New Charming Kitten attacks involve POWERSTAR backdoor

Iranian state-sponsored threat operation Charming Kitten, also known as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda, has launched a new wave of spear-phishing attacks deploying the POWERSTAR backdoor since May, according to The Hacker News. A report from Volexity revealed that Charming Kitten has added further measures to evade detection in the latest POWERSTAR attacks, which used an LNK file inside a password-protected RAR archive to trigger the download of the backdoor from Backblaze. Researchers also found that the backdoor not only allows remote PowerShell and C# command execution but also collects system data and screenshots and downloads and executes further modules, while also removing persistence-related registry keys and other indicators of malicious activity. Another POWERSTAR variant retrieves its hard-coded C2 server by decoding a file stored on the decentralized InterPlanetary File System. "The references to persistence mechanisms and executable payloads within the POWERSTAR Cleanup module strongly suggest a broader set of tools used by Charming Kitten to conduct malware-enabled espionage," said researchers.