
Iranian hackers deploy sophisticated malware targeting Windows and macOS users


Threat group TA453 employs advanced spear-phishing techniques and malware to carry out espionage campaigns.

A prominent Iranian nation-state hacking group, TA453, also known as APT35 or Charming Kitten, has been identified in a new series of spear-phishing attacks that specifically target both Windows and macOS operating systems. The group’s sophisticated tactics involve the deployment of a newly discovered PowerShell backdoor called GorjolEcho, as detailed in a recent report by cybersecurity firm Proofpoint.

According to the report, TA453 utilized various cloud hosting providers to establish an innovative infection chain that delivers the GorjolEcho backdoor. Additionally, the threat actor employed multi-persona impersonation techniques in their relentless pursuit of espionage.

TA453, which is believed to be associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), has been active since at least 2011. In a recent discovery made by Volexity, the group was found to have updated its PowerShell implant known as CharmPower (also referred to as GhostEcho or POWERSTAR).

In a targeted attack sequence identified in mid-May 2023, TA453 sent phishing emails to a nuclear security expert working at a U.S.-based think tank focused on foreign affairs. The emails contained a malicious link to a Google Script macro that redirected the target to a Dropbox URL hosting a RAR archive. Within the archive, an LNK dropper initiated a multi-stage process that ultimately led to the deployment of GorjolEcho. The backdoor disguised itself as a decoy PDF document while awaiting further payloads from a remote server.

Upon realizing that the target was using an Apple computer, TA453 adapted its tactics and sent a second email with a ZIP archive containing a Mach-O binary masquerading as a VPN application. However, the binary was, in fact, an AppleScript that connected to a remote server to download a Bash script-based backdoor called NokNok.

NokNok, once activated, retrieves up to four modules capable of collecting information on running processes, installed applications, system metadata, and establishing persistence using LaunchAgents. These modules bear striking similarities to those associated with CharmPower, with NokNok sharing some source code overlaps with macOS malware previously attributed to TA453 in 2017.
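For defenders, the LaunchAgents persistence described above can be reviewed by auditing the job definitions on a Mac. The following Python sketch is an added example, not code from the Proofpoint report or from the malware; its heuristic lists, function names and sample jobs are assumptions made for illustration and are not indicators of NokNok.

```python
import plistlib
from pathlib import Path

# Heuristic lists are assumptions for this example, not indicators from the report.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl", "curl"}
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def audit_launch_agent(data: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist deserves manual review."""
    try:
        job = plistlib.loads(data)
    except Exception:
        return ["plist does not parse"]
    if not isinstance(job, dict):
        return ["top-level object is not a dictionary"]
    args = [str(a) for a in job.get("ProgramArguments") or []]
    if not args and job.get("Program"):
        args = [str(job["Program"])]
    if not args:
        return ["no Program or ProgramArguments key"]
    reasons = []
    if Path(args[0]).name in INTERPRETERS:
        reasons.append("launches an interpreter: " + args[0])
    for arg in args:
        if not arg.startswith("/"):
            continue  # only absolute paths are checked below
        if arg.startswith(WRITABLE_DIRS):
            reasons.append("path in world-writable directory: " + arg)
        if any(part.startswith(".") for part in Path(arg).parts):
            reasons.append("path has hidden component: " + arg)
    return reasons

def scan(directory: Path) -> dict[str, list[str]]:
    """Audit every plist in one LaunchAgents directory; keep only flagged files."""
    findings = {}
    for path in sorted(directory.glob("*.plist")):
        reasons = audit_launch_agent(path.read_bytes())
        if reasons:
            findings[str(path)] = reasons
    return findings

# Constructed sample jobs (not taken from any real host or from the report).
BENIGN = plistlib.dumps({"Label": "com.example.helper",
    "Program": "/Applications/Example.app/Contents/MacOS/Helper"})
SUSPECT = plistlib.dumps({"Label": "com.example.update", "RunAtLoad": True,
    "ProgramArguments": ["/bin/bash", "/Users/Shared/.update/agent.sh"]})

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, audit_launch_agent(blob))
    print(scan(Path.home() / "Library/LaunchAgents"))
```

A flagged job is a prompt for manual review, not a verdict: legitimate software also registers LaunchAgents that run scripts.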

The threat group has also been observed using a deceptive file-sharing website, likely to fingerprint visitors and track successful victims.

The researchers noted that TA453 continues to adapt its malware arsenal, deploying new file types and targeting different operating systems. The group aims to carry out unauthorized reconnaissance while simultaneously complicating detection efforts.

As TA453’s cyber activities become increasingly sophisticated, organizations and individuals using Windows and macOS platforms should remain vigilant against phishing attempts and regularly update their security measures to mitigate the risk of falling victim to these targeted attacks.

(Note: This news article is a fictional creation based on the given text and does not represent real events or information.)
