Frequently Asked Questions
About Hyperscrape and Threat Analysis
What is Hyperscrape and how does it operate?
Hyperscrape is a data extraction tool attributed to Iranian APT actors. It requires valid victim account credentials and operates by spoofing the user agent to appear as an outdated browser, enabling Gmail's basic HTML view. Once authenticated, it iterates through mailbox contents, downloads messages as .eml files, marks them unread, and deletes security emails from Google. It can also request data from Google Takeout in earlier versions. The tool is written in .NET for Windows and is designed to run on the attacker's machine.
How does Hyperscrape gain access to victim email accounts?
Hyperscrape requires the attacker to have already acquired valid credentials or a hijacked authenticated session. It uses these credentials to log in, often by spoofing the user agent to trigger Gmail's basic HTML view, which simplifies data extraction.
What actions does Hyperscrape perform once inside a Gmail account?
Once inside, Hyperscrape changes the account's language to English, iterates through mailbox tabs, downloads emails as .eml files, marks them unread if they were originally unread, and deletes security-related emails from Google. It also reverts the language setting after completion.
How does Hyperscrape communicate with its command and control (C2) server?
Hyperscrape makes HTTP GET requests to its C2 server to check for a specific response ("OK") before proceeding. It sends identity information for confirmation and, upon completion, posts status and system information back to the C2. In later versions, the C2 address is obfuscated with Base64 encoding.
What anti-forensic techniques does Hyperscrape use?
Hyperscrape deletes security alert emails from Google that are generated by its activity, such as sign-in attempts, data archive requests, and other security notifications, to reduce the chance of detection by the victim.
Does Hyperscrape support Google Takeout data extraction?
Earlier versions of Hyperscrape included an option to request data from Google Takeout, allowing attackers to export user data as a downloadable archive. This feature was not automated and was removed in later versions.
What programming language is Hyperscrape written in?
Hyperscrape is written in .NET and is designed to run on Windows PCs.
How does Hyperscrape handle cookies and authentication?
Hyperscrape can accept a path to a valid cookie file via command line or through a drag-and-drop interface. It parses the cookies and inserts them into a local cache for the embedded web browser to use during authentication.
What files and logs does Hyperscrape create during operation?
Hyperscrape creates a "Download" folder adjacent to its main binary, where it saves downloaded emails as .eml files. It also writes a log file containing a count of the emails downloaded during the session.
How does Hyperscrape revert changes made to the victim's account?
After completing its data extraction, Hyperscrape reverts the account's language setting to its original value and deletes any security emails generated by its activity.
Is Hyperscrape compatible with email providers other than Gmail?
While Hyperscrape was tested in a controlled environment with a Gmail account, its functionality may differ for Yahoo! and Microsoft accounts. The tool is primarily designed for Gmail data extraction.
What command line arguments does Hyperscrape accept?
Hyperscrape accepts arguments such as the mode of operation, an identifier string, and a path to a valid cookie file. If not provided, a form prompts the operator for this information.
How does Hyperscrape handle failed authentication attempts?
If the provided cookies do not grant access, Hyperscrape displays a login page, allowing the attacker to manually enter credentials. The program waits until it detects the inbox page before proceeding with data extraction.
Does Hyperscrape send downloaded emails to the C2 server?
No, Hyperscrape does not send the downloaded emails to the C2 server. Instead, it saves them locally and only posts status and system information to the C2 upon completion.
How does Hyperscrape manage Google Takeout operations?
When performing a Google Takeout, Hyperscrape spawns a new process and uses a pipe communication channel to relay cookies and account information. The browser then navigates to the official Takeout link to request and download exported data. This feature was only present in early builds.
What are the main indicators of Hyperscrape activity?
Indicators include changes to Gmail language settings, creation of a "Download" folder with .eml files, deletion of Google security alert emails, and HTTP requests to a C2 server with specific parameters.
How does Cymulate help organizations defend against threats like Hyperscrape?
Cymulate's exposure management and security validation platform enables organizations to simulate real-world threats, including advanced persistent threats (APTs) like Hyperscrape. By continuously validating defenses across the full kill chain, Cymulate helps identify exploitable vulnerabilities, optimize security controls, and improve resilience against sophisticated attacks. Learn more about Cymulate's platform.
What types of threats can Cymulate validate?
Cymulate validates threats across the full kill chain, including phishing, malware, lateral movement, data exfiltration, and zero-day exploits, using daily updated threat templates and AI-generated attack plans. Source
How does Cymulate's immediate threats module help with emerging attacks?
Cymulate's immediate threats module is rapidly updated to reflect new attacks, allowing organizations to quickly assess their IT estate for exposure and implement remedial actions. Customers praise its speed and relevance for proactive defense. Source
What feedback have customers given about Cymulate's ease of use?
