
At Ekco, we’re actively involved in a wide range of cybersecurity initiatives, but one area where we’re especially hands-on is threat hunting, particularly during incident response investigations. While it’s a popular topic in the industry, there’s a significant difference between discussing threat hunting in theory and executing a meaningful, intelligence-driven hunt.

We take a tailored approach to threat hunting. Rather than using generic playbooks, we customise each hunt to fit the customer’s sector, technology stack, and threat landscape. This means identifying which threat actors are most likely to target a specific organisation, then hunting for their known tactics, techniques, and procedures (TTPs) within that environment.

Let’s walk through a recent example involving a well-known adversary: APT35, also known as Charming Kitten.

Understanding the Adversary: APT35 / Charming Kitten

APT35 is an Iranian state-sponsored threat group with a long history of cyber-espionage operations, also tracked under names such as Phosphorus and Mint Sandstorm. The group typically targets:

  • Military, diplomatic, and government personnel
  • Media and telecommunications organisations
  • Energy and defence industrial base entities
  • Engineering and business services firms
  • Academic and medical research institutions

The group, also tracked as Newscaster Team, commonly initiates operations with spear-phishing campaigns, employing lures such as healthcare alerts, job postings, and password policy updates to deliver malicious documents or credential-harvesting links. After gaining initial access, APT35 deploys a diverse toolkit, including HYPERSCRAPE (used for email inbox exfiltration), BROKEYOLK, PUPYRAT, and HOUSEBLEND, to establish persistence and exfiltrate sensitive data.

Our Methodology: Tailored Threat Hunting in Action

In this engagement, we were tasked with proactively hunting for indicators of APT35 activity within a customer’s environment. Rather than searching for specific malware binaries, our approach focused on detecting behaviours and techniques associated with APT35’s tradecraft. This included patterns of execution, persistence, and exfiltration that adversaries commonly employ.

To achieve this, we developed targeted queries for scenarios such as LNK-based PowerShell execution, obfuscated PowerShell RAT activity (CharmPower), stealthy process manipulation (MediaPl Loader), persistent surveillance modules (NokNok), IIS webshell behaviour (Bellaciao), staged payload execution (FUELDUMP Loader), post-exploitation backdoors (PowerLess), and early-stage obfuscation (POWERSTAR).

1) CharmPower Toolkit – Modular PowerShell RAT

Techniques observed:

  • Heavy PowerShell obfuscation using .Replace() patterns and base64 encoding
  • Usage of wildcard parameters and custom blocks (-like "*shar*")

2) MediaPl Loader

Techniques observed:

  • Use of obscure APIs and libraries such as _popen, WS2_32.dll, and hidden process manipulation
  • Command redirection to spawn stealthy subprocesses

3) NokNok Modules – Persistent Surveillance

Techniques observed:

  • Use of unique strings like SendLog, $ServerAdd, and $ModuleName for stealthy communication
  • Designed for long-term modular deployment

4) ASPX Webshell (Bellaciao Variant) – IIS Lateral Movement

Techniques observed:

  • Webshell logic in ASPX; ProcessWindowStyle.Hidden; Request.Files manipulation; w3wp.exe spawning CLI tools.

5) FUELDUMP Loader – Initial Execution Tool

Techniques observed:

  • Hardcoded file paths (e.g., C:\Users\pc\) and use of the Temp directory
  • Download and execution of external payloads

6) FUELDUMP Stealer – Targeted Data Collection

Techniques observed:

  • Designed to identify and exfiltrate .docx, .xlsx, .pdf, and configuration files
  • Incorporates keywords such as uploadURL, exceptionDirs, and get_Path

7) PowerLess Backdoor – Post-Exploitation RAT

Techniques observed:

  • Remote command functions like Invoke-Cmd and data exfiltration methods (DropBox-Upload)
  • Use of variables such as $stealerresponse and $Global:BotId

8) POWERSTAR Stage-1 Loader – Early Obfuscation

Techniques observed:

  • Complex PowerShell obfuscation using Base64 encoding, @(' array constructs, and -bnot bitwise logic
  • Early-stage code loading functions like ;function Gor

Final Thoughts

This operation reinforced the critical importance of customised threat hunting. By focusing on the known TTPs associated with APT35 and tailoring our approach to the client’s specific industry and infrastructure, we were able to significantly reduce potential dwell time and surface suspicious behaviour that might otherwise have gone unnoticed.

All of the actions outlined above, ranging from intelligence-driven threat hunting to tailored detection logic and proactive containment planning, are carried out by Ekco’s Cyber Resilience Incident Response Team. Our mission is to ensure that every engagement not only validates the security posture of our customers but also strengthens their ability to detect, respond, and recover from advanced threats like APT35.

By embedding these practices into our IR lifecycle, we deliver measurable resilience and reduce the likelihood of material impact from sophisticated adversaries. Whether your organisation operates in the energy sector, defence, healthcare, finance, or beyond, understanding your adversary and hunting with precision and intent makes all the difference in building a truly resilient security posture.

Defender Hunting Queries

1) CharmPower – Modular PS RAT / obfuscation

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "FromBase64String", ".Replace(")
    or ProcessCommandLine has_any ("-join", "-split", "Invoke-Expression", "iex ")
    or ProcessCommandLine matches regex @"(?i)[A-Za-z0-9+/]{200,}={0,2}"

2) MediaPl Loader – API abuse / stealthy subprocess redirection

WS2_32.dll written to unusual locations (this query uses file events; run the same FolderPath filter against DeviceImageLoadEvents to catch the DLL actually being loaded from those paths)

DeviceFileEvents
| where FileName =~ "WS2_32.dll"
| where FolderPath has_any (@":\Users\", @":\ProgramData\", @":\Temp\", @":\AppData\")

3) NokNok Modules – Persistent surveillance strings

DeviceProcessEvents
| where ProcessCommandLine has_any ("SendLog", "$ServerAdd", "$ModuleName")

4) ASPX Webshell (Bellaciao) – IIS spawning CLI / hidden windowing

DeviceProcessEvents
| where InitiatingProcessParentFileName =~ "w3wp.exe"
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("ProcessWindowStyle.Hidden", " -w hidden", "/windowstyle hidden", " -NoP ", " -NonI ")

Optional: look for newly written .aspx files in webroots (reduce false positives with exclusions for known deployment tooling).

DeviceFileEvents
| where FileName endswith ".aspx"
| where FolderPath has_any (@'C:\inetpub\wwwroot', @'C:\Windows\System32\inetsrv')
| where ActionType in ("FileCreated", "FileModified")

5) FUELDUMP Loader – Hardcoded paths & download/exec

DeviceProcessEvents
| where FolderPath has_any (@'C:\Users\pc\', @'C:\Users\', @'\AppData\Local\Temp\')
| where ProcessCommandLine has_any ("http", "https", "bitsadmin", "curl", "wget", "Invoke-WebRequest", "iwr", "Start-BitsTransfer", "certutil -urlcache", "DownloadFile(")

6) FUELDUMP Stealer – Document targeting, archive, upload

DeviceProcessEvents
| where ProcessCommandLine has_any (".docx", ".xlsx", ".pdf", ".config", ".cfg", ".ini")
| where ProcessCommandLine has_any ("7z", "zip", "rar", "Compress-Archive")
| where ProcessCommandLine has_any ("upload", "PUT", "POST", "--data-binary", "Invoke-RestMethod", "curl -F", "multipart/form-data")

7) PowerLess Backdoor – PS RAT with cloud exfil (Dropbox)

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Invoke-Cmd", "DropBox-Upload", "$Global:BotId", "$stealerresponse")

8) POWERSTAR Stage-1 Loader – Early PS obfuscation

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("FromBase64String", "@('", " -bnot ", ";function Gor")
    or ProcessCommandLine matches regex @"(?i)(?:^|\s)-(?:join|split|bxor|bor|band)\b"
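Added example (not from Ekco's write-up): a small Python check that applies the CharmPower and POWERSTAR command-line indicators from queries 1 and 8 to constructed DeviceProcessEvents-style records, and additionally decodes any -EncodedCommand payload (UTF-16LE, then base64, as PowerShell requires) so the same indicators can be checked inside the hidden script. The sample events and the encoded script are constructed for illustration.

```python
import base64
import re

# Indicators mirrored from the CharmPower (1) and POWERSTAR (8) queries above.
OBFUSCATION_MARKERS = ("-enc", "-EncodedCommand", "FromBase64String", ".Replace(",
                       "-join", "-split", "Invoke-Expression", "iex ", "-bnot")
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Constructed sample script, encoded the way PowerShell expects: UTF-16LE, then base64.
_INNER = ("if($env:COMPUTERNAME -like '*shar*'){iex ([Text.Encoding]::UTF8.GetString("
          "[Convert]::FromBase64String('QQ==')).Replace('x','y'))}")
_ENCODED = base64.b64encode(_INNER.encode("utf-16le")).decode("ascii")

# Constructed DeviceProcessEvents-style records, not real telemetry.
SAMPLE_EVENTS = [
    {"FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -NoP -NonI -w hidden -enc " + _ENCODED},
    {"FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -EncodedCommand not%%base64"},
]

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):  # bad padding, stray chars, odd byte count
        return None

def hunt(event):
    """Indicators matched by one event (case-insensitive, like KQL has_any), including any found only in the decoded script."""
    if event["FileName"].lower() != "powershell.exe":
        return []
    cmd = event["ProcessCommandLine"]
    hits = [m for m in OBFUSCATION_MARKERS if m.lower() in cmd.lower()]
    if LONG_B64.search(cmd):
        hits.append("long_base64_run")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits += ["decoded:" + m for m in OBFUSCATION_MARKERS if m.lower() in decoded.lower()]
        if re.search(r"-like\s+['\"]\*\w+\*['\"]", decoded, re.IGNORECASE):
            hits.append("decoded:wildcard_-like")
    return hits

def run_hunt(events=SAMPLE_EVENTS):
    # Map event index -> matched indicators, for every event that fired.
    return {i: h for i, e in enumerate(events) if (h := hunt(e))}
```

The malformed -EncodedCommand record shows why the decode step must tolerate bad input: the raw indicators still fire on it, while the decoder returns None instead of raising.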
