Threats Feed - Public
UNC1549’s Advanced Espionage Campaign Against the Aerospace and Defense Ecosystem
UNC1549, a suspected Iran-nexus threat group, has conducted sustained cyber espionage campaigns since mid-2024 targeting the aerospace, aviation, and defense sectors across the Middle East and connected partner ecosystems. The group gained initial access through targeted spear-phishing and exploitation of trusted third-party relationships, including breakouts from Citrix and VMware VDI environments. Once inside, UNC1549 deployed custom malware families such as MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, and POLLBLEND, relying heavily on DLL search order hijacking, reverse SSH tunnels, and Azure-based C2. Their operations focused on long-term persistence, credential theft (including DCSync attacks), stealthy lateral movement, and extensive data collection from high-value defense networks.
Inside SpearSpecter: Precision Social Engineering and TAMECAT Malware Operations
Researchers uncovered SpearSpecter, an IRGC-IO–aligned cyber-espionage campaign targeting senior defense and government officials, alongside their family members, to expand pressure on primary targets. The group uses long-term social engineering, including WhatsApp engagement and impersonation of trusted contacts, to deliver highly personalized lures. Initial access relies on crafted meeting documents, WebDAV-based delivery, and malicious LNK shortcuts that launch TAMECAT, a modular PowerShell backdoor enabling reconnaissance, credential harvesting, browser data extraction, Outlook OST theft, screenshot capture, and encrypted exfiltration. SpearSpecter employs a resilient multi-channel C2 architecture using HTTPS, Telegram, and Discord, plus Cloudflare Workers for staging, reflecting a stealthy and persistent IRGC-linked intelligence-collection effort.
New Charming Kitten Operation Blends Long-Term Reconnaissance and WebSocket Phishing
The new Charming Kitten campaign demonstrates a significant escalation in the group’s operational maturity, combining strategic impersonation, long-term reconnaissance, and a large, automated infrastructure. The attackers impersonated Pentagon official Ariane Tabatabai to target Iranian activists, initiating contact via Telegram before redirecting victims through Google Sites to credential-harvesting domains using a WebSocket-based phishing kit. Evidence shows the group monitored security researcher activity for months, preparing infrastructure from May and launching operations in late July. More than 30 previously unseen domains support the campaign, reflecting increased automation, operational scale, and real-time monitoring. The operation highlights Charming Kitten’s growing geopolitical awareness and refined social engineering capability.
Educated Manticore Targets Israeli Tech Academics with Advanced Phishing Kit
Educated Manticore, an Iranian APT group linked to the IRGC Intelligence Organization, launched spear-phishing campaigns targeting Israeli cybersecurity experts, computer science academics, and journalists. Using personas of fake cybersecurity employees or researchers, attackers engaged victims via email and WhatsApp, luring them to phishing pages disguised as Google or Google Meet login portals. A custom React-based phishing kit captured credentials and two-factor authentication tokens in real time via WebSocket, supported by infrastructure spanning over 130 attacker-controlled domains. The campaign emphasizes credential harvesting and identity theft in support of Iranian cyber-espionage objectives amid heightened Iran–Israel tensions.
BellaCPP: Charming Kitten's Latest Malware Innovation in Asia
Kaspersky has uncovered BellaCPP, a new C++ variant of the BellaCiao malware family, linked to the Charming Kitten threat actor. BellaCPP, found on an infected machine in Asia, features domain generation, XOR-encrypted string decryption, and SSH tunneling, with payloads stored in critical directories like C:\Windows\System32. Unlike earlier BellaCiao samples, it lacks a webshell component, indicating a more refined design. PDB paths embedded in the binary reveal targeting details and highlight the actor's evolving capabilities. These findings underscore the need for robust cybersecurity and thorough network scanning to combat such threats.
APT35 Targets Aerospace and Semiconductor Sectors Across Multiple Countries
APT35 targeted the aerospace and semiconductor industries in the US, Thailand, UAE, and Israel using fake recruitment and corporate websites. These sites delivered malware via forged legitimate programs and malicious DLLs to compromise victims. The group leveraged platforms like GitHub, OneDrive, and Google Cloud for C&C communications and payload delivery. In a related attack, a semiconductor company was targeted using a VPN program laced with malicious components. Persistence mechanisms included registry modifications, while obfuscation techniques were used to evade detection. APT35’s activities are linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran.
Charming Kitten’s TA455 Uses Social Engineering to Spread Malware in Aerospace Sector
ClearSky Cyber Security's research details an Iranian cyber campaign, dubbed "Iranian Dream Job," using fake job postings to target the aerospace industry. The campaign, active since at least September 2023, employs the SnailResin malware, leading to the SlugResin backdoor. Attribution is complex, with potential links to both Iranian group TA455 (a Charming Kitten subgroup) and North Korea's Lazarus group, raising questions about potential collaboration or deception. The campaign leverages fake LinkedIn profiles and websites, distributing malware via seemingly legitimate ZIP files containing a malicious executable. This sophisticated attack uses social engineering and DLL side-loading for infiltration.
