Check Point Research has unraveled an ongoing surveillance operation by Iranian entities that has been targeting Iranian expats and dissidents for years.

The team unpacks the operation:

While some individual sightings of this attack were previously reported by other researchers and journalists, our investigation allowed us to connect the several different campaigns and attribute all of them to the same attackers.

Among the different attacks we found were:

* Four variants of Windows infostealers intended to steal victims’ personal documents as well as access their Telegram Desktop and KeePass account information.

* An Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings, and more.

* Malicious Telegram phishing pages, distributed using fake Telegram service accounts.

The above tools and methods appear to be mainly used against Iranian minorities, anti-regime organisations and resistance movements such as:

* Association of Families of Camp Ashraf and Liberty Residents (AFALR).

* Azerbaijan National Resistance Organisation.

* Balochistan citizens.

Initial infection and infection chain

We first encountered a document with the name “وحشت_رژیم_از_گسترش_کانونهای_شورشی.docx”, which roughly translates to “The Regime Fears the Spread of the Revolutionary Cannons.docx”.

The title of the document was referring to the ongoing struggle between the Iranian regime and the Revolutionary Cannons, a Mujahedin-e Khalq movement. The above document leverages the external template technique, which allows it to load a document template from an external remote server.

After the victim opens the document and the remote template is downloaded, the malicious macro code in that template executes a batch script which tries to download and execute the next stage payload.

The payload then checks if Telegram is installed on the infected machine, and if so it proceeds to extract three additional executables.
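As an added defensive example (not code from the Check Point report or this article), the following Python check targets the external-template step described above: it opens a .docx as the zip it is and reports attached-template relationships whose target lies outside the file, which is the signal a mail gateway or triage script would act on. The constructed sample document and the example.invalid targets are assumptions.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Relationship type Word uses to attach a document to a template (.dotm/.dotx).
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PART = "word/_rels/settings.xml.rels"
# Targets that make Word fetch the template from outside the document itself.
REMOTE = re.compile(r"^(https?://|ftp://|file:|\\\\)", re.IGNORECASE)


def find_remote_templates(docx_bytes):
    """Return attached-template targets that point outside the .docx.

    The attached template is a relationship stored in word/_rels/settings.xml.rels.
    A local template is normal for a document created from a .dotx; an External
    http(s)/UNC target means Word downloads the template, macros included, on open.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return hits
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.iter(RELS_NS + "Relationship"):
            target = rel.get("Target", "")
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"
                    and REMOTE.match(target)):
                hits.append(target)
    return hits


def build_docx(template_target=None, external=True):
    """Build a minimal constructed .docx in memory (a test fixture, not a real sample)."""
    mode = ' TargetMode="External"' if external else ""
    rel = ("" if template_target is None else
           f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
           f'Target="{template_target}"{mode}/>')
    rels = f'<Relationships xmlns="{RELS_NS[1:-1]}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_docx("http://template.example.invalid/update.dotm")
    print(find_remote_templates(sample))  # ['http://template.example.invalid/update.dotm']
```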

The main features of the malware include:

Information Stealer

* Uploads relevant Telegram files from the victim’s computer. These files allow the attackers to make full use of the victim’s Telegram account.

* Steals information from the KeePass application.

* Uploads any file it could find that ends with one of a set of pre-defined extensions.

* Logs clipboard data and takes desktop screenshots.

Module Downloader

* Downloads and installs several additional modules which we could not reach during our investigation.

Unique Persistence

* Implements a persistence mechanism based on Telegram’s internal update procedure.

By following the tracks of this attack we revealed a large-scale operation that has largely managed to remain under the radar for at least six years.

According to the evidence we have gathered, the threat actors, who appear to be operating from Iran, have been taking advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers and mobile devices, and their supposedly private, secure communications via Telegram and other social networks.

Since most of the targets we identified are Iranian nationals, it appears that in common with other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regime.