Detailed: Here's How Iran Spies on Dissidents with the Help of Hackers (Security News, February 2021)
Twin cyber operations conducted by state-sponsored Iranian threat actors demonstrate their continued focus on compiling detailed dossiers on Iranian citizens who could threaten the stability of the Islamic Republic, including dissidents, opposition forces, ISIS supporters, and Kurdish natives.
Tracing the extensive espionage operations to two advanced Iranian cyber groups, Domestic Kitten and Infy, cybersecurity firm Check Point revealed new evidence of their ongoing activity, which involves a revamped malware toolset as well as tricking unwitting users into downloading malicious software disguised as popular apps.
Check Point spotted four active Domestic Kitten campaigns, the most recent of which began in November 2020. The actor, also tracked as APT-C-50, has been found to use a wide variety of cover apps, including VIPRE Mobile Security, Exotic Flowers, and Iranian Woman Ninja, to distribute a piece of malware called FurBall.
The November operation is no different: it uses a fake app for Mohsen Restaurant, located in Tehran, to achieve the same objective, luring victims into installing the app through multiple vectors: SMS messages with a link to download the malware, an Iranian blog that hosts the payload, and shares via Telegram channels.
First discovered in May 2016 by Palo Alto Networks, Infy's renewed activity in April 2020 marks a continuation of the group's cyber operations that have targeted Iranian dissidents and diplomatic agencies across Europe for over a decade.
"The operators of these Iranian cyber espionage campaigns seem to be completely unaffected by any counter-activities done by others, even though they were revealed and even stopped in the past - they simply don't stop," said Yaniv Balmas, head of cyber research at Check Point.