Threats Feed

Educated Manticore, an Iranian APT group linked to the IRGC Intelligence Organization, launched spear-phishing campaigns targeting Israeli cybersecurity experts, computer science academics, and journalists. Using personas of fake cybersecurity employees or researchers, attackers engaged victims via email and WhatsApp, luring them to phishing pages disguised as Google or Google Meet login portals. A custom React-based phishing kit captured credentials and two-factor authentication tokens in real time via WebSocket, supported by infrastructure spanning over 130 attacker-controlled domains. The campaign emphasizes credential harvesting and identity theft in support of Iranian cyber-espionage objectives amid heightened Iran–Israel tensions.

Since June 2024, the Iranian-linked threat group Charming Kitten (APT42) has continued to build phishing infrastructure, identified as Cluster B, to target individuals perceived as threats to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists. The group registered several new domains, likely intended to host credential phishing pages that masquerade as Google, YouTube, and file-hosting service login portals. Past campaigns have targeted individuals in the U.S., Israel, and Europe, primarily in the research, media, and academic sectors. The phishing emails often contain malicious links disguised as conference invitations or legitimate documents.

APT42 used fake WhatsApp accounts posing as technical support from AOL, Google, Yahoo and Microsoft companies to target individuals in Israel, Palestine, Iran, the United States and the United Kingdom. Targets included political and diplomatic officials, as well as public figures associated with the Biden and Trump administrations. The campaign, identified through user reports, included phishing attempts but did not result in account compromise. APT42 is known for phishing credential theft, with previous campaigns targeting public officials, activists and academics.

It has been established that Iranian threat actors have initiated cyber-enabled influence operations targeting the 2024 US presidential election. Groups such as Sefid Flood are impersonating social and political activist groups with the intention of undermining trust in authorities and sowing discord. Iran's Islamic Revolutionary Guard Corps (IRGC)-linked Mint Sandstorm has been observed conducting spear-phishing campaigns against US presidential campaigns, while Peach Sandstorm has been engaged in password spray attacks on local government accounts. Additionally, the Iranian network Storm-2035 has been identified as operating covert news websites with the objective of polarising US voters. These operations represent part of a broader effort by Iran to interfere with elections in the US and other countries like Bahrain and Israel, often targeting political and government sectors.

APT42 has been actively targeting NGOs, media, academia, legal services, and activists in Western and Middle Eastern countries. Using sophisticated social engineering tactics, APT42 poses as journalists and event organizers to deliver malware through spear phishing, harvesting credentials to access cloud environments. They deploy custom backdoors like NICECURL and TAMECAT for initial access and data exfiltration, utilizing built-in tools and open-source resources to remain undetected. The group employs masquerading techniques and typo-squatted domains to facilitate their campaigns.