Targeted Phishing by APT42 Aims at Academia and Defense Officials
APT42 has launched a series of phishing attacks targeting Middle Eastern studies researchers, defense sector officials, and institutions specializing in Iran across Israel and the U.S. The phishing messages were highly personalized, containing malicious links disguised as Zoom invitations and documents. APT42’s tactics included impersonating researchers and reputable organizations to enhance credibility and evade detection. The campaign underscores ongoing cyber espionage efforts by Iranian actors focused on intelligence gathering in academia, defense, and foreign policy sectors, impacting both governmental and research entities.
Charming Kitten Targets NGOs and Media with Phishing Attacks via WhatsApp
Charming Kitten has launched a new cyber campaign targeting NGOs and media organizations in Western and Middle Eastern countries. The campaign begins with initial contact via a Yahoo email, followed by a phishing link sent through WhatsApp. To build credibility, attackers may initiate silent WhatsApp voice calls before redirecting victims to a phishing site designed to mimic Google Meet. This page, hosted on Google Sites, employs an EventListener script to capture any entered data and send it to the attackers' server. Indicators of compromise include the domain atlanticcouncil[.]site and specific WhatsApp numbers.
Charming Kitten Resumes Phishing Campaigns Against Researchers and Activists
Since June 2024, the Iranian-linked threat group Charming Kitten (APT42) has continued to build phishing infrastructure, identified as Cluster B, to target individuals perceived as threats to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists. The group registered several new domains, likely intended to host credential phishing pages that masquerade as Google, YouTube, and file-hosting service login portals. Past campaigns have targeted individuals in the U.S., Israel, and Europe, primarily in the research, media, and academic sectors. The phishing emails often contain malicious links disguised as conference invitations or legitimate documents.
IRGC-Linked Campaign Uses Fake Recruitment to Target Farsi Speakers Worldwide
Mandiant has uncovered an Iranian counterintelligence operation aimed at gathering data on Iranians and domestic threats potentially collaborating with foreign intelligence agencies, particularly in Israel. The operation involved fake recruitment websites, disseminated via social media, that lured Farsi-speaking individuals into providing personal and professional details. This data is likely used to identify and persecute Iranian dissidents, activists, and human rights advocates. The campaign, linked to Iran’s IRGC and APT42, operated from 2017 to 2024 and extends beyond Iran to target individuals connected to Syria and Hezbollah.
APT42’s Fake Support Agents on WhatsApp Target Political Officials
APT42 used fake WhatsApp accounts posing as technical support staff from AOL, Google, Yahoo, and Microsoft to target individuals in Israel, Palestine, Iran, the United States, and the United Kingdom. Targets included political and diplomatic officials, as well as public figures associated with the Biden and Trump administrations. The campaign, identified through user reports, included phishing attempts but did not result in account compromise. APT42 is known for credential-theft phishing, with previous campaigns targeting public officials, activists, and academics.
GreenCharlie Targets US Political Campaigns with Advanced Malware and Phishing
Iranian APT group GreenCharlie, linked to Mint Sandstorm and APT42, has been targeting US political campaigns and affiliates since May 2024 through advanced spearphishing and malware operations. The group leverages dynamic DNS domains, VPNs, and compromised infrastructure to conduct espionage activities. Malware variants such as GORBLE, POWERSTAR, and TAMECAT were deployed, showing significant code overlap. GreenCharlie’s infrastructure, associated with Iran-based IPs, supports its campaigns against high-value targets, including research analysts, diplomats, and government officials. The group likely operates under the Islamic Revolutionary Guard Corps (IRGC).
TA453 Targets Jewish Religious Leader with Sophisticated BlackSmith Malware
Iranian threat actor TA453 targeted a prominent Jewish religious figure with a fake podcast invitation, delivering the new BlackSmith malware toolkit. The attack leveraged spearphishing links and malicious LNK files to deploy the AnvilEcho PowerShell trojan. AnvilEcho consolidates TA453’s previous malware capabilities into a single script, facilitating intelligence gathering and system reconnaissance. The malware evades detection through obfuscation, steganography, and encrypted communications with TA453-controlled infrastructure. The operation, aligned with Iranian government interests, highlights TA453’s evolving tactics to support espionage.
APT42 Targets Israeli and U.S. High-Profile Sectors with Sophisticated Phishing Campaigns
APT42 has intensified its phishing campaigns against Israel and the U.S., targeting high-profile individuals in the military, defense, diplomatic, academic, and NGO sectors. The group uses spearphishing emails, typosquatting domains, and social engineering tactics to harvest credentials and gain unauthorized access to accounts. Recent campaigns included the use of benign PDF attachments and phishing kits capable of bypassing multi-factor authentication.
APT42: Iranian Cyber Espionage Campaign Targets Global NGO and Media Sectors
APT42 has been actively targeting NGOs, media, academia, legal services, and activists in Western and Middle Eastern countries. Using sophisticated social engineering tactics, APT42 poses as journalists and event organizers to deliver malware through spear phishing, harvesting credentials to access cloud environments. They deploy custom backdoors like NICECURL and TAMECAT for initial access and data exfiltration, utilizing built-in tools and open-source resources to remain undetected. The group employs masquerading techniques and typo-squatted domains to facilitate their campaigns.
