Level 6
Security firm Check Point said it uncovered an Iranian hacking group that has developed special Android malware capable of intercepting and stealing two-factor authentication (2FA) codes sent via SMS.

The malware was part of an arsenal of hacking tools developed by a hacker group the company has nicknamed Rampant Kitten.

Check Point says the group has been active for at least six years and has been engaged in an ongoing surveillance operation against Iranian minorities, anti-regime organizations, and resistance movements such as:

  • Association of Families of Camp Ashraf and Liberty Residents (AFALR)
  • Azerbaijan National Resistance Organization
  • the Balochistan people
These campaigns involved the use of a wide spectrum of malware families, including four variants of Windows infostealers and an Android backdoor disguised inside malicious apps.


Level 65
Content Creator
Malware Hunter
Full report by researchers: Rampant Kitten - An Iranian Espionage Campaign - Check Point Research
Among the different attack vectors we found were:
  • Four variants of Windows infostealers intended to steal the victim’s personal documents as well as access to their Telegram Desktop and KeePass account information
  • Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings and more
  • Telegram phishing pages, distributed using fake Telegram service accounts