Researchers at cybersecurity firm Check Point have unravelled an ongoing surveillance operation by Iranian entities who have used multiple tools including an Android backdoor that extracts two-factor authentication (2FA) codes from SMS messages and records the phone's voice surroundings. The hacking group, nicknamed Rampant Kitten by Check Point, largely managed to keep the operations under the radar for at least six years.
The hackers have been taking advantage of multiple attack vectors to spy on their victims, attacking victims' personal computers and mobile devices, and their supposedly private, secure communications via Telegram and other social networks, Check Point said in a blog post on Friday.
According to Check Point, the tools deployed by the hacking group appear to be mainly used against Iranian minorities, anti-regime organisations and resistance movements such as Association of Families of Camp Ashraf and Liberty Residents (AFALR), Azerbaijan National Resistance Organization and Balochistan residents.
Among the different attacks, Check Point found were four variants of Windows info stealers intended to steal victims' personal documents as well as access their Telegram Desktop and KeePass (an open-source password manager) account information.
The tool and methods used by the threat actors also included an Android backdoor mentioned earlier and malicious Telegram phishing pages, distributed using fake Telegram service accounts.
"Since most of the targets we identified are Iranian nationals, it appears that in common with other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regime," said the blog post.