GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware
Insikt Group has identified a significant increase in cyber threat activity from GreenCharlie, an Iran-nexus group that overlaps with Mint Sandstorm, Charming Kitten, and APT42. Targeting US political and government entities, GreenCharlie utilizes sophisticated phishing operations and malware like GORBLE and POWERSTAR. The group's infrastructure, which includes domains registered with dynamic DNS (DDNS) providers, enables the group’s phishing attacks.
GreenCharlie’s Persistent Threat
Since June 2024, Insikt Group has tracked infrastructure linked to GreenCharlie, an Iran-nexus cyber threat group with connections to Mint Sandstorm, Charming Kitten, and APT42. Insikt Group analysis linked GreenCharlie infrastructure to malware that is reported to have been used to target US political campaign officials, government entities, and strategic assets.
GreenCharlie is associated with malware, including POWERSTAR (also known as CharmPower and GorjolEcho) and GORBLE, the latter of which was identified by Google-Mandiant. Both GORBLE and POWERSTAR are variants of the same malware family, designed to enable espionage activity via spearphishing campaigns.
Iran and its associated cyber-espionage actors have consistently demonstrated both the intent and capability to engage in influence and interference operations targeting US elections and domestic information spaces. These campaigns are likely to continue utilizing hack-and-leak tactics aimed at undermining or supporting political candidates, influencing voter behavior, and fostering discord.
The group’s infrastructure is meticulously crafted, utilizing dynamic DNS (DDNS) providers like Dynu, DNSEXIT, and Vitalwerks to register domains used in phishing attacks. These domains often employ deceptive themes related to cloud services, file sharing, and document visualization to lure targets into revealing sensitive information or downloading malicious files.
Recorded Future’s Network Intelligence has identified multiple Iran-based IP addresses communicating with GreenCharlie’s infrastructure. The use of ProtonVPN and ProtonMail further indicates an attempt to obfuscate the group’s activities, a common tactic among Iranian APTs.
GreenCharlie’s phishing operations are highly targeted, often employing social engineering techniques that exploit current events and political tensions. The group has registered numerous domains since May 2024, many of which are likely used for phishing activities. These domains are linked to DDNS providers, which allow for rapid changes in IP addresses, making it difficult to track the group’s activities.
The malware deployed by GreenCharlie, including GORBLE and POWERSTAR, follows a multi-stage infection process. After initial access through phishing, the malware establishes communication with command-and-control (C2) servers, enabling the attackers to exfiltrate data or deliver additional payloads.
Appendix A — Indicators of Compromise
Domains:
activeeditor[.]info
personalwebview[.]info
longlivefreedom.ddns[.]net
hugmefirstddd.ddns[.]net
icenotebook.ddns[.]net
softservicetel.ddns[.]net
configtools.linkpc[.]net
webviewerpage[.]info
www.selfpackage[.]info
selfpackage[.]info
itemselectionmode[.]info
termsstatement.duckdns[.]org
mobiletoolssdk.dns-dynamic[.]net
researchdocument[.]info
timelinepage.dns-dynamic[.]net
searchstatistics.duckdns[.]org
messagepending[.]info
www.chatsynctransfer[.]info
synctimezone.dns-dynamic[.]net
chatsynctransfer[.]info
timezone-update.duckdns[.]org
onetimestorage[.]info
towerreseller.dns-dynamic[.]net
translatorupdater.dns-dynamic[.]net
api.overall-continuing[.]site
backend.cheap-case[.]site
admin.cheap-case[.]site
demo.cheap-case[.]site
dev.cheap-case[.]site
app.cheap-case[.]site
api.cheap-case[.]site
editioncloudfiles.dns-dynamic[.]net
fileeditiontools.linkpc[.]net
entryconfirmation.duckdns[.]org
doceditor.duckdns[.]orgv
projectdrivevirtualcloud.co[.]uk
continueresource.forumz[.]info
destinationzone.duia[.]eu
onlinecloudzone[.]info
storageprovider.duia[.]eu
lineeditor.32-b[.]it
lineeditor.001www[.]com
lineeditor.mypi[.]co
dynamicrender.line[.]pm
nextcloudzone.dns-dynamic[.]net
realpage.redirectme[.]net
sharestoredocs.theworkpc[.]com
thisismyapp.accesscam[.]org
thisismydomain.chickenkiller[.]com
pagerendercloud.linkpc[.]net
splitviewer.linkpc[.]net
pageviewer.linkpc[.]net
preparingdestination.fixip[.]org
joincloud.mypi[.]co
joincloud.duckdns[.]org
realcloud[.]info
directfileinternal[.]info
sourceusedirection.mypi[.]co
viewdestination.vpndns[.]net
overflow.duia[.]eu
tracedestination.duia[.]eu
continue.duia[.]eu
linereview.duia[.]eu
highlightsreview.line.pm
nextcloud.duia[.]us
smartview.dns-dynamic.net
contentpreview.redirectme[.]net
finaledition.redirectme[.]net
dynamictranslator.ddnsgeek[.]com
personalstoragebox.linkpc[.]net
personalcloudparent[.]info
cloudarchive[.]info
cloudregionpages[.]info
streaml23.duia[.]eu
pkglessplans[.]xyz
worldstate.duia[.]us
callfeedback.duia[.]ro
reviewedition.duia[.]eu
filereader.dns-dynamic[.]net
vector.kozow[.]com
cloudtools.duia[.]eu
uptimezonemetadta.run[.]place
documentcloudeditor.ddnsgeek[.]com
coldwarehexahash.dns-dynamic[.]net
readquickarticle.dns-dynamic[.]net
uptime-timezone.dns-dynamic[.]net

IP Addresses:
185.241.61[.]86
172.86.77[.]85
146.70.95[.]251
91.232.105[.]185
54.39.143[.]112
38.180.91[.]213
38.180.123[.]135
38.180.123[.]113
38.180.123[.]187
38.180.146[.]214
38.180.146[.]212
38.180.146[.]194
38.180.146[.]174
38.180.123[.]231
38.180.123[.]234
38.180.146[.]252
37.1.194[.]250

Iran-based IP Addresses:
193.111.236[.]130
185.143.233[.]120
94.74.175[.]209
94.74.145[.]184
93.119.48[.]60
37.148.63[.]24
37.255.251[.]17
5.106.153[.]245
5.106.169[.]235
5.106.185[.]98
5.106.202[.]101
5.106.219[.]243

Malware Hashes:
C3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3
33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156
4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f
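The indicators above are published defanged, and the report notes that the group's reliance on dynamic-DNS providers lets it rotate IP addresses quickly, so an exact IP match is a short-lived signal while the hostnames and their DDNS parent zones persist. The following Python is an added example, not code from the report or from Recorded Future: it refangs a constructed subset of the Appendix A indicators, then scans constructed DNS-resolver and web-proxy log lines for exact indicator hits and, separately, for any hostname under one of the dynamic-DNS zones the listed domains sit beneath. The log format, the `SAMPLE_LOGS` lines, and the `DDNS_ZONES` set are assumptions made for the example; the zone-level hit is deliberately reported at a lower level than an indicator hit because those zones also host legitimate names.

```python
"""Refang defanged indicators and match them, together with the dynamic-DNS
parent zones they sit under, against DNS and web-proxy log lines."""
import ipaddress
import re

# Constructed subset of the defanged indicators from Appendix A of the report.
DEFANGED_DOMAINS = [
    "activeeditor[.]info",
    "www.selfpackage[.]info",
    "longlivefreedom.ddns[.]net",
    "mobiletoolssdk.dns-dynamic[.]net",
    "termsstatement.duckdns[.]org",
    "configtools.linkpc[.]net",
]
DEFANGED_IPS = ["185.241.61[.]86", "38.180.123[.]135"]

# Dynamic-DNS parent zones under which Appendix A domains are registered
# (assumed set for this example). A hit on a zone alone is a lower-confidence
# "review this" signal: the same zones carry plenty of legitimate hostnames,
# so it is reported separately from an exact indicator match.
DDNS_ZONES = {"ddns.net", "dns-dynamic.net", "duckdns.org", "linkpc.net",
              "redirectme.net", "ddnsgeek.com"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'a.b[.]c' back into a matchable value."""
    return ioc.replace("[.]", ".").strip().lower().rstrip(".")


def parent_zones(host: str):
    """Yield the parent zones of a hostname, most specific first:
    'a.b.c' -> 'b.c', then 'c'."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(i) for i in DEFANGED_IPS}


def classify(value: str):
    """Return ('ioc', reason) for an indicator hit, ('ddns', zone) for a host
    under a dynamic-DNS zone, or None for a value that is not of interest."""
    v = refang(value)  # tolerate defanged values in the logs as well
    try:
        ipaddress.ip_address(v)
    except ValueError:
        pass  # not an IP address; fall through to hostname matching
    else:
        return ("ioc", "ip") if v in IOC_IPS else None
    if v in IOC_DOMAINS:
        return ("ioc", "domain")
    for zone in parent_zones(v):
        if zone in IOC_DOMAINS:  # child of a listed domain
            return ("ioc", "subdomain of " + zone)
        if zone in DDNS_ZONES:
            return ("ddns", zone)
    return None


# Constructed DNS-resolver and web-proxy log lines in a key=value style.
SAMPLE_LOGS = [
    "2024-08-20T10:15:32Z dns client=10.0.0.5 query=mobiletoolssdk.dns-dynamic.net type=A",
    "2024-08-20T10:15:40Z dns client=10.0.0.5 query=updates.example.com type=A",
    "2024-08-20T10:16:02Z dns client=10.0.0.9 query=myhomecam.duckdns.org type=A",
    "2024-08-20T10:16:30Z proxy client=10.0.0.5 dst=185.241.61.86:443 method=POST",
    "2024-08-20T10:17:01Z proxy client=10.0.0.7 dst=203.0.113.10:443 method=GET",
]

# Pull the queried name or the destination host out of a line; a ':port'
# suffix on the destination is excluded from the capture.
FIELD_RE = re.compile(r"\b(?:query|dst)=([^\s:]+)")


def scan_logs(lines):
    """Return one finding per matching field: line number, value, level, reason."""
    findings = []
    for n, line in enumerate(lines, 1):
        for value in FIELD_RE.findall(line):
            verdict = classify(value)
            if verdict is not None:
                findings.append({"line": n, "value": value,
                                 "level": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['level']:4} {f['value']} ({f['reason']})")
```

Run against the constructed lines, the scan flags the listed `dns-dynamic.net` hostname and the listed IP as indicator hits and the unrelated `duckdns.org` name only as a zone-level finding; the `example.com` query and the documentation-range IP produce nothing. In practice the full Appendix A list would be loaded into `DEFANGED_DOMAINS` and `DEFANGED_IPS`, and the zone-level findings would be triaged rather than blocked outright.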
Appendix B — Mitre ATT&CK Techniques
| Tactic | Technique | ATT&CK Code |
|---|---|---|
| Resource Development | Acquire Infrastructure: Domains | T1583.001 |
| Resource Development | Establish Accounts: Email Accounts | T1585.002 |
| Initial Access | Spearphishing Attachment | T1566.001 |
| Initial Access | Spearphishing Link | T1566.002 |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder | T1547.001 |
| Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 |
| Discovery | System Information Discovery | T1082 |
| Discovery | Process Discovery | T1057 |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 |