Charming Kitten goes retro and consolidates its backdoor into a tighter package, abandoning the malware framework trend.
August 20, 2024 By Nate Nelson
A state-level Iranian APT is turning back the clock by consolidating its modular backdoor into a monolithic PowerShell Trojan.
Recently, TA453 (aka APT42, CharmingCypress, Mint Sandstorm, Phosphorus, Yellow Garuda), which overlaps broadly with Charming Kitten, executed a phishing attack against an Israeli rabbi. Masquerading as the research director of the Institute for the Study of War (ISW), the group engaged with the religious leader over email, inviting him to feature on a fake podcast.
At the end of its infection chain, TA453 delivered its victim the newest in its line of modular PowerShell backdoors. This time, though, unlike in prior campaigns, the group bundled its entire malware package into a single script.
