The Iran-backed nation state threat actor Charming Kitten has been reported using a new tool which allows them to download and steal emails from Gmail, Yahoo, and Microsoft Outlook. For the attack to work, the threat actor must first acquire credentials for the account that is being targeted. After initial access is obtained, the threat actors utilized a tool named HYPERSCRAPE, which was identified by Google TAG last December. This malware appears to have been deployed and under active development since 2020. Once logged in, the tool changes the default language to English and individually downloads the emails within the mailbox. After the download is complete, the default language is reverted to its original, and all security email warnings are deleted. HYPERSCRAPE is written in .NET in order to target Windows PCs, and is designed to run on the attacker’s machine.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in