The Iranian state-sponsored group Charming Kitten has been observed deploying BellaCPP, a new C++ variant of its BellaCiao malware. BellaCPP was found during the investigation of a compromised machine in Asia that was also infected with BellaCiao, which ties the two families to the same intrusion. Reimplementing the implant in C++ points to ongoing development of the toolset, plausibly to improve evasion and extend capabilities, and the activity is consistent with the group's continued focus on cyber espionage.
The North Korean state-sponsored Lazarus Group is targeting organizations in the nuclear industry. The campaign uses new tools and tactics, including trojanized VNC utilities to gain a foothold and an updated modular implant known as CookiePlus. The multi-stage infection chain and modular design give the group improved persistence and evasion. The attacks serve both espionage and financial gain.
This cluster covers the analysis of Elpaco, a variant of the Mimic ransomware. Elpaco is highly configurable: the operator can disable security mechanisms, run arbitrary system commands, and customize the ransom note. The analysis documents the malware's structure and TTPs, including its use of the Everything file-indexing library to enumerate files quickly. The level of detail makes it useful for security researchers and incident responders.