Cybereason Nocturnus researchers recently reported on an investigation performed in July which they attribute to a new Iranian APT group they are labeling “MalKamak.” Per the research findings, one of the notable tactics, techniques, and procedures (TTPs) employed in targeted attacks against globally based telecom and aerospace companies is the use of a previously undocumented Remote Access Trojan (RAT) called ShellClient. This portable, modular RAT is used for Command and Control (C2) communications, data exfiltration, and reconnaissance. The RAT currently utilizes cloud-based services, specifically Dropbox, for C2 and data exfiltration in order to blend into legitimate network traffic. It is written as .NET malware obfuscated by the Costura packer.
