BellaCiao is a .NET-based malware family that adds a unique twist to an intrusion, combining the stealthy persistence of a webshell with the power to establish covert tunnels. It surfaced for the first time in late April 2023 and has since been publicly attributed to the APT actor Charming Kitten.
One important aspect of the BellaCiao samples is how they exhibit a wealth of information through their respective PDB paths, including a versioning scheme we were able to work out once we analyzed historical records. Recently, Kaspersky researchers were investigating an intrusion that involved a BellaCiao sample (MD5 14f6c034af7322156e62a6c961106a8c) on a computer in Asia. The telemetry indicated another suspicious, and possibly related, sample on the same machine. After further investigation of the sample, it turned out to be a reimplementation of an older BellaCiao version, but written in C++.
Read more…
Source: Kaspersky
Related:
- Ghostcommit attack hides malicious AI instructions in images
July 13, 2026
Ghostcommit is a proof of concept that shows how AI assistants used to review software code can be tricked by hidden instructions embedded in images. The academic ASSET Research Group showed that an attacker can place instructions inside an image file, point to it in an AGENTS.md file, and get an AI coding agent to follow those instructions during a ...
- EU-UK sanctions target Russia over Europe-wide ‘vast cyber campaign’
July 13, 2026
The European Union and the UK have announced coordinated sanctions against Russia after accusing Moscow’s FSB intelligence agency of carrying out a cyber attack in December targeting Poland’s energy grid and orchestrating a wider campaign of digital sabotage across Europe. The joint measures focus on individuals and organisations linked to Russia’s security services, with the EU ...
- Trump administration subpoenas New York Times journalists over new Air Force One reporting
July 11, 2026
The Trump administration has issued subpoenas to several New York Times journalists after the newspaper reported on security concerns with the president’s new plane. The Times said its journalists were subpoenaed on Friday by the US justice department to testify before a federal grand jury in Manhattan five days later, marking the latest effort by the Trump White ...
- Ukrainians are using VPNs to cause havoc in Russia by changing fuel station statuses on maps in a bid to cause chaos and confusion
July 11, 2026
A coordinated online campaign has reportedly encouraged users to alter fuel station information on digital maps across Russia, creating confusion among drivers. The activity involves changing station statuses by marking locations with available fuel as empty or showing closed stations as operational. Supporters of the campaign claim the effort is designed to disrupt travel decisions, increase uncertainty, ...
- Supermarket chain Lidl warns customers after data leak
July 10, 2026
Unknown individuals managed to gain access to customer data held by the supermarket chain Lidl. The German company informed affected customers of this via email this week. Thus far, the supermarket chain has declined to say how many customers were affected. However, the discount retailer did state that it has notified the Dutch Data Protection Authority. Read ...
- No Manners Here: The Ruthless Rise of The Gentlemen Ransomware
July 10, 2026
The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius. Their ransomware variants are written in both C and Go programming languages, enabling ...

