When the Iranian hacking group APT35 wants to know if one of its digital lures has gotten a bite, all it has to do is check Telegram. Whenever someone visits one of the copycat sites they’ve set up, a notification appears in a public channel on the messaging service, detailing the potential victim’s IP address, location, device, browser, and more. It’s not a push notification; it’s a phish notification.

Google’s Threat Analysis Group outlined the novel technique as part of a broader look at APT35, also known as Charming Kitten, a state-sponsored group that has spent the last several years trying to get high-value targets to click on the wrong link and cough up their credentials. And while APT35 isn’t the most successful or sophisticated threat on the international stage—this is the same group, after all, that accidentally leaked hours of videos of themselves hacking—their use of Telegram stands out as an innovative wrinkle that could pay dividends.

The group uses a variety of approaches to try to get people to visit their phishing pages in the first place. Google outlined a few scenarios it has observed lately: the compromise of a UK university website, a fake VPN app that briefly snuck into the Google Play Store, and phishing emails in which the hackers pretend to be organizers of real conferences, and attempt to entrap their marks through malicious PDFs, Dropbox links, websites, and more. 

In the case of the university website, the hackers direct potential victims to the compromised page, which encourages them to log in with the service provider of their choice—everything from Gmail to Facebook to AOL is on offer—to view a webinar. If you enter your credentials, they go straight to APT35, which also asks for your two-factor authentication code. It’s a technique so old it’s got whiskers on it; APT35 has been running it since 2017 to target people in government, academia, national security, and more. 

screenshot

Phishing page hosted on a compromised website.

Courtesy of Google TAG

The fake VPN isn’t especially innovative, either, and Google says it booted the app from its store before anyone managed to download it. If anyone had fallen for the ruse, though—or does install it on another platform where it’s still available—the spyware can steal call logs, texts, location data, and contacts. 

Frankly, APT35 are not exactly overachievers. While they convincingly impersonated officials from the Munich Security conference and Think-20 Italy in recent years, that too is straight out of Phishing 101. “This is a very prolific group that has a wide target set, but that wide target set is not representative of the level of success the actor has,” says Ajax Bash, security engineer at Google TAG. “Their success rate is actually very low.”

Advantages of local domestic helper.