Latest Update: 05/02/2025

Threats Feed

  1. Public

    Silent Librarian Resumes Spearphishing Attacks Against Global Universities

    Silent Librarian (aka TA407/COBALT DICKENS) has resumed its annual spearphishing campaign targeting universities worldwide for the 2020-2021 academic year. The group seeks to steal research and intellectual property using phishing websites that mimic legitimate university domains. Recent campaigns have featured domains with altered top-level domains such as ".me", ".tk" and ".cf", often hosted via Cloudflare to disguise the true origin, which includes servers based in Iran. This follows their indictment by the US Department of Justice in 2018 for cyber attacks on academic institutions worldwide.

  2. Public

    TA407’s Phishing Campaigns Continue Targeting Universities Globally

    TA407 (Silent Librarian) has consistently targeted universities, particularly in the US, Europe, and North America, in credential phishing campaigns. Using tailored phishing pages mimicking university login portals, the group compromises accounts to steal academic data, intellectual property, and user credentials. Between 2013 and 2017, TA407 caused over $3.4 billion in intellectual property losses, affecting thousands of university accounts worldwide. The group exploits Freenom domains and various URL shorteners, including university-based services, to distribute phishing links and expand their reach within academia.

  3. Public

    COBALT DICKENS Targets Global Universities in Persistent Phishing Campaign

    COBALT DICKENS, linked to Iran's Mabna Institute, continues to launch large-scale phishing campaigns targeting universities around the world. In July and August 2019, the group launched a global operation that compromised more than 60 universities in the US, UK, Australia, Canada, Hong Kong and Switzerland. Using spoofed login pages for library resources, they stole login credentials through phishing emails. The attackers registered domains using free TLDs and used legitimate SSL certificates to make their phishing infrastructure more convincing. Despite multiple takedowns and indictments, COBALT DICKENS remains active, targeting over 380 universities in more than 30 countries and using free tools and public services to maintain its operations.

  4. Public

    COBALT DICKENS Phishing Campaign Targets Global Universities for Credential Theft

    In August 2018, Secureworks researchers uncovered a credential-stealing campaign targeting universities worldwide, likely conducted by the Iranian-linked COBALT DICKENS group. The attackers used spoofed login pages for 76 universities across 14 countries, including the US, UK, Canada, Israel, and Australia. By creating lookalike domains, the group aimed to phish victims and steal credentials, likely to access intellectual property and academic resources. The infrastructure supporting the campaign was actively developed, with many domains registered just before the attacks. The group's tactics mirrored prior operations targeting academic institutions, despite public indictments against members earlier that year.
