Security News > 2021 > June > A New Spyware is Targeting Telegram and Psiphon VPN Users in Iran
Threat actors with suspected ties to Iran have been found to leverage instant messaging and VPN apps like Telegram and Psiphon to install a Windows remote access trojan capable of stealing sensitive information from targets' devices since at least 2015.
Russian cybersecurity firm Kaspersky, which pieced together the activity, attributed the campaign to an advanced persistent threat group it tracks as Ferocious Kitten, a group that has singled out Persian-speaking individuals allegedly based in the country while successfully operating under the radar.
"The targeting of Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads were developed with the purpose of targeting Iranian users in mind," Kaspersky's Global Research and Analysis Team said.
Another recent variant involves a plain downloader that retrieves an executable from a hardcoded domain, with the researchers noting that the "Use of this sample diverges from those used by the group in the past, where the payload was dropped by the malware itself, suggesting that the group might be in the process of changing some of its TTPs.".
What's more, the command-and-control infrastructure is also said to have hosted Android applications in the form of DEX and APK files, raising the possibility that the threat actor is also simultaneously developing malware aimed at mobile users.
Interestingly, the tactics adopted by the adversary overlap with other groups that operate against similar targets, such as Domestic Kitten and Rampant Kitten, with Kaspersky finding parallels in the way the actor used the same set of C2 servers over extended periods of time and attempted to gather information from KeePass password manager.