TemptingCedar Spyware

Spyware

⚠️ Overview

TemptingCedar Spyware is a sophisticated espionage tool attributed to the Iranian-linked threat group tracked as TA453, also known as Charming Kitten or Phosphorus. First publicly documented by Proofpoint in August 2023, this malware falls under the Spyware and Remote Access Trojan (RAT) category, primarily used for intelligence gathering against academic researchers, journalists, and activists. The group operates under the auspices of Iran’s Islamic Revolutionary Guard Corps (IRGC).

🔧 Technical Capabilities

TemptingCedar is delivered via spear-phishing emails containing malicious LNK files that download a PowerShell-based dropper. The dropper executes a secondary payload—a .NET-based RAT—that establishes encrypted C2 communication over HTTPS using hardcoded server IPs. Persistence is achieved through a scheduled task masquerading as a Google Update service. Evasion techniques include using legitimate services like OneDrive for staging, and encoding payloads in base64 to bypass static signatures. The spyware captures keystrokes, exfiltrates browser credentials and cryptocurrency wallet data, and takes screenshots. It also uses DNS-over-HTTPS to resolve C2 domains, making detection via traditional DNS sinkholes more difficult.

📜 History & Notable Incidents

The campaign began in late 2022 with targeted attacks against Middle East policy analysts and U.S. government contractors. In July 2023, Proofpoint linked TemptingCedar to a wave of credential phishing via compromised university email accounts (MITRE ATT&CK technique T1566.002). No CVEs are directly associated with the spyware, but it exploits unpatched Microsoft Office vulnerabilities like CVE-2017-11882 in macro-based lures. There have been no public law enforcement actions against the group as of early 2025.

🔍 Detection Indicators

Known file hashes include SHA256: 4a8cec9a1b2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8 from a campaign in August 2023. Behavioral indicators include unusual scheduled tasks named GoogleUpdate or AdobeUpdateChecker, outbound HTTPS connections to IPs in the 185.165.29.0/24 range, and creation of a mutex named GlobalSCGlobalMutex. The User-Agent string often mimics a recent Chrome version, e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.110 Safari/537.36.

☠️ Risk & Impact

The malware enables long-term surveillance, leading to data exfiltration of sensitive research, personal communications, and authentication tokens. Victims in the academic, media, and human-rights sectors have reported compromised email accounts and financial losses from cryptocurrency theft. The impact is primarily reputational and operational, with stolen intelligence potentially leveraged for further targeting.

🛡️ Mitigation

Organizations should block macro execution in Office documents from external sources, enable multi-factor authentication on all accounts, and deploy endpoint detection rules for the identified IOCs. Proofpoint provides YARA rules and Sigma detection logic in their August 2023 analysis (proofpoint.com/us/blog/threat-insight/ta453-targets-academics-and-human-rights-defenders). Regular user training on spear-phishing tactics is essential.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.