Iranian hackers have established a new network aimed at targeting U.S. political campaigns.

Cybersecurity researchers have discovered new network infrastructure established by Iranian threat actors to facilitate activities associated with the recent targeting of U.S. political campaigns.

The Insikt Group from Recorded Future has attributed this infrastructure to a threat group known as GreenCharlie, which is connected to other Iran-based cyber groups such as APT42, Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda.

According to the cybersecurity company, “GreenCharlie’s infrastructure is carefully designed, using dynamic DNS (DDNS) providers such as Dynu, DNSEXIT, and Vitalwerks to register domains for phishing attacks.”

These domains often use misleading themes related to cloud services, file sharing, and document viewing to trick victims into disclosing sensitive information or downloading malicious software.

Some examples include terms like “cloud,” “uptimezone,” “doceditor,” “joincloud,” and “pageviewer.” Most of the domains have been registered with the .info top-level domain (TLD), marking a change from previously observed TLDs like .xyz, .icu, .network, .online, and .site.

GreenCharlie has a history of conducting highly targeted phishing attacks that use extensive social engineering to spread malware such as POWERSTAR (also known as CharmPower and GorjolEcho) and GORBLE, which was recently identified by Mandiant (a Google company) in campaigns against Israel and the U.S.

GORBLE, TAMECAT, and POWERSTAR are considered to be variants of the same malware family, which consists of evolving PowerShell implants deployed by GreenCharlie over time. Notably, Proofpoint has detailed a POWERSTAR successor called BlackSmith, which was used in a spear-phishing attack against a prominent Jewish figure in late July 2024.

The infection process typically involves multiple stages, starting with gaining initial access through phishing, followed by establishing communication with command-and-control (C2) servers, and eventually exfiltrating data or delivering additional malicious payloads.

Recorded Future’s findings reveal that GreenCharlie registered numerous DDNS domains starting in May 2024, with the company also identifying communications between Iranian IP addresses (38.180.146[.]194 and 38.180.146[.]174) and GreenCharlie infrastructure between July and August 2024.

Additionally, a direct connection has been found between GreenCharlie clusters and C2 servers associated with GORBLE. It is believed that these operations are conducted using Proton VPN or Proton Mail to conceal their activities.
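The infrastructure traits described above (DDNS hosting, lure keywords such as "cloud" and "doceditor", the shift to .info, and the two reported IP addresses) translate directly into a DNS-log triage rule. The following Python is an added example, not code from Recorded Future or from the article; the log format, the `DDNS_PARENTS` list and the sample log lines are constructed placeholders, while the keywords, TLDs and IP addresses come from the report. A single weak signal (a legitimate hostname containing "cloud") is deliberately not enough to raise a hit; a known IOC address is.

```python
import re
from ipaddress import ip_address

# IOC IPs named in the report (refanged from 38.180.146[.]194 and 38.180.146[.]174)
IRANIAN_IOC_IPS = {"38.180.146.194", "38.180.146.174"}

# Lure keywords the report observed in GreenCharlie DDNS hostnames
LURE_KEYWORDS = ("cloud", "uptimezone", "doceditor", "joincloud", "pageviewer")

# TLDs the report associates with the group; .info is the current preference
SUSPECT_TLDS = (".info", ".xyz", ".icu", ".network", ".online", ".site")

# Constructed placeholders: a real deployment would load the DDNS providers'
# published parent domains here (these are NOT taken from the report).
DDNS_PARENTS = ("ddns-example.info", "dyn-example.net")

# Constructed resolver log format: timestamp, client, queried name, answer IP
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)


def score_domain(domain):
    """Return the list of weak signals a queried hostname triggers."""
    reasons = []
    d = domain.lower().rstrip(".")
    if any(d.endswith("." + parent) for parent in DDNS_PARENTS):
        reasons.append("ddns-parent")
    if any(keyword in d for keyword in LURE_KEYWORDS):
        reasons.append("lure-keyword")
    if d.endswith(SUSPECT_TLDS):  # str.endswith accepts a tuple of suffixes
        reasons.append("suspect-tld")
    return reasons


def triage(lines):
    """Flag log lines with a known IOC IP, or at least two corroborating signals."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or unrelated line
        reasons = score_domain(match["qname"])
        try:
            if str(ip_address(match["answer"])) in IRANIAN_IOC_IPS:
                reasons.append("ioc-ip")
        except ValueError:
            pass  # answer was not an IP literal (e.g. CNAME or NXDOMAIN)
        if "ioc-ip" in reasons or len(reasons) >= 2:
            hits.append((match["qname"], match["answer"], reasons))
    return hits


# Constructed sample log lines for demonstration
SAMPLE_LOG = [
    "2024-07-14T09:12:01Z client=10.0.0.5 query=joincloud-pageviewer.ddns-example.info answer=38.180.146.194",
    "2024-07-14T09:12:05Z client=10.0.0.7 query=docs.example.com answer=93.184.216.34",
    "2024-07-14T09:13:11Z client=10.0.0.9 query=doceditor-share.dyn-example.net answer=198.51.100.23",
    "2024-07-14T09:14:00Z client=10.0.0.4 query=cloud.corp-example.org answer=203.0.113.8",
    "this line is not a resolver record",
]

if __name__ == "__main__":
    for qname, answer, reasons in triage(SAMPLE_LOG):
        print(f"{qname} -> {answer}: {', '.join(reasons)}")
```

Only the two constructed DDNS hostnames are reported; the internal "cloud" host carries a single keyword signal and is left alone, which is the trade-off a practitioner has to make before turning a keyword list from a threat report into an alert.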

“GreenCharlie’s phishing operations are highly targeted, often leveraging social engineering techniques that take advantage of current events and political tensions,” Recorded Future stated.

“The group has registered numerous domains since May 2024, many of which are likely intended for phishing activities. These domains are tied to DDNS providers, enabling rapid changes in IP addresses, making it difficult to trace the group’s actions.”

This revelation comes amid an increase in Iranian cyber attacks against the U.S. and other international targets. Earlier this week, Microsoft disclosed that various sectors in the U.S. and the U.A.E. are being targeted by an Iranian threat actor known as Peach Sandstorm (also called Refined Kitten).

Furthermore, U.S. government agencies reported that another Iranian state-backed hacking group, Pioneer Kitten, has been operating as an initial access broker (IAB), facilitating ransomware attacks on the education, finance, healthcare, defense, and government sectors in the U.S., in collaboration with NoEscape, RansomHouse, and BlackCat groups.
