GORBLE and POWERSTAR: New Backdoors Unleashed on US Government
The Insikt Group team has observed a significant surge in activity from the GreenCharlie group, targeting political and governmental entities in the United States. This group’s operations intersect with another Iranian group, APT42, and include sophisticated phishing campaigns designed to deliver the GORBLE and POWERSTAR backdoors.
Since June 2024, Insikt Group experts have been monitoring the infrastructure associated with GreenCharlie. This group employs custom-designed domains, registered with dynamic DNS (DDNS) providers, to conduct their phishing attacks. These domains are often disguised as legitimate cloud storage, file-sharing, and document visualization services, enabling the group to access confidential information and distribute malicious files.
GreenCharlie is linked to several malware programs, most notably POWERSTAR (also tracked as CharmPower and GorjolEcho) and GORBLE. These programs are designed for espionage operations delivered through spear-phishing campaigns. According to Mandiant, GORBLE and POWERSTAR are different variants of the same malware family, used for unauthorized data access and subsequent exfiltration.
GreenCharlie’s use of dynamic DNS infrastructure allows hackers to rapidly change IP addresses, complicating efforts to track their activities. The group also heavily relies on social engineering, exploiting current events and political tensions to lure victims.
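A defender-side check for the infrastructure pattern described above (dynamic-DNS names styled as cloud storage, file-sharing or document-viewer services, whose resolved addresses change over time), written as an added example that is not part of the Insikt Group report. The resolver-log format, the sample lines and the DDNS suffix list are constructed assumptions, not indicators from the report.

```python
import re
from collections import defaultdict

# Assumption: DDNS provider suffixes a defender chooses to monitor; extend to taste.
DDNS_SUFFIXES = {"duckdns.org", "ddns.net", "no-ip.org", "dynu.com"}
# Terms echoing the cloud-storage / file-sharing / document-viewer lure themes.
LURE_TERMS = ("cloud", "drive", "share", "file", "doc", "view", "download")
# Constructed resolver-log format: "<ts> <client> <qname> <answer_ip>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)$")

def ddns_suffix(qname):
    """Return the monitored DDNS suffix qname sits under, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # start at 1: the bare suffix itself is not a finding
        cand = ".".join(labels[i:])
        if cand in DDNS_SUFFIXES:
            return cand
    return None

def analyze_dns_log(lines, churn_threshold=2):
    """Flag DDNS-hosted lookalike names and names whose answers churn across the log."""
    findings = []
    answers = defaultdict(set)               # qname -> distinct answer IPs seen
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                         # skip malformed lines rather than crash
        ts, client, qname, ip = m.groups()
        suffix = ddns_suffix(qname)
        if suffix is None:
            continue
        host = qname.lower()[: -len(suffix) - 1]   # the labels the registrant chose
        answers[qname].add(ip)
        if any(term in host for term in LURE_TERMS):
            findings.append((ts, client, qname, "ddns_lookalike"))
    for qname, ips in answers.items():       # rapid re-pointing shows up as many answers
        if len(ips) >= churn_threshold:
            findings.append(("*", "*", qname, f"ip_churn:{len(ips)}"))
    return findings

SAMPLE_LOG = [   # constructed sample lines, not real telemetry
    "2024-06-12T09:14:03Z 10.0.4.21 secure-cloud-docs.duckdns.org 203.0.113.7",
    "2024-06-12T09:15:10Z 10.0.4.21 www.example.com 93.184.216.34",
    "2024-06-12T11:02:44Z 10.0.4.38 secure-cloud-docs.duckdns.org 198.51.100.9",
    "2024-06-12T11:03:01Z 10.0.4.38 fileshare-viewer.ddns.net 198.51.100.9",
    "2024-06-12T11:05:22Z 10.0.4.40 homelab.dynu.com 192.0.2.5",
]
if __name__ == "__main__":
    for finding in analyze_dns_log(SAMPLE_LOG):
        print(*finding)
```

The plain `homelab.dynu.com` query is left alone: DDNS use by itself is common and benign, so the check only fires when a lure-themed label or answer churn is also present.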
Insikt Group has identified several Iranian IP addresses interacting with GreenCharlie’s infrastructure. The use of ProtonVPN and ProtonMail services further suggests attempts to conceal their activities, a common tactic among Iranian hacking groups.
GreenCharlie’s phishing attacks are highly targeted, aimed at extracting data or installing GORBLE and POWERSTAR, which are deployed in multiple stages. After successful phishing, the backdoors establish communication with C2 servers for data extraction or downloading additional modules.
Researchers speculate that GreenCharlie conducts phishing attacks on behalf of the Islamic Revolutionary Guard Corps (IRGC). Experts note that GreenCharlie’s victims include research and policy analysts, government officials, diplomats, and high-value strategic targets. While Insikt Group has not found direct evidence of attacks on U.S. government officials or political campaign staff, open-source analysis “has established credible links.”
Insikt Group specialists point out that Iranian cyber spies have long been recognized as masters of information campaigns aimed at interfering in U.S. elections and influencing domestic political agendas. Such operations continue, aiming to bolster or undermine the standing of election candidates, influence voter behavior, and sow societal discord.