A spear-phishing campaign targeting Israeli defense and security professionals was discovered, involving impersonation, fake conference invites, and malicious links.

Who is behind the attack?

The operation is linked to APT42, also known as Charming Kitten — a cyber-espionage group aligned with Iranian state interests.

How was the attack carried out?

The attackers used WhatsApp to send links disguised as conference invites. These links led to fake websites designed to steal credentials or deliver malware.

Why were defense personnel targeted?

Individuals in the security sector hold sensitive information, making them valuable espionage targets for Iranian threat actors.

Is this an isolated case?

No. The infrastructure used shows signs of reuse and long-term planning, indicating an ongoing and deliberate campaign, not random phishing.

What should affected individuals or organizations do?

Avoid clicking unknown links on messaging apps, verify sender identities, report suspicious activity, and update incident response playbooks for mobile phishing vectors.

Threats Feed|APT42|Last Updated 05/01/2026|AuthorCertfa Radar|Publish Date30/12/2025

Infrastructure Ties Expose APT42 Behind Israeli-Focused Phishing Activity

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Pretexting,Spear Phishing
Attack Complexity: Medium
Threat Risk: High Impact/Low Probability

Threat Overview

Israel’s National Cyber Directorate issued a public warning about an active spear-phishing campaign targeting individuals in security and defense-related sectors in Israel. The operation uses WhatsApp messages that impersonate a well-known organization and employ conference-themed lures to appear legitimate. Victims are redirected via shortened links, including msnl[.]ink, to a spoofed website designed to harvest personal and professional credentials, with some cases involving malicious file delivery. Infrastructure analysis links the activity to APT42, also known as Charming Kitten, based on reusable URL-shortening infrastructure and historical overlaps rather than lure content alone.

Reference and Credit: Linkedin post - December 2025

Active Spear-Phishing Campaign Targeting Israeli Security-Related Individuals — Infrastructure Linked to APT42

Detected Targets

Type	Description	Confidence
Sector	Defense	Verified
Sector	Government Agencies and Services	Verified
Sector	Media	Verified
Region	Israel	Verified

FAQs

: A spear-phishing campaign targeting Israeli defense and security professionals was discovered, involving impersonation, fake conference invites, and malicious links.
: The operation is linked to APT42, also known as Charming Kitten — a cyber-espionage group aligned with Iranian state interests.
: The attackers used WhatsApp to send links disguised as conference invites. These links led to fake websites designed to steal credentials or deliver malware.
: Individuals in the security sector hold sensitive information, making them valuable espionage targets for Iranian threat actors.
: No. The infrastructure used shows signs of reuse and long-term planning, indicating an ongoing and deliberate campaign, not random phishing.
: Avoid clicking unknown links on messaging apps, verify sender identities, report suspicious activity, and update incident response playbooks for mobile phishing vectors.

About Affiliation

APT42

Associate threats