{
	"id": "87513758-0cc8-4a47-9b9f-706bdf7364ad",
	"created_at": "2026-04-06T00:07:04.081112Z",
	"updated_at": "2026-04-10T13:13:01.582432Z",
	"deleted_at": null,
	"sha1_hash": "b8545dc59c4f11ebe08f0c9af60aa25c5ae8f3c5",
	"title": "Charming Kitten Updates POWERSTAR with an InterPlanetary Twist",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1957478,
	"plain_text": "Charming Kitten Updates POWERSTAR with an InterPlanetary\r\nTwist\r\nBy mindgrub\r\nPublished: 2023-06-28 · Archived: 2026-04-02 10:49:24 UTC\r\nVolexity works with many individuals and organizations often subjected to sophisticated and highly targeted\r\nspear-phishing campaigns from a variety of nation-state-level threat actors. In the last few years, Volexity has\r\nobserved threat actors dramatically increase the level of effort they put into compromising credentials or systems\r\nof individual targets. Spear-phishing campaigns now often involve individual, tailored messages that engage in\r\ndialogue with each target, sometimes over a period of several days, before a malicious link or file attachment is\r\never sent.\r\nOne threat actor Volexity frequently sees employing these techniques is Charming Kitten, who is believed to be\r\noperating out of Iran. Charming Kitten appears to be primarily concerned with collecting intelligence by\r\ncompromising account credentials and, subsequently, the email of individuals they successfully spear phish. The\r\ngroup will often extract any other credentials or access they can, and then attempt to pivot to other systems, such\r\nas those accessible via corporate virtual private networks (VPNs) or other remote access services.\r\nVolexity often uncovers spear-phishing campaigns from Charming Kitten against its own customers. 
These\r\nobserved spear-phishing attacks are typically aimed at credential harvesting rather than deploying malware.\r\nHowever, in a recently detected spear-phishing campaign, Volexity discovered that Charming Kitten was\r\nattempting to distribute an updated version of one of their backdoors, which Volexity calls POWERSTAR (also\r\nknown as CharmPower).\r\nhttps://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/\r\nPage 1 of 12\n\nThis new version of POWERSTAR was analyzed by the Volexity team and led to the discovery that Charming\r\nKitten has been evolving their malware alongside their spear-phishing techniques. Notably, there have been\r\nimproved operational security measures placed in the malware to make it more difficult to analyze and collect\r\nintelligence. Fortunately, Volexity had all the necessary pieces and was able to fully analyze this new\r\nPOWERSTAR variant.\r\nVolexity found the latest POWERSTAR variant to be more complex and assesses that it is likely supported by a\r\ncustom server-side component, which automates simple actions for the malware operator. It is also notable that\r\nthis latest version of the malware has a variety of interesting features, including the use of the InterPlanetary File\r\nSystem (IPFS), as well as remotely hosting its decryption function and configuration details on publicly accessible\r\ncloud hosting.\r\nThis blog post discusses Charming Kitten’s spear-phishing activity, but it largely focuses on detection and analysis\r\nof the new variant of the POWERSTAR backdoor.\r\nPOWERSTAR Timeline\r\nIn an effort to see how the malware has evolved, Volexity reviewed historic activity related to POWERSTAR\r\nsince Volexity first encountered it in 2021. 
