{
	"id": "41db52c5-d679-437b-b4aa-b3fc63671641",
	"created_at": "2026-04-06T00:15:19.847267Z",
	"updated_at": "2026-04-10T03:35:13.606932Z",
	"deleted_at": null,
	"sha1_hash": "e5d7f7be2f44518792cfdb3d1d2034ad49ac7667",
	"title": "Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1875552,
	"plain_text": "Operation GhostShell: Novel RAT Targets Global Aerospace and\r\nTelecoms Firms\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 12:50:20 UTC\r\nIn July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly-targeted\r\ncyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with\r\nadditional victims in the U.S., Russia and Europe. \r\nThe Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations’ infrastructure\r\nand technology. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT\r\n(Remote Access Trojan) dubbed ShellClient which was employed as the primary espionage tool. \r\nThe Nocturnus Team found evidence that the ShellClient RAT has been under ongoing development since at least 2018, with\r\nseveral iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and\r\npublicly unknown.\r\nAssessments as to the identity of the operators and authors of ShellClient resulted in the identification of a new Iranian\r\nthreat actor dubbed MalKamak that has operated since at least 2018 and remained publicly unknown thus far. In addition,\r\nour research points out possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT (APT39)\r\nand Agrius APT. However, we assess that MalKamak has distinct features that separate it from the other Iranian groups. \r\nKey Findings\r\nNew Iranian Threat Actor MalKamak: A newly discovered Iranian threat actor dubbed MalKamak\r\nthat has been operating since at least 2018 and remained unknown thus far. 
In addition, the\r\ninvestigation draws possible connections to other Iranian state-sponsored threat actors including Chafer\r\nAPT (APT39) and Agrius APT.\r\nDiscovery of New ShellClient RAT: The Cybereason Nocturnus team discovered a sophisticated and\r\npreviously undocumented RAT (Remote Access Trojan) dubbed ShellClient used for highly targeted\r\ncyber espionage operations.\r\nTargeting Aerospace and Telecom Companies: Based on the telemetry, this threat has been\r\npredominantly observed in the Middle East region, but has also been observed targeting organizations\r\nin the U.S., Russia and Europe, with a focus on the Aerospace and Telecommunications industries. \r\nOngoing Development Since 2018: Our investigation revealed this threat was first operationalized in\r\n2018, and since then has been under active development with each new version adding more features\r\nand stealth. This threat is still active as of September 2021. \r\nAbusing Cloud Services for C2: The most recent ShellClient versions were observed to be abusing\r\ncloud-based storage services for Command and Control (C2), in this case the popular Dropbox service,\r\nin order to remain undetected by blending in with legitimate network traffic.\r\nDesigned for Stealth: The authors of ShellClient invested a lot of effort into making it stealthy to\r\nevade detection by antivirus and other security tools by leveraging multiple obfuscation techniques and\r\nrecently implementing a Dropbox client for command and control (C2), making it very hard to detect. 
\r\nShellClient: The Silent RAT\r\nhttps://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms\r\nPage 1 of 24\n\nThe following sections recap the recently observed Operation GhostShell campaign and the evolution of this stealthy\r\nShellClient RAT, which has been operationalized and actively developed since at least November 2018.\r\nRecent Campaign\r\nIn July 2021, Cybereason encountered an unidentified threat actor carrying out a cyber espionage operation using a\r\npreviously undocumented and stealthy RAT dubbed ShellClient. \r\nUsing this RAT, the threat actors were first observed conducting reconnaissance and the exfiltration of sensitive data from\r\nleading Aerospace and Telecommunications companies in the Middle East region, and were later observed targeting the same\r\nindustries in other regions including the U.S., Russia and Europe.\r\nWhen first inspecting the ShellClient RAT, the malicious binary was found to be running on victim machines as\r\n“svchost.exe” while its internal name was disguised as “RuntimeBroker.exe”:\r\nShellClient RAT internal name masquerades as a legitimate Microsoft RuntimeBroker.exe binary\r\nThis executable was determined to have been compiled on May 22nd, 2021, and was observed to be executing adjacent to\r\nadditional TTPs. 
