ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: MalKamak

Names: MalKamak (Cybereason), Operation GhostShell (Cybereason)
Country: Iran
Motivation: Information theft and espionage
First seen: 2018
Description: (Cybereason) In July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe.
The Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations’ infrastructure and technology. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed ShellClient which was employed as the primary espionage tool.
The Nocturnus Team found evidence that the ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown.
Assessments as to the identity of the operators and authors of ShellClient resulted in the identification of a new Iranian threat actor dubbed MalKamak that has operated since at least 2018 and remained publicly unknown thus far. In addition, our research points out possible connections to other Iranian state-sponsored APT threat actors such as Chafer, APT 39 and Agrius APT. However, we assess that MalKamak has distinct features that separate it from the other Iranian groups.
Observed: Sectors: Aerospace, Telecommunications.
Countries: Russia, USA, Europe and the Middle East.
Tools used: PAExec, SafetyKatz, ShellClient, WinRAR.

Last change to this card: 02 November 2021