Various security companies have also encountered POWERSTAR, and\r\nCharming Kitten has been observed distributing POWERSTAR in a surprising number of different ways, as\r\ndescribed in the timeline below.\r\n2023\r\nMay: Volexity observes Charming Kitten attempting to distribute POWERSTAR via a spear-phishing campaign involving an LNK file inside a password-protected RAR file. This LNK, when executed by the user, downloads POWERSTAR from Backblaze and attacker-controlled infrastructure.\r\nApril: Microsoft reports Mint Sandstorm distributing OneDrive-hosted PDF files containing URLs to download a DOTM from Dropbox. Once executed, template injection is abused to execute POWERSTAR, which is hosted on OneDrive.\r\n2022\r\nJuly: PWC reports Yellow Garuda distributing DOCX files hosted on Dropbox and AWS. These documents abused template injection to execute DOTM files from OneDrive or attacker-controlled infrastructure. Decryption keys were fetched from S3 buckets to decrypt POWERSTAR.\r\nJanuary: Check Point publicly reports on the exploitation of the Log4J vulnerability by Charming Kitten, resulting in subsequent execution of POWERSTAR hosted on an Amazon S3 bucket.\r\n2021\r\nVolexity observes a rudimentary version of POWERSTAR distributed by a malicious macro embedded in a DOCM file.\r\nIt is notable that in recent months, Charming Kitten appears to be straying from their previously preferred cloud-hosting providers (OneDrive, AWS S3, Dropbox) in favor of privately hosted infrastructure, Backblaze and IPFS,\r\nto deliver their malware. 
It is possible that the group regards this as less likely to lead to their tools being exposed,\r\nor that these other providers are less likely to act against their accounts and infrastructure.\r\nAnalysis\r\nWill You Please Review My Malware?\r\nThe target of the recently observed attack had published an article related to Iran. The publicity appears to have\r\ngarnered the attention of Charming Kitten, who subsequently created an email address to impersonate a reporter\r\nof an Israeli media organization in order to send the target an email. Prior to sending malware to the target, the\r\nattacker simply asked if the target would be open to reviewing a document they had written related to US foreign\r\npolicy. The target agreed to do so, since this was not an unusual request; they are frequently asked by journalists to\r\nreview opinion pieces relating to their field of work.\r\nIn an effort to further gain the target’s confidence, Charming Kitten continued the interaction with another benign\r\nemail containing a list of questions, to which the target then responded with answers. After multiple days of\r\nbenign and seemingly legitimate interaction, Charming Kitten finally sent a “draft report”; this was the first time\r\nanything overtly malicious occurred. The “draft report” was, in fact, a password-protected RAR file containing a\r\nmalicious LNK file. The password for the RAR file was provided in a subsequent email.\r\nVolexity assesses that the phishing operator was following a common playbook for phishing operations:\r\n1. 
Establish contact with the target, posing as a real individual with an easily verifiable public profile, and\r\nbuild a basic rapport with the target.\r\nThe sender email resembles the personal account of the impersonated individual and uses a\r\ngenerally trusted webmail provider.\r\nThe initial email lacks any malicious content, and as a result there is no reason for the email to be\r\nfiltered by security software or raise any concerns for the recipient.\r\n2. Once the target responds, send another email asking a series of questions.\r\nThis further builds rapport and trust between the attacker and the victim.\r\nAdditionally, any answers to these questions can be used in phishing emails against third-party\r\ntargets.\r\n3. After a response from the target, or if they fail to respond for a period of time, send an additional email,\r\nthis time containing a malicious, password-protected attachment.\r\nSending the password separately hinders automated attachment extraction and scanning.\r\nControlling Operational Scope via Limiting Distribution of Decryption Functions\r\nMalware authors often encrypt data used by malware to hinder static detection when files are stored on disk. The\r\nmost obvious weakness of this technique is that an analyst could simply execute the malware; decrypted code will\r\neventually be visible via memory analysis. Another weakness is that often, to successfully decrypt the data, the\r\nmalware will contain a decryption method and key. If that is present on disk alongside the encrypted data, an\r\nanalyst can decrypt the data. With POWERSTAR, Charming Kitten sought to limit the risk of exposing their\r\nmalware to analysis and detection by delivering the decryption method separately from the initial code and never\r\nwriting it to disk. 