\r\nShellClient Structure and Configuration\r\nThe ShellClient RAT is a modular PE leveraging Costura to compress each of the modules using zlib:\r\nShellClient RAT utilizing Costura\r\nTwo of the references are DLLs containing supporting functionalities: \r\nExtensionLib.dll contains utilities and functionalities such as:\r\nAES Encryption, including an AES Key and an Initialization Vector (IV)\r\nHashing\r\nFile Operations\r\nRegistry Operations\r\nProcess Creation\r\nSerialization\r\nExtensionLib.dll\r\nClientCore.dll holds other core functionalities of the client such as:\r\nFingerprinting\r\nFile Operations\r\nUser Impersonation\r\nToken Handling\r\nFTP Client\r\nTelnet Client\r\nSettings \u0026 Strings\r\nClientCore.dll\r\nThe executable stores most of its strings, including configuration strings, as bytes and then converts them in real time to\r\nUnicode/ASCII to evade antivirus string detection:\r\nShellClient using Unicode/ASCII to evade antivirus string detection\r\nExecution Flow\r\nThe ShellClient RAT executes according to the following arguments:\r\nIf no arguments are provided, the binary executes itself using InstallUtil.exe to install and run a malicious\r\nnhdService service\r\nIf there is one argument and it is equal to -c, the binary will be executed using the Service Control Manager\r\n(SCM) to create a reverse shell, communicating with a configured Dropbox storage as a C2\r\nIf there is one argument and it is equal to -d, the binary will execute as a regular 
process\r\nShellClient RAT arguments\r\nWhen either the -c or -d argument is provided, the malware performs basic fingerprinting using WMI to collect:\r\nHardware information such as BIOS information, MAC address, etc.\r\nNetworking information including a request to ipinfo[.]io/ip to retrieve the public IP address of the infected\r\nmachine\r\nWhich antivirus products are installed \r\nThe collected information is also used to create a unique agent identifier for each infected machine:\r\nCreating a unique identifier\r\nCommand and Control (C2) Communications\r\nThe C2 communications this malware implements are quite unique, as they rely on “cold files” being saved to a remote\r\nDropbox, instead of a common interactive session. This method of communication is an interesting Operational Security\r\n(OPSEC) solution, making it difficult to trace the threat actor’s infrastructure by utilizing a public service such as Dropbox.\r\nTo communicate with Dropbox, ShellClient uses Dropbox’s API with a unique embedded API key. 
Before communicating, it\r\nencrypts the data using a hardcoded AES encryption key.\r\nThe Dropbox storage contains 3 folders:\r\nAS Folder (Agents Folder): Stores uploaded information on infected machines\r\nCS Folder (Commands Folder): Stores commands to be fetched, executed and then deleted by ShellClient\r\nRS Folder (Results Folder): Stores the output of commands executed by ShellClient\r\nEvery 2 seconds, the victim machine checks the commands folder, retrieves files that represent commands, parses their\r\ncontent, then deletes them from the remote folder and enables them for execution:\r\nShellClient C2 Communications\r\nAfter executing the commands, the executable uploads the results to the corresponding folder with a randomly generated file\r\nname based on the unique victim ID that the threat actor calls HardwareID:\r\nShellClient C2 Communications\r\nThe destinations for these communications are api.dropboxapi[.]com and content.dropboxapi[.]com.\r\nPersistence and Privilege Escalation\r\nThe ShellClient RAT achieves persistence and privilege escalation to run with SYSTEM privileges on victim machines by\r\ncreating the nhdService disguised as Network Hosts Detection Service:\r\nService Name: nhdService\r\nDisplay Name: Network Hosts Detection Service\r\nDescription: Searches and manages hosts in the Network and Dial-Up Connections folder, where both local\r\narea network and remote connections are viewable\r\nStart Type: Automatic\r\nAccount: LocalSystem\r\nSupported Commands\r\nThe executable contains multiple command functions that enable its capabilities, including arbitrary command execution,\r\nFTP/Telnet clients, lateral movement, file manipulation, etc. 
