Iran cyberoperations have increased leading up to the election.

Suspected Iranian hacker looks to steal Gmail, Instagram credentials

An Iranian threat actor discovered earlier this year is responsible for attacks against U.S. targets designed to hoover up Gmail and Instagram credentials, according to research released Wednesday by security firm SafeBreach.

While the actor was originally exposed in September, further analysis by the company found phishing attacks that stretched back to July. Almost half of the phishing campaign’s victims are located in the United States.

The research also uncovered the PowerShell code, which researchers dubbed PowerShortShell, that attackers used to pilfer a range of critical data from victims, such as screenshots and Telegram files.

PowerShortShell was typically delivered via Office documents sent via email, with lures like pictures of Iranian soldiers and evidence of the 'Corona massacre' performed by Iran's supreme leader.

SafeBreach said the documents exploited the CVE-2021-40444 vulnerability to drop the malicious PowerShell code, which then gathered data from the infected computer.
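Defenders rarely see the CVE-2021-40444 exploit itself in logs; what surfaces in endpoint telemetry is the delivery chain the article describes, an Office application starting PowerShell that then collects data. The Python below is an added example, not code from SafeBreach or from this article. It scans constructed process-creation events in a simplified JSON-lines format (the field names `parent_image`, `image`, `command_line` and `host` are assumptions; Sysmon Event ID 1 or EDR telemetry carries the same information under other names) and flags PowerShell whose parent is an Office process, adding a second reason when the command line uses hidden-window or encoded-command switches.

```python
"""Flag Office-spawned PowerShell in process-creation logs.

Added example (not SafeBreach's or The Record's code). The JSON-lines
format and its field names are assumptions made for this example.
"""
import json
import re

# Office parents that should not normally be launching a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe"}
# Command-line switches that hide the window, skip profiles, or pass an
# encoded script: legitimate admin use exists, but they raise the score.
OBFUSCATION = re.compile(
    r"-(?:e|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|-nop\b", re.I
)


def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
        if OBFUSCATION.search(event.get("command_line", "")):
            reasons.append("hidden/encoded PowerShell invocation")
    return reasons


def scan(lines):
    """Parse JSON log lines; return (host, reasons) for every flagged event."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line, skip rather than crash
        reasons = score_event(event)
        if reasons:
            hits.append((event.get("host", "?"), reasons))
    return hits


# Constructed sample telemetry: one hidden/encoded launch from Word, one
# benign scheduled script under explorer.exe, one plain launch from Word.
SAMPLE_LOG = """
{"host": "ws01", "parent_image": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE", "image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"host": "ws02", "parent_image": "C:\\\\Windows\\\\explorer.exe", "image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "command_line": "powershell.exe -File C:\\\\scripts\\\\backup.ps1"}
{"host": "ws03", "parent_image": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE", "image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "command_line": "powershell.exe -File C:\\\\scripts\\\\macro_helper.ps1"}
"""

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG.splitlines()):
        print(host, "->", "; ".join(reasons))
```

The parent-child rule alone produces the alert; the switch check only orders triage. A Word-spawned PowerShell with no suspicious switches (ws03) still deserves a look, because the page's chain drops a script after exploitation rather than relying on the user running a macro.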

Researchers said the actor could be linked to Tehran’s regime “since the Telegram surveillance usage is typical of Iran's threat actors like Infy, Ferocious Kitten and Rampant Kitten,” referring to other Iranian hacking groups that various researchers have unmasked in recent years.

Malicious actors with links to Iran have relied on social media for most of their phishing operations for years. 

One of the most recent instances occurred in July, when Facebook revealed that a group of Iranian hackers targeted U.S. military personnel through a "well-resourced and persistent operation" to trick them into providing sensitive information as part of a broader online espionage campaign.

Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.