This has the added bonus of acting as an operational guardrail, as decoupling the decryption\r\nmethod from its command-and-control (C2) server prevents future successful decryption of the corresponding\r\nPOWERSTAR payload.\r\nThe method POWERSTAR uses to achieve this is as follows:\r\n1. A malicious LNK file downloads the initial POWERSTAR script from a Backblaze B2 bucket, executed in\r\nmemory via an obfuscated call to the Invoke-Expression alias, gcm i*x (Figure 1).\r\nFigure 1. Command-line argument embedded in the original, malicious LNK file\r\n2. Various unreferenced variables containing encrypted code are present in this script alongside an unused\r\ndecryption key. This script also contains a small amount of code responsible for decoding a second\r\nBackblaze B2 URL, requesting its contents, and then decoding and executing the resulting PowerShell\r\nscript within the same PowerShell instance as the original script (Figure 2).\r\nFigure 2. Initial decode, deobfuscate, and download functions used by POWERSTAR’s first-stage script,\r\ncettj34c.txt\r\n3. This PowerShell script contains an AES decryption function, key, and initialization vector (IV) that is used\r\nby POWERSTAR to decrypt the previously referenced encrypted code. If this script is not available,\r\nPOWERSTAR crashes. This also contains a hardcoded C2 address which can either be a domain or an IP\r\naddress (Figure 3).\r\nFigure 3. PowerShell decrypt function and config produced from decrypting the contents of k24510.txt\r\n4. The decrypted code is then executed in memory within the same PowerShell instance. 
This is the primary\r\nPOWERSTAR backdoor payload.\r\nThe same general technique is repeated throughout the POWERSTAR framework, with additional modules\r\ndownloaded and executed in memory.\r\nBackdoor Analysis\r\nAt a high level, the latest version of POWERSTAR has the following features:\r\nRemote execution of PowerShell and CSharp commands and code blocks\r\nPersistence via Startup tasks, Registry Run keys, and Batch/PowerShell scripts\r\nDynamically updating configuration settings, including AES key and C2\r\nMultiple C2 channels, including cloud file hosts, attacker-controlled servers, and IPFS-hosted files\r\nCollection of system reconnaissance information, including antivirus software and user files\r\nMonitoring of previously established persistence mechanisms\r\nWhen successfully executed, the primary POWERSTAR backdoor payload collects a small amount of system\r\ninformation from the compromised machine and sends it via a POST request to the C2 address downloaded from\r\nBackblaze. For the analyzed sample, this was a subdomain on the “platform-as-a-service” provider, Clever Cloud,\r\nfuschia-rhinestone.cleverapps[.]io. Crucially, this information contains a hardcoded victim identifier token\r\nused by Charming Kitten to track distinct compromises (Figure 4).\r\nFigure 4. Initial system information and victim identifier sent via POST request to the C2\r\nThe victim identifier used by this sample is written to %APPDATA%\\Microsoft\\Windows\\npv.txt.\r\nInterestingly, while an AES key and IV are set in the original config, Volexity observed the C2 dynamically\r\nupdating the key after the initial beacon traffic. Additionally, POWERSTAR proceeds to set the IV to a random\r\nvalue, and then pass this to the C2 via the “Content-DPR” header of each request. 
In previous versions of\r\nPOWERSTAR, instead of AES, a custom cipher was used to encode data during transit. The adoption of AES\r\ncould be considered an improvement on the malware’s operation from previous versions.\r\nThe backdoor follows a predefined command structure:\r\nMultiple commands can be present in a single response.\r\nEach command in the response is separated by a special character (“¶”).\r\nEvery command has four separate fields that are separated by a special character (“~”).\r\nThe four separate fields in each command are language, Command, threadname, and startstop.\r\nThe command loop (Figure 5) helps to understand these separate fields contained in every command.\r\nFigure 5. POWERSTAR command loop\r\nPOWERSTAR can execute commands in two programming languages, PowerShell and CSharp, per the wildcard\r\nmatches in Figure 5. The subcommands available for these languages are as follows:\r\nSubcommand | Supported Language | Function\r\nstart | PowerShell, CSharp | Executes a code block in a new thread\r\nstop | PowerShell, CSharp | Executes a command via Invoke-Expression\r\ndownloadutils | PowerShell | Executes a new module in the original PowerShell instance via Invoke-Expression; used to extend the running POWERSTAR payload with new functionality\r\nModules\r\nVolexity was able to gain access to nine POWERSTAR modules. Four of these have not been previously reported;\r\none, which is used to remove forensic artifacts, is significantly expanded from previous reporting. 
