Threats Feed

Leaked internal documents reveal a highly structured APT35 (Charming Kitten) operation run as a quota-driven, bureaucratic intelligence unit within the IRGC IO. The materials detail coordinated, long-term cyber-espionage campaigns targeting Lebanon, Kuwait, Turkey, Saudi Arabia, South Korea, and domestic Iranian entities, with a strong focus on diplomatic, governmental, telecom, energy, and large commercial mail systems. Operators used ProxyShell, Ivanti exploits, credential replay, HERV phishing, and persistent mailbox monitoring to harvest GALs, credentials, and sensitive communications. The leak exposes end-to-end workflows: reconnaissance, exploitation, credential theft, HUMINT-focused collection, and centralized KPI reporting, confirming a mature, state-managed espionage apparatus.

Researchers uncovered SpearSpecter, an IRGC-IO–aligned cyber-espionage campaign targeting senior defense and government officials, alongside their family members, to expand pressure on primary targets. The group uses long-term social engineering, including WhatsApp engagement and impersonation of trusted contacts, to deliver highly personalized lures. Initial access relies on crafted meeting documents, WebDAV-based delivery, and malicious LNK shortcuts that launch TAMECAT, a modular PowerShell backdoor enabling reconnaissance, credential harvesting, browser data extraction, Outlook OST theft, screenshot capture, and encrypted exfiltration. SpearSpecter employs a resilient multi-channel C2 architecture using HTTPS, Telegram, and Discord, plus Cloudflare Workers for staging, reflecting a stealthy and persistent IRGC-linked intelligence-collection effort.

Researchers uncovered SpearSpecter, an IRGC-IO–aligned cyber-espionage campaign targeting senior defense and government officials, alongside their family members, to expand pressure on primary targets. The group uses long-term social engineering, including WhatsApp engagement and impersonation of trusted contacts, to deliver highly personalized lures. Initial access relies on crafted meeting documents, WebDAV-based delivery, and malicious LNK shortcuts that launch TAMECAT, a modular PowerShell backdoor enabling reconnaissance, credential harvesting, browser data extraction, Outlook OST theft, screenshot capture, and encrypted exfiltration. SpearSpecter employs a resilient multi-channel C2 architecture using HTTPS, Telegram, and Discord, plus Cloudflare Workers for staging, reflecting a stealthy and persistent IRGC-linked intelligence-collection effort.

Researchers uncovered SpearSpecter, an IRGC-IO–aligned cyber-espionage campaign targeting senior defense and government officials, alongside their family members, to expand pressure on primary targets. The group uses long-term social engineering, including WhatsApp engagement and impersonation of trusted contacts, to deliver highly personalized lures. Initial access relies on crafted meeting documents, WebDAV-based delivery, and malicious LNK shortcuts that launch TAMECAT, a modular PowerShell backdoor enabling reconnaissance, credential harvesting, browser data extraction, Outlook OST theft, screenshot capture, and encrypted exfiltration. SpearSpecter employs a resilient multi-channel C2 architecture using HTTPS, Telegram, and Discord, plus Cloudflare Workers for staging, reflecting a stealthy and persistent IRGC-linked intelligence-collection effort.

Educated Manticore, an Iranian APT group linked to the IRGC Intelligence Organization, launched spear-phishing campaigns targeting Israeli cybersecurity experts, computer science academics, and journalists. Using personas of fake cybersecurity employees or researchers, attackers engaged victims via email and WhatsApp, luring them to phishing pages disguised as Google or Google Meet login portals. A custom React-based phishing kit captured credentials and two-factor authentication tokens in real time via WebSocket, supported by infrastructure spanning over 130 attacker-controlled domains. The campaign emphasizes credential harvesting and identity theft in support of Iranian cyber-espionage objectives amid heightened Iran–Israel tensions.

APT42 has launched a series of phishing attacks targeting Middle Eastern studies researchers, defense sector officials, and institutions specializing in Iran across Israel and the U.S. The phishing messages were highly personalized, containing malicious links disguised as Zoom invitations and documents. APT42’s tactics included impersonating researchers and reputable organizations to enhance credibility and evade detection. The campaign underscores ongoing cyber espionage efforts by Iranian actors focused on intelligence gathering in academia, defense, and foreign policy sectors, impacting both governmental and research entities.

Since June 2024, the Iranian-linked threat group Charming Kitten (APT42) has continued to build phishing infrastructure, identified as Cluster B, to target individuals perceived as threats to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists. The group registered several new domains, likely intended to host credential phishing pages that masquerade as Google, YouTube, and file-hosting service login portals. Past campaigns have targeted individuals in the U.S., Israel, and Europe, primarily in the research, media, and academic sectors. The phishing emails often contain malicious links disguised as conference invitations or legitimate documents.

Mandiant has uncovered an Iranian counterintelligence operation aimed at gathering data on Iranians and domestic threats potentially collaborating with foreign intelligence agencies, particularly in Israel. The operation involved fake recruitment websites, disseminated via social media, that lured Farsi-speaking individuals into providing personal and professional details. This data is likely used to identify and persecute Iranian dissidents, activists, and human rights advocates. The campaign, linked to Iran’s IRGC and APT42, operated from 2017 to 2024 and extends beyond Iran to target individuals connected to Syria and Hezbollah.

