Yellow Garuda

Threat Actor updated 23 days ago (2024-11-29T14:23:30.283Z)
Yellow Garuda, also known as Charming Kitten, APT35, Mint Sandstorm, Cobalt Illusion, and TA453 among other names, is a threat actor believed to operate on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The group has been active in cyber espionage campaigns for years. In July 2022, PwC reported that Yellow Garuda was distributing malicious DOCX files hosted on Dropbox and AWS. The cybersecurity industry has observed this threat actor using a range of tactics and techniques, including spear-phishing attacks and backdoors such as POWERSTAR and BASICSTAR. The group escalated its activities in 2023, launching from May a new wave of spear-phishing attacks that deployed the POWERSTAR backdoor. These attacks were part of a broader campaign by the Iranian state-sponsored operation targeting nuclear security experts; Proofpoint detailed these actions, highlighting the threat actor's focus on high-profile targets. The group also carried out a phishing attack against an Israeli rabbi, demonstrating the breadth of its targeting. In 2024, Yellow Garuda further diversified its attack methods, deploying a novel backdoor called BASICSTAR. This tool was used against Middle East policy experts between September and October of the previous year. The group impersonated the Rasanah International Institute for Iranian Studies, tricking victims into joining a fake webinar that facilitated the download of the BASICSTAR malware. According to a report by Volexity, this allowed the threat actor to exfiltrate system data and execute commands remotely. Given the continuous evolution and persistence of Yellow Garuda's tactics, the threat actor remains a significant concern for defenders.
Description last updated: 2024-08-30T17:17:08.314Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles worth reviewing.
- Charming Kitten (4 votes) is a possible alias for Yellow Garuda. Charming Kitten, also known as APT35 or APT42 among other names, is a threat actor believed to be linked to the Iranian government. The group has been implicated in a series of cyber-attacks against various entities in Brazil, Israel, and the U.A.E., deploying a new backdoor that initiates an infect
- TA453 (2 votes) is a possible alias for Yellow Garuda. TA453, also known as Charming Kitten, APT35, Phosphorus, Newscaster, and Ajax Security Team, is a threat actor group suspected to be linked with the Iranian government. Researchers from Proofpoint have attributed cyberattacks on affiliates of former National Security Adviser John Bolton and nuclear
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing