CharmPower

Malware updated 19 days ago (2024-08-20T12:17:44.898Z)
CharmPower, also known as POWERSTAR or GhostEcho, is a PowerShell-based modular backdoor developed by the Iranian hacking group Charming Kitten. An updated version has recently been distributed through spear-phishing campaigns, as discovered by Volexity. The malware is designed to exploit vulnerabilities in systems, establish persistence, gather information, and execute commands. This new version is noticeably more evolved, showing that Charming Kitten has been advancing its malware alongside its spear-phishing techniques.

Beyond CharmPower, the group is associated with other malware such as GorjolEcho and GORBLE, identified by Google-Mandiant. The NokNok modules mirror much of the functionality of the CharmPower modules, with some overlap in source code with macOS malware previously attributed to the group in 2017. CharmPower also shares similarities with GhostEcho and MacDownloader, which led Proofpoint to attribute the attack to the Iranian group with high confidence.

The updated CharmPower was delivered via spear-phishing campaigns targeting individuals affiliated with the security community, think tanks, or universities in Israel, North America, and Europe. The lure email carried an .LNK file inside a password-protected .RAR file, illustrating the group's evolving spear-phishing techniques. Stealthy and bespoke in its tooling, Charming Kitten aims to stay under the radar while refining its social engineering to increase return on investment.
Description last updated: 2024-08-20T12:16:17.271Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be worth reviewing.
Powerstar (5 votes): Powerstar is a malicious software (malware) utilized by the Iranian state-sponsored threat operation, Charming Kitten, also known as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. This malware has been deployed in spear-phishing attacks targeting US political and government entities sinc

Noknok (2 votes): NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions

GorjolEcho (2 votes): GorjolEcho is a sophisticated malware, identified by Proofpoint and attributed with high confidence to the Iranian group TA453, based on code similarities with previously recognized malware such as GhostEcho, CharmPower, and MacDownloader. The malware is delivered via a new infection chain involving
Miscellaneous Associations
Other elements of context that could help assess relevance:
Backdoor
Malware
Phishing
exploitation
Exploit
Implant
Analyst Notes & Discussion
Associated Threat Actors
Charming Kitten (type: Unspecified, 3 votes): Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iranian threat actor group that has been linked to various cyber attacks. It has targeted entities in Brazil, Israel, and the United Arab Emirates using a new backdoor, as revealed by securit

Mint Sandstorm (type: Unspecified, 2 votes): Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cyber threat actor. This group is known for its highly skilled operators and sophisticated social engineering techniques, often lacking the typica
Source Document References
Information about the CharmPower malware was read from the documents corpus below (this display is limited to 20 results).

Source, created at: Title
DARKReading, 19 days ago: IRGC-Linked Hackers Roll Malware into Monolithic Trojan
Recorded Future, 19 days ago: GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware
Securityaffairs, a year ago: Iran-linked APT TA453 targets Windows and macOS systems
CERT-EU, a year ago: Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
CERT-EU, a year ago: Iranian Cyberspies Target US-Based Think Tank With New macOS Malware
CERT-EU, a year ago: Iranian APT Group Charming Kitten Updates Powerstar Backdoor | IT Security News
BankInfoSecurity, a year ago: Iranian APT Group Charming Kitten Updates Powerstar Backdoor
CERT-EU, a year ago: Iran-Linked APT35 Targets Israeli Media With Upgraded Spear-Phishing Tools
Securityaffairs, a year ago: Iran-linked Charming Kitten APT enhanced its POWERSTAR Backdoor
CERT-EU, a year ago: Charming Kitten APT Group Uses Innovative Spear-phishing Methods
CERT-EU, a year ago: Charming Kitten Updates POWERSTAR with an InterPlanetary Twist
MITRE, 2 years ago: APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit - Check Point Research
CERT-EU, a year ago: Microsoft: Iranian Hackers Moved From Recon to Targeting US Critical Infrastructure
CERT-EU, a year ago: Iranian Hackers Target U.S. Energy and Transit Systems
CERT-EU, a year ago: Hacking Groups Rapidly Weaponizing N-Day Vulnerabilities to Attack Enterprise Targets