\r\nIn addition, the malware contains several command functions that seem to do nothing and have no reference in the code; this\r\ncould indicate that the malware is still under development.\r\nThe following table describes the purpose of each command:\r\nCommand | Description\r\ncode10 | Query hostname, malware version, executable path, IP address and antivirus products\r\ncode11 | Execute an updated version of ShellClient\r\ncode12 | Self delete using InstallUtil.exe\r\ncode13 | Restart the ShellClient service\r\ncode20 | Start a CMD shell\r\ncode21 | Start a PowerShell shell\r\ncode22 | Add to the results message the following line: “Microsoft Windows Command Prompt Alternative Started …”\r\ncode23 | Open a TCP client\r\ncode24 | Start an FTP client\r\ncode25 | Start a Telnet client\r\ncode26 | Execute a shell command\r\ncode29 | Kill active CMD or PowerShell shell\r\ncode31 | Query files and directories\r\ncode32 | Create a directory\r\ncode33 | Delete files and folders\r\ncode34 | Download a file to the infected machine\r\ncode35 | Upload a file to Dropbox\r\ncode36 | Does nothing\r\ncode37 | Download a file to the infected machine and execute it\r\ncode38 | Lateral movement using WMI\r\nShellClient C2 Commands\r\nAdditional TTPs Observed with ShellClient\r\nUsing the ShellClient RAT, the threat actor deployed additional tools to perform various activities to support their operation\r\nsuch as reconnaissance, lateral movement, data collection and more.\r\nLateral Movement\r\nThe attackers were observed using PAExec and “net use” for lateral movement. PAExec is a redistributable version of the\r\nfamous Sysinternals PsExec, with some additional options. 
\r\nThe attackers leveraged PAExec to:\r\nExecute a CMD shell as SYSTEM on remote machines\r\nPerform remote service-related operations like start, stop, restart, status and more\r\nExfiltrate organizational Active Directory structure using a remotely executed csvde.exe -f \u003c output file \u003e\r\ncommand\r\nCheck internet connectivity using ping to reach Google.com\r\nGather host information by executing ipconfig, tasklist and net use\r\nShellClient leveraging PAExec as observed in the Cybereason Defense Platform\r\nCredential Dumping Tool\r\nDuring the observed attacks, the ShellClient RAT activity group deployed and executed an unknown executable named\r\nlsa.exe to perform credential dumping. Lsa.exe dumped the memory of lsass.exe to a file named debug.bin and was observed\r\nexecuting with the following command-line arguments:\r\nlsa.exe -d \r\nlsa.exe -m\r\nAlthough the Cybereason Nocturnus team was unable to retrieve the lsa.exe executable, we speculate the tool might be a\r\nvariation of the tool SafetyKatz, based on the debug.bin dump file the tool creates, which is also the name of the dump file\r\ncreated by SafetyKatz, a tool previously tied to Iranian threat actors:\r\nShellClient credential dumping as observed in the Cybereason Defense Platform\r\nStaging\r\nBefore exfiltration, the attackers used a renamed WinRAR rar.exe binary to compress the files of interest:\r\nShellClient using WinRAR to compress data before exfiltration\r\nThe Evolution of ShellClient and Finding the Missing Link\r\nKnown ShellClient 
RAT version history timeline\r\nOne of the questions that came up during the investigation was how far back the use of the malware can be\r\nobserved. At first it was thought to have been developed recently since there was no publicly available documentation or any\r\nmention of it available. However, the code indicates that the sample we analyzed was version 4.0, which implies there\r\nshould be several previous versions.\r\nWith that in mind, the investigation revealed the missing link in a .NET GUID that appeared in the metadata of the observed\r\nsample. Pivoting on this unique identifier, we were able to uncover an older instance (version 3.1, VT link) that used the\r\nsame .NET TypeLibID GUID, a unique ID generated by Visual Studio per project: fd01304b-571f-4454-b52b-19cfb8af44a9:\r\nShared .NET TypeLib Id GUID between the recent and the older version of ShellClient\r\nFrom there, finding the other previous versions of ShellClient was achieved by pivoting on string and code\r\nsimilarities. This pivoting process proved that ShellClient has been under continuous development since at least November\r\nof 2018, marking almost three years of development work to evolve the malware from a simple standalone reverse shell to a\r\nstealthy modular espionage tool. \r\nIn each new iteration of the malware, the authors added new features and capabilities, attempting to use various exfiltration\r\nprotocols and methods, such as using an FTP client and a Dropbox account to hide in plain sight. In addition, from version\r\n4.0.0 and up, the authors made significant design and architecture changes like introducing modular design. 
