A new threat actor has been discovered conducting cyberespionage campaigns targeting telecom and aerospace industries across the globe. Its attacks are aimed majorly at the aerospace and telecom sectors across Western nations.

Looking into the MalKamak

Dubbed MalKamak, the APT has been active since 2018 and is believed to be based in Iran.
  • MalKamak, which uses ShellClient RAT, has targeted only a small number of targets since 2018.
  • The path for debugging files in some ShellClients samples implies it to be part of an operation by a military/intelligence agency.
  • The group uses some generic tools identified as PAExec, SafetyKatz, Ping, Ipconfig, Tasklist, and WinRar.

Who’s the target?

The group has been targeting firms in the aerospace and telecommunications sectors with most of their targets based in the Middle East, Russia, the U.S., and Europe.

About ShellClient RAT

MalKamak has used ShellClient to perform reconnaissance operations and steal sensitive information. The RAT was first spotted by researchers in July during an incident response engagement against a cyberespionage operation named as GhostShell.


MalKamak is a sophisticated state-sponsored actor that managed to stay under the radar for almost two years. With targeted attacks on Western countries, it seems like a dangerous threat that may reappear in the future. Security teams are suggested to keep a track of it to stay safe.

Cyware Publisher