Blacksmith

Operation Blacksmith is a sophisticated cyber campaign orchestrated by the Iranian-linked threat actor TA453, also known as Charming Kitten. The operation employed at least three new malware families written in DLang, a less common programming language, including a Remote Access Trojan (RAT) called NineRAT that uses Telegram for command-and-control (C2), DLRAT, and a downloader named BottomLoader. The campaign's primary weapon is a modular PowerShell Trojan, BlackSmith, designed to collect intelligence and exfiltrate sensitive data. In 2021, researchers demonstrated a BlackSmith attack that showed it was possible to bypass RowHammer protections and cause failures under certain conditions. The BlackSmith malware includes multiple stages, from an initial infection vector using a malicious LNK file to the deployment of AnvilEcho, a single script that performs tasks such as network communication, data encryption, and reconnaissance while evading detection by antivirus software. This malware represents an evolution of previous TA453 toolsets, streamlining various functions into one script. Once rapport was established with the target, the group sent a malicious link disguised as a legitimate podcast URL, ultimately delivering the BlackSmith malware. There is some overlap between Operation Blacksmith and attacks disclosed by Microsoft in October involving a North Korean hacking operation known as Onyx Sleet, or Andariel. These attacks exploited a vulnerability in the JetBrains TeamCity server software first disclosed in September 2023. Furthermore, Operation Blacksmith has been observed delivering DLRAT, which is both a downloader and a RAT equipped to perform system reconnaissance, deploy additional malware, and retrieve commands from the C2 and execute them in the compromised systems. Despite these advanced tactics, the likelihood of a RowHammer, BlackSmith, or RowPress attack on home users remains miniscule.