\r\nBelow is a summary of the variants that were discovered so far:\r\nVT Link | Variant Version | Name | Compilation Date | First Submission Date | PDB Path\r\nVT link | Earliest variant | svchost.exe | 2018-11-06 21:35:41 | 2018-11-11 15:28:46 |\r\nVT link | 1 | svchost.exe | 2018-11-29 23:41:15 | 2020-04-15 23:22:13 | D:\\projects\\07 - Reverse Shell\\ShellClientServer_HTTP\\obj\\Release\\svchost.pdb\r\nVT link | 2.1 | svchost.exe | 2018-12-16 11:19:14 | 2020-04-14 22:59:49 | E:\\Projects (Confidential)\\07 - Reverse Shell\\ShellClientServer_HTTP.v2\\obj\\Release\\svchost.\r\nVT link | 3.1 | svchost.exe | 2019-01-12 18:37:20 | 2019-01-17 22:53:43 | D:\\Visual Studio 2017\\v3.1\\ShellClient\\obj\\Release\\svchost.pdb\r\nVT link | 4.0.0 | RuntimeBroker.exe / svchost.exe | 2021-08-10 11:14:51 | 2021-09-22 09:18:59 |\r\nVT link | 4.0.1 | RuntimeBroker.exe / svchost.exe | 2021-05-22 12:06:05 | 2021-07-20 16:16:06 |\r\nKnown ShellClient RAT version history\r\nOverview of ShellClient Evolution \r\nEarliest Variant (November 2018)\r\nThe earliest variant traced was compiled on November 06, 2018, and was purposefully named svchost.exe to allow it to\r\nmasquerade as a legitimate Windows binary. This early variant is not very rich in features and lacks the sophistication and\r\nfunctionality that are manifested in its successors. In essence, it is a rather simple reverse shell. \r\nMain Features:\r\nFile name: svchost.exe\r\nFile description: Windows Defender Service\r\nCore functionality: Simple websocket-based reverse shell\r\nHardcoded C2 domain: azure.ms-tech[.]us:80\r\nVariant V1 (November 2018)\r\nThe second oldest variant emerged about 3 weeks after the initial version. 
This variant is more mature and contains\r\ncapabilities of both a client and a server, including a new service persistence method disguised as a Windows Defender\r\nUpdate service. This version of ShellClient also communicates with the following C2 domain: azure.ms-tech[.]us:80 \r\nMain Updates:\r\nFile description: Host Process For Windows Processes\r\nCore functionalities: \r\nPredefined set of C2 commands\r\nExecuting arbitrary commands via CMD shell or PowerShell\r\nClient and Server components\r\nPersistence via Windows Service, masquerading as Windows Defender\r\nBase64 encoding/decoding for data sent from / to C2\r\nVariant V2.1 (December 2018)\r\nCompiled approximately 2 weeks after variant V1, this variant keeps the same name and description attributes but shows\r\nfurther progress in development by adding a variety of new capabilities, including FTP and Telnet clients, AES encryption,\r\nself-update capabilities and more. This version of ShellClient also communicates with the following C2 domain: azure.ms-tech[.]us:80 \r\nMain Changes:\r\nCore functionalities: \r\nImplementing FTP and Telnet clients\r\nAES encryption of data sent to the C2\r\nSelf-updating feature\r\nClient ID and versioning attributes added\r\nExtended set of predefined C2 commands\r\nVariant V3.1 (January 2019)\r\nAbout a month after the emergence of variant V2.1, the V3.1 variant was seen in January of 2019. It has mostly minor\r\nchanges with regard to functionality. The main difference is the removal of the “Server” component from the executable, as\r\nwell as new code obfuscation and an upgraded commands menu. 
