Powerstar

Malware updated 2 months ago (2024-08-23T09:17:41.712Z)

Download STIX

Preview STIX

Powerstar is a malicious software (malware) utilized by the Iranian state-sponsored threat operation, Charming Kitten, also known as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. This malware has been deployed in spear-phishing attacks targeting US political and government entities since May 2023, according to The Hacker News. Powerstar, which is also referred to as CharmPower and GorjolEcho, is part of a family of malware that includes GORBLE, both of which are designed to enable espionage activities via spear-phishing campaigns. Charming Kitten's operations are sophisticated, leveraging phishing and malware deployment strategies. GreenCharlie, associated with Charming Kitten, uses malware like Powerstar and GORBLE in multi-stage infection processes to compromise systems. These tools assist the backdoor operator by automating basic tasks, making the cyber-espionage more efficient. Notably, Powerstar has undergone updates to enhance its capabilities, as reported by BankInfoSecurity. The malware Powerstar should not be confused with the Chinese PC Maker Powerstar, which rebranded an Intel CPU as the P3-01105, as noted by Tom's Hardware. In addition, different cybersecurity firms have their own names for these threats; Proofpoint refers to Powerstar as "GorjolEcho," while Volexity researchers use the term "PowerStar" to describe a particular Windows code payload used in these campaigns. Most recently, Volexity highlighted the adversary's use of an updated version of a Powershell implant called CharmPower, also known as GhostEcho or Powerstar.

Description last updated: 2024-08-20T12:16:11.002Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
CharmPower is a possible alias for Powerstar. CharmPower is a sophisticated malware, identified as an updated version of the Powerstar backdoor, that has been deployed by the Iranian hacking group known as Charming Kitten. The group used this malware in spear-phishing campaigns to target individuals affiliated with think tanks, universities, an	5
GorjolEcho is a possible alias for Powerstar. GorjolEcho is a sophisticated malware, identified by Proofpoint and attributed with high confidence to the Iranian group TA453, based on code similarities with previously recognized malware such as GhostEcho, CharmPower, and MacDownloader. The malware is delivered via a new infection chain involving	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Payload

Malware

Backdoor

Apt

Phishing

Espionage

Implant

Antivirus

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Charming Kitten Threat Actor is associated with Powerstar. Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is a threat actor linked to Iran that has been involved in various cyberattacks targeting entities in Brazil, Israel, and the U.A.E. using a new backdoor. This group has been implicated in sophisti	has used	3

Source Document References

Information about the Powerstar Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Recorded Future	2 months ago	GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware
DARKReading	a year ago	APT35 Develops Mac Bespoke Malware
CERT-EU	a year ago	Links 08/05/2023: FEX 2305 Tagged, Twitter Waning
CERT-EU	a year ago	Iranian APT Group Charming Kitten Updates Powerstar Backdoor \| IT Security News
CERT-EU	a year ago	Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
BankInfoSecurity	a year ago	Breach Roundup: Iranian Group Targets Nuclear Experts
CERT-EU	a year ago	Threat actors quick to exploit proof-of-concept code
CERT-EU	a year ago	Charming Kitten’s POWERSTAR Malware Boosts its Techniques
CERT-EU	a year ago	New Charming Kitten attacks involve POWERSTAR backdoor
BankInfoSecurity	a year ago	Iranian APT Group Charming Kitten Updates Powerstar Backdoor
CERT-EU	a year ago	Iran-Linked APT35 Targets Israeli Media With Upgraded Spear-Phishing Tools
Securityaffairs	a year ago	Iran-linked Charming Kitten APT enhanced its POWERSTAR Backdoor
CERT-EU	a year ago	Charming Kitten APT Group Uses Innovative Spear-phishing Methods
CERT-EU	a year ago	Charming Kitten’s POWERSTAR Malware Evolves with Advanced Techniques
CERT-EU	a year ago	Charming Kitten Updates POWERSTAR with an InterPlanetary Twist