CharmPower

Malware Profile Updated 13 days ago
CharmPower, also known as POWERSTAR or GhostEcho, is a PowerShell-based modular backdoor attributed to the Iranian hacking group Charming Kitten. The malware is designed to infiltrate computer systems, establish persistence, gather information, and execute commands. It was recently updated and distributed via spear-phishing campaigns, exploiting the Log4j vulnerability. These updates were discovered by Volexity, a cybersecurity firm, which noted that Charming Kitten has been evolving its malware in parallel with its spear-phishing techniques.

The new version of CharmPower mirrors the functionality of the modules associated with an implant called NokNok, and shares some source code overlaps with macOS malware previously attributed to the group in 2017. The updated version of CharmPower was delivered through targeted spear-phishing campaigns, primarily aimed at individuals with ties to the security community and those affiliated with think tanks or universities in Israel, North America, and Europe. Proofpoint, another cybersecurity firm, attributes the attack to the Iranian group with high confidence, based on code similarities between GorjolEcho, NokNok, and malware previously attributed to the group, including GhostEcho, CharmPower, and MacDownloader.

In the most recent campaign, the PowerStar malware was delivered via an email containing an .LNK file inside a password-protected .RAR file. This approach showcases the group's focus on stealth and bespoke attacks to improve the return on investment. Furthermore, Microsoft tracked a group newly designated as Mint Sandstorm using the CharmPower implant. The constant evolution of this malware and its distribution methods highlight the necessity for ongoing vigilance and proactive measures in cybersecurity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): Description

Powerstar (3 votes): Powerstar is a malicious software (malware) deployed by the Iranian Advanced Persistent Threat (APT) group known as Charming Kitten, also referred to as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. This malware was used in a series of spear-phishing attacks launched by the group since

Noknok (2 votes): NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Phishing
Malware
exploitation
Exploit
Implant
Associated Malware
No associations to display
Associated Threat Actors
Profile (type, votes): Description

Charming Kitten (Unspecified, 3 votes): Charming Kitten is a threat actor group, believed to be of Iranian origin, known for its advanced and sophisticated cyberattacks. The group has been active in launching attacks against various entities in Brazil, Israel, and the United Arab Emirates using a new backdoor method, as reported by Securi

Mint Sandstorm (Unspecified, 2 votes): Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val
Associated Vulnerabilities
No associations to display
Source Document References
Information about the CharmPower malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
MITRE | a year ago | APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit - Check Point Research
CERT-EU | a year ago | Hacking Groups Rapidly Weaponizing N-Day Vulnerabilities to Attack Enterprise Targets
CERT-EU | a year ago | Iranian Hackers Target U.S. Energy and Transit Systems
CERT-EU | a year ago | Microsoft: Iranian Hackers Moved From Recon to Targeting US Critical Infrastructure
BankInfoSecurity | a year ago | Iranian APT Group Charming Kitten Updates Powerstar Backdoor
CERT-EU | 10 months ago | Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
CERT-EU | a year ago | Charming Kitten APT Group Uses Innovative Spear-phishing Methods
CERT-EU | 10 months ago | Iranian APT Group Charming Kitten Updates Powerstar Backdoor | IT Security News
CERT-EU | a year ago | Iran-Linked APT35 Targets Israeli Media With Upgraded Spear-Phishing Tools
Securityaffairs | a year ago | Iran-linked Charming Kitten APT enhanced its POWERSTAR Backdoor
Securityaffairs | 10 months ago | Iran-linked APT TA453 targets Windows and macOS systems
CERT-EU | 10 months ago | Iranian Cyberspies Target US-Based Think Tank With New macOS Malware
CERT-EU | a year ago | Charming Kitten Updates POWERSTAR with an InterPlanetary Twist