Lord Nemesis Targets Israeli Academia in Sophisticated Supply Chain Attack
The Iranian hacktivist group Lord Nemesis, also known as 'Nemesis Kitten,' targeted the Israeli academic sector via a supply chain attack on Rashim Software, a provider of academic administration and training software. They breached Rashim's infrastructure and accessed its clients, including numerous academic institutions, by using stolen credentials and exploiting admin accounts on customer systems. This allowed them to extract sensitive data, circumvent multi-factor authentication, and instill fear by releasing findings and sending ominous warnings. The attack highlights the significant risks posed by third-party vendors and demonstrates the group's sophisticated planning and understanding of targeted IT environments.
Charming Kitten Targets Global Sectors with Sponsor Backdoor
Charming Kitten, an Iran-nexus threat actor group, used the Sponsor backdoor to target 34 entities across Brazil, Israel, and the UAE. Initial access was gained by exploiting Microsoft Exchange vulnerabilities (CVE-2021-26855). The campaign targeted various sectors, including automotive, communications, engineering, financial services, healthcare, insurance, legal, manufacturing, retail, technology, and telecommunications. The Sponsor backdoor, disguised as an updater program, used discreetly deployed batch files to evade detection. Charming Kitten also deployed tools like Plink, the Merlin agent, Mimikatz, and Meterpreter reverse shells.
Ballistic Bobcat Exploits Microsoft Exchange Vulnerabilities to Compromise 34 Organizations
The Ballistic Bobcat (aka Charming Kitten) threat group exploited known vulnerabilities in Microsoft Exchange servers, particularly CVE-2021-26855, to gain initial access to 34 organizations, primarily located in Israel. The group employed a backdoor known as Sponsor and relied on a modular approach that used both configuration files and batch files to evade detection. In addition, the group utilized a range of open-source tools for various activities, including tunneling and credential dumping. The victims come from diverse sectors and appear to have been compromised opportunistically rather than specifically targeted. Two victims were identified outside Israel, in Brazil and the UAE, linked to healthcare and an unidentified organization.
German Authorities Warn of Charming Kitten Cyberespionage Against Exiled Iranians
Charming Kitten has intensified its cyber espionage operations targeting Iranian dissidents, legal professionals, journalists, and human rights activists in Germany and abroad. According to the German BfV, the group uses detailed social engineering and spoofed online identities to initiate contact and build trust. Victims are lured into video calls via phishing links that mimic legitimate platforms like Google or Microsoft. These links lead to credential-harvesting sites, often intercepting two-factor authentication as well. Stolen credentials are then used to access cloud services and extract personal data using tools like Google Takeout.
TA453 Campaign Deploys Novel PowerShell Backdoor and Mac-Specific Malware
In mid-May 2023, threat actor TA453 targeted a US-based nuclear security expert affiliated with a foreign affairs think tank using deceptive emails. After initial contact, TA453 deployed a novel PowerShell backdoor, GorjolEcho, via cloud hosting providers. Upon realizing the target used a Mac, they sent another malicious email that delivered Mac-specific malware, NokNok. TA453 operates in support of Iran's Islamic Revolutionary Guard Corps (IRGC), specifically focusing on entities and individuals in the foreign affairs sector, particularly those dealing with Middle Eastern affairs and nuclear security.
Decoding Charming Kitten's POWERSTAR Deployment in Recent Cyber Attack
The Iranian cyber-espionage group, Charming Kitten, targeted an individual who published an article about Iran. The attackers impersonated a reporter and carried out a series of seemingly benign interactions before sending a malicious RAR file containing the POWERSTAR backdoor. The backdoor, once executed, collects system information and communicates with a command-and-control server via encrypted channels. The attackers employ several modules for system reconnaissance, establishing persistence, and cleaning up forensic evidence. Notably, they leveraged the InterPlanetary File System (IPFS) as a fallback mechanism for command-and-control communication.
Unveiling BellaCiao: Charming Kitten's Sophisticated Malware Tailored For Individuals
Charming Kitten group's latest malware, BellaCiao, targets Microsoft Exchange servers across the United States, Europe, the Middle East (Turkey), and India. The malware uses a unique communication approach with its command-and-control infrastructure and is tailored to suit individual targets. BellaCiao is a dropper malware that delivers other payloads based on instructions from the C2 server. The initial infection vector is suspected to be Microsoft Exchange exploit chains, and the malware establishes persistence by masquerading as legitimate Microsoft Exchange server processes.
Educated Manticore Targets Israel with Improved Cyber Arsenal
Educated Manticore, an Iranian-aligned threat actor linked to the Phosphorus group, has been found targeting Israel with an improved arsenal of tools. The group adopts recent trends, using ISO images and other archive files to initiate infection chains. They have significantly enhanced their toolset with techniques such as .NET executables constructed as Mixed Mode Assembly. The final payload is an updated version of the implant PowerLess, previously attributed to Phosphorus ransomware operations. This evolution shows the group's continuous refinement of their toolsets and delivery mechanisms.