Charming Kitten, an Iranian-based threat actor, has resurfaced with a new campaign targeting Middle East policy experts using a sophisticated backdoor named BASICSTAR. Also known as APT35, CharmingCypress, and Yellow Garuda, this group has a history of employing advanced social engineering tactics to infiltrate organizations, particularly think tanks, NGOs, and journalists. Despite previous exposure and public scrutiny, Charming Kitten continues to adapt its methods, emphasizing its determination to conduct cyber espionage operations.
The recent attacks, disclosed by Volexity researchers, involve Charming Kitten posing as the Rasanah International Institute for Iranian Studies to establish trust with targets. These phishing attempts utilize compromised email accounts and multi-persona impersonation to lure victims into downloading malicious content. The attack chains often initiate with RAR archives containing LNK files, which distribute malware such as BASICSTAR and KORKULOADER.
BASICSTAR, a Visual Basic Script malware, exhibits capabilities to gather system information, execute remote commands, and download decoy PDF files from a command-and-control server. The attackers’ modus operandi involves tailoring the phishing attacks to serve different backdoors based on the target’s operating system. Windows users are infected with POWERLESS, while macOS victims are targeted with NokNok, via a VPN application embedded with malware.
