Ballistic Bobcat

Threat Actor updated 6 months ago (2024-05-15T14:17:28.588Z)

Download STIX

Preview STIX

Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bobcat's activities have notably evolved over time, shifting towards more noticeable operations aimed at Israel. This shift was concurrent with a downturn in the activities of another threat actor, OilRig, suggesting a strategic realignment. In a recent campaign, Ballistic Bobcat initiated a global cyber espionage operation targeting 14 countries, with the majority of the victims being located in Israel. The group's modus operandi involves exploiting vulnerabilities, often opportunistically, in Microsoft Exchange as part of their "Sponsoring Access" campaign. They've developed a unique approach to evade scans by employing innocuous configuration files and using a modular method. Open-source tools such as host2ip.exe, RevSocks, Mimikatz, Armadillo PE packer, GO Simple Tunnel (GOST), Chisel, csrss_protected.exe, Plink (PuTTY Link), WebBrowserPassView.exe, and sqlextractor.exe have been used on compromised systems. In one notable instance, Ballistic Bobcat hit an Israeli insurance marketplace in August 2021 by exploiting tools reported by the Cybersecurity and Infrastructure Security Agency (CISA). Recently, in May 2022, security experts uncovered a new backdoor deployed by the Ballistic Bobcat APT group from a sample on an Israeli victim’s system. This new campaign, named Sponsor Malware, shows a clear pattern in tool development, indicating an overlap between Ballistic Bobcat and Sponsor backdoor campaigns. The group has also introduced a new server, piggybacking on PowerLess C&C, and using multiple IPs for tools which are now inactive. The threat posed by Ballistic Bobcat continues to evolve, highlighting the need for robust cybersecurity measures and vigilance in tracking the activities of such threat actors.

Description last updated: 2024-05-15T14:16:12.596Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Phosphorus is a possible alias for Ballistic Bobcat. Phosphorus, also known as APT35 or Charming Kitten, is a prominent threat actor linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group is notorious for its cyberespionage activities and has been actively targeting high-profile individuals involved in Middle Eastern affairs at univ	3
Charming Kitten is a possible alias for Ballistic Bobcat. Charming Kitten, also known as APT35 or APT42 among other names, is a threat actor believed to be linked to the Iranian government. The group has been implicated in a series of cyber-attacks against various entities in Brazil, Israel, and the U.A.E., deploying a new backdoor that initiates an infect	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Apt

Eset

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Sponsor Backdoor Malware is associated with Ballistic Bobcat. The Sponsor backdoor is a malicious software (malware) designed and coded by Ballistic Bobcat. This malware obfuscates data before sending it to the Command & Control (C&C) server, employing innocuous configuration files and a modular approach to evade scans. The Sponsor backdoor, a version of Power	Unspecified	3
The PowerLess Malware is associated with Ballistic Bobcat. Powerless is a malicious software (malware) that was deployed by Ballistic Bobcat in September 2021, during the wrap-up of the campaign documented in CISA Alert AA21-321A. This malware was introduced as part of the PowerLess campaign, which involved the use of a new command and control (C&C) server.	Unspecified	3

Source Document References

Information about the Ballistic Bobcat Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
ESET	6 months ago	ESET APT Activity Report Q4 2023–Q1 2024
CERT-EU	a year ago	Why cyberspace remains largely unaffected amidst ongoing geopolitical turmoil
CERT-EU	a year ago	New Sponsor Malware Attacking Government & Healthcare Organizations
CERT-EU	a year ago	RagnarLocker Ransomware, LokiLocker Ransomware, and More: Hacker’s Playbook Threat Coverage Round-up: September 27th, 2023
ESET	a year ago	Ballistic Bobcat's Sponsor backdoor – Week in security with Tony Anscombe
ESET	a year ago	Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor
BankInfoSecurity	a year ago	Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor
CERT-EU	a year ago	‘Scan-and-exploit’ campaign snares unpatched Exchange servers
CERT-EU	a year ago	Charming Kitten's New Backdoor 'Sponsor' Targets Brazil, Israel, and U.A.E.
CERT-EU	a year ago	Iranian hackers target orgs in Brazil, Israel, and OAE with new Sponsor backdoor
CERT-EU	a year ago	Iranian Charming Kitten APT targets various entities in Brazil, Israel, and the U.A.E. using a new backdoor
DARKReading	a year ago	Iran's Charming Kitten Pounces on Israeli Exchange Servers
CERT-EU	a year ago	Charming Kitten's New Backdoor 'Sponsor' Targets Brazil, Israel, and U.A.E.
Securityaffairs	a year ago	Security Affairs newsletter Round 437 by Pierluigi Paganini