This version of ShellClient also communicates with the\r\nfollowing C2 domain: azure.ms-tech[.]us:80 \r\nMain Changes:\r\nCore functionality: \r\nRemoval of the Server component\r\nIntroduction of command-line arguments\r\nFirst attempts at code obfuscation\r\nMore predefined C2 commands\r\nOS fingerprinting via WMI\r\nVariant V4.0.0 (August 2021)\r\nPerhaps one of the biggest advancements in the ShellClient evolution came with version V4.0.0 and continued with its\r\nsuccessor V4.0.1, in which the malware authors implemented many changes and improvements, adding new capabilities,\r\nenhancing code obfuscation and code protection using the Costura packer, as well as abandoning the C2 domain that had been active\r\nsince 2018. \r\nThe traditional C2 communications were replaced with a built-in Dropbox client, abusing the popular online platform to\r\nsend commands to ShellClient as well as to store the stolen data exfiltrated to a designated Dropbox account. This ultimately\r\nmakes it harder to detect since the network traffic would appear legitimate to security analysts as well as most security\r\nsolutions. \r\nNote: For a full analysis of the variants, please refer to Appendix A (IOCs). \r\nAttribution\r\nDuring the investigation, efforts were made to identify instances of the ShellClient code and to determine its origin or\r\naffiliation with known threat actors. Given that ShellClient was previously undocumented and unknown at the time\r\nof the investigation, and the identity of the threat actor behind the attack was unclear, the Nocturnus Team first attempted to\r\nfind links to known adversary groups that have carried out similar attacks in the past against this industry and the affected\r\nregions. 
\r\nWhile some possible connections to known Iranian threat actors were observed, our conclusion is that MalKamak is a new\r\nand distinct activity group, with unique characteristics that distinguish it from the other known Iranian threat actors. In\r\npublishing this data, it is hoped that more attention will be given to this threat and over time more information about\r\nShellClient origins will emerge. \r\nLikely Nation State-Sponsored Threat Actor\r\nThe current working assumption is that ShellClient was created and maintained by a nation-state sponsored threat actor, or\r\nAdvanced Persistent Threat (APT). The intrusions analyzed by Cybereason suggest that the motivation is cyber espionage\r\nagainst a very small set of carefully selected targets. This is supported by the fact that there are very few samples found in\r\nthe telemetry or in the wild since 2018, in contrast to commodity malware that can usually be found in abundance. \r\nIn addition, the PDB path that is embedded in some of the ShellClient samples suggests that this malware is part of a\r\nrestricted or classified project that could be related to military or intelligence agency operations: \r\nE:\\Projects (Confidential)\\07 - Reverse Shell\\ShellClientServer_HTTP.v2\\obj\\Release\\svchost.pdb\r\nRussian Turla Connection or a Yara False Positive? \r\nIn examining some “low hanging fruit,” the first clue examined was a Yara rule comment that appeared in VirusTotal along\r\nwith some of the older variants of ShellClient. The Yara rule that was indicated is named\r\nAPT_Turla_MSTCSS_Malware_Jun19_1:\r\nYara rule comment that appeared in VirusTotal\r\nThe Nocturnus Team examined the possibility that the ShellClient malware might have been created by the Russian APT\r\ngroup Turla. 
However, upon careful analysis of known Turla malware, and more specifically the samples indicated in a\r\nSymantec report referenced in the Yara rule, the team did not find any significant similarities or evidence that can tie Turla\r\nto ShellClient or the activity that was observed in the intrusion investigated. \r\nAn Iranian Connection\r\nGiven that most of the victims were located in the Middle East region and considering the affected industries, the unique\r\nprofile of the attacked organizations, as well as other characteristics related to the intrusion and the malware, the team also\r\nexamined the possibility that an Iranian state-sponsored threat actor might be behind the Operation GhostShell intrusions. \r\nThe Nocturnus team compared our observations with previous campaigns that were attributed to known Iranian threat\r\nactors, and was able to point out some interesting similarities between ShellClient and previously reported Iranian malware\r\nand threat actors. \r\nHowever, at this point, our estimation is that this operation was carried out by a separate activity group, dubbed MalKamak,\r\nwhich has its own distinct characteristics that distinguish it from the other groups.\r\nNonetheless, we believe that highlighting the possible connections between various Iranian threat actors could be beneficial.\r\nWhether such a connection is the result of direct collaboration among these threat actors is currently unknown. \r\nThese connections can also be explained in other, less direct ways; for example, a cyber mercenary who codes\r\nfor multiple threat actors could account for some of these observed overlaps. 
