Iran-Linked Hackers Expand Arsenal With New Android Backdoor

The Iran-linked hacking group named Charming Kitten has added a new Android backdoor to its arsenal and successfully compromised individuals associated with the Iranian reformist movement, according to security researchers with IBM’s X-Force threat intelligence team.

Also tracked as Phosphorus, TA435, and ITG18, Charming Kitten has been active since at least 2011, targeting government organizations, journalists, activists, and various other entities, including the World Health Organization (WHO) and presidential campaigns.

Last year, the group accidentally exposed approximately 40 GB of videos and other content associated with its operations, including training videos on how to exfiltrate data from online accounts, and clips detailing the successful compromise of certain targets.

Between August 2020 and May 2021, it conducted successful attacks against targets aligned with the Iranian reformist movement, but also continued to make various operational security errors, IBM reveals.

Dubbed LittleLooter, the recently discovered Android backdoor appears to be exclusive to Charming Kitten, providing the threat actor with extensive information-stealing capabilities, including video and live screen recording, placing phone calls, file upload/download, voice call recording, GPS data gathering, device information harvesting, browser history harvesting, connectivity manipulation, contact information stealing, picture snapping, and retrieving SMS and call list details.

The observed activity, IBM says, aligns with the group’s “long-standing operations against Iranian citizens of interest.” As part of the activity, the hackers “exfiltrated roughly 120 gigabytes of information from approximately 20 individuals aligned with the Reformist movement in Iran,” using legitimate utilities associated with the hacked accounts.

IBM says it did not observe how the group compromised the targeted accounts, but believes that LittleLooter or phishing/social engineering might have been employed to harvest account credentials from the targets. The stolen information includes photos, contact lists, conversations, and group memberships.

“The information X-Force has gleaned on ITG18’s activity, in conjunction with the training videos X-Force found in the summer of 2020, continues to paint a picture of a threat actor that likely leverages a considerable number of personnel. This is underpinned by how manual and labor-intensive ITG18 operations appear to be, from gaining initial access to individual victim accounts to carefully reviewing exfiltrated data,” IBM notes.

The security researchers point out that the group often goes beyond just sending phishing messages to its victims, attempting to chat, call, and even video conference with the victims, which suggests hands-on work from numerous operators.

This year, IBM discovered more than 60 servers employed by the group to host over 100 phishing domains, suggesting a large number of victims. What the researchers couldn’t estimate, however, is how many operators the group has.

“X-Force alone has observed almost 2 terabytes of compressed exfiltrated data on publicly accessible ITG18 servers since 2018. This likely represents only a small portion of the data actually stolen by this adversary,” IBM notes.

Written by Ionut Arghire, an international correspondent for SecurityWeek.