CharmingCypress: Innovating Persistence
ID: c656e276-5a7b-5c96-9b45-c875bacc155d
STIX ID: report--c656e276-5a7b-5c96-9b45-c875bacc155d
Feed Name: Volexity Blog
Volexity documents targeted CharmingCypress spear-phishing campaigns that employ sophisticated social engineering and technical TTPs—including fake webinar portals and malware-laden VPN clients—to deploy multiple backdoors (POWERLESS, NOKNOK, BASICSTAR, POWERSTAR, EYEGLASS). The report describes infection chains (RAR+LNK, staged PowerShell/.NET components), persistence and exfiltration capabilities, C2 domains and file hashes, and memory-forensic evidence of active compromise against journalists, policy experts, and research organizations.
