{
  "name": "GreenCharlie Infrastructure Linked to US Political Campaign Targeting",
  "slug": "greencharlie-infrastructure-linked-to-us-political-campaign-targeting",
  "description": "An analysis by Insikt Group revealed a significant surge in cyber threat activity from GreenCharlie, an Iran-linked group associated with Mint Sandstorm, Charming Kitten, and APT42. The group persistently targets US political and governmental entities through sophisticated phishing operations involving malware such as GORBLE and POWERSTAR. Its infrastructure relies on dynamic DNS providers and deceptively themed domain names to facilitate phishing attacks. Recorded Future's Network Intelligence identified Iran-based IP addresses communicating with GreenCharlie's infrastructure, further suggesting Iranian involvement in these operations.",
  "published": "2024-08-21T08:48:13+00:00",
  "created_at": "2024-08-21T08:48:13+00:00",
  "modified_at": "2024-08-21T09:00:41+00:00",
  "created_at_opencti": "2024-08-21T08:48:13+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-08-21",
    "apt",
    "espionage",
    "gorble",
    "iran",
    "malware",
    "phishing",
    "powerstar"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.232.105.185"
      },
      {
        "id": "",
        "name": "94.74.175.209"
      },
      {
        "id": "",
        "name": "54.39.143.112"
      },
      {
        "id": "",
        "name": "5.106.202.101"
      },
      {
        "id": "",
        "name": "5.106.219.243"
      },
      {
        "id": "",
        "name": "5.106.185.98"
      },
      {
        "id": "",
        "name": "5.106.169.235"
      },
      {
        "id": "",
        "name": "5.106.153.245"
      },
      {
        "id": "",
        "name": "38.180.91.213"
      },
      {
        "id": "",
        "name": "38.180.146.252"
      },
      {
        "id": "",
        "name": "38.180.146.214"
      },
      {
        "id": "",
        "name": "38.180.146.212"
      },
      {
        "id": "",
        "name": "38.180.146.194"
      },
      {
        "id": "",
        "name": "38.180.146.174"
      },
      {
        "id": "",
        "name": "38.180.123.234"
      },
      {
        "id": "",
        "name": "38.180.123.187"
      },
      {
        "id": "",
        "name": "38.180.123.231"
      },
      {
        "id": "",
        "name": "38.180.123.135"
      },
      {
        "id": "",
        "name": "38.180.123.113"
      },
      {
        "id": "",
        "name": "37.148.63.24"
      },
      {
        "id": "",
        "name": "193.111.236.130"
      },
      {
        "id": "",
        "name": "185.241.61.86"
      },
      {
        "id": "",
        "name": "172.86.77.85"
      },
      {
        "id": "",
        "name": "94.74.145.184"
      },
      {
        "id": "",
        "name": "93.119.48.60"
      },
      {
        "id": "",
        "name": "146.70.95.251"
      },
      {
        "id": "",
        "name": "37.1.194.250"
      },
      {
        "id": "",
        "name": "37.255.251.17"
      },
      {
        "id": "",
        "name": "www.selfpackage.info"
      },
      {
        "id": "",
        "name": "www.chatsynctransfer.info"
      },
      {
        "id": "",
        "name": "worldstate.duia.us"
      },
      {
        "id": "",
        "name": "viewdestination.vpndns.net"
      },
      {
        "id": "",
        "name": "vector.kozow.com"
      },
      {
        "id": "",
        "name": "uptimezonemetadta.run.place"
      },
      {
        "id": "",
        "name": "uptime-timezone.dns-dynamic.net"
      },
      {
        "id": "",
        "name": "translatorupdater.dns-dynamic.net"
      },
      {
        "id": "",
        "name": "tracedestination.duia.eu"
      },
      {
        "id": "",
        "name": "towerreseller.dns-dynamic.net"
      },
      {
        "id": "",
        "name": "timezone-update.duckdns.org"
      },
      {
        "id": "",
        "name": "timelinepage.dns-dynamic.net"
      },
      {
        "id": "",
        "name": "thisismydomain.chickenkiller.com"
      },
      {
        "id": "",
        "name": "thisismyapp.accesscam.org"
      },
      {
        "id": "",
        "name": "termsstatement.duckdns.org"
      },
      {
        "id": "",
        "name": "synctimezone.dns-dynamic.net"
      },
      {
        "id": "",
        "name": "streaml23.duia.eu"
      },
      {
        "id": "",
        "name": "storageprovider.duia.eu"
      },
      {
        "id": "",
        "name": "sourceusedirection.mypi.co"
      },
      {
        "id": "",
        "name": "softservicetel.ddns.net"
      },
      {
        "id": "",
        "name": "sharestoredocs.theworkpc.com"
      },
      {
        "id": "",
        "name": "smartview.dns-dynamic.net"
      },
      {
        "id": "",
        "name": "searchstatistics.duckdns.org"
      },
      {
        "id": "",
        "name": "reviewedition.duia.eu"
      },
      {
        "id": "",
        "name": "readquickarticle.dns-dynamic.net"
      },
      {
        "id": "",
        "name": "realpage.redirectme.net"
      },
      {
        "id": "",
        "name": "preparingdestination.fixip.org"
      },
      {
        "id": "",
        "name": "nextcloudzone.dns-dynamic.net"
      },
      {
        "id": "",
