GreenCharlie Infrastructure Linked to US Political Campaign Targeting
· Published 21/08/2024 10:48 · Modified 21/08/2024 11:00
Essential information
Description
An analysis by Insikt Group revealed a significant surge in cyber threat activities from GreenCharlie, an Iran-linked group associated with Mint Sandstorm, Charming Kitten, and APT42. The group persistently targets US political and governmental entities through sophisticated phishing operations involving malware like GORBLE and POWERSTAR. Their infrastructure employs dynamic DNS providers and deceptive domain themes to facilitate phishing attacks. Recorded Future's Network Intelligence identified Iran-based IP addresses communicating with GreenCharlie's infrastructure, further suggesting Iranian involvement in these operations.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Observables (111)
Intrusion sets (APT) (1)
Techniques (MITRE) (12)
- Gather Victim Org Information
- Dynamic Resolution
- Obtain Capabilities
- Stage Capabilities
- Trusted Relationship
- Phishing for Information
- Service Stop
- Data Encrypted for Impact
- Exploitation for Client Execution
- User Execution
- Phishing
- Proxy
Malware (2)
Others (3)
- United States of America
- Technology
- Government