In mid-May 2023, TA453 (also known publicly as Charming Kitten, APT42, Mint Sandstorm and Yellow Garuda) sent a benign conversation lure, masquerading as a senior fellow with the Royal United Services Institute (RUSI), to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The email solicited feedback on a project called "Iran in the Global Security Context" and requested permission to send a draft for review. The initial email also mentioned participation from other well-known nuclear security experts whom TA453 has previously masqueraded as, and offered an honorarium.

TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho. When given the opportunity, TA453 ported its malware and attempted to launch an Apple-flavored infection chain that Proofpoint calls NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest.
Link to full Proofpoint report: IR-23-189-001_TA453.pdf