Google's Threat Analysis Group has observed an Iranian-backed threat group using a new tool to download email inboxes called "Hyperscrape." ("spam gmail" by notoriousxl is licensed under CC BY-SA 2.0.)

Iranian-backed threat group Charming Kitten was observed in December using a novel tool called “Hyperscrape” to download email from Gmail, Yahoo and Microsoft Outlook accounts, Google’s Threat Analysis Group (TAG) detailed in a blog post Tuesday.

The tool runs on the attacker's computer and downloads a victim's inbox after logging into the victim's account with previously acquired credentials.

The Google TAG team said it has observed the tool used on fewer than two dozen accounts in Iran, with the oldest known sample dating from 2020. However, TAG said Hyperscrape is still under active deployment, and that it has re-secured the affected accounts and notified the victims.

In the post, TAG said that Hyperscrape isn’t particularly technical in its sophistication, but is notable because of its effectiveness in helping the APT achieve its objectives.

The tool spoofs a user agent to look like an outdated browser, which enables the basic HTML view in Gmail, TAG member Ajax Bash wrote. After changing the account's language to English and downloading messages as .eml files, it reverts the account to its original settings and deletes any security emails from Google.
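The sequence TAG describes (legacy user agent, language switched to English and back, bulk message download, security notifications deleted) lends itself to a session-level detection heuristic. The following is an added example, not Google's or TAG's code; the audit-event schema, the user-agent patterns treated as outdated, and the bulk-export threshold are assumptions, and the sample events are constructed.

```python
"""Flag mail-account sessions that match several stages of the inbox-scraping
sequence described above. Event schema and thresholds are assumptions."""
from collections import defaultdict
import re

# Assumption: user agents old enough to force a basic/legacy HTML mail view.
OUTDATED_UA = re.compile(r"MSIE [5-9]\.|Firefox/[1-9]\.", re.I)
# Assumption: subject fragments of provider security notifications.
SECURITY_MAIL = re.compile(r"security alert|new sign-in", re.I)
BULK_EXPORT_THRESHOLD = 20  # assumed threshold for "bulk" .eml downloads


def flag_sessions(events):
    """Group audit events by session id; return {session: [reasons]} for
    sessions that match at least two stages of the described behaviour."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    flagged = {}
    for sid, evs in by_session.items():
        reasons = []
        if any(OUTDATED_UA.search(e.get("user_agent", "")) for e in evs):
            reasons.append("outdated user agent")
        langs = [e["value"] for e in evs if e["action"] == "set_language"]
        if len(langs) >= 2 and "en" in langs and langs[-1] != "en":
            reasons.append("language switched to English then reverted")
        exports = sum(1 for e in evs if e["action"] == "export_message")
        if exports >= BULK_EXPORT_THRESHOLD:
            reasons.append(f"bulk export of {exports} messages")
        if any(e["action"] == "delete_message" and SECURITY_MAIL.search(e["value"])
               for e in evs):
            reasons.append("security notification deleted")
        if len(reasons) >= 2:
            flagged[sid] = reasons
    return flagged


# Constructed sample events (not real provider logs).
OLD_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
NEW_UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/104.0.0.0"
SAMPLE_EVENTS = (
    [{"session": "s1", "user_agent": OLD_UA, "action": "login", "value": ""},
     {"session": "s1", "user_agent": OLD_UA, "action": "set_language", "value": "en"}]
    + [{"session": "s1", "user_agent": OLD_UA, "action": "export_message",
        "value": f"msg{i}.eml"} for i in range(25)]
    + [{"session": "s1", "user_agent": OLD_UA, "action": "delete_message",
        "value": "Security alert: new sign-in on Windows"},
       {"session": "s1", "user_agent": OLD_UA, "action": "set_language", "value": "fa"},
       {"session": "s2", "user_agent": NEW_UA, "action": "login", "value": ""},
       {"session": "s2", "user_agent": NEW_UA, "action": "export_message",
        "value": "msg1.eml"}]
)
```

Running `flag_sessions(SAMPLE_EVENTS)` flags only session `s1`, with all four reasons; the ordinary session `s2` is not reported.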

TAG tested Hyperscrape in a controlled environment on a Gmail account, but said functionality may differ for Yahoo and Microsoft accounts.