Researchers recently pieced together the activity, showing the limits of the cyber industry’s knowledge of Tehran-linked hacking against those who often bear the brunt of it: Iranian citizens. The findings are consistent with a surveillance dragnet that Iranian authorities have used to jail and beat protesters who challenge the regime.

Hackers have sent their targets malware-laced images and videos claiming to be from prisoners in Iran. When opened, the malicious documents hijack users’ Google Chrome browsers and Telegram, an encrypted app popular among Iranian activists, to try to steal data. The attackers’ also planted malicious code in Psiphon, a virtual private networking software that Iranians use to evade censorship.

The malicious code can take screenshots and has a keylogging capabilities with these two features, it can monitor the victim’s correspondences and conversations such as instant messaging or emails.

Researches noted Iran-nexus groups deploy mobile malware and spear phish dissidents to try to gain access to email and social media accounts..

The U.S. Treasury Department in September announced sanctions against dozens of Iranians, including alleged members of a hacking group known as APT39, for allegedly targeting Iranian dissidents and journalists. Those hackers are accused of operating on behalf of Iran’s Ministry of Intelligence. Then, in February, security researchers from Check Point exposed more Iranian government-linked attempts to break into the devices of dissidents abroad. But as usual Iran is in defensive mode.