An Iranian government-backed hacking group known as Charming Kitten has updated its malware arsenal to include an email inbox scraping tool, proof of the group’s dedication to developing and maintaining purpose-built capabilities.
Google’s Threat Analysis Group on Tuesday described how the tool, dubbed Hyperscrape, works. According to Google, the hackers run it on their own machines, using previously acquired credentials to download emails from victim inboxes and then delete the activity from the application.
Charming Kitten is also known as Phosphorus, TA453, APT35, Cobalt Illusion, ITG18 and Yellow Garuda. It has spied on journalists and activists since at least 2013.
Google first stumbled on the tool in December 2021, although the oldest known sample dates from the year before. Hyperscrape has been deployed against fewer than two dozen Iranian user accounts. “We have taken actions to re-secure these accounts and have notified the victims through our Government Backed Attacker Warnings,” Google security engineer Ajax Bash says.