GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware

Insikt Group has identified a significant increase in cyber threat activity from GreenCharlie, an Iran-nexus group that overlaps with Mint Sandstorm, Charming Kitten, and APT42. Targeting US political and government entities, GreenCharlie utilizes sophisticated phishing operations and malware like GORBLE and POWERSTAR. The group's infrastructure, which includes domains registered with dynamic DNS (DDNS) providers, enables the group’s phishing attacks.

GreenCharlie’s Persistent Threat

Since June 2024, Insikt Group has tracked infrastructure linked to GreenCharlie, an Iran-nexus cyber threat group with connections to Mint Sandstorm, Charming Kitten, and APT42. Insikt Group analysis linked GreenCharlie infrastructure to malware which is reported to have been used to target US political campaign officials, government entities, and strategic assets.

GreenCharlie is associated with malware, including POWERSTAR (also known as CharmPower and GorjolEcho) and GORBLE, the latter of which was identified by Google-Mandiant. Both GORBLE and POWERSTAR are variants of the same malware family, designed to enable espionage activity via spearphishing campaigns.

Iran and its associated cyber-espionage actors have consistently demonstrated both the intent and capability to engage in influence and interference operations targeting US elections and domestic information spaces. These campaigns are likely to continue utilizing hack-and-leak tactics aimed at undermining or supporting political candidates, influencing voter behavior, and fostering discord.

The group’s infrastructure is meticulously crafted, utilizing dynamic DNS (DDNS) providers like Dynu, DNSEXIT, and Vitalwerks to register domains used in phishing attacks. These domains often employ deceptive themes related to cloud services, file sharing, and document visualization to lure targets into revealing sensitive information or downloading malicious files.

Recorded Future’s Network Intelligence has identified multiple Iran-based IP addresses communicating with GreenCharlie’s infrastructure. The use of ProtonVPN and ProtonMail further indicates an attempt to obfuscate the group’s activities, a common tactic among Iranian APTs.

GreenCharlie’s phishing operations are highly targeted, often employing social engineering techniques that exploit current events and political tensions. The group has registered numerous domains since May 2024, many of which are likely used for phishing activities. These domains are linked to DDNS providers, which allow for rapid changes in IP addresses, making it difficult to track the group’s activities.

The malware deployed by GreenCharlie, including GORBLE and POWERSTAR, follows a multi-stage infection process. After initial access through phishing, the malware establishes communication with command-and-control (C2) servers, enabling the attackers to exfiltrate data or deliver additional payloads.

To read the entire analysis, click here to download the report as a PDF.