GreenCharlie
GreenCharlie is an Iran-based advanced persistent threat (APT) group engaged in cyber-espionage and phishing operations. The source reports the group as active since at least 2020 and still active through late 2024.

Beginning in May 2024 the group expanded its infrastructure by registering numerous dynamic DNS (DDNS) domains themed to mimic legitimate cloud, document, and authentication services, which supports targeted phishing and rapid infrastructure turnover. The source specifically notes the use of commercial registrars including Namecheap; DDNS providers including Dynu, DNSEXIT, Vitalwerks, Cloud DNS, FreeDNS, and Dia Systems; and TLDs including .info, .xyz, .icu, .network, .online, and .site. Example lure domains include activeeditor[.]info, webviewerpage[.]info, and documentcloudeditor.ddnsgeek[.]com; example DDNS domains include coldwarehexahash.dns-dynamic[.]net, uptime-timezone.dns-dynamic[.]net, and translatorupdater.dns-dynamic[.]net.

The group’s malware framework is described as a multi-stage PowerShell toolset with variants named GORBLE, TAMECAT, and POWERSTAR. It evades detection through layered obfuscation, Base64 decoding, bitwise transformation, AES decryption with hard-coded keying material, and in-memory execution. The execution chain consists of an initial downloader/decoder, a decryptor/executor referred to as KeyMaster or Borjol, and a C2 beacon. TAMECAT and POWERSTAR reportedly execute decrypted payloads via Invoke-Expression, while GORBLE uses ScriptBlock.Create. The final stage collects host details including the operating system and computer name, formats them as JSON, encrypts and Base64-encodes the data, and exfiltrates it via HTTP POST to command-and-control infrastructure.
The content maps GreenCharlie activity to MITRE ATT&CK techniques including T1583.001 (Acquire Infrastructure: Domains), T1566.002 (Phishing: Spearphishing Link), T1059.001 (Command and Scripting Interpreter: PowerShell), T1568 (Dynamic Resolution), and T1665 (Hide Infrastructure). Telemetry cited in the content links infrastructure usage to Iranian IP addresses and to communications involving privacy services including ProtonVPN and Proton Mail, which the source assesses as deliberate operational concealment. No aliases or sub-groups beyond the name GreenCharlie are provided in the content.
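The execution chain above (Base64 decode, bitwise transform, AES decrypt, then Invoke-Expression or ScriptBlock.Create) is what PowerShell ScriptBlock logging exposes to defenders. The following is an added detection example written for this page, not code from the source report or from any vendor: it maps Event ID 4104 script text to the described stages and flags blocks that chain an in-memory execution primitive with at least two decode/decrypt stages. The regexes are this example's own heuristics and the sample events are constructed.

```python
import re

# Stages of the described GreenCharlie PowerShell chain, each paired with regexes
# for the PowerShell constructs that usually implement it. These patterns are
# this example's own heuristics, not indicators taken from the source report.
STAGE_PATTERNS = {
    "base64_decode":     [r"FromBase64String"],
    "bitwise_transform": [r"-b(xor|and|or)\b", r"-sh[lr]\b"],
    "aes_decrypt":       [r"Aes(Managed|CryptoServiceProvider)", r"CreateDecryptor"],
    "in_memory_exec":    [r"Invoke-Expression", r"\biex\b", r"\[ScriptBlock\]::Create"],
    "host_recon":        [r"Win32_OperatingSystem", r"\$env:COMPUTERNAME", r"ConvertTo-Json"],
    "http_post":         [r"-Method\s+Post\b", r"\.Upload(String|Data)\("],
}
DECODE_STAGES = {"base64_decode", "bitwise_transform", "aes_decrypt"}


def classify_script_block(text: str) -> dict:
    """Return the chain stages found in one ScriptBlock text (Event ID 4104) and
    whether they form the multi-stage pattern: an in-memory execution primitive
    plus two or more decode/decrypt stages, which admin scripts rarely chain."""
    stages = [stage for stage, pats in STAGE_PATTERNS.items()
              if any(re.search(p, text, re.IGNORECASE) for p in pats)]
    suspicious = "in_memory_exec" in stages and len(DECODE_STAGES.intersection(stages)) >= 2
    return {"stages": stages, "suspicious": suspicious}


def triage(events: list) -> list:
    """Return (event index, stages) for every 4104 event that trips the rule."""
    flagged = []
    for i, event in enumerate(events):
        if event.get("event_id") != 4104:      # only ScriptBlock logging events
            continue
        result = classify_script_block(event["script"])
        if result["suspicious"]:
            flagged.append((i, result["stages"]))
    return flagged


# Constructed sample events standing in for ScriptBlock logging output.
SAMPLE_EVENTS = [
    {"event_id": 4104,   # routine inventory: recon-like but no decode/exec chain
     "script": "Get-CimInstance Win32_OperatingSystem | ConvertTo-Json"},
    {"event_id": 4104,   # config loader: a lone Base64 decode is common and benign
     "script": "$cfg = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b))"},
    {"event_id": 4104,   # the layered chain: decode, XOR, AES, then IEX of the result
     "script": ("$d = [Convert]::FromBase64String($blob); $x = $d | % { $_ -bxor 0x5A }; "
                "$aes = New-Object System.Security.Cryptography.AesManaged; IEX $plain")},
    {"event_id": 4103,   # module logging event, out of scope for this rule
     "script": "Invoke-Expression $x; [Convert]::FromBase64String($y); -bxor"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only the third event; tuning the stage threshold per environment trades recall for fewer hits on legitimate scripts that decode configuration blobs.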