • [T1486] Data Encrypted for Impact – Use of ransomware to encrypt data (‘common payloads for these groups include ransomware’).

Indicators of Compromise

  • [File Hashes] Malware samples – PowerLess and BellaCiao backdoor hashes, the Tickler malware hash, and additional hashes not attributed to a named family.
  • [IP Addresses/DNS] Known tunneling/proxy domains and IPs used for C2 and tunneling by APT35 and Pioneer Kitten detected via DNS/IP monitoring.
  • [File Names] Deeply buried web shell path examples such as /var/vpn/themes/imgs/ used by Pioneer Kitten.
  • [Cloud Account Credentials] Compromised Microsoft 365 and Gmail credentials targeted by APT35 and APT33 through password spraying and phishing campaigns.
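The bulletin's detection advice (runtime rules for tunneling tools such as ligolo, socat, proxychains and FRP, and for web shells dropped in appliance web directories like /var/vpn/themes/imgs/) can be expressed as a small runtime-event detector. The following is an added example, not Sysdig or Falco code; the event model, the extra web directories and the sample events are constructed assumptions.

```python
"""Minimal runtime-event detector for two behaviours named in the bulletin:
tunneling/proxy tool execution and web shell drops in appliance web directories.
Added example with constructed events; not Sysdig/Falco code."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Tunneling/proxy tools named in the bulletin (FRP's client binary is frpc).
TUNNEL_TOOLS = {"frpc", "frps", "ligolo", "ligolo-agent", "socat",
                "proxychains", "proxychains4"}
# Web-exposed directories where a dropped script should never appear.
# /var/vpn/themes/imgs/ is the bulletin's example path; the others are assumptions.
WEBSHELL_DIRS = ("/var/vpn/themes/imgs/", "/var/www/html/", "/netscaler/ns_gui/")
WEBSHELL_EXT = re.compile(r"\.(php|jsp|jspx|aspx?|cgi|pl)$", re.IGNORECASE)

@dataclass(frozen=True)
class Event:
    kind: str   # "exec" or "file_write"
    proc: str   # executable path or process name
    args: str   # command line (exec) or written file path (file_write)
    user: str

def check_event(ev: Event) -> Optional[Tuple[str, str]]:
    """Return (rule_name, detail) when the event matches a rule, else None."""
    if ev.kind == "exec":
        name = ev.proc.rsplit("/", 1)[-1].lower()   # basename, case-insensitive
        if name in TUNNEL_TOOLS:
            return ("tunneling_tool_exec", f"{name} run by {ev.user}: {ev.args}")
    elif ev.kind == "file_write":
        path = ev.args
        if path.startswith(WEBSHELL_DIRS) and WEBSHELL_EXT.search(path):
            return ("webshell_drop", f"{ev.proc} wrote {path} as {ev.user}")
    return None

def scan(events: Iterable[Event]) -> list:
    """Run every event through the rules and keep only the findings."""
    return [f for f in map(check_event, events) if f]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("exec", "/usr/bin/socat", "socat TCP-LISTEN:3389,fork TCP:10.0.0.5:3389", "nobody"),
    Event("exec", "/tmp/.x/frpc", "frpc -c frpc.ini", "www-data"),
    Event("file_write", "httpd", "/var/vpn/themes/imgs/logo.php", "nobody"),
    Event("file_write", "httpd", "/var/vpn/themes/imgs/logo.png", "nobody"),  # benign
    Event("exec", "/usr/bin/ls", "ls -la /tmp", "admin"),                     # benign
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

In production the same logic maps onto Falco rules keyed on proc.name and fd.name, with the web directory list tuned to the appliances actually deployed.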

Read more: https://sysdig.com/blog/sysdig-threat-bulletin-iranian-cyber-threats/