CharmPower

Malware profile, updated 3 months ago
CharmPower, also known as POWERSTAR or GhostEcho, is a PowerShell-based modular backdoor attributed to the Iranian threat group Charming Kitten. It is built to gain a foothold on a victim's system, establish persistence, collect system information, and execute operator-supplied commands. It was recently updated and has been distributed via spear-phishing campaigns and by exploiting the Log4j vulnerability. The updates were discovered by the security firm Volexity, which noted that Charming Kitten has been evolving its malware in step with its spear-phishing techniques. The new version of CharmPower mirrors the functionality of the modules of an implant called NokNok and shares some source code with macOS malware previously attributed to the group in 2017.

The updated version of CharmPower was delivered through targeted spear-phishing campaigns aimed primarily at individuals with ties to the security community and at people affiliated with think tanks or universities in Israel, North America, and Europe. Proofpoint attributes the activity to the Iranian group with high confidence, based on code similarities between GorjolEcho, NokNok, and malware previously attributed to the group, including GhostEcho, CharmPower, and MacDownloader. In the most recent campaign, the PowerStar malware was delivered by email as an .LNK file inside a password-protected .RAR archive, an approach that reflects the group's emphasis on stealth and bespoke attacks to improve its return on investment. Microsoft has also tracked a group it newly designated Mint Sandstorm using the CharmPower implant.

The continual evolution of this malware and its delivery methods underlines the need for ongoing vigilance and proactive defensive measures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name (votes): profile description

Powerstar (3 votes): Powerstar is a malicious software (malware) deployed by the Iranian Advanced Persistent Threat (APT) group known as Charming Kitten, also referred to as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. This malware was used in a series of spear-phishing attacks launched by the group since

Noknok (2 votes): NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions

GorjolEcho (1 vote): GorjolEcho is a malicious software, or malware, linked to the Iranian group TA453 and identified by Proofpoint researchers. This sophisticated backdoor malware is designed to infiltrate computer systems, establish persistence, and exfiltrate information to command-and-control servers. The stealthy n

Ghostecho (1 vote): None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing, Backdoor, Malware, Exploitation, Implant, Exploit, Log4j, Volexity, PowerShell, Microsoft, Iran, Proofpoint, macOS, Vulnerability
Associated Malware
No associations to display.
Associated Threat Actors
Name, relationship type (votes): profile description

Charming Kitten, Unspecified (3 votes): Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou

Mint Sandstorm, Unspecified (2 votes): Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val

APT35, Unspecified (1 vote): APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the CharmPower malware was read from the document corpus below. This display is limited to 20 results.

Source (created): title
Securityaffairs (a year ago): Iran-linked APT TA453 targets Windows and macOS systems
CERT-EU (a year ago): Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
CERT-EU (a year ago): Iranian Cyberspies Target US-Based Think Tank With New macOS Malware
CERT-EU (a year ago): Iranian APT Group Charming Kitten Updates Powerstar Backdoor | IT Security News
BankInfoSecurity (a year ago): Iranian APT Group Charming Kitten Updates Powerstar Backdoor
CERT-EU (a year ago): Iran-Linked APT35 Targets Israeli Media With Upgraded Spear-Phishing Tools
Securityaffairs (a year ago): Iran-linked Charming Kitten APT enhanced its POWERSTAR Backdoor
CERT-EU (a year ago): Charming Kitten APT Group Uses Innovative Spear-phishing Methods
CERT-EU (a year ago): Charming Kitten Updates POWERSTAR with an InterPlanetary Twist
MITRE (a year ago): APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit - Check Point Research
CERT-EU (a year ago): Microsoft: Iranian Hackers Moved From Recon to Targeting US Critical Infrastructure
CERT-EU (a year ago): Iranian Hackers Target U.S. Energy and Transit Systems
CERT-EU (a year ago): Hacking Groups Rapidly Weaponizing N-Day Vulnerabilities to Attack Enterprise Targets