In December 2021, TAG discovered a novel Charming Kitten tool, named HYPERSCRAPE, used to steal user data from Gmail, Yahoo!, and Microsoft Outlook accounts. The attacker runs HYPERSCRAPE on their own machine to download victims’ inboxes using previously acquired credentials. TAG has seen it deployed against fewer than two dozen accounts located in Iran. The oldest known sample is from 2020, and the tool is still under active development. TAG has taken actions to re-secure these accounts and has notified the victims through its Government Backed Attacker Warnings.
ADVERSARY: Charming Kitten
MALWARE FAMILY: HYPERSCRAPE
ATT&CK IDS: T1566 - Phishing, T1127 - Trusted Developer Utilities Proxy Execution, T1114 - Email Collection, T1136 - Create Account