Threat Rating: Critical & Active

APT35 (Charming Kitten / Moses-Staff / Al-Qassam) is widely attributed to the IRGC Intelligence Organization and appears to maintain pre-positioned access across multiple GCC environments targeted during the campaign. Iranian cyber retaliation activity appears to be underway. Defensive teams should prioritize immediate monitoring and mitigation.

1. SITUATION OVERVIEW

On February 28, 2026, the US and Israel launched Operation Epic Fury, destroying Iran’s nuclear infrastructure and killing Supreme Leader Khamenei. Iran’s internet connectivity was reduced to 4%. Iran retaliated with a multi-day ballistic missile and drone campaign striking seven countries simultaneously: Saudi Arabia, UAE, Kuwait, Bahrain, Qatar, Jordan, and Israel. The Strait of Hormuz is closed and the campaign is ongoing as of publication.

2. CENTRAL FINDING: CYBER RECONNAISSANCE PRECEDED KINETIC STRIKES

The KittenBusters disclosure (Sep–Oct 2025) provides insight into the reconnaissance activity that preceded the current strike campaign. Several of the countries targeted by Iranian strikes had previously been profiled or penetrated by APT35. The correlation between cyber targets and missile strike locations is systematic:

Cyber Recon Table

| Cyber Recon Target | APT35 Pre-Positioned Access | Kinetic Strike That Followed |
|---|---|---|
| Jordan Civil Aviation | Files exfiltrated via Telerik CVE | Amman struck; 13 BMs + 49 drones |
| UAE / Dubai Government | Internal materials accessed; flydubai BellaCiao deployment | Al Dhafra, Dubai Airport, Jebel Ali struck; 167 missiles + 541 UAVs |
| Saudi Council of Ministers | Decision documents exfiltrated; National Water Co. penetrated | Riyadh, Eastern Province struck; Shamoon 4.0 already deployed Jan 24 |
| Kuwait Civil Aviation | Airport confirmed target; gov networks mapped | Airport terminal damaged; 97 BMs + 283 drones engaged |
| Israel ICS/SCADA | 580+ modems exploited; Rafael Defense Systems targeted | Nationwide barrages; Iron Dome breached multiple times |

3. THE THREAT ACTOR: APT35 — NOW A UNIFIED IRGC PLATFORM

APT35 (also known as Charming Kitten, Phosphorus, Mint Sandstorm, Magic Hound) is attributed to the IRGC Intelligence Organization, Unit 1500, Department 40, commanded by Abbas Rahrovi through front company Zharf Andishaan Tafakkor Sefid. The KittenBusters leak confirms that two previously distinct personas — Moses-Staff (destructive wiper ops, Israel-focused) and Al-Qassam Cyber Fighters (DDoS, US/Israeli finance) — are funded from the same operational budget.

This means all prior Moses-Staff attacks must be re-attributed to IRGC-IO Dept. 40. Following the reported death of Khamenei and the ongoing regional escalation, the Moses-Staff persona may be reactivated for destructive operations if escalation continues.

4. ACTIVE CYBER OPERATIONS (AS OF MARCH 2, 2026)

Actor Threat Table

| Actor | Affiliation | Confirmed Actions | Expected Next Targets |
|---|---|---|---|
| Handala Hack | MOIS (Iran) | Jordan infrastructure attacked; Israeli healthcare breach; ICS disruption claimed; UAE threatened | Israeli hospitals, water; UAE govt/financial networks; Jordan fuel infra |
| APT35 / Dept. 40 | IRGC-IO | Pre-positioned access across Jordan, UAE, Saudi, Kuwait confirmed; webshell activation likely underway | Israel (via Moses-Staff wiper); Jordan MoJ; UAE aviation; Saudi energy |
| APT33 / Elfin | IRGC | Shamoon 4.0 wiper deployed Jan 24, 2026 — 15,000 Saudi energy workstations wiped | Saudi Aramco; GCC petrochemical; UAE energy sector |
| CyberAv3ngers | IRGC-CEC | Historically targeted Unitronics PLCs; on elevated alert | US/GCC water & wastewater ICS; Israeli industrial systems |

5. KEY MALWARE IN PLAY

Episode 3 of the KittenBusters leak released APT35’s complete source code for its custom malware. Key tools now being deployed against GCC targets include BellaCiao (C#/.NET webshell with Windows service persistence, tested against Defender/Kaspersky/ESET), Sagheb RAT (native-code keylogger built to be fully undetectable (FUD) by AV, using TOR routing and stealing Firefox and Telegram credentials), and the Python/Webshell Framework for managing multiple compromised hosts. The source code disclosure enables defenders to build precise YARA rules.

6. PRIORITY VULNERABILITIES EXPLOITED BY APT35

CVE Table

| CVE | Product | APT35 Usage |
|---|---|---|
| CVE-2024-1709/1708 | ConnectWise ScreenConnect | Day-1 exploitation; mass multi-country campaigns |
| CVE-2021-34473 (ProxyShell) | Microsoft Exchange | Institutional compromise and credential extraction |
| CVE-2024-21887 | Ivanti Connect Secure (VPN) | Initial access into govt/enterprise networks |
| CVE-2021-44228 | Apache Log4j (Log4Shell) | Broad Java application targeting |
| CVE-2019-18935 | Telerik .NET | Used in Jordan Ministry of Justice penetration |
| GoAhead/TP-LINK/ASUS/D-Link | Consumer/SMB Routers | 580+ devices compromised for DNS manipulation |

7. PRIORITY INDICATORS OF COMPROMISE (IOCS)

Domains to block immediately: dreamy-jobs.com (APT35 counterintelligence honeypot, confirmed by Google/Mandiant), gassam.su (Al-Qassam persona domain), aecars.store (phishing infrastructure), 1543.ir (internal VoIP).

Key IP ranges: 95.169.196.0/24 and 185.141.63.0/24 (operations hosting); 88.80.145.0/24 (C2 listener, file staging, SSH relay); 103.57.251.31 (anonymisation proxy).

Email indicators: Western-name ProtonMail personas at scale ([firstname].[lastname]@protonmail.com pattern). Verified active accounts include may.arnold@ and [email protected].

8. DEFENSIVE RECOMMENDATIONS

IMMEDIATE — Next 24 Hours

  • Block all IOC domains and IP ranges listed above across perimeter firewalls and DNS.
  • Emergency patching: ConnectWise ScreenConnect, ProxyShell (Exchange), Ivanti Connect Secure, Telerik. If patching is not possible, isolate systems.
  • Hunt for Plink.exe execution in server environments (BellaCiao Variant 2 primary indicator) and Adminer.php / custom ASP/ASPX webshells on internet-facing servers.
  • Rotate all Domain Administrator credentials. Audit admin accounts created since January 2024.
  • If your organization operates in Jordan, UAE, or Saudi Arabia: initiate an immediate compromise assessment.
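The following script is an added example, not part of the advisory or of any vendor tooling, and it serves both the IOC list in section 7 and the IMMEDIATE hunt items above. It matches constructed log lines (a simple `kind key=value` format invented for this example, not any real product's output) against the advisory's domains, IP ranges and ProtonMail persona pattern, and flags Plink.exe execution, Adminer.php requests and POSTs to ASP/ASPX/PHP paths outside a site-specific allowlist; that allowlist (`KNOWN_SCRIPTS`) and the sample log lines are assumptions you would replace with your own data.

```python
"""Triage constructed log lines against the IOCs and hunt items in this advisory."""
import ipaddress
import re
from typing import Optional

# Network indicators from section 7 of the advisory.
IOC_DOMAINS = {"dreamy-jobs.com", "gassam.su", "aecars.store", "1543.ir"}
IOC_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("95.169.196.0/24", "185.141.63.0/24", "88.80.145.0/24", "103.57.251.31/32")
]
# Persona pattern from section 7: firstname.lastname@protonmail.com.
PERSONA_RE = re.compile(r"^[a-z]+\.[a-z]+@protonmail\.com$", re.IGNORECASE)
# Host hunt items from the IMMEDIATE recommendations.
HUNT_IMAGES = {"plink.exe"}
# Assumption: site-specific allowlist of script paths that legitimately receive POSTs.
KNOWN_SCRIPTS = {"/owa/auth.aspx", "/login.aspx"}
SCRIPT_RE = re.compile(r"\.(aspx?|php)$", re.IGNORECASE)

# Constructed sample events (not real telemetry): dns, fw, proc, web and mail records.
SAMPLE_LOGS = [
    "dns client=10.20.1.15 query=www.example.org",
    "dns client=10.20.1.15 query=cdn.dreamy-jobs.com",
    "fw src=10.20.1.15 dst=93.184.216.34 dport=443",
    "fw src=10.20.3.7 dst=88.80.145.22 dport=22",
    "proc host=WEB01 user=svc_iis image=C:\\Windows\\Temp\\plink.exe",
    "proc host=WEB01 user=svc_iis image=C:\\Windows\\System32\\w3wp.exe",
    "web src=198.51.100.9 method=POST path=/login.aspx status=200",
    "web src=198.51.100.9 method=POST path=/uploads/adminer.php status=200",
    "web src=198.51.100.9 method=POST path=/aspnet_client/cfg.aspx status=200",
    "mail from=may.arnold@protonmail.com to=cfo@example.gov",
    "mail from=alerts@vendor.example to=cfo@example.gov",
]


def parse_line(line: str) -> tuple[str, dict[str, str]]:
    """Split 'kind key=value key=value ...' into the record kind and its fields."""
    kind, _, rest = line.strip().partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return kind, fields


def domain_hit(name: str) -> Optional[str]:
    """Return the IOC domain that name equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def ip_hit(addr: str) -> Optional[str]:
    """Return the IOC network containing addr, else None (non-IP strings never match)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in IOC_NETWORKS:
        if ip in net:
            return str(net)
    return None


def triage(lines):
    """Return one finding dict per line that matches an indicator or hunt item."""
    findings = []
    for n, line in enumerate(lines, 1):
        kind, f = parse_line(line)
        reason = None
        if kind == "dns" and (d := domain_hit(f.get("query", ""))):
            reason = f"DNS query for IOC domain {d}"
        elif kind == "fw" and (net := ip_hit(f.get("dst", ""))):
            reason = f"outbound connection to IOC range {net}"
        elif kind == "proc" and f.get("image", "").rsplit("\\", 1)[-1].lower() in HUNT_IMAGES:
            reason = f"hunt: {f['image']} executed by {f.get('user', '?')} on {f.get('host', '?')}"
        elif kind == "web":
            path = f.get("path", "").split("?", 1)[0]
            if path.rsplit("/", 1)[-1].lower() == "adminer.php":
                reason = "hunt: Adminer.php reachable on internet-facing server"
            elif f.get("method") == "POST" and SCRIPT_RE.search(path) and path.lower() not in KNOWN_SCRIPTS:
                reason = f"hunt: POST to unlisted script {path} (possible webshell)"
        elif kind == "mail" and PERSONA_RE.match(f.get("from", "")):
            reason = f"sender matches ProtonMail persona pattern: {f['from']}"
        if reason:
            findings.append({"line": n, "kind": kind, "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(f"line {hit['line']:>2} [{hit['kind']}] {hit['reason']}")
```

Subdomain matching in `domain_hit` matters because blocking only the bare apex misses hosts under it, while the `KNOWN_SCRIPTS` allowlist keeps the webshell rule from firing on every legitimate login form; tune both to your environment before running this over real DNS, firewall, EDR and IIS/Apache logs.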

HIGH PRIORITY — Within 72 Hours

  • Configure behavioral detection for Sagheb RAT: TOR circuit establishment from non-user processes; XOR-encrypted HTTP traffic.
  • Audit SOHO/consumer router fleet (TP-LINK, ASUS, D-Link, Cisco RV) for DNS redirect behavior.
  • Validate DDoS mitigation posture — Al-Qassam-pattern attacks on the financial sector are expected within days.
  • Enforce MFA everywhere — Sagheb RAT specifically steals Telegram Desktop and Firefox credentials to bypass authentication.
  • If using Sophos, Trend Micro, or SentinelOne: APT35 has documented AV bypass research against all three. Verify behavioral (not just signature-based) coverage is enabled.

9. STRATEGIC CONTEXT

Following the reported death of Khamenei and the escalation triggered by Operation Epic Fury, Iranian cyber units are likely to play a more prominent role in retaliation and signaling activities. At the same time, reduced staffing within CISA due to a DHS funding lapse may limit coordination and response capacity during the early stages of the crisis. As a result, the period immediately following the operation is likely to represent an elevated risk window for Iranian cyber activity targeting GCC infrastructure.

Mohammed Rizvan