\r\nMeet MalKamak: A New Iranian Threat Actor\r\nMalKamak Diamond Model Summary\r\nUsing the well-known diamond model of attribution, the Nocturnus team was able to determine that the attacks were carried out\r\nby a new activity group, dubbed MalKamak, which was unknown thus far and believed to be operating on behalf of Iranian\r\ninterests. Following is a quick summary of its main characteristics: \r\nCountry of Origin: Iran \r\nYears of Activity: Since at least 2018\r\nMotivation: Cyber Espionage\r\nVictimology: \r\nAffected Regions: Predominantly the Middle East, with victims in the US, Europe and Russia. \r\nAffected Industries: Aerospace and Telecommunications\r\nUnique Tools: ShellClient (evolving from a simple reverse shell to a complex RAT)\r\nGeneric Tools: SafetyKatz, PAExec, ping, ipconfig, tasklist, net, and WinRAR.\r\nKnown Infrastructure:\r\n2018-2020: ms-tech[.]us \r\n2021: Dropbox C2\r\n*MalKamak is derived from Kamak, the name of an ancient Persian mythological creature thought responsible for droughts\r\nand spreading chaos.\r\nSimilarities to Previous Chafer APT-Related Campaigns\r\nDuring the analysis, it was observed that there were some potentially interesting links and similarities to an Iranian threat\r\nactor called Chafer APT (also known as APT39, ITG07 or Remix Kitten). \r\nThe group has been active since at least 2014, and is believed to be linked to the Rana Intelligence Computing Company, a\r\nTehran-based company, previously known to serve as a front company for the Iranian Ministry of Intelligence and Security\r\n(MOIS). The Chafer APT is known to attack targets in the Middle East as well as the U.S. and Europe. 
\r\nExamining past campaigns, such as the one analyzed in Bitdefender’s Chafer APT report, the team noticed interesting\r\noverlaps with observations in this investigation, as detailed in the following sections.\r\nOur current assessment is that while these overlaps are interesting, they are not enough to establish attribution with\r\nadequate certainty.\r\nCredential Dumping\r\nChafer has been known to use the SafetyKatz tool to harvest credentials from compromised endpoints. As mentioned\r\npreviously in this report, there are indications that the threat actor analyzed here used the same tool. \r\nObfuscated Persistence\r\nIn both of the investigations, the threat actors maintained persistence by disguising the malware as legitimate Windows-related components on victims’ systems. To achieve that, both operations used the Windows Defender Update name to\r\ndisguise their activity:\r\nShellClient Disguised Persistence | Previous Chafer APT Disguised Persistence\r\nWindows Defender Update service | Defender Update scheduled task\r\nObfuscated Persistence\r\nPDBs\r\nExecutables in both of the operations were found to be compiled from similar paths, particularly containing the “projects”\r\nfolder under a root drive:\r\nShellClient PDB Paths | Chafer APT PDB Paths\r\nD:\\projects\\07 - Reverse Shell\\ShellClientServer_HTTP\\obj\\Release\\svchost.pdb | F:\\Projects\\94-06\\RCE\\bin\\Release\\x64\\mas.pdb\r\nE:\\Projects (Confidential)\\07 - Reverse Shell\\ShellClientServer_HTTP.v2\\obj\\Release\\svchost.pdb | F:\\Projects\\94-08\\XNet\\bin\\Release\\Win32\\XNet.pdb\r\nPDB Evidence\r\nSimilarities to Agrius APT-Related Campaigns\r\nAnother Iranian threat actor that was examined is a relatively new activity group known as Agrius APT. 
The group has been\r\nknown to attack mainly Israeli organizations and companies, carrying out destructive operations under the guise of\r\nransomware attacks. \r\nA report about Agrius attacks mentions a custom .NET backdoor called IPsec Helper. Although the IPsec Helper backdoor\r\nand ShellClient are quite different, there were some interesting similarities in the coding style and naming conventions,\r\nwhich may indicate a link between the two malware and the possibility that they were authored by developers from the same\r\nor adjacent teams. \r\nThese code similarities could indicate that the same developer was also behind ShellClient, or at the very least\r\na person who had access to the code of both malware. That being said, the TTPs and the intrusions conducted by\r\nAgrius seem very different from the TTPs and intrusions observed in Operation GhostShell, and therefore we concluded that\r\nit is unlikely that Agrius is behind this operation. \r\nPossible Coding Style Overlap\r\nWhen comparing the command parsing function of both IPsec Helper and ShellClient, a similar code structure and logic can\r\nbe seen: \r\nCode similarities between IPsec Helper and ShellClient\r\nNaming Conventions \r\nBoth ShellClient and IPsec Helper use a similar naming convention for the classes used to launch the malware as a service:\r\nSimilarities between ShellClient and IPsec Helper naming conventions\r\nKill Techniques \r\nBoth ShellClient and IPsec Helper use InstallUtil.exe in the self-kill mechanism. When ShellClient receives a self-kill\r\ncommand, it executes InstallUtil.exe in order to delete the service created and remove itself from the infected machine.\r\nWhen IPsec Helper receives a self-kill command, it creates and executes a batch script named “remover.bat”. 
