{
	"id": "5e0857fa-c0bd-4044-a5b5-e6a44d333960",
	"created_at": "2026-04-06T00:18:16.769361Z",
	"updated_at": "2026-04-10T03:34:00.615519Z",
	"deleted_at": null,
	"sha1_hash": "7b6405496052931cb3986179bf2dc1be9d341dba",
	"title": "ITG18 operational security errors plague Iranian threat group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1157308,
	"plain_text": "ITG18 operational security errors plague Iranian threat group\r\nBy Allison Wikoff, Richard Emerson, Wei Gao\r\nPublished: 2021-08-04 · Archived: 2026-04-05 16:59:36 UTC\r\nAllison Wikoff\r\nStrategic Cyber Threat Analyst\r\nIBM Security\r\nRichard Emerson\r\nCyber Threat Intelligence Analyst\r\nWei Gao\r\nMalware Reverse Engineer\r\nThis blog supplements a Black Hat USA 2021 talk given August 2021. \r\nIBM Security X-Force threat intelligence researchers continue to track the infrastructure and activity of a\r\nsuspected Iranian threat group ITG18. This group’s tactics, techniques and procedures(TTPs) overlap with groups\r\nknown as Charming Kitten, Phosphorus and TA453.\r\nSince our initial report on the group’s training videos in May 2020, X-Force has uncovered additional operational\r\nsecurity errors by this group. Our continued analysis led to the discovery of a malicious tool that has not been\r\npreviously linked to this threat actor, a custom Android backdoor we named “LittleLooter.” LittleLooter has only\r\nbeen observed being used by ITG18. X-Force is not aware of other threat actors leveraging this backdoor.\r\nAdditionally, from August 2020 through May 2021, X-Force observed ITG18 successfully compromise multiple\r\nvictims aligned with the Iranian reformist movement. Given the timing and focus of the activity, this may have\r\nbeen in support of surveillance objectives leaving up to the June 2021 presidential elections in Iran. 
Finally,\r\ndespite continued OPSEC errors, ITG18 appears to conduct a sizeable and often successful operation that heavily\r\nfocuses on compromising personal webmail and social media accounts.\r\nLittleLooter, ITG18’s Android surveillance tool\r\nX-Force researchers discovered a file named “WhatsApp.apk” (md5: a04c2c3388da643ef67504ef8c6907fb) on\r\ninfrastructure associated with ITG18 operations.\r\nhttps://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/\r\nPage 1 of 7\n\nFigure 1: Open Directory listing for ITG18 server hosting victim exfil and LittleLooter (Source: X-Force)\r\nUpon further analysis, X-Force determined “WhatsApp.apk” was Android malware that we named “LittleLooter”\r\nbased on its information-stealing capabilities.\r\nFor C2 communication, LittleLooter attempts to establish communication to the C2 server via HTTP POST\r\nrequests and responses. The C2 server masquerades as an American flower shop and has been active since July\r\n2020. The communication between the malware and the C2 server is compressed via GZIP, AES encrypted and\r\nBASE64 encoded. 
The AES key and initialization vector (IV) are hardcoded into the sample:\r\nKEY:3544c085656c997\r\nIV:4fcff6864c594343\r\nLittleLooter is functionally rich, providing ITG18 operators the following capabilities on an infected Android\r\ndevice:\r\nRecord video\r\nRecord live screen\r\nRecord sound\r\nRecord voice call\r\nList device information\r\nDetermine whether screen is on or off\r\nList installed apps\r\nSend browser history\r\nTurn on/off Bluetooth\r\nList contact information\r\nList SMS inbox/outbox/drafts\r\nList calls including received and missed calls\r\nCall a number\r\nUpload/download/delete a file\r\nList storage information\r\nGather GPS- or GSM-based location\r\nShow network activity\r\nShow network speed\r\nShow network connectivity\r\nTurn on/off Wi-Fi\r\nTurn mobile data on/off\r\nList SIM card information\r\nTake a picture\r\nThe LittleLooter sample X-Force analyzed had the version number “5”, as well as an update capability if\r\nLittleLooter detected it was running a previous version. The tool updates itself by downloading a zip file from a\r\nURL on the C2 server: “http[:]//[C2server]/updates/update_[class name].zip” and replacing the old “classes.dex”\r\nfile with the newer version from the zip file. Finally, LittleLooter is a modified version of Android\r\nmalware reported by third-party researchers several years ago and has likely been in use by ITG18 for years prior\r\nto our association with this threat group.\r\nNew targeting supports possible surveillance objectives\r\nIn addition to the discovery of LittleLooter, X-Force researchers discovered ITG18 targeted Iranian individuals\r\nfrom late summer 2020 through spring 2021, which supports ITG18’s long-standing operations against Iranian\r\ncitizens of interest. 
X-Force has found that despite public reporting of their OPSEC mistakes, ITG18 continues to\r\nleave archive files containing exfiltrated victim information on open servers and in open directories. The new\r\nanalysis by X-Force revealed ITG18 exfiltrated roughly 120 gigabytes of information from approximately 20\r\nindividuals aligned with the Reformist movement in Iran.\r\nSimilar to exfiltrated information X-Force observed ITG18 steal last summer, this new stolen data was frequently\r\nextracted using legitimate utilities associated with the compromised accounts. Most recently, those were Telegram\r\naccounts, one of the most popular instant messaging services used in Iran. Telegram is one of the only foreign\r\nsocial media services permitted for use in Iran and was heavily used during the 2009 Green Movement to organize\r\nprotests. X-Force researchers believe the victims’ Telegram data was possibly targeted during the summer 2020\r\nthrough spring 2021 time frame to support monitoring any dissent or protests around Iran’s June 2021 presidential\r\nelection.\r\nWhile X-Force did not observe how initial access to the accounts was gained, ITG18 could have leveraged\r\nLittleLooter’s capabilities or used phishing/social engineering to gather account credentials from their targets.\r\nFigure 2: Victim’s Telegram account data exported by ITG18 (Source: X-Force)\r\nBased on the exfiltrated information X-Force observed, most of the victims were associated with Iran’s Reformist\r\nmovement, a political faction within Iran that supports more leftist policies versus the current, conservative\r\nregime. 
