Key points
- CharmingCypress used targeted spear-phishing and a fake webinar portal that required victims to install attacker-supplied VPN clients to access content.
- The malicious VPN clients contained platform-specific payloads: Windows clients deployed POWERLESS (PowerShell backdoor) and BASICSTAR-related components, macOS clients deployed NOKNOK.
- POWERLESS delivery: VPN.exe → download AES blob (vconf) → cfmon.exe patches AMSI/ETW → decrypts and runs encrypted PowerShell; associated modules include blacksmith.exe, oqeifvb.exe, and AudioRecorder4.exe.
- Persistence techniques include adding a Shell registry entry under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and hijacking a COM handler for MsCtfMonitor via a downloaded persistence DLL.
- Delivery also used RAR archives with malicious LNK shortcuts (BASICSTAR/down.vbs) that launch scripts and NirCmd to execute further commands and modules; BASICSTAR collects system info and executes remote commands.
- C2 and hosting infrastructure included domains on glitch[.]me, ddns[.]net, and an observed VPN server at 49.13.15[.]66:1194; several MD5/SHA1 file hashes for deployed binaries are provided.
- Defensive-evasion techniques observed: AMSI/ETW patching, heavy encoding (NOKNOK base64 ×5), and obfuscated downloader PowerShell scripts.
MITRE Techniques
- [T1566.002] Spearphishing Link – Targeted emails directed victims to a fake webinar portal hosting the lure (‘Emails containing a link to a fake webinar platform, and credentials to enable access to it, were distributed to a small number of targeted individuals.’)
- [T1204.002] User Execution: Malicious File – Malicious RAR archives contained shortcut (LNK) files that executed scripts/downloaders (‘URLs that start a redirection chain, culminating in the download of a RAR archive containing malicious shortcut (LNK) files’)
- [T1105] Ingress Tool Transfer – Download of additional payloads and modules from attacker-controlled C2/storage (e.g., KORKULOADER, vconf, cfmon.exe) (‘The malware-laden VPN application writes a malicious binary, VPN.exe … It also downloads a base64-encoded blob of data from the C2, writes this to disk at C:\Users\Public\vconf, and downloads a .NET binary named cfmon.exe’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell used as downloader and backdoor runtime (KORKULOADER and POWERLESS execution) (‘KORKULOADER is a very simple PowerShell downloader script’ and POWERLESS executes an obfuscated PowerShell script in memory)
- [T1027] Obfuscated Files or Information – Heavy encoding and obfuscation of payloads/scripts (NOKNOK base64 ×5, AES-encrypted blobs) (‘CharmingCypress delivers NOKNOK as a string that has been base64 encoded five times’ and ‘downloads a base64-encoded blob of data from the C2’)
- [T1547.004] Boot or Logon Autostart Execution: Winlogon Helper DLL – Persistence via Shell registry entry under Winlogon (registry modification used to persist cfmon.exe) (‘Persistence for cfmon.exe is achieved by adding a Shell registry entry in registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – Patching AMSI and ETW APIs to evade detection prior to in-memory execution (‘cfmon.exe first patches the AmsiScanBuffer and EtwEventWrite API functions to bypass them, replacing the initial function bytes’)
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication and payload hosting over web infrastructure and hosted services (glitch[.]me, supabase[.]co, defaultbluemarker[.]info) (‘The C2 address used by this sample of POWERLESS is defaultbluemarker[.]info’ and references to supabase[.]co in logs)
Indicators of Compromise
- [Domain] C2/hosting – defaultbluemarker[.]info (POWERLESS C2), decorous-super-blender[.]glitch[.]me (NOKNOK C2)
- [Domain] Fake portal/typo-squat domains – rasaneh-iiis[.]org, rasaanah-iiis[.]org (fake webinar portal hosts)
- [IP:Port] VPN endpoint – 49.13.15[.]66:1194 (OpenVPN server used by malicious VPN client)
- [File name] Delivered binaries/scripts – VPN.exe (malicious VPN binary), cfmon.exe (loader that patches AMSI/ETW), vconf (AES blob written to C:\Users\Public\vconf)
- [File hash MD5] Examples of payloads – VPN.exe MD5: 266305f34477b679e171375e12e6880f; cfmon.exe MD5: 859a9e523c3308c120e82068829fab84 (and several other hashes listed in the report)
- [Script/file] LNK/RAR chain artifacts – down.vbs MD5: 2edea0927601ef443fc31f9e9f8e7a77 (BASICSTAR downloader), Informations.vbs MD5: 853687659483d215309941dae391a68f
Volexity observed a multi-step technical procedure in which CharmingCypress delivered targeted spear-phishing lures that pointed victims to a realistic fake webinar portal. The portal validated credentials and enforced an IP check, serving a functional but malicious VPN client (Windows or macOS) based on user-agent; only clients connecting via the attacker-controlled OpenVPN endpoint (49.13.15[.]66:1194) passed the check. The Windows VPN client wrote VPN.exe into the OpenVPN folder, which authenticated and then downloaded an AES-encrypted blob (vconf) and a loader (cfmon.exe); cfmon.exe patches AmsiScanBuffer and EtwEventWrite, decrypts vconf to an obfuscated PowerShell script, and runs POWERLESS in memory. POWERLESS implements AES-encrypted C2, module loading (blacksmith.exe for browser theft, AudioRecorder4.exe for audio capture, oqeifvb.exe for persistence work), file upload/download, command execution, and updates to in-memory config; persistence is achieved by adding a Shell entry under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and by hijacking a COM handler for MsCtfMonitor to host a downstream DLL.
Alternative delivery chains included RAR archives containing malicious LNK shortcuts that execute PowerShell downloaders (KORKULOADER) or VBS (down.vbs) that bootstrap BASICSTAR. BASICSTAR is a Visual Basic-based backdoor that fingerprints hosts (computer name, user, OS), opens lure PDFs, downloads NirCmd to execute commands, enters a command loop to poll C2 (prism-west-candy[.]glitch[.]me), and supports remote modules and a cleanup (kill) command. On macOS, the supplied VPN client installs a SOCKS proxy via networksetup and loads NOKNOK, delivered as a script base64-encoded multiple times and executed in memory with C2 at decorous-super-blender[.]glitch[.]me.
Across chains, the actor used defensive evasion (AMSI/ETW patching), obfuscation/encoding (base64 ×5, AES blobs), in-memory execution of PowerShell, standard ingress transfer of tools (downloads from glitch[.]me, supabase[.]co and DDNS hosts), and targeted persistence mechanisms; Volexity enumerated multiple file hashes, domain names, and the VPN endpoint IP to support detection and triage.
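As an added detection example (not code from the Volexity report), the Python below flags the two persistence artifacts described above in constructed Sysmon-style registry write records: a per-user or non-default Winlogon Shell value, and a per-user CLSID InprocServer32 registration of the kind used to hijack a COM handler. The SIDs, CLSIDs and file paths other than C:\Users\Public are constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed Sysmon-style registry "value set" records (Event ID 13 shape), not real telemetry.
# Each record: writing process | registry object written | value written.
SAMPLE_EVENTS = [
    # Machine-wide Winlogon shell set by Windows itself: expected, benign.
    r"C:\Windows\System32\svchost.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|explorer.exe",
    # Per-user Shell value naming an extra binary: the cfmon.exe persistence the report describes (path constructed).
    r"C:\Program Files\OpenVPN\bin\VPN.exe|HKU\S-1-5-21-1111\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|explorer.exe,C:\Users\Public\cfmon.exe",
    # Per-user COM server registration pointing at a DLL in a user-writable folder (CLSID and DLL name constructed).
    r"C:\Users\Public\oqeifvb.exe|HKU\S-1-5-21-1111\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)|C:\Users\Public\persist.dll",
    # Per-user COM registration by a vendor installer into Program Files: worth a look, but lower priority.
    r"C:\Users\alice\AppData\Local\Temp\setup.exe|HKU\S-1-5-21-1111\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32\(Default)|C:\Program Files\Vendor\lib.dll",
]

WINLOGON_SHELL = re.compile(r"\\Winlogon\\Shell$", re.IGNORECASE)
PER_USER_HIVE = re.compile(r"^HK(CU|U\\)", re.IGNORECASE)
PER_USER_CLSID = re.compile(
    r"^HK(CU|U\\[^\\]+)\\SOFTWARE\\Classes\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData|Temp|ProgramData)\\", re.IGNORECASE)


def analyze(events: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, rule, writing process) for each suspicious registry write."""
    findings = []
    for line in events:
        image, target, value = line.split("|", 2)
        if WINLOGON_SHELL.search(target):
            # Windows sets Shell machine-wide to explorer.exe. A per-user Shell value, or any value
            # naming an additional program, is how the report's cfmon.exe persistence works.
            if PER_USER_HIVE.match(target) or value.strip().lower() != "explorer.exe":
                findings.append(("high", "winlogon-shell-override", image))
        elif PER_USER_CLSID.match(target):
            # HKCU\Software\Classes is consulted before HKLM for COM activation under the interactive
            # user, so a per-user InprocServer32 can hijack a handler such as the one MsCtfMonitor loads.
            severity = "high" if USER_WRITABLE.search(value) else "medium"
            findings.append((severity, "per-user-com-inprocserver32", image))
    return findings


if __name__ == "__main__":
    for severity, rule, image in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: written by {image}")
```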
Read more: https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/