State-backed Iranian hackers spread malware through links to fake VPN apps

  • Home State-backed Iranian hackers spread malware through links to fake VPN apps
State-backed Iranian hackers spread malware through links to fake VPN apps

State-backed Iranian hackers spread malware through links to fake VPN apps

September 9, 2022

State-backed Iranian hackers spread malware through links to fake VPN apps.

A highly resourceful Iranian state-backed hacker group uses malicious links to VPN apps sent via SMS texts to inject spyware, a cybersecurity firm reports. 

Mandiant found evidence that APT42 (advanced persistent threat) has been conducting such attacks against what they described as "the enemies of the Iranian state" since 2015, with the goal of harvesting sensitive data and spying on victims. 

They also claim with "moderate confidence" that the group is aligned with the Islamic Revolutionary Guard Corps Intelligence (IRGC-IO), which Washington designates as a terrorist organization. 

This malware is not just spread hidden behind the reputation of some of the best VPN services, though. Well-crafted phishing emails, mischievous webpages free messaging apps, and adult-only sites have also been employed.  

As Mandiant reports: "The use of Android malware to target individuals of interest to the Iranian government provides APT42 with a productive method of obtaining sensitive information on targets, including movement, contacts, and personal information.

"The group's proven ability to record phone calls, activate the microphone and record the audio, exfiltrate images and take pictures on command, read SMS messages, and track the victim's GPS location in real-time poses a real-world risk to individual victims of this campaign." 

Researchers observed over 30 confirmed operations across 14 countries worldwide so far, spanning its seven years of activity. However, they believe the total number to be much larger than that. 

Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials, dissidents, and the Iranian diaspora abroad have all been among the victims of such attacks. 

APT42's campaigns have two main goals: gathering targets' sensitive data like personal email credentials, multi-factor authentication codes, and private communication records while tracking victims' location data to carry on major surveillance operations.      

The group's cunning playbook is gaining the trust of targets, engaging in conversation that can even last several weeks before finally sending the phishing email. In an instance, hackers pretended to be journalists working for a famous US media outlet for 37 days before launching the attack. 

In the case of mobile malware, APT42 has been successfully targeting internet users that were looking for circumventing tools to bypass the strict government restrictions. And, being that over 80% of Iranians use such software to escape online censorship, citizens' safety seems never been so at stake.

The Mandiant report further pointed out how the group - believed to be also linked to the infamous APT35 that last year managed to infiltrate Play Store with fake VPN apps - has been proficient at quickly shaping its strategies and targets to align with Iran's domestic and geopolitical interests.

"We assess with high confidence that APT42 will continue to perform cyber espionage and surveillance operations aligned with evolving Iranian operational intelligence collection requirements."

My Take: This is just what Iran does, as well as all those countries. We need to fight back. 


To Make a Request For Further Information


Happy Clients


Cups Of Coffee


Finished Projects



What Our Clients

Are Saying About Us

Get a

Free Consultation


See Our Latest

Blog Posts

Intuit Mailchimp