        "name": "overflow.duia.eu"
      },
      {
        "id": "",
        "name": "nextcloud.duia.us"
      },
      {
        "id": "",
        "name": "mobiletoolssdk.dns-dynamic.net"
      },
      {
        "id": "",
        "name": "longlivefreedom.ddns.net"
      },
      {
        "id": "",
        "name": "linereview.duia.eu"
      },
      {
        "id": "",
        "name": "lineeditor.mypi.co"
      },
      {
        "id": "",
        "name": "lineeditor.32-b.it"
      },
      {
        "id": "",
        "name": "lineeditor.001www.com"
      },
      {
        "id": "",
        "name": "joincloud.mypi.co"
      },
      {
        "id": "",
        "name": "joincloud.duckdns.org"
      },
      {
        "id": "",
        "name": "icenotebook.ddns.net"
      },
      {
        "id": "",
        "name": "hugmefirstddd.ddns.net"
      },
      {
        "id": "",
        "name": "highlightsreview.line.pm"
      },
      {
        "id": "",
        "name": "finaledition.redirectme.net"
      },
      {
        "id": "",
        "name": "filereader.dns-dynamic.net"
      },
      {
        "id": "",
        "name": "entryconfirmation.duckdns.org"
      },
      {
        "id": "",
        "name": "editioncloudfiles.dns-dynamic.net"
      },
      {
        "id": "",
        "name": "dynamictranslator.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "dynamicrender.line.pm"
      },
      {
        "id": "",
        "name": "documentcloudeditor.ddnsgeek.com"
      },
      {
        "id": "",
        "name": "doceditor.duckdns.org"
      },
      {
        "id": "",
        "name": "dev.cheap-case.site"
      },
      {
        "id": "",
        "name": "destinationzone.duia.eu"
      },
      {
        "id": "",
        "name": "demo.cheap-case.site"
      },
      {
        "id": "",
        "name": "continueresource.forumz.info"
      },
      {
        "id": "",
        "name": "continue.duia.eu"
      },
      {
        "id": "",
        "name": "coldwarehexahash.dns-dynamic.net"
      },
      {
        "id": "",
        "name": "contentpreview.redirectme.net"
      },
      {
        "id": "",
        "name": "cloudtools.duia.eu"
      },
      {
        "id": "",
        "name": "callfeedback.duia.ro"
      },
      {
        "id": "",
        "name": "backend.cheap-case.site"
      },
      {
        "id": "",
        "name": "api.cheap-case.site"
      },
      {
        "id": "",
        "name": "api.overall-continuing.site"
      },
      {
        "id": "",
        "name": "app.cheap-case.site"
      },
      {
        "id": "",
        "name": "webviewerpage.info"
      },
      {
        "id": "",
        "name": "selfpackage.info"
      },
      {
        "id": "",
        "name": "admin.cheap-case.site"
      },
      {
        "id": "",
        "name": "projectdrivevirtualcloud.co.uk"
      },
      {
        "id": "",
        "name": "researchdocument.info"
      },
      {
        "id": "",
        "name": "realcloud.info"
      },
      {
        "id": "",
        "name": "pkglessplans.xyz"
      },
      {
        "id": "",
        "name": "personalcloudparent.info"
      },
      {
        "id": "",
        "name": "personalwebview.info"
      },
      {
        "id": "",
        "name": "onetimestorage.info"
      },
      {
        "id": "",
        "name": "onlinecloudzone.info"
      },
      {
        "id": "",
        "name": "messagepending.info"
      },
      {
        "id": "",
        "name": "itemselectionmode.info"
      },
      {
        "id": "",
        "name": "directfileinternal.info"
      },
      {
        "id": "",
        "name": "cloudregionpages.info"
      },
      {
        "id": "",
        "name": "activeeditor.info"
      },
      {
        "id": "",
        "name": "cloudarchive.info"
      },
      {
        "id": "",
        "name": "chatsynctransfer.info"
      },
      {
        "id": "",
        "name": "c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3"
      },
      {
        "id": "",
        "name": "4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f"
      },
      {
        "id": "",
        "name": "33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:1ebd0f388c60e6f8",
        "name": "GORBLE",
        "slug": "gorble"
      },
      {
        "id": "legacy:malware:c151cb35b346c32b",
        "name": "POWERSTAR",
        "slug": "powerstar"
      }
    ],
    "intrusion_sets": [
      {
        "id": "af559d5d-9ae8-4830-a08a-dcc5b98a00a0",
        "name": "GreenCharlie",
        "slug": "greencharlie"
      }
    ],
    "attack_patterns": [
      {
        "id": "ab179192-1c1a-4b7d-9792-b608a9459b71",
        "name": "T1591"
      },
      {
        "id": "4bbdf41c-817c-448a-9513-aaea6bfbe8b4",
        "name": "T1568"
      },
      {
        "id": "7616ff60-a18f-4663-9824-b889aa01c8ce",
        "name": "T1588"
      },
      {
        "id": "9c5a20d1-0df9-4e99-bcc5-0b731a78b5d1",
        "name": "T1608"
      },
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "74d5f31c-5e2d-4aed-b8b9-4fabdde76dfa",
        "name": "T1598"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "e46a9411-d2a1-47c9-8820-c7f818f4c0b5",
        "name": "T1203"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/66c5c5edc799c5e0235f4152"
  ]
}