Iranian cyberespionage group Charming Kitten, also known as APT35, TA453, Cobalt Mirage, Phosphorus, NewsBeef, Magic Hound, and Newscaster, has been launching financially motivated attacks against U.S. entities over the last few months, according to SecurityWeek.
Secureworks Counter Threat Unit (CTU) researchers found that Charming Kitten breached the network of a U.S. philanthropic organization in January using access it had obtained earlier. The attackers then deployed a web shell and used it to drop additional files, including a binary named dllhost.exe that gathered system information and communicated with the command-and-control server. They then used BitLocker to encrypt the organization's user workstations.
"This approach suggests a small operation that relies on manual processes to map victims to the encryption keys used to lock their data," said researchers.
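The chain described above (web shell, a dropped binary carrying the name of a legitimate Windows executable, then BitLocker turned against the victim's own workstations) suggests two cheap host checks. The following PowerShell script is an added example written for this page; it is not code from the SecurityWeek article or the Secureworks report, and its heuristics are assumptions, not indicators published by either. It assumes a Windows host with the BitLocker PowerShell module (Get-BitLockerVolume) and an elevated session. The real dllhost.exe lives in System32 or SysWOW64, so a process of that name elsewhere, or one spawned by an IIS worker process as a web shell would spawn it, is worth a look; and BitLocker driven by policy normally leaves a TPM protector on the OS volume (or an ExternalKey auto-unlock protector on data volumes), so a volume encrypting with only password-type protectors is what a hand-run BitLocker attack tends to leave behind.

```powershell
# Added hunting example (not from the article or the Secureworks report).
# Assumed: Windows host, BitLocker PowerShell module present, run elevated.

function Get-SuspectDllhost {
    # Legitimate locations of dllhost.exe (assumption: default %SystemRoot%).
    $systemPaths = @("$env:SystemRoot\System32\dllhost.exe",
                     "$env:SystemRoot\SysWOW64\dllhost.exe")
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'"
    foreach ($p in $procs) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $reasons = @()
        if ($null -eq $p.ExecutablePath) {
            # Access denied to the image path; not proof of anything, but look closer.
            $reasons += 'image path unreadable'
        } elseif ($systemPaths -notcontains $p.ExecutablePath) {
            $reasons += "unexpected path: $($p.ExecutablePath)"
        }
        if ($parentName -ieq 'w3wp.exe') {
            # A web shell running under IIS spawns children from the worker process.
            $reasons += 'spawned by IIS worker process'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId   = $p.ProcessId
                ParentName  = $parentName
                CommandLine = $p.CommandLine
                Reasons     = $reasons -join '; '
            }
        }
    }
}

function Get-SuspectBitLockerVolumes {
    Import-Module BitLocker -ErrorAction Stop
    $tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        # Heuristic (assumption): policy-managed encryption leaves a TPM protector on
        # the OS volume and an ExternalKey (auto-unlock) protector on data volumes.
        # A volume protected only by Password/RecoveryPassword, or by nothing at all,
        # looks like someone ran BitLocker by hand.
        $expected = if ($vol.VolumeType -eq 'OperatingSystem') { $tpmTypes } else { @('ExternalKey') }
        $hasExpected = @($types | Where-Object { $expected -contains $_ }).Count -gt 0
        if (-not $hasExpected) {
            $protectors = if ($types.Count -gt 0) { $types -join ',' } else { '<none>' }
            [pscustomobject]@{
                MountPoint   = $vol.MountPoint
                VolumeType   = $vol.VolumeType
                VolumeStatus = $vol.VolumeStatus
                Percent      = $vol.EncryptionPercentage
                Protectors   = $protectors
            }
        }
    }
}

Get-SuspectDllhost | Format-Table -AutoSize
Get-SuspectBitLockerVolumes | Format-Table -AutoSize
```

Both functions emit objects rather than text so they can be piped to Export-Csv or a remoting fan-out. The BitLocker heuristic is tuned for a default Group Policy or Intune deployment; a fleet that deliberately uses password-only protectors, or an MBAM-style setup, will need its own definition of "expected" protectors, and an EncryptionInProgress volume with no expected protector is the one to act on first, since the encryption can still be stopped.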
Charming Kitten also compromised a local U.S. government network in March, although that intrusion did not involve ransomware deployment.
"After the March 2022 intrusion was detected and disrupted, no additional malicious activity was observed. CTU researchers have not directly observed ransomware attacks linked to [the activity], but there is evidence that those threat actors may be experimenting with ransomware," researchers added.