Powerstar

Malware updated 23 days ago (2024-11-29T14:03:23.461Z)
Download STIX
Preview STIX
Powerstar is a malicious software (malware) utilized by the Iranian state-sponsored threat operation, Charming Kitten, also known as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. This malware has been deployed in spear-phishing attacks targeting US political and government entities since May 2023, according to The Hacker News. Powerstar, which is also referred to as CharmPower and GorjolEcho, is part of a family of malware that includes GORBLE, both of which are designed to enable espionage activities via spear-phishing campaigns. Charming Kitten's operations are sophisticated, leveraging phishing and malware deployment strategies. GreenCharlie, associated with Charming Kitten, uses malware like Powerstar and GORBLE in multi-stage infection processes to compromise systems. These tools assist the backdoor operator by automating basic tasks, making the cyber-espionage more efficient. Notably, Powerstar has undergone updates to enhance its capabilities, as reported by BankInfoSecurity. The malware Powerstar should not be confused with the Chinese PC Maker Powerstar, which rebranded an Intel CPU as the P3-01105, as noted by Tom's Hardware. In addition, different cybersecurity firms have their own names for these threats; Proofpoint refers to Powerstar as "GorjolEcho," while Volexity researchers use the term "PowerStar" to describe a particular Windows code payload used in these campaigns. Most recently, Volexity highlighted the adversary's use of an updated version of a Powershell implant called CharmPower, also known as GhostEcho or Powerstar.
Description last updated: 2024-08-20T12:16:11.002Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
CharmPower is a possible alias for Powerstar. CharmPower is a sophisticated malware, identified as an updated version of the Powerstar backdoor, that has been deployed by the Iranian hacking group known as Charming Kitten. The group used this malware in spear-phishing campaigns to target individuals affiliated with think tanks, universities, an
5
GorjolEcho is a possible alias for Powerstar. GorjolEcho is a sophisticated malware, identified by Proofpoint and attributed with high confidence to the Iranian group TA453, based on code similarities with previously recognized malware such as GhostEcho, CharmPower, and MacDownloader. The malware is delivered via a new infection chain involving
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Malware
Backdoor
Apt
Phishing
Espionage
Implant
Antivirus
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Charming Kitten Threat Actor is associated with Powerstar. Charming Kitten, also known as APT35 or APT42 among other names, is a threat actor believed to be linked to the Iranian government. The group has been implicated in a series of cyber-attacks against various entities in Brazil, Israel, and the U.A.E., deploying a new backdoor that initiates an infecthas used
3