Skip to content

Google catches Iranian hackers using new tool to steal emails

  • by
  • 3 min read

Researchers at Google’s Threat Analysis Group (TAG) have identified a new tool called Hyperscrape being used by the Iranian state-sponsored hacking group Charming Kitten, also known as APT35 and Phosphorus, to download emails from targeted Gmail, Yahoo and Outlook accounts. 

TAG reports the earliest samples of the tool dating back to 2020. The tool was discovered in December 2021 and was tested using a Gmail account. The researchers say that the tool is under active development and is currently quite simple in terms of technical complexity. It is, however, quite effective. 

Hyperscrape isn’t a hacking tool and requires the victim’s credentials to run using a valid, authenticated session that either the attacker has hijacked or using credentials already stolen in advance. Once active, it spoofs the victim’s browser to look like an outdated one forcing Gmail to load in its basic HTML view. From there, the tool can do the following.

  • Set’s inbox language to English if not set already. Reverts to the original setting when done.
  • Clicks individual emails, opens and downloads them.
  • If the email was originally unread, mark it unread again. 
  • Go back to the inbox. 

All stolen emails are stored as a ‘.eml’ file in a ‘Download’ directory with each file named after the corresponding email’s subject. A log file is also saved containing the total number of emails downloaded. The tool also deletes any Google warning emails generated by its activity. 

Hyperscrape tool metadata (left) and the initial UI (right). | Source: Google

The tool is capable of communicating with a command and control centre to send activity status and receive information like the victim’s credentials. The downloaded emails however aren’t sent to the same C2 server.

A remote operator can configure the tool either using command line arguments or using a basic user interface. The tool gets user credentials from cookie files which can be dragged and dropped into the interface. If the cookie is parsed successfully, the tool creates a ‘Download’ folder and gets to work. Otherwise, the attacker can also log in manually. 

The cookie drag and drop form. | Source: Google

Older versions of the tool could request a victim’s data from Google Takeout, a service allowing users to export their Google account data for backup or to use it with another third-party service. 

Currently, the tool has only been used on fewer than two dozen targets, all located in Iran itself. Google has also notified victims of a state-backed attack on their inboxes. 

In the News: Apple patches two zero-days across macOS, iOS and iPadOS

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: