Check Point Research unraveled an ongoing surveillance operation by Iranian entities that has been targeting Iranian expats and dissidents for years. While some individual sightings of this attack were previously reported by other researchers and journalists, the investigation allowed Check Point to connect the different campaigns and attribute them to the same attackers.

Among the different attack vectors Check Point found were:

  • Four variants of Windows infostealers intended to steal the victim’s personal documents as well as access to their Telegram Desktop and KeePass account information
  • Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings and more
  • Telegram phishing pages, distributed using fake Telegram service accounts

The above tools and methods appear to be mainly used against Iranian minorities, anti-regime organizations and resistance movements such as:

  • Association of Families of Camp Ashraf and Liberty Residents (AFALR)
  • Azerbaijan National Resistance Organization
  • Balochistan people

After the victim opens the document and the remote template is downloaded, the malicious macro code in the template executes a batch script which tries to download and execute the next stage payload from a Share Point site. The payload then checks if Telegram is installed on the infected machine, and if so it proceeds to extract three additional executables from its resources. 

The main features of the malware include:

  • Information Stealer
    • Uploads relevant Telegram files from victim’s computer. These files allow the attackers to make full usage of the victim’s Telegram account
    • Steals information from KeePass application
    • Uploads any file it could find which ends with pre-defined extensions
    • Logs clipboard data and takes desktop screenshots
  • Module Downloader
    • Downloads and installs several additional modules.
  • Unique Persistence
    • Implements a persistence mechanism based on Telegram’s internal update procedure

According to Check Point, the core functionality of the malware is to steal as much information as it can from the target device. The payload targets two main applications: Telegram Desktop and KeePass, the famous password manager.

Once the relevant Telegram Desktop and KeePass files have been uploaded, the malware enumerates any relevant file it can find on the victim’s computer. For each such file, the malware then uploads it after encoding the file. 

After analyzing the payload, Check Point researchers were able to find multiple variants that date back to 2014, indicating that this attack has been in the making for years. "Malware variants developed by the same attackers often have minor differences between them, especially if they are used around the same time frame. In this case however, we noticed that while some of the variants were used simultaneously, they were written in different programming languages, utilized multiple communication protocols and were not always stealing the same kind of information," the researchers say. 

The team also uncovered a malicious Android app tied to the same threat actors, which masquerades as a service to help Persian speakers in Sweden get their driver’s license. 

From the evidence gathered throughout their research, the team concluded  the threat actors, who appear to be operating from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers and mobile devices.

"Since most of the targets we identified are Iranians, it appears that similarly to other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regiment," say the researchers. 

David "moose" Wolpoff, a former DoD contractor who is CTO and co-founder of automated red-teaming platform Randori, was surprised at the lack of sophistication in the attack.

He notes, “It’s wrong to assume an attacker needs millions of dollars and a complex attack infrastructure to target and breach their victims. While there’s truth to that statement, the reality is that not every attack needs millions and sophisticated tools. This attack campaign was not terribly complex, but it was executed well, as proven by its six year run. A typical hacker could have gone heads-down for a weekend, set up major parts of this attack campaign, and have been reasonably successful over a period of time. The number of tools involved indicates that the attackers adapted over time, but the individual tools and techniques aren't remarkably complex, and that’s what’s impressive to me. These are all techniques and tactics I’ve used as part of red-team engagements. Quite simply, this is a case of moderate attack tools being used with well executed plans.

"When it comes to cyberespionage, attackers don't want to lose access to their tools -- they need to protect their attack infrastructure to allow for a long-running campaign. Since this campaign lasted six years, we know it was well executed; that they had a good process. Attackers cleverly took advantage of a trusted communications process. Telegram, WhatsApp and other encrypted messaging apps are good for trusted  communications, where devices and individuals trust each other to share information," he says. "But if the device on either side  is compromised, it’s reasonable to assume that an attacker sees every communication. There’s no way for a secure communication app to keep a user safe when the end devices are compromised.'

He adds, "When I think about what could have been done to prevent this attack, I’ve got a couple thoughts:

  1. If victims of this attack were using cloud-based document editing (aka Google Docs, Microsoft 365, etc), this attack couldn’t have played out as it did
  2. There are a lot of security tools that could have been deployed to defend against this attack:
    1. Cutting edge: Use Microsoft Edge in with application guard -- then the attackers would have had to use a real exploit.
    2. Cutting edge in 2009: If you had a whitelisting app downloaded, you probably would have been protected from executables running. 
    3. Cutting edge in 2001: You could even (gasp!) have had the firewall set to default deny, and had a chance to catch the malware talking to the internet.
    4. Dirt simple: Or use a Chromebook or iPad, in 2020 you can still do most of your work from these devices, and they are much more expensive to exploit.”

For more information, including detailed findings, please visit