Hackers use stealthy ShellClient malware on aerospace, telco firms
Threat researchers investigating malware used to target companies in the aerospace and telecommunications sectors discovered a new threat actor that has been running cyber espionage campaigns since at least 2018.

Dubbed ShellClient, the malware is a previously undocumented remote access trojan (RAT) built with a focus on being stealthy and for “highly targeted cyber espionage operations.”

Researchers attributed ShellClient to MalKamak, a previously undisclosed threat actor that used it for reconnaissance operations and for stealing sensitive data from targets in the Middle East, the U.S., Russia, and Europe.

In its investigation, Cybereason looked for details that would link ShellClient to a known adversary but concluded that the malware is operated by a new nation-state group they named MalKamak, which is likely connected to Iranian hackers, as indicated by code style overlap, naming conventions, and techniques.

“While some possible connections to known Iranian threat actors were observed, our conclusion is that MalKamak is a new and distinct activity group, with unique characteristics that distinguish it from the other known Iranian threat actors” - Cybereason