Recent cyber operations attributed to state-sponsored Iranian threat actors underline a sustained focus on collecting sensitive information on individuals that may jeopardize the stability of the Islamic Republic. The targets include dissidents, opposition forces, supporters of ISIS, and Kurdish natives, as evidenced by two coordinated cyber campaigns.

The latest findings from cybersecurity firm Check Point link these espionage activities to two advanced Iranian cyber organizations known as Domestic Kitten (APT-C-50) and Infy. Check Point reports that both groups are actively deploying revised malware tools and utilizing social engineering techniques to mislead users into downloading harmful software disguised as legitimate applications.

According to Check Point researchers, these groups have maintained prolonged cyber campaigns, monitoring both mobile and personal computing devices of their targets. The operators are reportedly adept at adapting to the evolving cybersecurity landscape, continually seeking new vulnerabilities and attack methodologies to maintain the efficacy of their operations.

Despite overlaps in target selection and data gathering, these threat actors are believed to operate independently. Check Point emphasizes that the “synergistic effect” of utilizing different attack vectors against the same targets enhances their overall impact.

Domestic Kitten Imitates a Local Tehran Application

Active since 2016, Domestic Kitten specializes in attacking specific demographics via malicious Android applications designed to harvest sensitive information, including SMS, call logs, photos, videos, and device location data. The most recent campaign, started in November 2020, leverages deceptive apps to distribute malware known as FurBall.

This latest operation exploits a counterfeit app associated with a Tehran-based restaurant, enticing potential victims through multiple channels, including SMS links, misleading blogs, and Telegram channels. The campaign has reportedly targeted approximately 1,200 individuals across Iran, the United States, and several European and Asian countries, resulting in over 600 successful infections.

Upon installation, FurBall secures extensive permissions, allowing it to execute automatically at device startup. It collects browsing history, hardware specifics, and files from external storage, transmitting sensitive data like videos and call records at regular intervals. Notably, FurBall appears to derive capabilities from a commercially available spyware called KidLogger, suggesting a degree of sophistication in the actors’ development processes.
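The permission profile described above (boot-time start plus access to SMS, call logs, media, storage and location) is something an analyst can check statically before an app ever runs. The following triage script is an added example, not code from Check Point or from the article; it parses a decoded AndroidManifest.xml, lists the data-collection permissions requested, checks for a BOOT_COMPLETED receiver, and flags the combination. The manifest, the package name `com.example.menu` and the `.BootReceiver` class are constructed for the example and do not describe the real FurBall sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # namespaced attribute key used by ElementTree

# Permissions that together match the collection behaviour described
# for FurBall: SMS, call logs, photos/videos, external storage, location.
COLLECTION_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(manifest_xml: str) -> dict:
    """Return a summary of collection permissions and boot persistence."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    # A receiver registered for BOOT_COMPLETED is what lets an app start
    # automatically after the device boots.
    boot_receivers = [
        r.get(NAME)
        for r in root.iter("receiver")
        if any(a.get(NAME) == BOOT_ACTION for a in r.iter("action"))
    ]
    collection = sorted(requested & COLLECTION_PERMISSIONS)
    boot_persistence = BOOT_PERMISSION in requested and bool(boot_receivers)
    # Heuristic threshold: a restaurant or menu app needs none of these,
    # so boot persistence plus three or more collection permissions is
    # worth a closer look.
    return {
        "package": root.get("package"),
        "collection_permissions": collection,
        "boot_receivers": boot_receivers,
        "boot_persistence": boot_persistence,
        "suspicious": boot_persistence and len(collection) >= 3,
    }


# Constructed manifest mimicking a harmless-looking app with spyware-like
# permissions. Package and class names are placeholders, not real IoCs.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.menu">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Menu">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for a genuinely minimal menu app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.menu">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Menu"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

In practice the manifest is obtained by decoding the APK (for example with apktool) and the result feeds a review queue rather than an automatic block; legitimate messaging or navigation apps will request some of these permissions, which is why the check combines them with boot persistence instead of alerting on any single one.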

Infy Resurfaces With Advanced Malware Techniques

First identified in May 2016, Infy—also referred to as Prince of Persia—has resumed activities after several operational interruptions. Their renewed efforts are focused on Iranian dissidents and foreign diplomatic entities, employing innovative tactics and malware. Researchers have documented how Infy suffered setbacks due to countermeasures but adapted and evolved, strengthening their operational security and technical capabilities since their last noted activity.

The attack strategy typically involves phishing, where malicious documents written in Persian carry embedded macros that run when the document is opened. These macros then deploy the Foudre backdoor, which connects to the command and control (C2) server to retrieve additional payloads.
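Because the Infy chain described above starts with a macro-carrying document, a simple first-line defence is to detect macro content in inbound Office attachments before a user opens them. The script below is an added example written for this page, not tooling from Check Point or from the researchers cited. It treats an OOXML document as the ZIP container it is and flags the VBA project part (`vbaProject.bin`) and its content type for Word, Excel and PowerPoint files, so it generalizes beyond the Word documents the article mentions. The sample files are constructed in memory and are not real malicious documents.

```python
import io
import zipfile

# VBA project part names used by the three OOXML document families.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(doc_bytes: bytes) -> dict:
    """Report whether an OOXML document carries a VBA macro project.

    Both the part name and the declared content type are checked, so a
    file that renames the part but still declares it is also caught.
    """
    indicators = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = set(zf.namelist())
        indicators.extend(part for part in MACRO_PARTS if part in names)
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CONTENT_TYPE in content_types:
                indicators.append("content-type:vbaProject")
    return {"has_macros": bool(indicators), "indicators": indicators}


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like container for demonstration.

    This is not a valid Word file; it only contains the parts needed to
    exercise the check. The macro part holds an OLE header prefix and
    padding rather than any real VBA code.
    """
    overrides = '<Override PartName="/word/document.xml" ' \
                'ContentType="application/vnd.openxmlformats-officedocument' \
                '.wordprocessingml.document.main+xml"/>'
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    print("macro sample:", find_macro_indicators(build_sample(True)))
    print("clean sample:", find_macro_indicators(build_sample(False)))
```

A mail gateway or endpoint scanner would run `find_macro_indicators` over each attachment and quarantine or strip documents where `has_macros` is true; the check is cheap because it never parses the VBA itself, only the container. Legacy binary formats (.doc, .xls) are OLE compound files rather than ZIPs and need a separate parser such as oletools, which this example does not cover.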

Notably, Tonnerre, the latest identified implant, operates with two distinct C2 servers—a strategic choice that facilitates both update retrieval and data exfiltration. This innovation allows the attackers to bypass traditional detection methods often employed against data theft activities.

While Infy’s operations have targeted a smaller pool of victims, encompassing individuals from various countries including Iraq, Azerbaijan, and several Western nations, the persistent nature of these cyberespionage campaigns highlights the resource commitment from the Iranian regime to exert control over its perceived adversaries.

Experts map these ongoing campaigns to the MITRE ATT&CK framework, placing the observed behaviour under tactics such as initial access, execution, and persistence. By adapting their strategies in response to previous setbacks, these Iranian cyber actors demonstrate a resilient and evolving threat that concerns organizations globally.

As highlighted by Yaniv Balmas, head of cyber research at Check Point, the Iranian cyber operatives remain undeterred by past failures, continuously refining their approaches. This trend underscores the need for businesses, especially those with connections to at-risk regions, to remain vigilant and proactive in strengthening their cybersecurity measures.
