Educated Manticore Targets Israeli Tech Academics with Advanced Phishing Kit
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Keylogger, Spear Phishing, Whaling
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
Educated Manticore, an Iranian APT group linked to the IRGC Intelligence Organization, launched spear-phishing campaigns targeting Israeli cybersecurity experts, computer science academics, and journalists. Using personas of fake cybersecurity employees or researchers, attackers engaged victims via email and WhatsApp, luring them to phishing pages disguised as Google or Google Meet login portals. A custom React-based phishing kit captured credentials and two-factor authentication tokens in real time via WebSocket, supported by infrastructure spanning over 130 attacker-controlled domains. The campaign emphasizes credential harvesting and identity theft in support of Iranian cyber-espionage objectives amid heightened Iran–Israel tensions.
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | Information Technology | Verified |
Sector | Journalists | Verified |
Sector | University | Verified |
Region | Israel | Verified |
Extracted IOCs
Tip: 141 related IOCs (12 IP, 129 domain, 0 URL, 0 email, 0 file hash) have been found for this threat.
FAQs
Iranian Hackers Target Israeli Cyber Experts
An Iranian-linked cyber group launched targeted phishing campaigns against Israeli journalists, academics, and cybersecurity professionals to steal email credentials and personal data.
The group, known as Educated Manticore (linked to APT42 or Charming Kitten), is believed to be connected to Iran’s Islamic Revolutionary Guard Corps.
Their goal was espionage: specifically, stealing login credentials, 2FA codes, and sensitive information from influential individuals in Israel.
Targets included prominent Israeli cyber researchers, journalists, and university professors in the field of computer science.
Attackers posed as tech professionals or researchers, reached out via email or WhatsApp, and lured victims to fake Google Meet or login pages to harvest their credentials.
These individuals likely have access to sensitive information and play influential roles in Israel's cybersecurity and academic communities, making them valuable intelligence targets.
Use hardware-based two-factor authentication, be cautious of unsolicited meeting invitations or login requests, and verify sender identities independently.
This is a highly targeted campaign focused on specific high-value individuals in Israel, but it reflects broader tactics used by state-aligned threat actors.