CharmPower

Malware updated a month ago (2024-10-17T13:01:03.762Z)
CharmPower is a sophisticated malware, identified as an updated version of the Powerstar backdoor, that has been deployed by the Iranian hacking group known as Charming Kitten. The group used this malware in spear-phishing campaigns to target individuals affiliated with think tanks, universities, and the security community across North America, Europe, and Israel. Volexity, a cybersecurity firm, discovered that Charming Kitten was distributing this updated PowerShell-based modular backdoor, which it dubbed POWERSTAR (also known as CharmPower), exploiting the Log4j vulnerability to establish persistence, gather information, and execute commands. The advanced persistent threat (APT) group has continuously evolved its malware arsenal alongside its spear-phishing techniques. In addition to CharmPower, other tools previously utilized by the group include GorjolEcho/PowerStar, TAMECURL, MischiefTut, AnvilEcho, and GhostEcho. Notably, there are code similarities between CharmPower, GorjolEcho, NokNok, and MacDownloader, suggesting these malware families were developed by the same group. Furthermore, Volexity's analysis led to the discovery of the group's newest backdoor, "AnvilEcho," which is considered a successor to previous espionage tools. GreenCharlie, another entity associated with malware, has been linked to POWERSTAR (CharmPower and GorjolEcho) and GORBLE. The functionality of identified NokNok modules mirrors that of the modules associated with CharmPower, with some source code overlaps noted with macOS malware attributed to the group in 2017. These findings provide critical indicators of compromise (IoCs) that can be used to detect and defend against these threats. It is clear from these developments that Charming Kitten is committed to refining its cyber-espionage tactics, making ongoing vigilance and robust cybersecurity measures essential.
Description last updated: 2024-10-17T12:00:58.906Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
Powerstar is a possible alias for CharmPower. Powerstar is a malicious software (malware) utilized by the Iranian state-sponsored threat operation, Charming Kitten, also known as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. This malware has been deployed in spear-phishing attacks targeting US political and government entities sinc | 5
Noknok is a possible alias for CharmPower. NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions | 2
GorjolEcho is a possible alias for CharmPower. GorjolEcho is a sophisticated malware, identified by Proofpoint and attributed with high confidence to the Iranian group TA453, based on code similarities with previously recognized malware such as GhostEcho, CharmPower, and MacDownloader. The malware is delivered via a new infection chain involving | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Phishing
exploitation
Exploit
Implant
Associated Threat Actors
Alias Description | Association Type | Votes
The Charming Kitten Threat Actor is associated with CharmPower. Charming Kitten, also known as APT35 or APT42 among other names, is a threat actor believed to be linked to the Iranian government. The group has been implicated in a series of cyber-attacks against various entities in Brazil, Israel, and the U.A.E., deploying a new backdoor that initiates an infect | Unspecified | 3
The Mint Sandstorm Threat Actor is associated with CharmPower. Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cybersecurity threat. The group has demonstrated its capability to rapidly weaponize N-day vulnerabilities in common enterprise applications and c | Unspecified | 2
Source Document References
Information about the CharmPower Malware was read from the documents corpus below.