Threat Watch

New Iranian APT “MalKamak” Running ShellClient RAT Disclosed by Cybereason

Cybereason Nocturnus researchers recently reported on an investigation performed in July which they attribute to a new Iranian APT group they are labeling as “MalKamak.” Per the research findings, one of the notable tactics, techniques, and procedures (TTPs) employed in targeted attacks against globally based telecom and aerospace companies is the use of a previously undocumented Remote Access Trojan (RAT) called ShellClient. This portable, modular RAT is used for Command and Control (C2) communications, data exfiltration, and reconnaissance. The RAT currently utilizes cloud-based services, specifically Dropbox, for C2 and data exfiltration in order to blend into legitimate network traffic. It is written as .NET malware obfuscated by the Costura packer.

The attribution to the new MalKamak group as an Iranian APT is supported by the concentration of the group’s activities in the Middle East, although Cybereason provides evidence of additional attacks on telecom and aerospace companies in the US, Russia, and Europe as well. The malicious binary was found by Cybereason researchers to be running as svchost.exe on infected computers, with an internal name of RuntimeBroker.exe. Versions of this binary were found to have been in active use with frequent updates since 2018, demonstrating the rapid cycle of improvement adopted by APT groups in today’s threat environment. Long-term malware usage can be addressed via the adoption of MDR and threat hunting solutions that focus on comprehensive post-exploitation mitigation and detection.
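The masquerading detail above (a binary running as svchost.exe whose internal name is RuntimeBroker.exe) can be turned into a simple endpoint-inventory check. This is an added example, not code from Cybereason or the report; the record fields, the signer string and the sample rows are assumptions constructed for it.

```python
"""Flag processes that present as svchost.exe but do not match the genuine binary.

A genuine svchost.exe is launched from %SystemRoot%\\System32 (or SysWOW64),
is signed by Microsoft, and carries the internal name "svchost.exe" in its
PE version resource.  A process named svchost.exe that disagrees on any of
these points deserves a closer look.  Record layout and rows are constructed.
"""
from pathlib import PureWindowsPath
from typing import Iterable

# Directories from which the genuine svchost.exe is launched (assumption: C: system drive).
TRUSTED_SVCHOST_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}


def svchost_findings(records: Iterable[dict]) -> list[dict]:
    """Return one finding per record whose process name is svchost.exe but whose
    path, internal name or signer disagrees with the genuine system binary."""
    findings = []
    for rec in records:
        if rec["name"].lower() != "svchost.exe":
            continue
        parent = str(PureWindowsPath(rec["path"]).parent).lower()
        reasons = []
        if parent not in TRUSTED_SVCHOST_DIRS:
            reasons.append(f"unexpected path {rec['path']}")
        if (rec.get("internal_name") or "").lower() != "svchost.exe":
            reasons.append(f"internal name {rec.get('internal_name')!r}")
        if rec.get("signer") != "Microsoft Windows":
            reasons.append(f"signer {rec.get('signer')!r}")
        if reasons:
            findings.append({"pid": rec["pid"], "reasons": reasons})
    return findings


# Constructed process inventory rows (hypothetical values for demonstration only).
SAMPLE_RECORDS = [
    {"pid": 812, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "internal_name": "svchost.exe", "signer": "Microsoft Windows"},
    {"pid": 4120, "name": "svchost.exe", "path": r"C:\Users\Public\svchost.exe",
     "internal_name": "RuntimeBroker.exe", "signer": None},
    {"pid": 1432, "name": "RuntimeBroker.exe", "path": r"C:\Windows\System32\RuntimeBroker.exe",
     "internal_name": "RuntimeBroker.exe", "signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for f in svchost_findings(SAMPLE_RECORDS):
        print(f"pid {f['pid']}: " + "; ".join(f["reasons"]))
```

Only the second constructed row is flagged, on all three checks; the genuine RuntimeBroker.exe row is ignored because the check is scoped to processes claiming to be svchost.exe.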