Mallory
Malware (used by 1 actor)

BellaCiao

BellaCiao is a malware family publicly associated with Charming Kitten / APT35 (also referenced as Newsbeef and Phosphorus). It is described as .NET-based malware that combines webshell-like persistence with covert tunneling capabilities. It was first publicly reported in April 2023, with telemetry indicating use since at least November 2022. Multiple sources also describe BellaCiao as a malicious script dropper that delivers tailored implants based on victim geolocation.

Reported functionality includes deployment of implants, persistence resembling a webshell, covert tunneling, reaching RDP servers, and credential harvesting from compromised organizations. A documented .NET BellaCiao sample generated domains following the pattern <5 random letters><target identifier>.<country code>.autoupdate[.]uk and, when DNS responses matched a hardcoded IP address, created an SSH tunnel and exposed local port 49450. Historical samples contained descriptive PDB paths with strings such as "MicrosoftAgentServices," "MicrosoftAgentServices2," and "MicrosoftAgentServices3," which researchers assessed may reflect campaign details and versioning.

The malware has been linked to attacks targeting organizations in the U.S., Europe, the Middle East, and India. Kaspersky telemetry cited targeting in Afghanistan, Austria, Israel, and Turkey, with sample content also suggesting targeting of organizations in Italy. BellaCiao has been used against targets to reach RDP servers and harvest credentials.

A newer C++ variant, BellaCPP, is described as a reimplementation of the older BellaCiao implant. Researchers found it on the same machine as a known .NET BellaCiao sample and assessed with medium-to-high confidence that it is associated with Charming Kitten. BellaCPP was identified as a PE32+ x86-64 Windows service DLL named adhapl.dll located in C:\Windows\System32, exporting ServiceMain. It decrypts strings with XOR key 0x7B, loads C:\Windows\System32\D3D12_1core.dll, resolves functions named SecurityUpdate and CheckDNSRecords, and generates domains in the format <5 random letters><target identifier>.<country code>.systemupdate[.]info. It invokes SecurityUpdate only when DNS results match a hardcoded IP. Researchers could not recover the secondary DLL, but assessed with medium confidence that it likely establishes an SSH tunnel based on parameter structure and similarity to known BellaCiao behavior.

Infrastructure and related indicators mentioned in the reporting include autoupdate[.]uk, systemupdate[.]info, and the BellaCiao-related C2 domain mail-updateservice[.]info. The reporting also notes that BellaCiao source code was leaked and that leaked reporting suggested the backdoor remained active on more than 300 systems.
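The two domain patterns above (the .NET BellaCiao pattern on autoupdate[.]uk and the BellaCPP pattern on systemupdate[.]info) are structured enough to hunt for in DNS logs. The following is an added example written for this page, not code from the reporting or from Mallory; it assumes a constructed log line format of "timestamp client qname answer" and uses made-up host labels and RFC 5737 documentation addresses as sample data.

```python
import re

# Apex domains from the public reporting (defanged there as autoupdate[.]uk etc.).
DGA_APEXES = ("autoupdate.uk", "systemupdate.info")
KNOWN_C2 = {"mail-updateservice.info"}
# Reported pattern: <5 random letters><target identifier>.<country code>.<apex>
# Letters and identifier share one label, so require 5 leading letters plus >=1 char.
DGA_RE = re.compile(
    r"^[a-z]{5}[a-z0-9-]+\.(?P<cc>[a-z]{2})\.(?P<apex>"
    + "|".join(re.escape(a) for a in DGA_APEXES) + r")$")

# Constructed log format for this example: "<ts> <client_ip> <qname> <answer_ip|NXDOMAIN>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify(qname):
    """Return (reason, country_code), or (None, '') when the name is not of interest."""
    q = qname.lower().rstrip(".")
    if q in KNOWN_C2:
        return "known-c2", ""
    m = DGA_RE.match(q)
    if m:
        return "dga-pattern", m.group("cc")
    if any(q == a or q.endswith("." + a) for a in DGA_APEXES):
        return "dga-apex", ""  # right apex, unexpected structure: lower confidence
    return None, ""


def hunt(lines):
    """Scan log lines; 'resolved' hits matter most, since the implant only acts
    (opens its SSH tunnel) when the DNS answer equals its hardcoded IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, answer = m.groups()
        reason, cc = classify(qname)
        if reason:
            hits.append({"ts": ts, "client": client, "qname": qname.lower(), "answer": answer,
                         "reason": reason, "cc": cc, "resolved": answer != "NXDOMAIN"})
    return hits


# Constructed sample log (RFC 5737 documentation addresses, made-up host labels).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.7 qwxzyacme.it.autoupdate.uk NXDOMAIN
2024-05-01T10:00:02Z 10.0.0.7 qwxzyacme.it.autoupdate.uk 203.0.113.10
2024-05-01T10:00:03Z 10.0.0.9 hjklmcorp01.tr.systemupdate.info 198.51.100.7
2024-05-01T10:00:04Z 10.0.0.9 mail-updateservice.info 198.51.100.8
2024-05-01T10:00:05Z 10.0.0.4 autoupdate.uk 203.0.113.1
"""
```

The country-code label and the resolved answer are the pivots worth keeping: the former hints at the targeting the reporting describes, the latter is the condition under which the implant proceeds.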


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
Magic Hound

BellaCiao is a .NET-based malware family that adds a unique twist to an intrusion, combining the stealthy persistence of a webshell with the power to establish covert tunnels.

via securelist.com
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

"we believe with medium confidence that Cyclops could be deployed on servers following an exploitation of vulnerable services... deployed from ASP .NET webshells, following the exploitation of Exchange Web servers vulnerabilities."

Execution

1 technique
T1574.001 DLL (evidence: 1)

Decrypt three strings using XOR encryption with the key 0x7B: C:\Windows\System32\D3D12_1core.dll, SecurityUpdate, CheckDNSRecords. Load the DLL file at the path decrypted during the previous step and resolve the functions of the two other decrypted strings above with GetProcAddress.

Persistence

2 techniques
T1505.003 Web Shell (evidence: 3)

BellaCiao is a .NET-based malware family that adds a unique twist to an intrusion, combining the stealthy persistence of a webshell with the power to establish covert tunnels.

T1543.003 Windows Service (evidence: 1)

It has one export function, named “ServiceMain”. The name and control handler registration indicate that, similar to the original BellaCiao samples, this variant is designed to run as a Windows service.

Privilege Escalation

1 technique
T1543.003 Windows Service (evidence: 1)

It has one export function, named “ServiceMain”. The name and control handler registration indicate that, similar to the original BellaCiao samples, this variant is designed to run as a Windows service.

Stealth

2 techniques
T1036 Masquerading (evidence: 1)

"original name of the identified binary ( Microsoft SqlServer.exe )" and "Implant filenames (poorly) impersonate server or update services"

T1574.001 DLL (evidence: 1)

Decrypt three strings using XOR encryption with the key 0x7B: C:\Windows\System32\D3D12_1core.dll, SecurityUpdate, CheckDNSRecords. Load the DLL file at the path decrypted during the previous step and resolve the functions of the two other decrypted strings above with GetProcAddress.

Lateral Movement

1 technique
T1021.004 SSH (evidence: 2)

If the IP address equals a hardcoded value, create an SSH tunnel using values similar to the parameter passed by BellaCPP, and expose local port 49450 through that tunnel.

Command and Control

4 techniques
T1071.004 DNS (evidence: 1)

Generate a domain using the pattern below and send a DNS request to obtain the IP address.

T1105 Ingress Tool Transfer (evidence: 2)

BellaCiao (a dropper delivering tailored implants based on victim geolocation).

T1568.002 Domain Generation Algorithms (evidence: 1)

Generate a domain by following the same method as the .NET BellaCiao version, using the following format: <5 random letters><target identifier>.<country code>.systemupdate[.]info

T1572 Protocol Tunneling (evidence: 2)

BellaCiao is a .NET-based malware family that adds a unique twist to an intrusion, combining the stealthy persistence of a webshell with the power to establish covert tunnels.

INDICATORS OF COMPROMISE

IOCs tracked for this family

16 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes: 14 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.