The stolen data contained photos associated with the victim, contact lists, group memberships and\r\nconversations.\r\nA sizable operation marches on\r\nThe information X-Force has gleaned on ITG18’s activity, in conjunction with the training videos X-Force found\r\nin the summer of 2020, continues to paint a picture of a threat actor that likely leverages a considerable number of\r\npersonnel. This is underpinned by how manual and labor-intensive ITG18 operations appear to be, from gaining\r\ninitial access to individual victim accounts to carefully reviewing exfiltrated data.\r\nSeveral open-source reports have noted how ITG18 operators, beyond simply sending phishing messages, will\r\nalso attempt to chat, call, and even video conference with targets. This personalized attention to each\r\ncompromised individual likely requires hands-on work from a large number of operators. While X-Force cannot\r\nconfirm how many individuals and organizations ITG18 has targeted recently, what has been observed so far in\r\n2021 is identification of over 60 servers hosting more than 100 phishing domains, which suggests there may be a\r\nlarge number of victims.\r\nX-Force has also observed how manual ITG18 operations can be when reviewing exfiltrated information. Through\r\nsome of the videos that X-Force discovered last summer, an ITG18 operator was observed spending hours in\r\nmanual work. They were seen validating credentials by copying and pasting stolen victim usernames and\r\npasswords into a wide variety of websites, for just two victims. X-Force alone has observed almost 2 terabytes of\r\ncompressed exfiltrated data on publicly accessible ITG18 servers since 2018. This likely represents only a small\r\nportion of the data actually stolen by this adversary. 
Coupled with the training videos X-Force discovered,\r\nsuggesting ITG18 has enough turnover or growth to warrant training, this likely indicates ITG18 requires a\r\nsignificant number of personnel for operations, as well as for processing and evaluating exfiltrated information.\r\nAnticipate activity for the foreseeable future\r\nITG18 operations persist despite numerous public disclosures of their insecure activity and stolen data, speaking\r\nto the ability of this group to continue on its mission. X-Force researchers have high confidence that ITG18\r\nactivity will continue regardless of public reporting due to their broad objectives and the continued success of their\r\noperations. We recommend reviewing the indicators below to identify potential malicious activity on your\r\nnetworks and on mobile devices.\r\nIf you have experienced a cyber incident and would like immediate assistance from IBM Security X-Force\r\nincident response, please call our hotline at 1-888-241-9812 (US) or +001-312-212-8034 (global). Learn more\r\nabout X-Force’s threat intelligence and incident response services.\r\nIndicators of compromise\r\nIndicator | Type | Context\r\nc2c1d804aeed1913f858df48bf89a58b1f9819d7276a70b50785cf91c9d34083 | sha256 hash | LittleLooter, Filename WhatsApp.apk\r\nc760adecea4dbb4dd262cb3f3848f993d5007b2e | sha1 hash | LittleLooter, Filename WhatsApp.apk\r\na04c2c3388da643ef67504ef8c6907fb | md5 hash | LittleLooter, Filename WhatsApp.apk\r\nComplete list of LittleLooter commands\r\nCommand Description\r\napps_list List installed apps\r\nbrowser_history Send browser history\r\ncall_number Call a number\r\ncalls_log_incoming List received calls\r\ncalls_log_missed List missed calls\r\ncalls_log_outgoing List calls\r\ncalls_recorder Record voice call\r\ncamera_list List camera devices\r\ncontacts List contact information\r\ndevice_info List device information\r\ndirectory_list List files in a directory\r\nerror_list Send error log\r\nfile_delete Delete a file\r\nfile_download Download a file\r\nfile_list List files in storage\r\nfile_upload Upload a file\r\nlive_stream Record live screen\r\nlocation_gps GPS based location\r\nlocation_gsm GSM based location\r\nnetwork_activity Show network activity\r\nnetwork_speed Show network speed\r\nnetwork_state Show network connectivity\r\noff_bluetooth Turn off Bluetooth\r\noff_data Turn mobile data off\r\noff_wifi Turn off Wi-Fi\r\non_bluetooth Turn on Bluetooth\r\non_data Turn mobile data on\r\non_wifi Turn on Wi-Fi\r\npicture_take Take a picture\r\nscreen_state Determine whether screen is on or off\r\nsim_card List SIM card information\r\nsms_drafts List SMS drafts\r\nsms_inbox List SMS inbox\r\nsms_outbox List SMS outbox\r\nsms_send Send SMS message\r\nsound_recorder Record sound\r\nstorage_activity List storage information\r\nvideo_recorder Record video\r\nSource: https://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/"
	],
	"report_names": [
		"itg18-operational-security-errors-plague-iranian-threat-group"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "82f54603-89e0-4f5a-8df9-eae0c3a90d70",
			"created_at": "2022-10-25T16:07:23.745406Z",
			"updated_at": "2026-04-10T02:00:04.734764Z",
			"deleted_at": null,
			"main_name": "ITG18",
			"aliases": [],
			"source_name": "ETDA:ITG18",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b6405496052931cb3986179bf2dc1be9d341dba.pdf",
		"text": "https://archive.orkl.eu/7b6405496052931cb3986179bf2dc1be9d341dba.txt",
		"img": "https://archive.orkl.eu/7b6405496052931cb3986179bf2dc1be9d341dba.jpg"
	}
}