Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor

Hackers Likely Exploited ProxyLogon to Gain Access, Says Eset
Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor
It's best not to let bobcats indoors. (Image: Shutterstock)

Hackers aligned with the Iranian state are targeting vulnerable Microsoft Exchange Servers to deploy a new malware backdoor that has already victimized over two dozen Israeli organizations as part of an ongoing espionage campaign.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The campaign has been active since 2021 and uses a previously unseen malware backdoor that researchers at Eset dubbed Sponsor. The cybersecurity firm tracks the hacking group as "Ballistic Bobcat." It is also known as Charming Kitten, APT35 and Mint Sandstorm - formerly known as Phosphorus. The group has spied on journalists, defense contractors and diplomats.

In the latest campaign, the group targeted 32 organizations in Israel, and two other victims were spotted in the Middle East and Brazil. Among the indicators Eset said led it to attributing the attacks to Ballistic Bobcat is an active command-and-control server with an IP address of, the same that the U.S. Cybersecurity and Infrastructure Security Agency in late 2021 flagged as infrastructure belonging to Iranian government-sponsored hackers.

The Sponsor backdoor is a version of PowerLess, a Ballistic Bobcat backdoor first documented in 2021.

The hackers' initial access point into systems likely was a widely exploited Exchange flaw uncovered in 2021 designated as CVE-2021-26855 and known as ProxyLogon. Once the group gained initial access, it began to drop batch files to evade detection.

"Many of the 34 victims identified in Eset telemetry might best be described as victims of opportunity rather than preselected and researched victims," the report says.

The group deployed a range of open-source tools including Plink for automated logins and a post-exploitation framework called MerlinAgent, which the group disguised as software updates to avoid its potential detection.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.