‘BouldSpy’ Android Malware Used in Iranian Government Surveillance Operations

May 1, 2023

Dubbed BouldSpy, the malware is likely installed by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA) using physical access to victim devices, supposedly obtained during detention.

The spyware has been in use since at least 2020, with more than 300 victims identified to date, including Iranian Kurds, Azeris, Baluchis, and possibly Armenian Christian groups. Evidence also suggests potential law enforcement use of the malware to counter and monitor trafficking.

“We believe FARAJA uses physical access to devices, likely obtained during detention, to install BouldSpy to further monitor the target on release,” Lookout notes.

Read More on SecurityWeek