GreenCharlie: Iranian hackers penetrate the heart of U.S. politics

The IRGC is trying to influence the US elections.

The Insikt Group team has recorded a significant increase in the activity of the GreenCharlie group, which targets the political and government structures of the United States. The group's activity overlaps with that of another Iranian group, APT42, and includes sophisticated phishing campaigns to deliver the GORBLE and POWERSTAR backdoors.

Since June 2024, Insikt Group specialists have been monitoring the infrastructure associated with GreenCharlie. The group uses purpose-built domains registered with dynamic DNS (DDNS) providers to carry out its phishing attacks. The domains are often disguised as legitimate cloud storage, file sharing, and document viewing services, which allows the group to harvest sensitive information and distribute malicious files.

GreenCharlie is associated with several malicious programs, among which POWERSTAR (also known as CharmPower and GorjolEcho) and GORBLE stand out. The programs were designed for espionage operations carried out through spear phishing campaigns. According to Mandiant, GORBLE and POWERSTAR are different variants of the same malware family, used to gain unauthorized access to data and then exfiltrate it.

GreenCharlie's infrastructure relies on dynamic DNS, which lets the hackers change IP addresses quickly and hampers tracking of their activity. The group also makes heavy use of social engineering, drawing on current events and political tensions to lure victims.

Insikt Group has identified several Iranian IP addresses interacting with GreenCharlie's infrastructure. The use of the ProtonVPN and ProtonMail services also points to attempts to conceal their activity, a tactic typical of Iranian hacking groups.

GreenCharlie's phishing attacks are targeted, their goal being either data theft or the installation of GORBLE and POWERSTAR, which are deployed in several stages. After a successful phish, the backdoors establish communication with C2 servers to exfiltrate data or download additional modules.

Researchers suggest that GreenCharlie conducts its phishing attacks on behalf of the Islamic Revolutionary Guard Corps (IRGC). GreenCharlie's victims include research and policy analysts, government officials, diplomats, and other high-value strategic targets. Although Insikt Group was unable to find direct evidence of attacks on U.S. government officials and political campaign staff, an analysis of open sources "made a credible connection."

Insikt Group experts note that Iranian cyberspies have long established themselves as masters of information campaigns aimed at interfering in US elections and influencing the domestic political agenda. Such operations continue, with the goal of bolstering or undermining the standing of candidates in elections, influencing voter behavior, and creating divisions in society.

Source
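The post describes two infrastructure traits worth hunting for in DNS telemetry: phishing domains registered under dynamic-DNS providers and named to imitate cloud storage, file sharing or document viewing services, and the rapid IP churn that DDNS makes possible. The script below is an added example written for this page, not code from Insikt Group, Recorded Future or the source article. The DDNS provider list, the lure keyword list, the log line format and the log lines themselves are constructed assumptions for illustration; the IP addresses are documentation ranges, not indicators from the report.

```python
"""Hunt for DDNS-hosted lookalike domains and IP churn in DNS query logs.

Added example (not from the original post). Lists, log format and sample
data are constructed assumptions; tune them to your own DNS telemetry.
"""
from collections import defaultdict

# Assumed set of dynamic-DNS apex domains (illustrative; extend from your own
# threat-intel feeds). Hostnames under these apexes are candidates for review.
DDNS_APEX = {"ddns.net", "dynu.net", "hopto.org", "no-ip.org", "duckdns.org"}

# Assumed keywords that imitate cloud storage / file sharing / document viewers,
# the lure themes the post says GreenCharlie's domains are disguised as.
LURE_KEYWORDS = ("drive", "docs", "share", "cloud", "file", "storage",
                 "onedrive", "dropbox", "viewer", "pdf")

# Constructed sample log, format: "<timestamp> <client_ip> <qname> <answer_ip>".
SAMPLE_LOG = """\
2024-07-01T10:00:01Z 10.0.0.5 docs-viewer-share.ddns.net 198.51.100.10
2024-07-01T10:05:13Z 10.0.0.5 docs-viewer-share.ddns.net 198.51.100.22
2024-07-01T10:09:40Z 10.0.0.7 docs-viewer-share.ddns.net 203.0.113.9
2024-07-01T10:11:02Z 10.0.0.9 www.example.com 93.184.216.34
2024-07-01T10:12:30Z 10.0.0.9 homecam.hopto.org 192.0.2.15
"""


def ddns_apex(hostname):
    """Return the DDNS apex a hostname sits under, or None if it is not DDNS."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DDNS_APEX:
            return candidate
    return None


def lure_keywords(hostname, apex):
    """Lure keywords present in the customer-chosen part of a DDNS hostname."""
    subdomain = hostname.lower().rstrip(".")[: -len(apex) - 1]
    return tuple(k for k in LURE_KEYWORDS if k in subdomain)


def parse_line(line):
    """Parse one constructed-format log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return {"ts": parts[0], "client": parts[1],
            "qname": parts[2].rstrip(".").lower(), "answer": parts[3]}


def analyze(lines, churn_threshold=3):
    """Return alerts for DDNS lookalike names and DDNS names with IP churn.

    Alert tuples: ("ddns_lookalike", qname, keywords) and
                  ("ddns_ip_churn", qname, distinct_ip_count).
    """
    alerts = []
    resolved = defaultdict(set)   # DDNS hostname -> distinct answer IPs seen
    flagged = set()               # avoid one lookalike alert per query
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        apex = ddns_apex(rec["qname"])
        if apex is None:
            continue                # only DDNS-hosted names are of interest here
        resolved[rec["qname"]].add(rec["answer"])
        hits = lure_keywords(rec["qname"], apex)
        if hits and rec["qname"] not in flagged:
            flagged.add(rec["qname"])
            alerts.append(("ddns_lookalike", rec["qname"], hits))
    # Fast IP rotation is the DDNS behaviour the post describes; a DDNS name
    # resolving to several addresses in a short window is worth a second look.
    for host, addrs in resolved.items():
        if len(addrs) >= churn_threshold:
            alerts.append(("ddns_ip_churn", host, len(addrs)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample the script raises two alerts for docs-viewer-share.ddns.net (lure keywords docs, share and viewer, and three distinct answer IPs within minutes) and none for the ordinary DDNS host or for www.example.com. In production the keyword match is a triage aid, not a verdict: pair it with registration age, the client population querying the name, and any URL paths seen in proxy logs before escalating.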