Charming Kitten Exploits Phishing to Target Global Academia and Activists
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
This Certfa Lab report details the cyber espionage activities of Charming Kitten (APT42), an Iranian state-sponsored hacking group. The report focuses on four specific operations ("Alfa," "Bravo," "Charlie," and "Delta"), illustrating how Charming Kitten uses sophisticated social engineering, primarily impersonating prominent individuals on LinkedIn and Twitter, to build trust with targets before delivering malicious links disguised as innocuous meeting requests or research materials. The attacks consistently leverage phishing to steal credentials, targeting researchers, academics, activists, and journalists with a particular focus on the Middle East and North Africa. The report aims to raise public awareness of Charming Kitten's tactics and provide recommendations for enhancing online security, particularly emphasizing the use of multi-factor authentication.
Detected Targets
Type | Description | Confidence |
---|---|---|
Case | Claudia Gazzini: a senior Libya analyst at the International Crisis Group (ICG). She has been targeted by Charming Kitten as the main target. | Verified |
Case | Dareen Khalifa: a senior Syria analyst at ICG. She has been targeted by Charming Kitten as the main target. | Verified |
Case | Hagar Hajjar Chemali: an American political commentator and one of the nonresident senior fellows at the Atlantic Council’s GeoEconomics Center. She has been targeted by Charming Kitten for abusive purposes. | Verified |
Case | Hussein Ibish: the senior resident scholar at the Arab Gulf States Institute in Washington (AGSIW). He has been targeted by Charming Kitten for abusive purposes. | Verified |
Case | Paul Salem: president of The Middle East Institute (MEI), an institution that works on providing non-partisan analysis and promoting greater understanding between the people of the US and the Middle East. He has been targeted by Charming Kitten for abusive purposes. | Verified |
Case | Samuel Valable: a researcher at the French National Center for Scientific Research (CNRS) who is a specialist in imaging and therapeutic strategies for cancers and brain tissues. He has been targeted by Charming Kitten for abusive purposes. | Verified |
Sector | Government Agencies and Services | Verified |
Sector | Human Rights | Verified |
Sector | Journalists | Verified |
Sector | Military | Verified |
Sector | Media | Verified |
Sector | Political | Verified |
Sector | Researchers | Verified |
Region | France | Verified |
Region | Iran | Verified |
Region | Israel | Verified |
Region | Saudi Arabia | Verified |
Region | United States | Verified |
Region | Middle East Countries | Verified |
Region | European Countries | Verified |
Extracted IOCs
Tip: 97 IOCs related to this threat have been found (13 IP, 78 domain, 0 URL, 5 email, 1 file hash).
Overlaps
Source: Bitdefender - April 2023
Detection (four cases): 88[.]80.148.162, maill-support[.]com, mailupdate[.]info, msn-service[.]co
Source: Proofpoint - December 2022
Detection (two cases): bnt2[.]live, nco2[.]live
Source: Google Threat Analysis Group (TAG) - October 2021
Detection (one case): nco2[.]live
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.