Powerstar

Malware Profile Updated 3 months ago
Powerstar is malware deployed by the Iranian Advanced Persistent Threat (APT) group known as Charming Kitten, also referred to as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. The group has used it in a series of spear-phishing attacks launched since May 2023. The payload in this campaign was a Windows backdoor that Volexity researchers named PowerStar; Proofpoint tracks the same malware as GorjolEcho. The backdoor automates basic tasks for its operators, making it a capable tool for cyber espionage.

In recent updates, Powerstar has evolved into a more sophisticated threat. It now supports remote execution of PowerShell and C# commands, establishes persistence through several methods, updates its configuration dynamically, uses multiple command-and-control (C2) channels, performs system reconnaissance, and monitors its existing persistence mechanisms. These enhancements point to an increasingly complex malware structure and suggest a customized server-side component that further simplifies operations for the malware operator. The latest iteration also shows improved operational security, which complicates analysis and intelligence gathering. According to Volexity, these developments mark a significant progression in the technical capabilities of the Charming Kitten group and an escalating threat. Organizations are therefore advised to maintain robust security controls and remain vigilant against spear-phishing attacks that deploy the Powerstar backdoor.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

Charming Kitten (3 votes)
Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou

CharmPower (3 votes)
CharmPower, also known as POWERSTAR or GhostEcho, is a PowerShell-based modular backdoor malware attributed to the Iranian hacking group Charming Kitten. This malicious software is designed to infiltrate computer systems, establish persistence, gather information, and execute commands. It was recent

Yellow Garuda (1 vote)
Yellow Garuda, also known as Charming Kitten, APT35, Mint Sandstorm, and various other aliases, is a malware associated with an Iranian state-sponsored threat operation. It has been active since at least 2011, operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The malware is des

Ghostecho (1 vote)
(no description)

APT35 (1 vote)
APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Apt
Backdoor
Malware
Espionage
Phishing
Implant
Antivirus
Reconnaissance
Log4j
Exploit
Vulnerability
State Sponso...
Windows
Proofpoint
Volexity
Associated Malware
ID / Type / Votes / Profile Description

GorjolEcho (type: Unspecified, 1 vote)
GorjolEcho is a malicious software, or malware, linked to the Iranian group TA453 and identified by Proofpoint researchers. This sophisticated backdoor malware is designed to infiltrate computer systems, establish persistence, and exfiltrate information to command-and-control servers. The stealthy n
Associated Threat Actors
ID / Type / Votes / Profile Description

Phosphorus (type: Unspecified, 1 vote)
Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the

Newscaster (type: Unspecified, 1 vote)
APT35, also known as Newscaster Team, is an Iranian government-sponsored cyber espionage group that conducts extensive operations to gather strategic intelligence. The group, which has been active since at least 2014, has been linked to a series of advanced persistent threat (APT) campaigns targetin

Wildcard (type: Unspecified, 1 vote)
ThreatActor Wildcard is a sophisticated entity known for its malicious activities, including phishing, malware distribution, and other cyber threats. The group employs innovative tactics such as using the /mo parameter to specify the last day of the month and the /m parameter with the wildcard chara
Associated Vulnerabilities
ID / Type / Votes / Profile Description

Log4Shell (type: Unspecified, 1 vote)
Log4Shell is a software vulnerability, specifically a flaw in the design or implementation of the popular Java logging library, Log4j. Identified as CVE-2021-44228, this vulnerability allows an attacker to remotely execute arbitrary code, often leading to full system compromise. Advanced Persistent
Source Document References
Information about the Powerstar malware was read from the document corpus below. This display is limited to 20 results.
Source / Created At / Title

DARKReading (a year ago): APT35 Develops Mac Bespoke Malware
CERT-EU (a year ago): Links 08/05/2023: FEX 2305 Tagged, Twitter Waning
CERT-EU (a year ago): Iranian APT Group Charming Kitten Updates Powerstar Backdoor | IT Security News
CERT-EU (a year ago): Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
BankInfoSecurity (a year ago): Breach Roundup: Iranian Group Targets Nuclear Experts
CERT-EU (a year ago): Threat actors quick to exploit proof-of-concept code
CERT-EU (a year ago): Charming Kitten’s POWERSTAR Malware Boosts its Techniques
CERT-EU (a year ago): New Charming Kitten attacks involve POWERSTAR backdoor
BankInfoSecurity (a year ago): Iranian APT Group Charming Kitten Updates Powerstar Backdoor
CERT-EU (a year ago): Iran-Linked APT35 Targets Israeli Media With Upgraded Spear-Phishing Tools
Securityaffairs (a year ago): Iran-linked Charming Kitten APT enhanced its POWERSTAR Backdoor
CERT-EU (a year ago): Charming Kitten APT Group Uses Innovative Spear-phishing Methods
CERT-EU (a year ago): Charming Kitten’s POWERSTAR Malware Evolves with Advanced Techniques
CERT-EU (a year ago): Charming Kitten Updates POWERSTAR with an InterPlanetary Twist