A summary of\r\nthe nine modules is as follows:\r\nModule | Previously documented by Check Point? | Functionality\r\nScreenshot | Yes, but uses different APIs | Takes a screenshot and uploads to C2\r\nProcesses | Yes | Enumerates running processes via “tasklist”, saves to %appdata%\\Microsoft\\Notepad\\Processes.txt and uploads to C2\r\nShell | No | Not used in any observed sample; identifies running antivirus software, writes to Shell.txt\r\nApplications | Yes | Unchanged from Check Point report; retrieves installed programs by traversing registry key paths\r\nPersistence | No | Establishes persistence for the IPFS variant of POWERSTAR via a Registry Run key\r\nPersistence Monitor | No | Checks whether various Registry keys and files dropped by POWERSTAR components are still intact; relays this information to the C2 (Figure 6)\r\nSystem Information | Yes | Unchanged from Check Point report; executes the systeminfo command and relays information to C2\r\nFile Crawler | No, but contains functionality from previously discussed “Command Execution Module” which was not present in this version of POWERSTAR | Retrieves drives via Get-PSDrive PowerShell cmdlet, and proceeds to recursively traverse all directories to search for files matching specific extensions while ignoring certain directories; metadata on identified files is relayed to the C2\r\nCleanup | Yes, but significantly expanded and modified; two further levels have been added with references to executable malware | Discussed in detail below\r\nFor brevity, this blog post will summarize only the most significant changes to POWERSTAR; a full writeup of\r\npreviously developed modules is available in the Check Point report.\r\nShell Module\r\nThe name of this module appears to be misleading. 
While it contains code to execute arbitrary commands, in the\r\nversion received by Volexity it is never called. Instead, the module retrieves information about antivirus software\r\nrunning on the compromised machine using Get-CimInstance. The information is temporarily stored in a file\r\nnamed Shell.txt, and it is deleted once the data is sent to the C2 server. Volexity theorizes that this function\r\nmay be overwritten based on the type of identified antivirus software by subsequent modules. This pattern of\r\ndefining and then overwriting functions is used by other POWERSTAR modules.\r\nPersistence Module\r\nThis module establishes persistence for an additional POWERSTAR payload. During the observed activity, this\r\nwas the IPFS variant of POWERSTAR (discussed later in this post). This file is written to disk, and a Run key is\r\nadded to execute the file.\r\nPersistence Monitor Module\r\nThis module checks if the registry keys and files dropped by various POWERSTAR components are still intact.\r\nAll information is recorded and sent back to the C2 server. Figure 6 shows some of the persistence artifacts this\r\nmodule searches for.\r\nFigure 6. Registry keys and files searched for by the Persistence Monitor module.\r\nCleanup Module\r\nThis module has been extended since the original Check Point writeup. 
This module now contains seven\r\nhardcoded methods (named by the attacker).\r\nLevel 1: Runs the command wevtutil el which lists local logs\r\nLevel 2: Kills all malware-related processes and then deletes the corresponding files; also deletes a\r\nscheduled task that was not created by any file observed by Volexity during this investigation\r\nLevel 3: Deletes all the persistence-related registry keys and corresponding files\r\nLevel 4: Kills all processes whose executable resides in the directory %appdata%/Microsoft/Notepad,\r\nthen deletes all files recursively in this directory\r\nLevel 5: Deletes various files and kills processes related to filenames and paths, which were not observed\r\nby Volexity during the investigation. Based on this information, Volexity concludes there are modules that\r\nare only delivered in certain circumstances. Figure 7 shows some of the files and processes this module\r\nsearches for. Notably, this module searches for files with EXE and DLL extensions. Volexity did not\r\nreceive copies of these files, but it is likely they represent later stages of Charming Kitten’s toolset.\r\nFigure 7. Level 5 method of Cleanup module\r\nLevel 6: Searches for a variety of artifacts likely to be related to additional payloads that Volexity was not\r\nable to retrieve. Figure 8 shows the core code. As with Level 5, this module searches for another DLL file\r\nand attempts to stop a process named rundll32, supporting the assertion that subsequent stages are\r\nexecutable files rather than PowerShell based.\r\nFigure 8. Level 6 method of Cleanup module\r\nLevel 7: Executes all previous levels in numerical order\r\nPOWERSTAR Goes Out of This World: IPFS Variant\r\nAs described previously, the Persistence module drops another PowerShell file to disk, and writes a Run key to\r\nexecute it on system restart. 