The script uses\r\nInstallUtil.exe to delete the service created for the malware.\r\nData Decoding and Encryption \r\nBoth ShellClient and IPsec Helper use Base64 and AES to encode and encrypt data sent to the C2. In addition, both\r\nmalware have a separate class for Base64 encoding and decoding, and for AES encryption and decryption:\r\nShellClient and IPsec Helper data decoding and encryption similarities\r\nOther Similar Functions \r\nSome functions of the ShellClient, IPsec Helper and Apostle malware are very similar, for example the Serialize function,\r\nwhich is found in all three malware variants.\r\nShellClient, IPsec Helper and Apostle malware similarities\r\nPossible Infrastructure Connection\r\nAnother interesting connection identified between these malware is based on past IP address resolutions of the domain used\r\nby ShellClient, azure.ms-tech[.]us, and a domain used by IPsec Helper, whynooneistherefornoneofthem[.]com. Both of these\r\ndomains have resolved to both of the IP addresses 139.162.120.150 and 50.116.17.41. \r\nUpon examination, these IP addresses function as a sinkhole. Further examination of other domains that were\r\nresolved to these IP addresses in the past revealed a significant number of malicious domains that were used by Iranian\r\nAPTs.\r\nConclusion\r\nIn the Operation GhostShell report, the Cybereason Nocturnus and Incident Response Teams discovered a sophisticated new\r\nRemote Access Trojan (RAT) dubbed ShellClient that was used in highly targeted attacks against a select few Aerospace and\r\nTelecommunications companies mainly in the Middle East, with other victims located in the U.S., Russia and Europe. 
Our\r\ncurrent assessment is that the attacks were perpetrated by a newly discovered Iranian activity group dubbed MalKamak that\r\nhas been operating since at least 2018 and remained in the dark until now.\r\nThe investigation into Operation GhostShell also revealed that ShellClient dates back to at least 2018, and has been\r\ncontinuously evolving ever since while successfully evading most security tools and remaining completely unknown. By\r\nstudying the ShellClient development cycles, the researchers were able to observe how ShellClient has morphed over time\r\nfrom a rather simple reverse shell to a sophisticated RAT used to facilitate cyber espionage operations while remaining\r\nundetected. \r\nThe most recent ShellClient versions observed in Operation GhostShell follow the trend of abusing cloud-based storage\r\nservices, in this case the popular Dropbox service. The ShellClient authors chose to abandon their previous C2 domain and\r\nreplace the command and control mechanism of the malware with a simpler yet stealthier C2 channel that uses\r\nDropbox to exfiltrate the stolen data as well as to send commands to the malware. This trend has been increasingly adopted\r\nby many threat actors due to its simplicity and the ability to effectively blend in with legitimate network traffic. \r\nIt is the intention of the researchers that the information provided in the Operation GhostShell report will inspire further\r\nresearch regarding ShellClient and the newly identified MalKamak activity group, and that it will ultimately assist in\r\nshedding more light on this mysterious malware that was kept well-hidden for many years. \r\nAuthors\r\nTOM FAKTERMAN, THREAT RESEARCHER\r\nTom Fakterman, Cyber Security Analyst with the Cybereason Nocturnus Research Team, specializes in protecting critical\r\nnetworks and incident response. 
