IRGC-Linked Hackers Package Modular Malware in Monolithic Trojan

Published: 23/11/2024   Category: security




Charming Kitten goes retro and consolidates its backdoor into a tighter package, abandoning the malware framework trend.



A state-level Iranian APT is turning back the clock by consolidating its modular backdoor into a monolithic PowerShell Trojan.
Recently, TA453 (aka APT42, CharmingCypress, Mint Sandstorm, Phosphorus, Yellow Garuda), which overlaps broadly with Charming Kitten, executed a phishing attack against an Israeli rabbi. Masquerading as the research director of the Institute for the Study of War (ISW), the group engaged with the religious leader over email, inviting him to feature on a fake podcast.
At the end of its infection chain, TA453 delivered its victim the newest in its line of modular PowerShell backdoors. This time, though, unlike in prior campaigns, the group bundled its entire malware package into a single script.
"This is the first time I have personally seen malware that's been modular, in many different pieces, then consolidated into one piece," says Josh Miller, threat researcher at Proofpoint, which published a blog about the case on Tuesday.
Around a half decade ago, a major new trend spread among malware authors. Taking a page from legitimate software developers — who, at the time, were increasingly adopting microservices architectures in place of monolithic ones — bad guys began to design their malicious tools not as single files, but as frameworks with pluggable parts.
The flexibility of modular malware offered a variety of benefits. Hackers could now more easily fine-tune the same malware for different targets by simply adding and dropping components ad hoc, even after an infection had already taken place.
"Modular malware is kind of neat, because I can start with just the core functionality," says Steven Adair, founder of Volexity. "Then once I've validated the target machine is actually real and not a researcher's sandbox system, I can push down additional tooling and functions."
Its newest backdoor, dubbed AnvilEcho, is a successor to the group's previous espionage tools: GorjolEcho/PowerStar, TAMECURL, MischiefTut, and CharmPower. The difference: rather than parts sold separately, all of AnvilEcho's component parts come squished into a single PowerShell Trojan. Why?
"You could have a backdoor that has literally every feature under the sun, but sometimes that may raise the size of the malware download, and it may be better detected," Adair says. Besides taking up a smaller footprint, malware delivered in more disparate chunks can also confuse analysts who see only the trees, not the forest.
On the other hand, monolithic malware is simpler to deploy. And in the course of its attack on the Israeli rabbi, TA453 compensated for any resultant lack of secrecy in all kinds of other ways along its attack path.
"In the past," Miller explains, "we've seen that after getting a response back from someone, TA453 just immediately sends an attachment which loads malware. Now they're sending a ZIP file that has an LNK inside of it, that then deploys all of these additional stages too. It seems almost unnecessarily complicated in some ways."
He adds that, this time, "It wasn't deployed until they'd already known that the target was engaging with them, and willing to click on links and download stuff from file sharing websites and enter passwords into files. I think they had confidence that the malware would be run when delivered."
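A small defensive check for the delivery step described above (a ZIP archive carrying an LNK shortcut), added here as an example; it is not code from Proofpoint or from the article. It inspects each archive member by its Shell Link header bytes as well as by extension, so a shortcut whose name hides the extension is still flagged; the sample archive and its member names are constructed in memory for the demonstration.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x0000004C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in its little-endian on-disk layout.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")


def find_lnk_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members that are Windows shortcuts.

    A member is flagged if its first 20 bytes match the Shell Link header or
    if its name ends in .lnk, so neither a renamed shortcut nor an empty
    placeholder with the right extension slips past the check.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC or info.filename.lower().endswith(".lnk"):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real capture): a decoy text file,
    a shortcut with a double extension, and a shortcut renamed to hide it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invitation.txt", "Podcast invitation (decoy text)")
        # Only the header is real; the rest is zero filler with no target or arguments.
        zf.writestr("Podcast Details.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("notes.dat", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_lnk_members(build_sample_zip()):
        print(f"shortcut inside archive: {name}")
```

Pointing `find_lnk_members` at a real attachment quarantined by a mail gateway gives a quick triage signal; a shortcut inside a ZIP sent to a user who never asked for one is worth a closer look.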
Ultimately, when it comes to bundling versus separating malware components, "There's not necessarily a super pro or con to one or the other — both approaches work fine," Adair says.
