Cybereason exposes Iranian state-sponsored cyber espionage

The attacks were identified in a report that revealed aerospace and telecommunication companies as targets

James Spiro 15:2806.10.21
Israeli cybersecurity firm Cybereason has published a report that revealed a cyber-espionage operation that targeted aerospace and telecommunication companies around the world. According to the company, the report identified a newly discovered Iranian threat actor called MalKamak that has been operating since at least 2018. It is still active and leverages a Remote Access Trojan called ShellClient which can evade antivirus tools and abuse Dropbox services.


The report, called Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms, reveals the attacks against companies in the Middle East, United States, Europe, and Russia. It confirms that there are possible connections to Iranian state-sponsored threat actors such as Chafer APT (APT39) and Agrius APT. The findings come after an August publication called DeadRinger that uncovered Chinese APT campaigns also against telecommunication providers.


Cybereason co-founders Yonatan Striem Amit (left), Lior Div and Yossi Naar Photo: Cybereason Cybereason co-founders Yonatan Striem Amit (left), Lior Div and Yossi Naar Photo: Cybereason


“The Operation GhostShell report revealed a complex RAT capable of evading detection since as early as 2018, and the recent DeadRinger report also uncovered a similarly evasive threat from as early as 2017, which tells us a lot about how advanced attackers are continuously defeating security solutions,” said Cybereason CEO and co-founder Lior Div. “Layering on more tools to produce even more alerts that overwhelm defenders is not helping us stop sophisticated attacks, which is why Cybereason takes an operation-centric approach that detects based on very subtle chains of behavior where the adversary’s own actions work against them to reveal the attack at the earliest stages.”

Key findings in the report highlighted MalKamak and ShellClient, as well as the abuse of cloud-based storage services for Command and Control such as Dropbox. The authors of the ShellClient campaign ensured that it evades detection by leveraging obfuscation techniques and could perform various espionage activities on the targeted networks such as additional reconnaissance, lateral movement in the environment, and the collection and exfiltration of sensitive data.


Cybereason provides operation-centric attack protection by combining AI-powered detection and response (EDR and XDR), next-gen antivirus (NGAV), Anti-Ransomware Protection, and Proactive Threat Hunting. It is headquartered in Boston but has customers in 50 countries.