The Iranian-linked threat actor TA453 (also known as Charming Kitten) has been observed launching a sophisticated phishing attack using a PowerShell-based malware toolkit dubbed “BlackSmith.”
The campaign, observed by Proofpoint, began in July 2024 and targeted a prominent Jewish figure through a series of emails spoofing the Institute for the Study of War (ISW).
Social Engineering Tactics
Posing as the ISW’s Research Director, TA453 invited the target to participate in a podcast, a tactic aimed at building trust. Once rapport was established, the group sent a malicious link disguised as a legitimate podcast URL, ultimately delivering the BlackSmith malware.
“TA453 uses many different social engineering techniques to try and convince targets to engage with malicious content,” Proofpoint explained.
“Like multi-persona impersonation, sending legitimate links to a target and referencing a real podcast from the spoofed organization can build user trust. When a threat actor builds a connection with a target over time before delivering the malicious payload, it increases the likelihood of exploitation.”
BlackSmith Malware Capabilities
BlackSmith is a modular PowerShell Trojan designed to collect intelligence and exfiltrate sensitive data. This malware represents an evolution of previous TA453 toolsets, streamlining various functions into a single script, dubbed “AnvilEcho.” AnvilEcho performs tasks such as network communication, data encryption and reconnaissance, all while evading detection by antivirus software.
Proofpoint’s analysis shows that the BlackSmith malware includes multiple stages, from an initial infection vector using a malicious LNK file to the deployment of AnvilEcho. This PowerShell Trojan is capable of advanced activities, including file exfiltration, screenshot capture and even potential audio recording.
According to Proofpoint, TA453’s campaign underscores the group’s continued focus on espionage and intelligence gathering, likely in support of the Iranian government. The report highlights the group’s ability to adapt and refine its techniques, posing a significant threat to organizations and individuals worldwide.
Read more on state-sponsored hacking: Russia’s FSB Behind Massive Phishing Espionage Campaign
“While Proofpoint analysts cannot link TA453 directly to individual members of the Islamic Revolutionary Guard Corps (IRGC), Proofpoint does continue to assess that TA453 operates in support of the IRGC, specifically the IRGC Intelligence Organization (IRGC-IO),” the firm wrote.
“This assessment is based on a variety of evidence, including overlaps in unit numbering between Charming Kitten reports and IRGC units.”