Members Only

Ballistic Bobcat's Sponsor Backdoor: A Deep Dive into the Sponsoring Access Campaign


Published on Sep 13, 2023   —   3 min read

In a digital world that never sleeps, the theater of cybersecurity is an ever-shifting maze of shadows and light. As we navigate through this labyrinth, the emergence of new Advanced Persistent Threat (APT) groups and the innovative stratagems deployed by established players serve as stark reminders: complacency is the enemy of security. One such development is the "Sponsoring Access" campaign led by the APT group Ballistic Bobcat, which has been meticulously documented by ESET Research. This article aims to dissect the campaign's intricacies, offering a nuanced interpretation of its technical aspects, victimology, and implications for cybersecurity.

The Genesis: Ballistic Bobcat and Sponsor Backdoor

Ballistic Bobcat, previously known as APT35/APT42 (Charming Kitten, TA453, or PHOSPHORUS), is suspected to be Iran-aligned and targets a range of sectors including education, government, and healthcare. The group has been particularly active in Israel, the Middle East, and the United States.

The Sponsor backdoor is a novel malware deployed by Ballistic Bobcat. It was discovered during an investigation into a compromised system in Israel. The backdoor is part of a broader campaign that has affected at least 34 victims across Brazil, Israel, and the United Arab Emirates.

Technical Anatomy of Sponsor

Initial Access

Ballistic Bobcat exploits known vulnerabilities in Microsoft Exchange servers for initial access. The group conducts meticulous scans to identify potential weaknesses and then exploits them. This behavior is not new for the group but is significant because it indicates a "scan-and-exploit" model rather than a highly targeted approach.

This post is for subscribers only

Subscribe now and have access to all our stories, enjoy exclusive content and stay up to date with constant updates.


Already have an account? Sign in

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.