Iranian Group Found Spying on Dissidents

An Iran-linked group, named Rampant Kitten by researchers, has been discovered targeting anti-regime organizations in a campaign that has likely been running since 2014.

The primary targets include supporters of Mujahedin-e Khalq (MEK) and the Azerbaijan National Resistance Organization, two prominent resistance movements that advocate the liberation of Iranian people and minorities within Iran. These targets, together with WHOIS records suggesting that associated malicious websites had been registered by Iranian individuals, and the discovery of one registrant’s email address linked to Iranian hacking forums, are enough for the Check Point researchers to conclude that Rampant Kitten is an Iranian group, which itself implies a link to the Iranian government. Its purpose is to seek intelligence on members of the dissident groups and their activities.

The attack vectors used in the campaign, which has largely remained under the radar for six years, include four variants of Windows infostealers (stealing documents, and Telegram Desktop and KeePass account information); an Android backdoor used to steal 2FA codes from SMS messages and take voice recordings; and Telegram phishing pages distributed using fake Telegram service accounts. 

The campaign was initially uncovered by the discovery of a document targeting the MEK in Albania. The MEK had originally been headquartered in Iraq, but following mounting political tensions had moved to Albania. The malicious document uses an external template downloaded from a remote server. The template contains a macro that executes a batch script that attempts to download the next stage payload. The payload checks to see if Telegram is installed, and if so, extracts three additional executables from its resources. These are the Loader, which injects the main payload into explorer.exe; an infostealer payload; and updater.exe, which is a modified Telegram updater.

The last provides a unique persistence mechanism, based on Telegram’s internal update procedure. Periodically, the malware copies the Telegram main executable into ‘Telegram Desktop\tupdates’. This triggers an update procedure for the Telegram application once it starts. However, the default updater file (Telegram Desktop\Updater.exe) has already been amended, most notably to run the payload again.
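A defender-side check for the two artifacts this persistence trick leaves behind, written here as an added example rather than code from Check Point or the article: it flags an Updater.exe whose hash is not in a baseline recorded from clean installs, and a file staged under tupdates that is byte-identical to the Telegram.exe already installed (a genuine update stages a newer build). The default install path and the hash allowlist are assumptions; no real Telegram hash is hard-coded.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed default Telegram Desktop location on Windows; the checks take any
# directory so they can also run over a forensic copy of the folder.
DEFAULT_INSTALL = Path.home() / "AppData" / "Roaming" / "Telegram Desktop"

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def inspect_telegram_dir(install_dir: Path, known_good_updater: set[str]) -> list[str]:
    """Return findings for one install directory.

    known_good_updater: SHA-256 hashes of Updater.exe recorded from clean installs,
    an allowlist the defender maintains (assumption: it is kept current per build).
    """
    findings = []
    updater = install_dir / "Updater.exe"
    if updater.is_file() and sha256_of(updater) not in known_good_updater:
        findings.append(f"Updater.exe not in baseline: {updater}")
    main_exe = install_dir / "Telegram.exe"
    tupdates = install_dir / "tupdates"
    if main_exe.is_file() and tupdates.is_dir():
        current = sha256_of(main_exe)
        # A staged 'update' identical to the installed binary matches the
        # re-trigger behaviour described above, not a real version bump.
        for staged in tupdates.rglob("*"):
            if staged.is_file() and sha256_of(staged) == current:
                findings.append(f"staged update identical to installed Telegram.exe: {staged}")
    return findings

def demo(tampered: bool = True) -> list[str]:
    """Build a constructed install directory in a temp folder and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tupdates").mkdir()
        (root / "Telegram.exe").write_bytes(b"constructed telegram binary")
        (root / "Updater.exe").write_bytes(b"constructed updater binary")
        baseline = {sha256_of(root / "Updater.exe")}  # recorded while clean
        if tampered:
            (root / "tupdates" / "Telegram.exe").write_bytes(b"constructed telegram binary")
            (root / "Updater.exe").write_bytes(b"constructed updater binary + payload")
        return inspect_telegram_dir(root, baseline)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

A tupdates folder on its own is not an indicator, since Telegram's legitimate updater uses it too; the hash comparison against the installed binary is what separates the two cases.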

Analysis of this payload led to the discovery of multiple variants dating back to 2014. This uncovered further websites operated by the same group. Some of these websites hosted phishing pages impersonating Telegram. Surprisingly, this phishing attack seems to have been known to Iranian Telegram users — several Iranian Telegram channels sent out warnings against the phishing sites, claiming that the Iranian regime is behind them. The channels suggested that the phishing messages were sent by a Telegram bot. The messages warned the recipients that they were making improper use of Telegram’s services, and that their account would be blocked if they did not enter the phishing link.

The researchers also discovered a malicious Android app tied to the same attack group. The app masquerades as a service to help Persian speakers in Sweden get their driver’s license. Two versions have been discovered — one apparently compiled as a test version, and the other the release version to be deployed on the target device.

The Android backdoor can steal existing SMS messages; forward 2FA SMS messages to a phone number provided by the attacker-controlled C&C server; retrieve personal information like contacts and accounts details; initiate a voice recording of the phone’s surroundings; perform Google account phishing; and retrieve device information such as installed applications and running processes. 

Lotem Finkelsteen, Manager of Threat Intelligence at Check Point, commented, “After conducting our research, several things stood out. First, there is a striking focus on instant messaging surveillance. Although Telegram is un-decryptable, it is clearly hijackable. Instant messaging surveillance, especially on Telegram, is something everyone should be cautious and aware of. Second, the mobile, PC and web phishing attacks were all connected to the same operation. These operations are managed according to intelligence and national interests, as opposed to technological challenges.”

Rampant Kitten appears to have been running this campaign largely undetected for at least six years. The targets seem to be dissidents associated with a number of anti-regime Iranian groups. It seems almost certain that this is another example of Iranian threat actors — quite possibly with some affiliation to the Iranian regime — collecting intelligence on potential opponents to the regime. 

Related: U.S. Charges Three Iranian Hackers for Attacks on Satellite Companies 

Related: Iran-Linked Hackers Accidentally Exposed 40 GB of Their Files 

Related: Iran Says US Vote Hack Allegation ‘Absurd’ 

Related: Google Says Iran-Linked Hackers Targeted WHO

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