APT42 used fake WhatsApp accounts posing as technical support from AOL, Google, Yahoo and Microsoft companies to target individuals in Israel, Palestine, Iran, the United States and the United Kingdom. Targets included political and diplomatic officials, as well as public figures associated with the Biden and Trump administrations. The campaign, identified through user reports, included phishing attempts but did not result in account compromise. APT42 is known for phishing credential theft, with previous campaigns targeting public officials, activists and academics.

APT42 used fake WhatsApp accounts posing as technical support from AOL, Google, Yahoo and Microsoft companies to target individuals in Israel, Palestine, Iran, the United States and the United Kingdom. Targets included political and diplomatic officials, as well as public figures associated with the Biden and Trump administrations. The campaign, identified through user reports, included phishing attempts but did not result in account compromise. APT42 is known for phishing credential theft, with previous campaigns targeting public officials, activists and academics.

APT42 has intensified its phishing campaigns against Israel and the U.S., targeting high-profile individuals in the military, defense, diplomatic, academic, and NGO sectors. The group uses spearphishing emails, typosquatting domains, and social engineering tactics to harvest credentials and gain unauthorized access to accounts. Recent campaigns included the use of benign PDF attachments and phishing kits capable of bypassing multi-factor authentication.

APT42 has been actively targeting NGOs, media, academia, legal services, and activists in Western and Middle Eastern countries. Using sophisticated social engineering tactics, APT42 poses as journalists and event organizers to deliver malware through spear phishing, harvesting credentials to access cloud environments. They deploy custom backdoors like NICECURL and TAMECAT for initial access and data exfiltration, utilizing built-in tools and open-source resources to remain undetected. The group employs masquerading techniques and typo-squatted domains to facilitate their campaigns.

APT42 has been actively targeting NGOs, media, academia, legal services, and activists in Western and Middle Eastern countries. Using sophisticated social engineering tactics, APT42 poses as journalists and event organizers to deliver malware through spear phishing, harvesting credentials to access cloud environments. They deploy custom backdoors like NICECURL and TAMECAT for initial access and data exfiltration, utilizing built-in tools and open-source resources to remain undetected. The group employs masquerading techniques and typo-squatted domains to facilitate their campaigns.

APT42 has been actively targeting NGOs, media, academia, legal services, and activists in Western and Middle Eastern countries. Using sophisticated social engineering tactics, APT42 poses as journalists and event organizers to deliver malware through spear phishing, harvesting credentials to access cloud environments. They deploy custom backdoors like NICECURL and TAMECAT for initial access and data exfiltration, utilizing built-in tools and open-source resources to remain undetected. The group employs masquerading techniques and typo-squatted domains to facilitate their campaigns.

APT42 has been actively targeting NGOs, media, academia, legal services, and activists in Western and Middle Eastern countries. Using sophisticated social engineering tactics, APT42 poses as journalists and event organizers to deliver malware through spear phishing, harvesting credentials to access cloud environments. They deploy custom backdoors like NICECURL and TAMECAT for initial access and data exfiltration, utilizing built-in tools and open-source resources to remain undetected. The group employs masquerading techniques and typo-squatted domains to facilitate their campaigns.

APT42 has been actively targeting NGOs, media, academia, legal services, and activists in Western and Middle Eastern countries. Using sophisticated social engineering tactics, APT42 poses as journalists and event organizers to deliver malware through spear phishing, harvesting credentials to access cloud environments. They deploy custom backdoors like NICECURL and TAMECAT for initial access and data exfiltration, utilizing built-in tools and open-source resources to remain undetected. The group employs masquerading techniques and typo-squatted domains to facilitate their campaigns.

APT42 has been actively targeting NGOs, media, academia, legal services, and activists in Western and Middle Eastern countries. Using sophisticated social engineering tactics, APT42 poses as journalists and event organizers to deliver malware through spear phishing, harvesting credentials to access cloud environments. They deploy custom backdoors like NICECURL and TAMECAT for initial access and data exfiltration, utilizing built-in tools and open-source resources to remain undetected. The group employs masquerading techniques and typo-squatted domains to facilitate their campaigns.

APT42 has been actively targeting NGOs, media, academia, legal services, and activists in Western and Middle Eastern countries. Using sophisticated social engineering tactics, APT42 poses as journalists and event organizers to deliver malware through spear phishing, harvesting credentials to access cloud environments. They deploy custom backdoors like NICECURL and TAMECAT for initial access and data exfiltration, utilizing built-in tools and open-source resources to remain undetected. The group employs masquerading techniques and typo-squatted domains to facilitate their campaigns.

TA453, also known as Charming Kitten, has targeted sectors such as academia, defence, government, NGOs, think tanks and journalists in the UK and other regions of interest. The group uses spear phishing attacks, using open source reconnaissance to create tailored phishing emails. These emails are often sent from fake social media profiles or compromised email accounts. Once a relationship has been established, TA453 directs victims to malicious links or documents and steals credentials upon interaction. The group also exploits compromised email accounts to steal sensitive data, set up mail forwarding rules and facilitate further surveillance and future attacks.