A different try to analyze and simplify threat intelligence

Threats Feed

We are excited to announce that the preliminary editions of Threats Feed and Actors Insights are now publicly accessible. We are working to add further practical features and useful resources to help build an informed community. Stay connected for further updates.

  1. Educated Manticore Targets Israeli Tech Academics with Advanced Phishing Kit

    Educated Manticore, an Iranian APT group linked to the IRGC Intelligence Organization, launched spear-phishing campaigns targeting Israeli cybersecurity experts, computer science academics, and journalists. Using personas of fake cybersecurity employees or researchers, attackers engaged victims via email and WhatsApp, luring them to phishing pages disguised as Google or Google Meet login portals. A custom React-based phishing kit captured credentials and two-factor authentication tokens in real time via WebSocket, supported by infrastructure spanning over 130 attacker-controlled domains. The campaign emphasizes credential harvesting and identity theft in support of Iranian cyber-espionage objectives amid heightened Iran–Israel tensions.

  2. BladedFeline Targets Iraq and Kurdistan Governments with Custom Malware Arsenal

    BladedFeline, an Iran-aligned APT group likely linked to OilRig (APT34), has conducted a multi-year cyberespionage campaign targeting Kurdish and Iraqi government officials as well as a telecommunications provider in Uzbekistan. Active since at least 2017, the group deployed various custom tools—including the Shahmaran and Whisper backdoors, the PrimeCache IIS module, reverse tunnels (Laret and Pinar), and several post-compromise implants—to maintain long-term access. Whisper abuses Microsoft Exchange email infrastructure for covert C2, while PrimeCache leverages malicious IIS components. This activity highlights Iran’s strategic interest in regional political and telecommunications sectors.

  3. Iranian APT Impersonates German Model Agency in Espionage Operation

    Suspected Iranian threat actors, likely linked to APT35 (Agent Serpens), created a fraudulent website impersonating Germany’s Mega Model Agency to conduct targeted espionage. The site collects extensive visitor data—including IP addresses, browser fingerprints, and screen resolutions—using obfuscated JavaScript to enable selective targeting. A fake model profile and inactive album link suggest planned social engineering attacks. Although no victim interaction was confirmed, the infrastructure and tactics indicate preparation for spear phishing. The campaign targets dissidents, journalists, and activists abroad, especially in Germany, aligning with the group’s history of surveillance and influence operations against Iranian opposition figures.

  4. Avast-Themed Phishing Campaign Targets Israeli Businesses with ScreenConnect RAT

    A phishing campaign impersonating Avast targeted Israeli individuals and businesses—likely in the real estate and commercial sectors—through fraudulent antivirus receipts containing malware download links. The attack used multiple URL redirections and GitHub for payload delivery, culminating in the stealthy installation of the legitimate remote access tool ScreenConnect. Once installed, the malware achieved persistence via Windows services, modified authentication packages to access credentials, and established encrypted command and control connections. Evidence suggests similarities with tactics used by the MuddyWater APT group, though attribution remains inconclusive. The campaign’s infrastructure and system language checks confirm its Israeli focus.
