Threats Feed | Educated Manticore | Last Updated: 26/06/2025 | Author: Certfa Radar | Publish Date: 25/06/2025

Educated Manticore Targets Israeli Tech Academics with Advanced Phishing Kit

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Keylogger, Spear Phishing, Whaling
  • Attack Complexity: Medium
  • Threat Risk: Low Impact / High Probability

Threat Overview

Educated Manticore, an Iranian APT group linked to the IRGC Intelligence Organization, launched spear-phishing campaigns targeting Israeli cybersecurity experts, computer science academics, and journalists. Using personas of fake cybersecurity employees or researchers, attackers engaged victims via email and WhatsApp, luring them to phishing pages disguised as Google or Google Meet login portals. A custom React-based phishing kit captured credentials and two-factor authentication tokens in real time via WebSocket, supported by infrastructure spanning over 130 attacker-controlled domains. The campaign emphasizes credential harvesting and identity theft in support of Iranian cyber-espionage objectives amid heightened Iran–Israel tensions.

Detected Targets

Type   | Description            | Confidence
Sector | Information Technology | Verified
Sector | Journalists            | Verified
Sector | University             | Verified
Region | Israel                 | Verified

Extracted IOCs


Tip: 141 IOCs related to this threat have been found (12 IP addresses, 129 domains, 0 URLs, 0 email addresses, 0 file hashes).
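The feed publishes its indicators in defanged form ("[.]" in place of a dot) and counts IP addresses and domains separately. The following added example, which is not part of the original feed or Certfa Radar's tooling, refangs such indicators, classifies them as IP or domain, and sweeps constructed DNS resolver log lines for queries of a listed domain (or a subdomain of one) or answers pointing at a listed IP. All indicators and log lines below are constructed placeholders, not the campaign's real IOCs.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample indicators in the feed's defanged style. Not real campaign IOCs.
SAMPLE_IOCS = ["meet-invite[.]example", "live-room[.]example", "192[.]0.2.10"]

# Constructed resolver log lines: time, client, "query", name, type, answer. Not real data.
SAMPLE_DNS_LOG = """\
2025-06-25T09:14:02Z 10.1.4.22 query meet.google.com A 142.250.74.46
2025-06-25T09:15:40Z 10.1.4.22 query meet-invite.example A 192.0.2.10
2025-06-25T09:16:05Z 10.1.7.8 query calendar.google.com A 142.250.74.14
2025-06-25T09:17:31Z 10.1.9.3 query login.LIVE-ROOM.EXAMPLE. A 192.0.2.11
"""


def refang(ioc: str) -> str:
    """Undo common defanging: '[.]' -> '.', 'hxxp' -> 'http'; normalise case and trailing dot."""
    return re.sub(r"hxxp", "http", ioc.replace("[.]", ".")).rstrip(".").lower()


def classify(iocs: List[str]) -> Dict[str, Set[str]]:
    """Split refanged indicators into 'ip' and 'domain' sets, mirroring the feed's per-type counts."""
    out: Dict[str, Set[str]] = {"ip": set(), "domain": set()}
    for raw in iocs:
        clean = refang(raw)
        try:
            ipaddress.ip_address(clean)
            out["ip"].add(clean)
        except ValueError:
            out["domain"].add(clean)
    return out


def match_dns_log(log_text: str, iocs: List[str]) -> List[dict]:
    """Return one hit per log line whose queried name (or its parent) or answer is a known IOC."""
    known = classify(iocs)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[2] != "query":
            continue  # skip malformed or non-query lines
        qname = parts[3].rstrip(".").lower()
        reasons = []
        if any(qname == d or qname.endswith("." + d) for d in known["domain"]):
            reasons.append("domain")
        if parts[5] in known["ip"]:
            reasons.append("ip")
        if reasons:
            hits.append({"time": parts[0], "client": parts[1], "qname": qname, "matched": reasons})
    return hits
```

Feeding the feed's downloadable IOC list into `match_dns_log` in place of `SAMPLE_IOCS` turns this into a retrospective hunt over resolver or proxy logs.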

FAQs

Iranian Hackers Target Israeli Cyber Experts

An Iranian-linked cyber group launched targeted phishing campaigns against Israeli journalists, academics, and cybersecurity professionals to steal email credentials and personal data.

The group, known as Educated Manticore (linked to APT42 or Charming Kitten), is believed to be connected to Iran’s Islamic Revolutionary Guard Corps.

Their goal was espionage—specifically, stealing login credentials, 2FA codes, and sensitive information from influential individuals in Israel.

Targets included prominent Israeli cyber researchers, journalists, and university professors in the field of computer science.

Attackers posed as tech professionals or researchers, reached out via email or WhatsApp, and lured victims to fake Google Meet or login pages to harvest their credentials.

These individuals likely have access to sensitive information and play influential roles in Israel’s cybersecurity and academic communities—making them valuable intelligence targets.

Use hardware-based two-factor authentication, be cautious of unsolicited meeting invitations or login requests, and verify sender identities independently.

This is a highly targeted campaign focused on specific high-value individuals in Israel, but it reflects broader tactics used by state-aligned threat actors.