Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware


The Iranian nation-state group Charming Kitten, associated with the Islamic Revolutionary Guard Corps (IRGC), has developed a C++ variant of its BellaCiao malware, named BellaCPP. This new version, discovered by Kaspersky during an investigation into an infected system in Asia, retains BellaCiao's core functionalities but omits the web shell component. BellaCPP is a DLL file designed to load another DLL ("D3D12_1core.dll") to create an SSH tunnel for covert communication. BellaCiao, a .NET-based dropper, has been used to exploit vulnerabilities in applications like Microsoft Exchange Server and Zoho ManageEngine, targeting regions such as the U.S., the Middle East, and India.
