top of page
  • Admin

Charming Kitten APT Scrapes Email Accounts To Steal Data

Published: February 06, 2023 on our newsletter Security Fraud News & Alerts Newsletter.

Charming Kitten, an Iranian-backed APT (Advanced Persistent Threat) group, is once again making headlines. In 2021, Google’s Threat Analysis Group (TAG) discovered Charming Kitten’s new surveillance tool, naming it HYPERSCRAPE. The name reflects HYPERSCRAPE’s ability to extract or “scrape” user data from Gmail, Microsoft Outlook, and Yahoo! email accounts.

There is no shortage of aliases for this group. Charming Kitten group has also been tracked as Cobalt Illusion, APT35, TA453, ITG18, Phosphorus, and Yellow Garuda. Some of these threat actors are also known to carry out ransomware attacks, linking their motives to financial theft in addition to espionage.

As TAG says about Charming Kitten’s latest tool “Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but rather its effectiveness in accomplishing Charming Kitten’s objectives.” They also find HYPERSCRAPE is currently under active development, and what new hacking tricks come from that remain to be seen.

HYPERSCRAPE tool uses previously acquired (aka stolen) login credentials to download a victim’s emails directly to the attacker’s computer. And, should Google send email security alerts about strange login attempts, HYPERSCRAPE deletes the alerts before a victim sees them.

Once inside a victim’s email account, the attacker goes through every email, looking for content valuable to their espionage goals. The chosen emails are then downloaded and returned to the inbox and marked as “unread,” if the victim had not yet opened it. HYPERSCRAPE covers its tracks, leaving victims clueless about any email intrusion and successfully provides data for Iran’s covert surveillance goals.

Keep Email Accounts and Texts Safe From Compromise

Since both emails and texts can include sensitive information you might want to keep private, the following actions can help keep spying eyes from accessing your data.

  • Always use strong passwords that are long (8+ characters) and use a combination of numbers and upper and lowercase letters. If you write passwords down, keep them in a safe place, preferably locked, but at least hidden.

  • Always use MFA (multi-factor authentication) for all accounts when available, including for mobile devices. MFA provides one or more layers of identity verification when logging in.

  • Be aware of phishing red flags for emails and texts, especially from those you don’t know.

  • Never open attachments or follow links in emails and texts unless you can verify the sender. Attachments can be malware-filled and links can lead to malicious web pages setup by the hacker.

  • Keep all system software and apps updated, especially anti-virus software. Updates have fixes to security flaws that can leave a system open to attack.

Keep up to date: Sign up for our Fraud alerts and Updates newsletter

Want to schedule a conversation? Please email us at


bottom of page