Google’s Threat Analysis Group (TAG) shared details about a novel tool used by an Iran-linked state-sponsored threat actor known as APT35 or Charming Kitten to steal data from Gmail, Yahoo!, and Microsoft Outlook accounts.
Dubbed “Hyperscrape,” the tool is written in .NET for Windows PCs and is designed to run on the attacker’s own machine, downloading victims’ inboxes with previously obtained credentials. First spotted in December 2021, Hyperscrape is said to be under active development. The TAG team says the malware was deployed against fewer than two dozen accounts located in Iran.
“Hyperscrape requires the victim’s account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired,” TAG said.
Once the attacker is logged in, the tool changes the account’s language setting to English and walks through the contents of the mailbox, downloading each message individually as an .eml file and marking it unread again. After the inbox has been downloaded, the malware reverts the language setting to its original value and deletes any security notification emails from Google.
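The sequence just described (language switched to English, many individual message downloads, language switched back, Google security alerts deleted) is a usable behavioural signature for defenders who have mailbox audit logs. The following is an added detection example, not code from Google TAG or from the original article. It assumes audit events have been normalised into dicts with the keys `ts`, `user`, `action` and `detail`; the action names, the alert sender address and the thresholds are assumptions for illustration and would need mapping onto your provider’s real log schema (for example Google Workspace audit logs or the Microsoft 365 unified audit log).

```python
"""Behavioural detection for the Hyperscrape-style inbox scrape.

Constructed example; it is not Google TAG's code. Event schema, action
names, sender address and thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sender of Google's security alert emails (placeholder; adjust to
# the alert senders relevant in your environment).
SECURITY_ALERT_SENDERS = {"no-reply@accounts.google.com"}

# Tuning assumptions, not figures from the TAG report.
BULK_DOWNLOAD_THRESHOLD = 20
WINDOW = timedelta(hours=2)


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_scrape_sequence(events):
    """Return one finding per user whose audit trail shows, within WINDOW:

      1. display language changed to English,
      2. at least BULK_DOWNLOAD_THRESHOLD individual message downloads,
      3. language changed back to something other than English,
      4. at least one deleted message from a security-alert sender.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if not (ev["action"] == "language_changed" and ev["detail"] == "en"):
                continue
            start = _parse(ev["ts"])
            downloads = deleted_alerts = 0
            reverted = False
            for later in evs[i + 1:]:
                if _parse(later["ts"]) - start > WINDOW:
                    break
                if later["action"] == "message_downloaded":
                    downloads += 1
                elif later["action"] == "language_changed" and later["detail"] != "en":
                    reverted = True
                elif (later["action"] == "message_deleted"
                      and later["detail"] in SECURITY_ALERT_SENDERS):
                    deleted_alerts += 1
            if downloads >= BULK_DOWNLOAD_THRESHOLD and reverted and deleted_alerts:
                findings.append({
                    "user": user,
                    "started": ev["ts"],
                    "downloads": downloads,
                    "deleted_alerts": deleted_alerts,
                })
    return findings


def build_sample_events():
    """Constructed audit events: one account matching the pattern, one not."""
    victim, normal = "victim@example.com", "normal@example.com"
    events = [{"ts": "2021-12-01T10:00:00", "user": victim,
               "action": "language_changed", "detail": "en"}]
    for m in range(1, 26):  # 25 single-message downloads
        events.append({"ts": f"2021-12-01T10:{m:02d}:00", "user": victim,
                       "action": "message_downloaded", "detail": f"msg-{m}"})
    events.append({"ts": "2021-12-01T10:30:00", "user": victim,
                   "action": "language_changed", "detail": "fa"})
    events.append({"ts": "2021-12-01T10:31:00", "user": victim,
                   "action": "message_deleted",
                   "detail": "no-reply@accounts.google.com"})
    # A user who merely changes language and reads a few messages.
    events.append({"ts": "2021-12-01T11:00:00", "user": normal,
                   "action": "language_changed", "detail": "en"})
    for m in range(1, 4):
        events.append({"ts": f"2021-12-01T11:{m:02d}:00", "user": normal,
                       "action": "message_downloaded", "detail": f"msg-{m}"})
    return events


if __name__ == "__main__":
    for finding in detect_scrape_sequence(build_sample_events()):
        print(finding)
```

The detector deliberately requires all four steps together: a language change or a burst of downloads on its own is common benign behaviour, whereas the combination with a revert and deletion of security notifications within a short window is what distinguishes the tooling described above. In practice the download step would be matched on whatever your provider logs for per-message fetches (IMAP/API reads or exports), and the window and threshold tuned against baseline activity.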
Additional technical details, as well as Indicators of Compromise (IoCs) associated with the threat, can be found in Google’s report here.