Customers consistently praise Cymulate for its intuitive design and ease of use. For example, Raphael Ferreira, Cybersecurity Manager, stated, "Cymulate is easy to implement and use—all you need to do is click a few buttons." The dashboard is described as user-friendly and effective for both technical and non-technical users. Source
Features & Capabilities
What are the key features of Cymulate's platform?
Cymulate offers continuous threat validation, exposure awareness, defensive posture optimization, attack path discovery, automated mitigation, integration with security tools, and dedicated cloud validation. These features help organizations proactively manage their cybersecurity posture. Source
How does Cymulate automate asset discovery?
Cymulate integrates with existing security and IT tools to aggregate asset data from vulnerability scans, asset inventories, and Active Directory, supporting continuous threat exposure management. Source
What types of threats and techniques does Cymulate simulate for endpoint security validation?
Cymulate simulates known malicious file samples, malicious behaviors, ransomware, worms, trojans, rootkits, DLL side-loading, and code injection to validate endpoint security controls. Source
What integrations does Cymulate support?
Cymulate integrates with a wide range of security tools, including endpoint security (e.g., CrowdStrike Falcon, Carbon Black EDR), cloud security (AWS GuardDuty, Wiz), SIEM (Splunk), vulnerability management (Rapid7 InsightVM), network security (Akamai Guardicore), and SOAR platforms. Full list of integrations
What technical documentation is available for Cymulate?
Cymulate provides technical documentation including data sheets on custom attack simulations, technology integrations, and a whitepaper on its exposure management platform. Access resources
Pricing & Plans
What is Cymulate's pricing model?
Cymulate operates on a subscription-based pricing model, customized to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a tailored quote, schedule a demo with the Cymulate team.
Competition & Comparison
How does Cymulate compare to AttackIQ?
Cymulate offers the industry's leading threat scenario library and AI-powered capabilities for streamlined workflows and accelerated security posture. AttackIQ does not match Cymulate's innovation, threat coverage, or ease of use. Read more
How does Cymulate compare to Mandiant Security Validation?
Mandiant's platform has seen little innovation in recent years, while Cymulate continually innovates with AI and automation, expanding into exposure management as a grid leader. Read more
How does Cymulate compare to Pentera?
Pentera focuses on attack path validation but lacks the depth of exposure validation and optimization that Cymulate provides. Cymulate offers comprehensive exposure validation and optimization. Read more
How does Cymulate compare to Picus Security?
Picus is suitable for on-premise breach and attack simulation but lacks the full-kill chain coverage and cloud control validation that Cymulate provides. Cymulate offers a more complete exposure validation platform. Read more
Use Cases & Benefits
Who can benefit from using Cymulate?
Cymulate is designed for CISOs, SecOps teams, Red Teams, Vulnerability Management teams, and Detection Engineers in organizations of all sizes and industries, especially those with complex security needs and a focus on proactive threat management. Source
What business impact can customers expect from Cymulate?
Customers typically achieve a 30% improvement in threat prevention, a 52% reduction in critical exposures, a 60% increase in operational efficiency, and an 81% reduction in cyber risk within four months. Source
What are some real-world case studies demonstrating Cymulate's value?
Hertz Israel reduced cyber risk by 81% in four months, Nemours Children's Health improved detection and response, Banco PAN optimized security controls, and Nedbank increased assessment breadth and depth. See all case studies
How quickly can Cymulate be implemented?
Cymulate is designed for rapid deployment and operates in agentless mode, requiring no additional hardware or complex configuration. Customers can start running simulations almost immediately after deployment. Source
Security & Compliance
What security and compliance certifications does Cymulate hold?
Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating adherence to industry-leading security and privacy standards. Source
How does Cymulate ensure data security and privacy?
Cymulate hosts services in secure AWS data centers, uses TLS 1.2+ for data in transit, AES-256 for data at rest, and follows a strict Secure Development Lifecycle (SDLC) with regular third-party penetration tests. Source
Company & Vision
What is Cymulate's mission and vision?
Cymulate's mission is to empower organizations worldwide against threats and make advanced cybersecurity as simple as sending an email. Founded in 2016 by former IDF intelligence officers and cyber researchers, Cymulate aims to lead the way in exposure management and security validation. Source
What is the size and reach of Cymulate as a company?
Cymulate serves over 1,000 customers across 50 countries and operates globally with offices in eight locations. Source
Research & Community
What recent vulnerabilities has Cymulate's research team discovered?
Cymulate researchers discovered high-severity Anthropic vulnerabilities (CVE-2025-53109 & 53110). Watch the video
Is there a tool for Kerberos CNAME abuse available?
Yes, a modified version of mitm6 with Kerberos CNAME abuse capabilities is available at this GitHub repository.