Tom has experience in researching malware, computer forensics and developing scripts and\r\ntools for automated cyber investigations.\r\nDANIEL FRANK, SENIOR MALWARE RESEARCHER\r\nWith a decade in malware research, Daniel uses his expertise in malware analysis and reverse engineering to understand\r\nAPT activity and commodity cybercrime attackers. Daniel has previously shared research at RSA Conference, the Microsoft\r\nDigital Crimes Consortium, and Rootcon.\r\nCHEN ERLICH, INCIDENT RESPONSE ENGINEER\r\nChen has almost a decade of experience in Threat Intelligence \u0026 Research, Incident Response and Threat Hunting. Before\r\njoining Cybereason, Chen spent three years dissecting APTs, investigating underground cybercriminal groups and\r\ndiscovering security vulnerabilities in known vendors. Previously, he served as a Security Researcher in the military forces.\r\nASSAF DAHAN, HEAD OF THREAT RESEARCH\r\nAssaf has over 15 years in the InfoSec industry. He started his career in the military forces Cybersecurity unit where he\r\ndeveloped extensive experience in offensive security. 
Later in his career he led Red Teams, developed penetration testing\r\nmethodologies, and specialized in malware analysis and reverse engineering.\r\nINDICATORS OF COMPROMISE\r\nOpen the chatbot on the bottom right corner of your screen to access the Ghostshell IOCs and Appendix A.\r\nMITRE ATT\u0026CK BREAKDOWN\r\nExecution: Command-line interface; Windows Management Instrumentation; PowerShell\r\nPersistence: Windows Service\r\nPrivilege Escalation: Valid Accounts\r\nDefense Evasion: Obfuscated Files or Information; Masquerading\r\nCredential Access: Credential Dumping\r\nDiscovery: Security Software Discovery; System Information Discovery; System Network Configuration Discovery\r\nLateral Movement: SMB/Windows Admin Shares\r\nCollection: Archive Collected Data\r\nCommand and Control: Data Encoding; Encrypted Channel; File Transfer Protocols; Web Protocols\r\nExfiltration: Exfiltration Over Web Service; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and\r\nenterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies,\r\nreverse-engineering malware, and exposing unknown system vulnerabilities. 
The Cybereason Nocturnus Team was the first\r\nto release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms"
	],
	"report_names": [
		"operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8205484f-7cf2-4b43-b2de-c1a500ae310e",
			"created_at": "2022-10-25T16:07:23.861533Z",
			"updated_at": "2026-04-10T02:00:04.764666Z",
			"deleted_at": null,
			"main_name": "MalKamak",
			"aliases": [
				"Operation GhostShell"
			],
			"source_name": "ETDA:MalKamak",
			"tools": [
				"PAExec",
				"SafetyKatz",
				"ShellClient",
				"WinRAR"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7261dbea-1283-4a30-8da6-c30ccfc25024",
			"created_at": "2023-11-30T02:00:07.289432Z",
			"updated_at": "2026-04-10T02:00:03.481506Z",
			"deleted_at": null,
			"main_name": "MalKamak",
			"aliases": [],
			"source_name": "MISPGALAXY:MalKamak",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d",
			"created_at": "2023-01-06T13:46:38.883911Z",
			"updated_at": "2026-04-10T02:00:03.132231Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"COBALT HICKMAN",
				"G0087",
				"Radio Serpens",
				"TA454",
				"ITG07",
				"Burgundy Sandstorm",
				"REMIX KITTEN"
			],
			"source_name": "MISPGALAXY:APT39",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6b6155e4-94ec-4909-b908-550afe758ad6",
			"created_at": "2022-10-25T15:50:23.365074Z",
			"updated_at": "2026-04-10T02:00:05.2978Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"APT39",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "MITRE:APT39",
			"tools": [
				"NBTscan",
				"MechaFlounder",
				"Remexi",
				"CrackMapExec",
				"pwdump",
				"Mimikatz",
				"Windows Credential Editor",
				"Cadelspy",
				"PsExec",
				"ASPXSpy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434519,
	"ts_updated_at": 1775792113,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5d7f7be2f44518792cfdb3d1d2034ad49ac7667.pdf",
		"text": "https://archive.orkl.eu/e5d7f7be2f44518792cfdb3d1d2034ad49ac7667.txt",
		"img": "https://archive.orkl.eu/e5d7f7be2f44518792cfdb3d1d2034ad49ac7667.jpg"
	}
}