From the Shadows to the Headlines: A Decade of State-Sponsored Cyber Leaks
By Ryan Slaney and Emma DeCarli · January 20, 2026. Executive summary: The December 2, 2025, publication of a massive leak revealing the inner workings of the IRGC-linked Department 40 a.k.a. APT35, Charming Kitten, and Fres...
Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware
The Iranian nation-state hacking group known as Charming Kitten has been observed deploying a C++ variant of a known malware called BellaCiao. Russian cybersecurity company Kaspersky, which dubbed the new version BellaCPP, said it discovered the artifact as part of a "recent" investigation into ...
BellaCPP: Discovering a new BellaCiao variant written in C++
Introduction: BellaCiao is a .NET-based malware family that adds a unique twist to an intrusion, combining the stealthy persistence of a webshell with the power to establish covert tunnels. It surfaced for the first time in late April 2023 and has since been publicly attributed to the APT actor...
Meta Exposes Iranian Hacker Group Targeting Global Political Figures on WhatsApp
Meta Platforms on Friday became the latest company after Microsoft, Google, and OpenAI to expose the activities of an Iranian state-sponsored threat actor, who it said used a set of WhatsApp accounts that attempted to target individuals in Israel, Palestine, Iran, the U.K., and the U.S. The...
Iranian Cyber Group TA453 Targets Jewish Leader with New AnvilEcho Malware
Iranian state-sponsored threat actors have been observed orchestrating spear-phishing campaigns targeting a prominent Jewish figure starting in late July 2024 with the goal of delivering a new intelligence-gathering tool called AnvilEcho. Enterprise security company Proofpoint is tracking the...
APT42 Hackers Pose as Journalists to Harvest Credentials and Access Cloud Data
The Iranian state-backed hacking outfit called APT42 is making use of enhanced social engineering schemes to infiltrate target networks and cloud environments. Targets of the attack include Western and Middle Eastern NGOs, media organizations, academia, legal services and activists, Google Cloud...
Iranian Threat Actor Adapts Tactics to Stay One Step Ahead
Summary: Charming Kitten, an Iranian threat actor, has recently been linked to a series of attacks targeting the Middle East. This campaign involves deploying a new backdoor called BASICSTAR through a deceptive webinar portal. Threat Level - Red | Attack Report For a detailed threat advisory,...
Iranian Hackers Target Middle East Policy Experts with New BASICSTAR Backdoor
The Iranian-origin threat actor known as Charming Kitten has been linked to a new set of attacks aimed at Middle East policy experts with a new backdoor called BASICSTAR by creating a fake webinar portal. Charming Kitten, also called APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garud...
New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs
Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign,...
Attacks, Vulnerabilities and Actors 11 September to 17 September 2023
Summary: HiveForce Labs recently made several significant discoveries related to cybersecurity threats. Over the past week, a total of eight attacks were executed, along with eleven vulnerabilities discovered, and two different adversaries...
Charming Kitten’s ‘Sponsor’ Strikes 34 Organizations in Brazil, Israel, and U.A.E
Summary: Charming Kitten, also known as Ballistic Bobcat, orchestrated a sophisticated campaign aimed at 34 diverse targets across Brazil, Israel, and the United Arab Emirates. This operation employed a novel...
Charming Kitten's New Backdoor 'Sponsor' Targets Brazil, Israel, and U.A.E.
The Iranian threat actor known as Charming Kitten has been linked to a new wave of attacks targeting different entities in Brazil, Israel, and the U.A.E. using a previously undocumented backdoor named Sponsor. Slovak cybersecurity firm is tracking the cluster under the name Ballistic Bobcat...
Charming Kitten Targets Iranian Dissidents with Advanced Cyber Attacks
Germany's Federal Office for the Protection of the Constitution (BfV) has warned of cyber attacks targeting Iranian persons and organizations in the country since the end of 2022. "The cyber attacks were mainly directed against dissident organizations and individuals – such as lawyers, journalists,...
Attacks, Vulnerabilities and Actors 3 July to 9 July 2023
Summary: HiveForce Labs recently made several significant discoveries related to cybersecurity threats. Over the past week, the fact that there were a total of eight attacks executed, a zero-day vulnerability in the WordPress Plugin, and thre...
Charming Kitten’s Latest Malware Arsenal and Targeting Strategies
Summary: Charming Kitten, an adaptable threat actor, has shifted to new malware tactics and targets by employing LNK infection chains and utilizing cloud hosting providers. This evolution in their approach poses ...
Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware. "TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified...
Iranian Hackers Using POWERSTAR Backdoor in Targeted Espionage Attacks
Charming Kitten, the nation-state actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), has been attributed to a bespoke spear-phishing campaign that delivers an updated version of a fully-featured PowerShell backdoor called POWERSTAR. "There have been improved operational security...
Actors, Threats and Vulnerabilities 24 to 30 April 2023
Summary: HiveForce Labs recently made several significant discoveries related to cybersecurity threats. Over the past week, they identified a total of eight attacks that were executed. These attacks were taking advantage of three different...
Charming Kitten Hackers Utilize New Tactics with BellaCiao Malware
Summary: Iranian APT group, Charming Kitten, is using a new, sophisticated malware called BellaCiao to target specific victims in multiple regions, employing unique communication tactics with its...