This version is slightly different from the first analyzed POWERSTAR sample. In this\r\nversion, POWERSTAR initially tries to retrieve its C2 server by decoding a file stored on IPFS. IPFS is a\r\ndecentralized network for storing files or data. Anyone can upload a file to IPFS, and then that file can be accessed\r\nby anyone using its Content Identifier (CID). POWERSTAR contains a list of IPFS providers it tries, in series, to\r\nretrieve a hardcoded CID containing a subsequent C2 address to use. Figure 9 shows the code used to retrieve a\r\nC2 address from IPFS.\r\nFigure 9. Code used to attempt to receive a new C2 address via IPFS\r\nThis C2 address-retrieval mechanism is designed to allow the attacker to update the C2 if the original C2 is\r\nblocked or taken down. If the IPFS data is not present, the malware uses a hardcoded C2 address. This is also a\r\ngeneral twist on the use of Backblaze or AWS to host similar data files used at other points in the infection chain. For\r\nthe attacker, the main benefit of using IPFS is that their file cannot be removed by a third-party system owner\r\n(such as Google, Amazon, or Backblaze).\r\nNotably, in some cases the attacker includes sections of code that were not functional. For example, the\r\nscreenshots taken by the malware can be exfiltrated via HTTP or FTP, but the observed FTP code lacks any\r\ncredentials or remote destination to send data to.\r\nConclusion\r\nSince Volexity first observed POWERSTAR in 2021, Charming Kitten has reworked the malware to make\r\ndetection more difficult. The most significant change is the downloading of the decryption function from remotely\r\nhosted files. 
As previously discussed, this technique hinders detection of the malware outside of memory, and it\r\ngives the attacker an effective kill switch to prevent future analysis of the malware’s key functionality.\r\nVolexity regularly observes operations from Charming Kitten but finds they rarely deploy malware as part of their\r\nattacks. This sparing use of malware in their operations likely increases the difficulty of tracking their attacks. The\r\nuse of cloud-hosting providers to host both malware code and phishing content is a continued theme from\r\nCharming Kitten. The references to persistence mechanisms and executable payloads within the POWERSTAR\r\nCleanup module strongly suggest a broader set of tools used by Charming Kitten to conduct malware-enabled\r\nespionage.\r\nThe general phishing playbook used by Charming Kitten and the overall purpose of POWERSTAR remain\r\nconsistent. This suggests that Charming Kitten is successful enough not to warrant modifying these aspects of\r\ntheir operations.\r\nTo detect and investigate these attacks, Volexity recommends the following:\r\nUse the YARA rules provided here to detect related activity.\r\nBlock the IOCs provided here.\r\nIf your organization does not require use of IPFS, consider blocking the list of IPFS providers here, as they\r\ncan be abused by malware authors to host malicious files.\r\nVolexity’s Threat Intelligence research, such as the content from this blog, is published to customers via its Threat\r\nIntelligence service. This analysis was covered in TIB-20211018, TIB-20230519, and MAR-20230605.\r\nSource: https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/"
	],
	"report_names": [
		"charming-kitten-updates-powerstar-with-an-interplanetary-twist"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434024,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8545dc59c4f11ebe08f0c9af60aa25c5ae8f3c5.pdf",
		"text": "https://archive.orkl.eu/b8545dc59c4f11ebe08f0c9af60aa25c5ae8f3c5.txt",
		"img": "https://archive.orkl.eu/b8545dc59c4f11ebe08f0c9af60aa25c5ae8f3c5.jpg"
	}
}