Iranian hackers used the reputation of one of the regime’s most high-profile critics to dupe dissidents into an online surveillance programme that ran for at least six years without discovery, researchers have found.
The cyber-espionage operation run by the group known as Ferocious Kitten was designed to steal data from the user's computer and allow them to hijack any Telegram app, which is commonly used by the opposition to avoid regime scrutiny.
“The content of the decoy documents suggests the attackers are specifically going after supporters of protest movements within the country,” said cyber security experts Kaspersky, which first learnt of the malware in March.
Ferocious Kitten sent emails containing videos of anti-regime protests or resistance camps that contained hidden malicious software that monitored the computer activity of anyone who downloaded it, Kaspersky said.
While the malicious software was being downloaded, a message showed up on screen that claimed to be from a political prisoner from the 1980s, Hussein Jafari.
"Add my name to the prisoners' statement of Iraj Mesdaghi about the bloodthirsty mercenary," the message said. "Please use the nickname Jafar for my own safety and my family."
Mr Mesdaghi, an exiled former political prisoner who spent a decade in three jails, said he was unaware of what the message referred to and was unaware of Mr Jafari. But he said the cyber-espionage operation was typical of repeated attempts by the regime to snare dissidents abroad.
“This is the first time they have used my name,” he said. “Of course, it doesn’t have any effect on me – but they try, and they are very active in these things.”
The malware – known as MarkiRat – allowed Ferocious Kitten to download and upload material from the user's computer. The victims of the operation all appeared to be in Iran and Farsi-speaking, according to Kaspersky.
Researchers said Ferocious Kitten appeared to be “very much active” and may be in the process of modifying its tactics to continue targeting the opposition.
The group’s targeted operation inside Iran “makes it possible for them to fly under the radar for long periods of time and makes it easier for them to reuse their infrastructure and toolsets”, said Aseel Kyal, a security researcher with Kaspersky.
Ferocious Kitten is part of a broader surveillance operation in Iran. The country has a long history of cyber operations that attempt to identify and track dissidents and spread misinformation in countries such as the US. The country's Islamic Revolutionary Guard Corps has been identified as a driving force behind the cyber-espionage operations.
One of the earliest campaigns, from 2007, was by a group known as Prince of Persia, which was thought to be government-backed and targeted opponents in Iran and Europe, according to US cyber-intelligence company Check Point Research.
A similar attempt to reap information about the opposition – known as Domestic Kitten – was identified three years ago and had been running since 2016. That operation targeted potential ISIS supporters and members of the Kurdish minority in western Iran.
Iranian hackers have also tried to steal aviation and military secrets from countries including the US and Saudi Arabia. The US Treasury has sanctioned Iranian hacking networks, accusing them of attacks on the country's financial system.
Mr Mesdaghi, who lives in Sweden, said previous attempts to target dissidents there had included malware embedded in an email that included a Farsi version of the country’s official driving rules and regulations.
The exiled dissident, who has spent years researching regime crimes and tracking the movements of the alleged perpetrators, said he and his family in Iran had also been the recipients of misinformation that sought to undermine his credibility.
Mr Mesdaghi is expected to be a key witness in a court hearing later this year of a former regime official accused of involvement in the massacre of thousands of dissidents held in Iranian prisons in 1988.
Hamid Nouri, 61, was arrested in 2019 after flying to Stockholm after a dossier compiled by Mr Mesdaghi and others was passed to Swedish authorities.
Mr Nouri is accused of being part of a so-called death committee, which tried and signed off the warrants of condemned prisoners.
He is being held under the concept of universal jurisdiction, which means crimes against humanity can be prosecuted, no matter when or where they were committed.
Ebrahim Raisi, one of the key figures in the executions and the current head of the Iranian judiciary, is the frontrunner to become Iran's next president in elections this week.