Insikt Group documents GreenCharlie, an Iran-nexus threat group overlapping with Mint Sandstorm, Charming Kitten, and APT42, targeting US political and government entities with sophisticated phishing and malware campaigns. The operation relies on dynamic DNS infrastructure for phishing domains, multi-stage infection chains that end in C2 communication, and operator anonymity via ProtonVPN and ProtonMail to conduct espionage and data exfiltration. #GreenCharlie #MintSandstorm #CharmingKitten #APT42 #GORBLE #POWERSTAR #GorjolEcho #Dynu #DNSEXIT #Vitalwerks #ProtonVPN #ProtonMail #USPolitics #USGovernment
Keypoints
- GreenCharlie is an Iran-nexus group linked to Mint Sandstorm, Charming Kitten, and APT42.
- Targets include US political campaign officials, government entities, and strategic assets.
- Malware used includes GORBLE and POWERSTAR, designed for espionage via spearphishing.
- Infrastructure relies on dynamic DNS (DDNS) providers to register domains for phishing.
- Phishing campaigns leverage social engineering tied to current events and political tensions.
- Operators hide their origin behind ProtonVPN and use ProtonMail accounts for operational anonymity; infection is multi-stage, with the implant establishing C2 communication after initial access.
MITRE Techniques
- [T1566] Phishing – Spearphishing with lures themed around cloud services and document viewing. Quote: [‘Utilizes deceptive themes related to cloud services and document visualization to lure targets.’]
- [T1071] Application Layer Protocol – The implant establishes communication with C2 servers after initial access. Quote: [‘Establishes communication with C2 servers after initial access.’]
- [T1041] Exfiltration Over C2 Channel – Data is exfiltrated over the established C2 channel. Quote: [‘Exfiltrates data after establishing C2 communication.’]
- [T1027] Obfuscated Files or Information – Mapped here to the ProtonVPN and ProtonMail use, but note that T1027 covers obfuscating payloads and data on the victim host; hiding operator traffic behind a VPN and creating throwaway email accounts are resource-development behaviours, closer to T1585.002 Establish Accounts: Email Accounts (ProtonMail), and the DDNS-registered phishing domains map to T1583.001 Acquire Infrastructure: Domains. Quote: [‘Employs ProtonVPN and ProtonMail for obfuscation of activities.’]
Indicators of Compromise
- [IP Address] Iran-based IP addresses observed communicating with GreenCharlie infrastructure; the specific addresses are not listed on this page.
- [Domain] Phishing domains registered through DDNS providers (Dynu, DNSEXIT, Vitalwerks/No-IP); the specific hostnames are not listed here, so hunting should key on the providers' DDNS suffixes rather than exact matches.
- [Malware] GORBLE and POWERSTAR – implant names associated with the espionage campaigns; no file hashes are listed on this page.
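Because the page names the DDNS providers but no concrete hostnames (keypoint on DDNS infrastructure and the Domain indicator above), the practical hunt is for customer-registered names under those providers' base domains, optionally weighted by the cloud-service and document-viewing lure themes the report describes. The following is an added detection example, not code from Insikt Group or the report; the DNS log format, the client and hostname values, and the suffix list are constructed for illustration, and the suffix list is partial and must be maintained from each provider's published domain list or a threat-intel feed.

```python
"""Flag DNS log entries whose queried name sits under a DDNS provider base
domain (Dynu, DNSEXIT, Vitalwerks/No-IP) and tag cloud/document-themed names.

Added example; the log format, sample lines and suffix list are constructed
assumptions, not data from the report.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed, partial list of base domains offered by the named providers.
# Maintain from each provider's published domain list or a TI feed.
DDNS_SUFFIXES: Dict[str, str] = {
    "dynu.net": "Dynu",
    "dynu.com": "Dynu",
    "dnsexit.com": "DNSEXIT",
    "linkpc.net": "DNSEXIT",
    "publicvm.com": "DNSEXIT",
    "ddns.net": "Vitalwerks (No-IP)",
    "hopto.org": "Vitalwerks (No-IP)",
    "zapto.org": "Vitalwerks (No-IP)",
    "sytes.net": "Vitalwerks (No-IP)",
    "no-ip.org": "Vitalwerks (No-IP)",
}

# Assumed labels the providers use for their own hosts (www.dynu.com is the
# provider's site, not a customer-registered name). Extend as needed.
PROVIDER_OWN_LABELS = {"www", "api", "mail"}

# Lure-theme keywords drawn from the report's description of cloud-service
# and document-viewing themes; the exact word list is an assumption.
LURE_KEYWORDS = ("sharepoint", "onedrive", "drive", "doc", "file", "cloud",
                 "view", "preview", "pdf", "office")

# Constructed log format: "<ts> client=<ip> query=<name> type=<qtype>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)"
)

# Constructed sample log lines for illustration.
SAMPLE_LOG = """\
2024-08-20T12:01:02Z client=10.0.0.5 query=intranet.corp.example type=A
2024-08-20T12:01:09Z client=10.0.0.5 query=sharepoint-docs-view.ddns.net type=A
2024-08-20T12:02:44Z client=10.0.0.17 query=cloudfile-preview.dynu.net type=A
2024-08-20T12:03:01Z client=10.0.0.17 query=www.dynu.com type=A
2024-08-20T12:03:30Z client=10.0.0.9 query=onedrive.live.com type=A
2024-08-20T12:04:12Z client=10.0.0.9 query=update-host.linkpc.net type=TXT
"""


def classify_host(host: str) -> Optional[Tuple[str, str]]:
    """Return (provider, tenant_label) if host is a customer-registered name
    under a known DDNS suffix, else None.

    The suffix itself (ddns.net) and provider-owned hosts (www.dynu.com) are
    not flagged; the tenant label is the label directly below the suffix.
    """
    labels = host.rstrip(".").lower().split(".")
    for i in range(1, len(labels)):          # keep at least one tenant label
        suffix = ".".join(labels[i:])
        if suffix in DDNS_SUFFIXES:
            tenant = labels[i - 1]
            if tenant in PROVIDER_OWN_LABELS:
                return None
            return DDNS_SUFFIXES[suffix], tenant
    return None


def is_cloud_themed(label: str) -> bool:
    """True if the tenant label mimics the cloud/document lure themes."""
    return any(kw in label for kw in LURE_KEYWORDS)


def scan_dns_log(text: str) -> List[dict]:
    """Parse log lines and return one hit per query to a DDNS tenant name."""
    hits: List[dict] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip lines not in the format
        found = classify_host(m["qname"])
        if found is None:
            continue
        provider, tenant = found
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "qname": m["qname"].lower(),
            "qtype": m["qtype"],
            "provider": provider,
            "tenant_label": tenant,
            "cloud_themed": is_cloud_themed(tenant),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        flag = "LURE-THEMED" if hit["cloud_themed"] else "ddns-only"
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} "
              f"[{hit['provider']}] {flag}")
```

A DDNS match on its own is a weak signal (plenty of legitimate home and lab hosts use these providers), so the themed flag is there to prioritise triage, not to replace it; pivot any hit to the resolved IP, the TLS certificate and the first-seen time for that tenant name before escalating.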