Iran's RampantKitten spy crew were snooping on expats and dissidents for six years
Infosec outfit Check Point says it has uncovered a six-year Iranian cyber-spying campaign directed at expats and dissidents worldwide.
"The handpicked targets included supporters of Mujahedin-e Khalq and the Azerbaijan National Resistance Organization, two prominent resistance movements that advocate the liberation of Iranian people and minorities within Iran," said Check Point in its research report on RampantKitten.
The malware compromised the Telegram accounts before uploading Telegram files, as well as "any file it could find which ends with pre-defined extensions", to servers controlled by the attackers, in addition to screenshotting the Windows desktop and logging clipboard data.
One payload replaces the default Telegram updater file with malware, so the malware runs again every time Telegram is reopened.
Check Point said it found variations of the malware dating back to 2014, speculating that other publicly known attacks originating from Iran or targeting Iranian-linked victims may have come from the RampantKitten crew as well.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/09/18/iran_rampantkitten_telegram_malware/