S0674: CharmPower
CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.[1]
Analyst context for executives and security teams
CharmPower is a Windows PowerShell-based modular backdoor documented by MITRE as used by Magic Hound since at least 2022. Its mapped behaviors span execution, discovery, command-and-control, collection, exfiltration, registry activity, and cleanup. For leaders, the decision value is that this is not just a malware name: it represents a post-compromise operating pattern where PowerShell, WMI, web traffic, registry access, local data discovery, screenshots, and file transfer can determine whether an intrusion is visible early or only after data loss.
Executive priority
Prioritize validation of Windows endpoint and network visibility for PowerShell-heavy intrusions, especially where sensitive data, regulated systems, or high-value users are present. Because ATT&CK provides no official detection text for this object, executives should ask whether current SOC coverage is technique-based rather than malware-name-based: PowerShell execution, WMI use, registry modification, discovery commands, web-based C2, fallback channels, and exfiltration over C2 or unencrypted non-C2 protocols. This also supports audit and incident readiness by proving that telemetry exists before an investigation depends on it.
Technical view
CharmPower is mapped to Windows and uses techniques including PowerShell, Windows Command Shell, WMI, registry query and modification, system/network/process/software/file discovery, Wi-Fi discovery, screen capture, ingress tool transfer, web protocols, web services, dead drop resolver behavior, fallback channels, standard encoding, deobfuscation/decoding, file deletion, and exfiltration over C2 or unencrypted non-C2 protocols. SOC and IR teams should validate behavior-level analytics across these mapped techniques rather than relying on a specific signature. Key pivots include unusual PowerShell invocation, encoded or decoded script content, WMI execution, registry reads/writes, discovery command bursts, unexpected screenshot activity, tool downloads, outbound web traffic to unusual or newly observed services, and data transfer patterns consistent with exfiltration.
Likely telemetry
- Windows process creation telemetry for powershell.exe, cmd.exe, WMI-related processes, and discovery utilities
- PowerShell script block, module, and command-line logging where available
- Windows Management Instrumentation event telemetry and remote/local WMI execution evidence
- Windows Registry access and modification events, especially suspicious query or persistence-related changes
- Endpoint file system telemetry for tool transfer, staging, screenshot files, local data collection, and file deletion
Detection direction
- Build detections around the mapped ATT&CK techniques because the official object provides no detection guidance.
- Correlate PowerShell execution with discovery activity, registry access, WMI use, file staging, and outbound web communications to reduce false positives from normal administration.
- Tune PowerShell detections carefully: administrative scripts can look similar, so prioritize unusual parent processes, encoded commands, unexpected network connections, rare destinations, and execution by non-administrative users.
- Review network detections for common blind spots: web-based C2, legitimate web service abuse, fallback channels, and standard encoding can blend into normal outbound traffic.
- Validate that registry query and modification events are retained long enough for incident response; registry-only evidence may be lost if endpoint logging is incomplete.
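The correlation idea in the second and third bullets, as an added example that is not from this page or from MITRE: it takes Sysmon-style process-creation events (constructed sample data, fields `ts`, `host`, `parent`, `cmd` are assumptions) and alerts only when several distinct discovery categories mapped to CharmPower on this page (`tasklist`, `netsh wlan show profiles`, `wmic`, `Uninstall` registry enumeration) fire under a PowerShell parent inside one short window, so a lone administrative `tasklist` does not alert.

```python
"""Correlate PowerShell-parented discovery bursts over constructed process events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One category per discovery behaviour this page maps to CharmPower.
DISCOVERY = {
    "process":  re.compile(r"\btasklist\b", re.I),
    "wifi":     re.compile(r"\bnetsh\s+wlan\s+show\s+profiles?\b", re.I),
    "wmi":      re.compile(r"\bwmic\b", re.I),
    "software": re.compile(r"\breg(\.exe)?\s+query\b.*\bUninstall\b", re.I),
}

def categorize(event):
    """Discovery category for a powershell.exe-parented process, else None."""
    if not event["parent"].lower().endswith("powershell.exe"):
        return None
    for name, pattern in DISCOVERY.items():
        if pattern.search(event["cmd"]):
            return name
    return None

def discovery_bursts(events, window=timedelta(minutes=5), min_categories=3):
    """Return {host: sorted categories} where >= min_categories distinct
    discovery categories occur within one sliding window on that host."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat = categorize(ev)
        if cat:
            per_host[ev["host"]].append((ev["ts"], cat))
    alerts = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - start <= window}
            if len(cats) >= min_categories:
                alerts[host] = sorted(cats)
                break
    return alerts

def _ev(ts, host, parent, cmd):  # helper to build a constructed event
    return {"ts": datetime.fromisoformat(ts), "host": host, "parent": parent, "cmd": cmd}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample: WS-17 shows a burst; ADMIN-02 is routine administration.
SAMPLE_EVENTS = [
    _ev("2022-01-11T09:00:01", "WS-17", PS, "tasklist"),
    _ev("2022-01-11T09:00:03", "WS-17", PS, "netsh wlan show profiles"),
    _ev("2022-01-11T09:00:04", "WS-17", PS, "wmic os get Caption,Version"),
    _ev("2022-01-11T09:00:06", "WS-17", PS, r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"'),
    _ev("2022-01-11T09:10:00", "ADMIN-02", PS, "tasklist /svc"),
    _ev("2022-01-11T09:20:00", "ADMIN-02", CMD, "wmic product get name"),
]
```

Discovery run from inside PowerShell cmdlets (for example registry reads through `Get-ItemProperty`) never spawns a child process, so script block logging, not process creation, is the source for that part of the behaviour.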
Mitigation priorities
- Establish baseline controls for Windows scripting: restrict unnecessary PowerShell use, enable relevant logging, and monitor encoded or obfuscated command execution.
- Limit unnecessary WMI and command shell use through least privilege and administrative access controls.
- Harden egress controls so outbound web traffic, web services, and unencrypted protocols are not implicitly trusted from all endpoints.
- Ensure endpoint protection and EDR policies preserve process, script, registry, file, and network evidence needed for post-compromise investigation.
- Apply least privilege to reduce access to sensitive local files, registry areas, and administrative tooling.
Analyst notes and limits
The strongest operational takeaway is the breadth of behaviors mapped to this malware: execution through PowerShell/cmd/WMI, discovery, C2 resilience, web service use, collection, exfiltration, registry activity, decoding, and cleanup. The relationship to Magic Hound is supplied by MITRE, but local relevance should be assessed against the organization’s threat model, exposed Windows estate, high-value users, and telemetry maturity.
MITRE provides no official detection text for CharmPower in the supplied object. The object platform is Windows, while several related techniques list broader ATT&CK platforms; this take treats CharmPower operationally as Windows-supported based on the malware object. No claim is made about current exploitation, customer exposure, guaranteed detection, or indicators beyond the supplied ATT&CK fields, external reference, and relationships.
CharmPower
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1112 | Modify Registry | CharmPower can remove persistence-related artifacts from the Registry. [1] |
| Enterprise | T1082 | System Information Discovery | CharmPower can enumerate the OS version and computer name on a targeted system. [1] |
| Enterprise | T1518 | Software Discovery | CharmPower can list the installed applications on a compromised host. [1] |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | CharmPower can send victim data via FTP with credentials hardcoded in the script. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography | CharmPower can send additional modules over C2 encrypted with a simple substitution cipher. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | CharmPower can decrypt downloaded modules prior to execution. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST. [1] |
| Enterprise | T1102.001 | Dead Drop Resolver | CharmPower can retrieve C2 domain information from actor-controlled S3 buckets. [1] |
| Enterprise | T1083 | File and Directory Discovery | CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer. [1] |
| Enterprise | T1016.002 | Wi-Fi Discovery | CharmPower can use `netsh wlan show profiles` to list specific Wi-Fi profile details. [1] |
| Enterprise | T1059.001 | PowerShell | CharmPower can use PowerShell for payload execution and C2 communication. [1] |
| Enterprise | T1070.004 | File Deletion | CharmPower can delete created files from a compromised system. [1] |
| Enterprise | T1071.001 | Web Protocols | CharmPower can use HTTP to communicate with C2. [1] |
| Enterprise | T1008 | Fallback Channels | CharmPower can change its C2 channel once every 360 loops by retrieving a new domain from the actors' S3 bucket. [1] |
| Enterprise | T1057 | Process Discovery | CharmPower has the ability to list running processes through the use of `tasklist`. [1] |
| Enterprise | T1102 | Web Service | CharmPower can download additional modules from actor-controlled Amazon S3 buckets. [1] |
| Enterprise | T1005 | Data from Local System | CharmPower can collect data and files from a compromised host. [1] |
| Enterprise | T1059.003 | Windows Command Shell | The C# implementation of the CharmPower command execution module can use |
| Enterprise | T1016 | System Network Configuration Discovery | CharmPower has the ability to use |
| Enterprise | T1113 | Screen Capture | CharmPower has the ability to capture screenshots. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | CharmPower has the ability to download additional modules to a compromised host. [1] |
| Enterprise | T1132.001 | Standard Encoding | CharmPower can send additional modules over C2 encoded with base64. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | CharmPower can use `wmic` to gather information from a system. [1] |
| Enterprise | T1012 | Query Registry | CharmPower has the ability to enumerate `Uninstall` registry values. [1] |
Groups, software, and campaigns
G0059: Magic Hound
Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 1669be2068d3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Check Point APT35 CharmPower January 2022: Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
[2] MITRE ATT&CK source record: mitre-attack S0674.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.