IRGC-Linked Campaign Uses Fake Recruitment to Target Farsi Speakers Worldwide
- Actor Motivations: Exfiltration
- Attack Vectors: Baiting,Phishing
- Attack Complexity: Low
- Threat Risk: Low Impact/High Probability
Threat Overview
Mandiant has uncovered an Iranian counterintelligence operation aimed at gathering data on Iranians and domestic threats potentially collaborating with foreign intelligence agencies, particularly in Israel. The operation involved fake recruitment websites, disseminated via social media, that lured Farsi-speaking individuals into providing personal and professional details. This data is likely used to identify and persecute Iranian dissidents, activists, and human rights advocates. The campaign, linked to Iran’s IRGC and APT42, operated from 2017 to 2024 and extends beyond Iran to target individuals connected to Syria and Hezbollah.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Dissident | High |
| Sector | Human Rights | High |
| Region | Iran | Verified |
| Region | Lebanon | Verified |
| Region | Syria | Verified |
Extracted IOCs
- azadijobs[.]me
- beparas[.]com
- bilal1com[.]com
- damavand-hr[.]me
- damkahill[.]com
- darakeh[.]me
- dream-jobs[.]org
- dream-jobs[.]vip
- dreamycareer[.]com
- dreamy-job[.]com
- dreamy-jobs[.]com
- golanjobs[.]me
- hat-cast[.]com
- irnjobs[.]me
- joinoptimahr[.]com
- jomehjob[.]com
- kandovani[.]org
- opthrltd[.]me
- optimac-hr[.]com
- optima-hr[.]com
- optimax-hr[.]com
- parasil[.]me
- radabala[.]com
- rostam-hr[.]vip
- salamjobs[.]me
- shirazicom[.]com
- syrtime[.]me
- titanium-hr[.]com
- topiranjobs[.]me
- topwor4u[.]com
- trnjobs[.]me
- vipjobsglobal[.]com
- wazayif-halima[.]com
- wazayif-halima[.]org
- wehatcast[.]com
- youna101[.]me
- younamesh[.]com
- sendcv@vipjobsglobal[.]com
Tip: 38 related IOCs (0 IP, 37 domain, 0 URL, 1 email, 0 file hash) to this threat have been found.