"Charming Kitten APT Wields New Scraper to Steal Email Inboxes"

Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, is using a new data-scraping tool to download emails from victims' Gmail, Yahoo!, and Microsoft Outlook accounts using previously acquired credentials, according to Google researchers. Google's Threat Analysis Group (TAG) discovered the HYPERSCRAPE tool last December and has been tracking it since then. The threat actor poses as a legitimate user by using a hijacked authenticated user session or stolen credentials, and then runs the scraper to download victims' inboxes. The tool spoofs the user agent to appear as an outdated browser, enabling the basic HTML view in Gmail by displaying an error message. If the attacker is unable to access the account, the tool displays a login page where the attacker must manually enter credentials in order to proceed, with HYPERSCRAPE waiting until it finds the victim's inbox page. HYPERSCRAPE appears to have existed since 2020, when the first samples were discovered. Charming Kitten, also known as Phosphorus and a variety of other names, is still actively developing the tool. So far, attacks have been limited to a few dozen Iranian accounts. The APT group, believed to be backed by the Iranian government, first gained notoriety in 2018 and has been extremely active in recent years. It is best known for targeted cyber espionage attacks on politicians, journalists, human-rights activists, researchers, scholars, and think tanks. This article continues to discuss the Charming Kitten APT and its use of the HYPERSCRAPE tool.

Dark Reading reports "Charming Kitten APT Wields New Scraper to Steal Email Inboxes"
