Threats Feed
- Public
Decoding Charming Kitten's POWERSTAR Deployment in Recent Cyber Attack
The Iranian cyber-espionage group, Charming Kitten, targeted an individual who published an article about Iran. The attackers impersonated a reporter and carried out a series of seemingly benign interactions before sending a malicious RAR file containing the POWERSTAR backdoor. The backdoor, once executed, collects system information and communicates with a command-and-control server via encrypted channels. The attackers employ several modules for system reconnaissance, establishing persistence, and cleaning up forensic evidence. Notably, they leveraged the InterPlanetary File System (IPFS) as a fallback mechanism for command-and-control communication.
read more about Decoding Charming Kitten's POWERSTAR Deployment in Recent Cyber Attack - Public
Unveiling BellaCiao: Charming Kitten's Sophisticated Malware Tailored For Individuals
Charming Kitten group's latest malware, BellaCiao, targets Microsoft Exchange servers across the United States, Europe, the Middle East (Turkey), and India. The malware uses a unique communication approach with its command-and-control infrastructure and is tailored to suit individual targets. BellaCiao is a dropper malware that delivers other payloads based on instructions from the C2 server. The initial infection vector is suspected to be Microsoft Exchange exploit chains, and the malware establishes persistence by masquerading as legitimate Microsoft Exchange server processes.
read more about Unveiling BellaCiao: Charming Kitten's Sophisticated Malware Tailored For Individuals - Public
Charming Kitten's HYPERSCRAPE Tool Found Stealing User Data from Email Accounts
A new tool called HYPERSCRAPE, discovered by Google Threat Analysis Group in December 2021, has been found to be used by Charming Kitten to steal user data from Gmail, Yahoo and Microsoft Outlook accounts. HYPERSCRAPE requires the victim's account credentials to run, and once logged in, it changes the account's language settings to English, downloads messages individually as .eml files, and reverts the language back to its original settings once the inbox has been downloaded.
read more about Charming Kitten's HYPERSCRAPE Tool Found Stealing User Data from Email Accounts - Public
Unwrapping Charming Kitten's Holiday Phishing Campaign
During the 2021 Christmas holidays, Iranian state-backed hackers Charming Kitten initiated a targeted phishing campaign against individuals, focusing on personal and business emails. The group used public-facing applications, such as Google services, to redirect victims through a chain of legitimate services, helping bypass security layers in email services and obfuscate their operations. They employed various fake domains and developed custom phishing pages to target a range of online services, collecting sensitive data and emails from victims.
read more about Unwrapping Charming Kitten's Holiday Phishing Campaign