
ZooPark

Aliases: 2 aliases
Primary URL: Undetermined
Location: Iran
Industry: Government - National
Profile

ZooPark is a cyberespionage group that focuses on gathering intelligence through the compromise of mobile devices, primarily Android smartphones. The group develops and distributes malicious applications disguised as legitimate tools such as voting apps or news‑themed lures to trick victims into installing malware. Once installed, the malware exfiltrates a wide range of data including intercepted text messages, emails, GPS location coordinates, audio recordings, and detailed device information. ZooPark’s operations have also been observed to capture account verification codes for popular messaging platforms like Instagram and Telegram, enabling further access to victims’ online identities. The group’s targeting has been concentrated on individuals and organisations in Egypt and Iran, with additional victims identified among users of extremist content and a United Nations agency, according to analyses by security researchers such as Kaspersky. These activities indicate a sustained effort to surveil communications and gather sensitive personal and organisational information across multiple Middle Eastern countries.

The group’s distinguishing attributes include its specialization in mobile‑based espionage campaigns and its reliance on social engineering tactics that exploit current events or civic processes to lure targets. Researchers have noted code reuse within ZooPark’s malware, which has exposed operational security weaknesses and facilitated the identification of its infrastructure, some of which has been traced to servers hosted in Tehran. While open‑source reporting describes the group as believed to be government‑linked, the available material gives no explicit details about its size, employee count, financial scale, or corporate structure. Consequently, any description of ownership, parent‑subsidiary relationships, or formal market positioning remains unspecified, and the profile is limited to the confirmed facts concerning its malicious activities, targeting patterns, and observed technical characteristics.

Incidents

1 linked incident