Threats Feed | APT42 | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 29/08/2024

IRGC-Linked Campaign Uses Fake Recruitment to Target Farsi Speakers Worldwide

  • Actor Motivations: Exfiltration
  • Attack Vectors: Baiting, Phishing
  • Attack Complexity: Low
  • Threat Risk: Low Impact/High Probability

Threat Overview

Mandiant has uncovered an Iranian counterintelligence operation aimed at gathering data on Iranians and domestic threats potentially collaborating with foreign intelligence agencies, particularly in Israel. The operation involved fake recruitment websites, disseminated via social media, that lured Farsi-speaking individuals into providing personal and professional details. This data is likely used to identify and persecute Iranian dissidents, activists, and human rights advocates. The campaign, linked to Iran’s IRGC and APT42, operated from 2017 to 2024 and extended beyond Iran to target individuals connected to Syria and Hezbollah.

Detected Targets

Type | Description | Confidence
Sector | Dissident | High
Sector | Human Rights | High
Region | Iran | Verified
Region | Lebanon | Verified
Region | Syria | Verified

Extracted IOCs

Tip: 38 IOCs related to this threat have been found (0 IP, 37 domain, 0 URL, 1 email, 0 file hash).

Overlaps

Unknown | IRGC Cyber Campaign Targets US Political Campaigns and Middle Eastern Affairs

Source: Internet Crime Complaint Center - September 2024

Detection (one case): dreamycareer[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.