Iranian Cyber Criminals Use the New BASICSTAR Backdoor to Target Middle East Policy Experts

The Iran-linked threat actor Charming Kitten has been connected to a fresh round of attacks targeting Middle East policy experts with a new backdoor known as BASICSTAR, delivered through a fabricated webinar portal.

In the past, Charming Kitten—also known as APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda—has organized a variety of social engineering campaigns aimed at a broad range of victims, frequently journalists, think tanks, and non-governmental organizations.

Researchers Ankur Saini, Callum Roxan, Charlie Gardner, and Damien Cash of Volexity noted that "CharmingCypress often employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content."

Microsoft disclosed last month that prominent figures involved in Middle Eastern issues have been singled out by the adversary for the deployment of malware, including MischiefTut and MediaPl, which can extract private data from a compromised host.

Over the past year, the group—which is believed to be connected to Iran's Islamic Revolutionary Guard Corps (IRGC)—has also distributed several other backdoors, including PowerLess, BellaCiao, POWERSTAR (also known as GorjolEcho), and NokNok. This indicates the group's resolve to carry out its cyberattacks and adapt its tactics despite public exposure.

To initiate contact and build trust with targets, Charming Kitten operators impersonated the Rasanah International Institute for Iranian Studies (IIIS) in phishing attempts observed between September and October 2023.

The use of hacked email accounts belonging to verified contacts, and of several email accounts under the control of different threat-actor personas—a tactic known as multi-persona impersonation (MPI)—is another characteristic of these phishing attempts.

BASICSTAR is a Visual Basic Script (VBS) backdoor that can collect basic system information, remotely execute commands received from a command-and-control (C2) server, and download and display a decoy PDF file.
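The behaviour described above (a script host running a VBS, talking to a C2 server, and opening a decoy document) is something endpoint telemetry can surface without any sample-specific indicator. The following detector is an added example and is not Volexity's tooling or code from the campaign; the Sysmon-like JSON event shape, the field names, and the sample log lines are all constructed for illustration. It flags wscript.exe/cscript.exe launching a .vbs from a user-writable directory and raises the severity when that same process then makes an outbound connection or spawns a child process within a short window.

```python
"""Heuristic detector for script-host abuse consistent with a VBS backdoor.

Hypothetical example (not the vendor's detection logic): the event schema
and the sample telemetry below are constructed, not taken from real hosts.
"""
import json
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories an unprivileged user can write to; admin scripts in C:\Scripts
# are deliberately left out to keep the rule's false-positive rate down.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")

# Constructed sample telemetry, one Sysmon-like JSON event per line.
SAMPLE_LOG = "\n".join([
    r'{"time":"2023-10-02T09:14:05","type":"process","pid":4120,"ppid":3900,'
    r'"image":"C:\\Windows\\System32\\wscript.exe",'
    r'"cmdline":"wscript.exe C:\\Users\\analyst\\Downloads\\webinar_invite.vbs"}',
    r'{"time":"2023-10-02T09:14:07","type":"network","pid":4120,"dest":"198.51.100.23:443"}',
    r'{"time":"2023-10-02T09:14:09","type":"process","pid":4188,"ppid":4120,'
    r'"image":"C:\\Program Files\\Reader\\reader.exe",'
    r'"cmdline":"reader.exe C:\\Users\\analyst\\AppData\\Local\\Temp\\agenda.pdf"}',
    # Benign admin inventory script from a non-user-writable path: must not alert.
    r'{"time":"2023-10-02T10:30:00","type":"process","pid":5010,"ppid":800,'
    r'"image":"C:\\Windows\\System32\\cscript.exe",'
    r'"cmdline":"cscript.exe C:\\Scripts\\inventory.vbs"}',
    r'{"time":"2023-10-02T10:30:02","type":"network","pid":5010,"dest":"10.0.0.5:445"}',
])


def basename(path):
    """Return the file name part of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def parse_log(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def suspicious_script_launch(ev):
    """True when a script host runs a .vbs located in a user-writable directory."""
    if ev["type"] != "process":
        return False
    image = basename(ev["image"]).lower()
    cmd = ev["cmdline"].lower()
    return image in SCRIPT_HOSTS and ".vbs" in cmd and any(d in cmd for d in USER_WRITABLE)


def detect(events, window=timedelta(minutes=5)):
    """Correlate suspicious script launches with follow-on network/child activity.

    Returns one alert dict per suspicious launch; severity is "high" when the
    script host also connected out (possible C2) or spawned a child process
    (e.g. a viewer opening a decoy document) inside the window.
    """
    alerts = []
    for ev in events:
        if not suspicious_script_launch(ev):
            continue
        deadline = ev["time"] + window
        reasons = ["script host launched .vbs from user-writable path"]
        for later in events:
            if later["time"] <= ev["time"] or later["time"] > deadline:
                continue
            if later["type"] == "network" and later["pid"] == ev["pid"]:
                reasons.append("outbound connection to " + later["dest"])
            elif later["type"] == "process" and later.get("ppid") == ev["pid"]:
                reasons.append("spawned child " + basename(later["image"]))
        severity = "high" if len(reasons) > 1 else "medium"
        alerts.append({"pid": ev["pid"], "cmdline": ev["cmdline"],
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["pid"], alert["cmdline"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run against the constructed log, only the wscript.exe launch from the Downloads folder is reported, and it is rated high because the process both connected out and opened a PDF viewer; the cscript.exe inventory script from C:\Scripts stays silent even though it also made a network connection, which is the point of keying the rule on the script's location rather than on the script host alone.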

Furthermore, some of these phishing attempts are designed to deliver a different backdoor depending on the operating system of the device. Windows victims are infected with POWERLESS, while users of Apple macOS are targeted by an infection chain that leads to NokNok through a functional but malware-laced VPN application.

"This threat actor is highly committed to conducting surveillance on their targets to determine how best to manipulate them and deploy malware," the investigators stated. "Additionally, few other threat actors have consistently churned out as many campaigns as CharmingCypress, dedicating human operators to support their ongoing efforts."

The revelation coincides with Recorded Future's discovery of the IRGC's targeting of Western nations through a network of contracting firms that also specialize in transferring technologies to Iraq, Syria, and Lebanon for offensive and surveillance purposes.

Iran-based contractors work with intelligence and military agencies to provide a variety of cyber centers that serve as "firewalls" to hide the identity of the sponsoring agency.

These include the Parnian Telecommunication and Electronic Company, Sabrin Kish, Soroush Saman, Mahak Rayan Afraz, DSP Research Institute, and Ayandeh Sazan Sepher Aria (which is allegedly connected to Emennet Pasargad).

"Iranian contracting companies are established and run by a tight-knit network of personas, who, in some cases, represent the contractors as board members," the company stated. "The individuals are closely associated with the IRGC, and in some cases, are even representatives of sanctioned entities (such as the IRGC Cooperative Foundation)."