GORBLE

GORBLE is a multi-stage PowerShell-based malware variant associated with the Iran-based threat group GreenCharlie. The reported framework includes GORBLE, TAMECAT, and POWERSTAR, and is described as using layered obfuscation, layered decryption, and in-memory execution to evade detection. In the documented execution chain, an initial stage decodes a hardcoded URL and downloads a second-stage script; a subsequent stage exposes a function referred to as KeyMaster or Borjol through Base64 decoding and a bitwise NOT operation, then uses AES with a hard-coded key and IV to decrypt an embedded data blob. Unlike TAMECAT and POWERSTAR, which reportedly execute decrypted payloads with Invoke-Expression, GORBLE is specifically described as executing decrypted payloads via ScriptBlock.Create. A later stage performs initial command-and-control by collecting victim OS and computer name, formatting that host data as JSON, encrypting it with AES, Base64-encoding it, and sending it via HTTP POST to the C2 server. GreenCharlie has used this malware ecosystem in cyber-espionage and phishing operations active since at least 2020 and continuing through late 2024, supported by rapidly rotated infrastructure and lure-themed domains registered through commercial registrars and DDNS providers. Reported lure and infrastructure examples tied to the broader GreenCharlie activity include activeeditor[.]info, webviewerpage[.]info, documentcloudeditor.ddnsgeek[.]com, coldwarehexahash.dns-dynamic[.]net, uptime-timezone.dns-dynamic[.]net, and translatorupdater.dns-dynamic[.]net; documentcloudeditor.ddnsgeek[.]com was observed resolving to 38.180.146[.]174 and hosting a PhishTest portal. The activity is mapped in the source content to MITRE ATT&CK techniques including T1566.002 (spearphishing link), T1059.001 (PowerShell), T1568 (dynamic resolution), T1583.001 (acquire infrastructure: domains), and T1665 (hide infrastructure).