Iran’s APT35 Unleashes Dual Malware Arsenal: Inside the Shadow War of Saqeb System and RAT-2AC2

The New Face of State-Backed Cyber Warfare

In the ever-evolving battlefield of cyberspace, Iran’s APT35, also tracked as “Charming Kitten”, has once again raised the stakes. Recent reporting describes two remote access trojans (RATs) being deployed in stealthy, multi-layered attacks across the Middle East. The tools, known as Saqeb System and RAT-2AC2, represent a step up in cyber-espionage tooling: built to infiltrate, persist, and extract intelligence from high-value targets.

APT35’s campaign is not a hit-and-run operation. It’s a long, strategic offensive targeting over 300 Middle Eastern organizations, including government institutions, defense contractors, energy corporations, and tech infrastructure firms. These attacks are carefully orchestrated, using a multi-hop command-and-control (C2) network and custom-built malware frameworks designed to bypass traditional security defenses.

According to the cybersecurity researchers the reporting cites (they are not named here), Saqeb System, written in C++, is a modular Windows-based RAT engineered for flexibility and stealth: it loads modules at runtime for tasks such as credential theft, keylogging, and data exfiltration, so the core implant stays small and the capabilities an analyst finds on a host depend on which modules were pushed to it. RAT-2AC2 is described as a C implant paired with a Flask-based C2 server (Flask is a Python web framework, so the server side is Python while the implant is native code); it handles persistence, automates lateral movement, and executes commands across compromised systems.

What’s chilling is how these two tools complement each other. Saqeb System acts as the infiltrator—silent, low-level, and built for deep access—while RAT-2AC2 functions as the controller, orchestrating post-compromise actions. Together, they form a dual-layer espionage mechanism, offering APT35 unparalleled visibility into its victims’ digital ecosystems.

The campaign also uses multi-hop C2 routing: stolen data and operator commands do not travel directly between victim and attacker but bounce through several proxy servers, often compromised machines themselves. Each relay sees only its immediate neighbours, so a defender capturing traffic at the victim learns the first hop, not the operator, and taking down any single relay leaves the rest of the chain usable. This makes attribution and tracking considerably harder, though not impossible: a relay host still shows the telltale pattern of receiving a connection and, shortly afterwards, forwarding a similar volume of data to a different peer.
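The relay pattern described above, as an added example that is not code from the original article or from any APT35 tooling: a Python script that scans flow records for hosts that receive a connection and forward a similar volume to a different peer within a short window, then stitches those hops into a full victim-to-destination path. The flow records, hosts (RFC 5737 documentation ranges) and thresholds are constructed for illustration.

```python
"""Spot relay behaviour in flow records: a host that receives a
connection and shortly afterwards opens a similar-sized one to a
different peer is acting as a hop, not as an endpoint."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds; the constructed sample uses small values
    src: str
    dst: str
    bytes_out: int   # bytes sent from src to dst


# Constructed sample data (RFC 5737 documentation ranges, not real infrastructure):
# victim 10.0.0.5 -> hop A 198.51.100.7 -> hop B 203.0.113.9 -> 192.0.2.50,
# plus a small unrelated request to hop A and a late, unrelated flow from it.
SAMPLE_FLOWS = [
    Flow(100.0, "10.0.0.5", "198.51.100.7", 48_200),
    Flow(101.5, "198.51.100.7", "203.0.113.9", 48_310),
    Flow(103.0, "203.0.113.9", "192.0.2.50", 48_280),
    Flow(150.0, "10.0.0.8", "198.51.100.7", 1_200),    # no matching forward
    Flow(400.0, "198.51.100.7", "192.0.2.77", 9_000),  # far outside the window
]


def find_relay_hops(flows, window=30.0, tolerance=0.05):
    """Return (inbound, outbound) pairs where the inbound flow's destination
    forwarded a similar volume to a third party within `window` seconds.
    `tolerance` is the allowed relative size difference (relay framing adds bytes)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    hops = []
    for inbound in flows:
        for outbound in by_src.get(inbound.dst, []):
            if outbound.dst == inbound.src:
                continue  # a reply to the sender, not a forward
            if not inbound.ts <= outbound.ts <= inbound.ts + window:
                continue
            if abs(outbound.bytes_out - inbound.bytes_out) > tolerance * inbound.bytes_out:
                continue
            hops.append((inbound, outbound))
    return hops


def reconstruct_chains(flows, **kw):
    """Chain hop pairs into full paths: [origin, hop1, hop2, ..., final destination]."""
    hops = find_relay_hops(flows, **kw)
    next_flow = {inbound: outbound for inbound, outbound in hops}
    forwarded = set(next_flow.values())
    chains = []
    # A chain starts at a flow that was forwarded but is not itself a forward.
    for start in (f for f in flows if f in next_flow and f not in forwarded):
        path = [start.src, start.dst]
        cur = start
        while cur in next_flow:
            cur = next_flow[cur]
            path.append(cur.dst)
        chains.append(path)
    return chains


if __name__ == "__main__":
    for chain in reconstruct_chains(SAMPLE_FLOWS):
        print(" -> ".join(chain))
```

Your own sensors only see flows that cross a vantage point you control, so in practice this yields the first hop plus whatever can be correlated from partner or provider telemetry. The relay signature is still worth running over internal flows: it is how you notice that one of your own hosts has become a hop for someone else's traffic.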

Experts suggest that this operation is part of a broader Iranian strategy to increase cyber leverage in geopolitical rivalries, particularly against neighboring countries and Western allies. The timing of these attacks, coupled with regional tensions and energy market instability, points to coordinated state-level intent.

While attribution to Iran has been consistent across multiple cybersecurity reports, what is new here is the technical complexity of the RATs. They show an operation that no longer relies on phishing alone (the lures described below are still the entry point) but backs it with a resourced, modular, and adaptive intelligence apparatus.

APT35’s tactics also include the use of decoy websites, fake login portals, and social engineering lures masquerading as media or academic institutions. These lures are often tailored to specific individuals, reflecting a growing emphasis on targeted psychological manipulation alongside technical intrusion.
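The fake login portals mentioned above are usually hosted on domains that imitate the media outlet or university being impersonated. As an added example (not the article's own material; the watch-list and candidate hostnames below are constructed), this Python check flags hostnames that impersonate a watched brand by homoglyph substitution, a swapped TLD, a small edit distance, or the brand name embedded in a longer hostname.

```python
"""Flag hostnames that impersonate a watched brand. Constructed watch-list;
replace it with the media and academic domains your users actually trust."""

WATCHED = {"example-news.org", "example-university.edu"}

# ASCII look-alike substitutions commonly used in phishing registrations.
# Applied only to the candidate, never to the watched brand, because
# normalising a legitimate word ("journal" -> "joumal") would break matching.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
              "rn": "m", "vv": "w", "cl": "d"}


def normalise(label):
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host):
    """Crude registrable-domain split (last two labels). Production code
    should consult the public suffix list to handle co.uk-style TLDs."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]), parts[:-2]


def classify(host, watched=WATCHED, max_dist=2):
    """Return 'legitimate', 'no-match', or '<kind>:<impersonated domain>'."""
    reg, subs = split_host(host)
    if reg in watched:
        return "legitimate"
    if "." not in reg:
        return "no-match"
    brand, tld = reg.split(".", 1)
    findings = []
    for w in sorted(watched):
        wbrand, wtld = w.split(".", 1)
        if normalise(brand) == wbrand:
            # Same brand after de-homoglyphing: either the letters were faked
            # or only the TLD differs (reg is not in the watch-list, so one holds).
            findings.append((0, "homoglyph" if brand != wbrand else "tld-swap", w))
        elif edit_distance(brand, wbrand) <= max_dist:
            findings.append((1, "typosquat", w))
        elif wbrand in brand or any(wbrand in s for s in subs):
            findings.append((2, "brand-embedded", w))
    if not findings:
        return "no-match"
    _, kind, w = min(findings)  # strongest signal first
    return f"{kind}:{w}"


# Constructed candidates, e.g. hostnames extracted from URLs in reported emails.
SAMPLE_HOSTS = [
    "login.example-news.org",
    "examp1e-news.org",
    "example-news.com",
    "exmaple-university.edu",
    "example-university.edu.secure-portal.net",
    "totally-unrelated.org",
]


def scan(hosts=SAMPLE_HOSTS):
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for host, verdict in scan().items():
        print(f"{host:45} {verdict}")
```

Edit distance and homoglyph tables catch the cheap registrations; they do not catch a lure hosted on a wholly unrelated domain with a convincing page, which is why this check belongs alongside URL reputation and credential-use monitoring rather than in place of them.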

For many cybersecurity professionals, this marks a turning point: Iran’s cyber operations are no longer simply reactive—they’re proactive, long-term, and highly adaptive.

What Undercode Says:

APT35’s latest campaign illustrates a fundamental truth about modern cyber warfare—power is no longer measured by military might alone, but by data dominance. In this shadow conflict, nations compete not through open confrontation but through silent infiltration.

The Saqeb System and RAT-2AC2 toolkit embodies the maturing of Iran’s digital warfare doctrine. It’s modular, compartmentalized, and versatile—traits reminiscent of Western and Russian APT design philosophies. This indicates Iran is not just catching up; it’s learning, evolving, and hybridizing global tactics into its own playbook.

What stands out most is the multi-hop C2 infrastructure. This design signals a deep understanding of operational security (OpSec). Each layer of proxy adds plausible deniability and resilience, making takedowns nearly impossible without international coordination. For defenders, this represents a nightmare scenario: every compromised node becomes both victim and vector.

Furthermore, the dual-language nature of these RATs—C++ and C—suggests a division of labor within APT35’s developer ecosystem, possibly pointing to multiple teams working in parallel. This kind of internal structure reflects an increasingly industrialized cyber program, not a small hacker collective.

From an intelligence perspective, the choice of targets across governmental and energy sectors underscores a data-driven objective: strategic surveillance and influence, not simple sabotage. Iran appears to be constructing a digital intelligence grid—a silent observatory to monitor geopolitical adversaries in real time.

But there’s another layer to this story: psychological warfare. By exposing these operations publicly, cybersecurity analysts are forcing Iran into a visibility paradox. The more sophisticated their malware becomes, the more scrutiny it attracts. Yet, for APT35, even exposure may serve a strategic purpose—demonstrating capability, projecting power, and instilling uncertainty among adversaries.

As global cyber alliances strengthen—particularly between Western and Middle Eastern cybersecurity agencies—the countermeasures will need to evolve just as rapidly. Detection alone is no longer enough; predictive defense models, AI-driven anomaly detection, and zero-trust frameworks must become standard practice.

APT35’s campaign should serve as a wake-up call. This is not a regional threat—it’s a blueprint for how nation-state cyber actors are scaling their influence through persistent, modular, and multi-layered warfare. The future of conflict is already here; it just happens in code, not combat zones.

Fact Checker Results

✅ Saqeb System and RAT-2AC2 are reported as APT35 tools by the cybersecurity sources this article draws on (none are cited by name here).
✅ The figure of over 300 targeted entities is attributed to independent threat intelligence reports, likewise not cited here.
❌ Destructive payloads: no evidence yet. The focus remains on espionage, not disruption.

Prediction 🔮

APT35 will likely expand its reach beyond the Middle East, testing its new RAT frameworks on Western defense contractors and NGOs within the next 12 months. Expect further hybridization of their malware—combining .NET, C++, and Python—to evade AI-based detection tools. The global cyber chessboard is shifting, and Iran’s moves are becoming increasingly difficult to predict—but impossible to ignore.


References:

Reported By: x.com