Yellow Garuda

Threat Actor updated 8 days ago (2024-08-30T17:17:58.571Z)
Yellow Garuda, also known as Charming Kitten, APT35, Mint Sandstorm, Cobalt Illusion, and TA453 among other names, is a threat actor believed to be operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The group has been active in cyber espionage campaigns for years. In July 2022, PwC reported that Yellow Garuda was distributing malicious DOCX files hosted on Dropbox and AWS. The cybersecurity industry has observed the group using a range of tactics and techniques, including spear-phishing attacks and backdoors such as POWERSTAR and BASICSTAR.

The group escalated its activities in 2023 with a new wave of spear-phishing attacks that has deployed the POWERSTAR backdoor since May. These attacks were part of a broader Iranian state-sponsored campaign targeting nuclear security experts; Proofpoint, a cybersecurity firm, detailed the activity and highlighted the group's focus on high-profile targets. The group also carried out a phishing attack against an Israeli rabbi, showing the breadth of its targeting.

In 2024, Yellow Garuda further diversified its attack methods, deploying a novel backdoor called BASICSTAR. This tool was used against Middle East policy experts between September and October of the previous year. The group impersonated the Rasanah International Institute for Iranian Studies, luring victims into joining a fake webinar that delivered the BASICSTAR malware, which allowed the actor to exfiltrate system data and execute commands remotely, according to a report by Volexity. Given the continuous evolution and persistence of its tactics, Yellow Garuda remains a significant concern in the realm of cybersecurity.
Description last updated: 2024-08-30T17:17:08.314Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Overlapping profiles (ID, votes, profile description):

Charming Kitten (4 votes): Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iranian threat actor group that has been linked to various cyber attacks. It has targeted entities in Brazil, Israel, and the United Arab Emirates using a new backdoor, as revealed by securit

TA453 (2 votes): TA453, also known as Charming Kitten, APT35, APT42, Ballistic Bobcat, Phosphorus, and Ajax Security Team, is a threat actor linked to the Iranian government. This group has been implicated in numerous cyber espionage activities targeting various entities globally. In one notable incident, researcher
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Source Document References
Information about the Yellow Garuda threat actor was read from the documents listed below. This display is limited to 20 results.
Source (created): Title

Malwarebytes (8 days ago): Iranian cybercriminals are targeting WhatsApp users in spear phishing campaign | Malwarebytes
DARKReading (18 days ago): IRGC-Linked Hackers Roll Malware into Monolithic Trojan
CERT-EU (7 months ago): Secure email gateways increasingly evaded by malicious emails
CERT-EU (7 months ago): Novel backdoor used in Charming Kitten attacks
BankInfoSecurity (a year ago): Iranian APT Group Charming Kitten Updates Powerstar Backdoor
CERT-EU (a year ago): Iranian Cyberspies Target US-Based Think Tank With New macOS Malware
CERT-EU (a year ago): Cyber Security Week in Review: July 7, 2023
CERT-EU (a year ago): Threat actors quick to exploit proof-of-concept code
CERT-EU (a year ago): New Charming Kitten attacks involve POWERSTAR backdoor
CERT-EU (a year ago): Iranian Hackers Target U.S. Energy and Transit Systems
CERT-EU (a year ago): Charming Kitten Updates POWERSTAR with an InterPlanetary Twist
CERT-EU (a year ago): Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
CERT-EU (a year ago): Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week - TechCentral.ie
CERT-EU (a year ago): Iranian APT Group Charming Kitten Updates Powerstar Backdoor | IT Security News