The Iranian state-sponsored threat operation Charming Kitten, also known as APT35, Mint Sandstorm, Educated Manticore, TA453, Yellow Garuda, and ITG18, has attacked numerous organizations in the U.S., Europe, India, and the Middle East with the new BellaCiao dropper malware, reports The Hacker News. According to a report from Bitdefender Labs, vulnerable Microsoft Exchange Server or Zoho ManageEngine instances exposed to the internet may have been targeted to facilitate the deployment of BellaCiao, with Microsoft Defender then deactivated after a successful compromise. Two Internet Information Services (IIS) modules with instruction processing and credential exfiltration capabilities have also been downloaded in the Charming Kitten attacks, while BellaCiao facilitates additional malware delivery through hard-coded instructions. The report also noted another BellaCiao variant that uses the Plink tool instead of a web shell for file uploads, arbitrary file downloads, and command execution. "The best protection against modern attacks involves implementing a defense-in-depth architecture," said Bitdefender researcher Martin Zugec.