Threats Feed|Charming Kitten|Last Updated 25/07/2024|AuthorCertfa Radar|Publish Date08/01/2021

Unwrapping Charming Kitten's Holiday Phishing Campaign

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Smishing,Spear Phishing
Attack Complexity: Medium
Threat Risk: Low Impact/High Probability

Threat Overview

During the 2021 Christmas holidays, Iranian state-backed hackers Charming Kitten initiated a targeted phishing campaign against individuals, focusing on personal and business emails. The group used public-facing applications, such as Google services, to redirect victims through a chain of legitimate services, helping bypass security layers in email services and obfuscate their operations. They employed various fake domains and developed custom phishing pages to target a range of online services, collecting sensitive data and emails from victims.

Reference and Credit: Certfa - January 2021

Charming Kitten’s Christmas Gift

Detected Targets

Type	Description	Confidence
Case	News 12 Networks The News 12 Networks are a group of regional cable news television channels in the New York metropolitan area that are owned by Altice USA. All channels provide rolling news coverage 24 hours a day, focusing primarily on regions of the metro area outside Manhattan, Queens, and Staten Island. News 12 Networks has been targeted by Charming Kitten with abusive purposes.	High
Case	PlanetObserver PlanetObserver is a French company specialized in the processing and production of high value-added geospatial data. We thrive to develop innovative products that maximize the visual and technological performance of our clients' projects and solutions in the Defense, Aerospace, mapping and GIS sectors. PlanetObserver has been targeted by Charming Kitten with abusive purposes.	High
Case	The New Yorker The New Yorker is an American weekly magazine featuring journalism, commentary, criticism, essays, fiction, satire, cartoons, and poetry. Founded as a weekly in 1925, the magazine is published 47 times annually, with five of these issues covering two-week spans. The New Yorker has been targeted by Charming Kitten with abusive purposes.	High
Sector	Journalists	Verified
Sector	Civic	High
Sector	Media	Verified
Sector	Political	Verified
Sector	University	Verified
Region	Middle East Countries	Verified
Region	United States	Verified
Region	European Countries	Verified

Extracted IOCs

archiverepositories[.]xyz
bulk-approach[.]site
com-254514785965[.]site
com-3654623478192[.]site
com-5464825879854[.]site
com-apk-6712qw123asd8awf7[.]site
com-archive[.]site
com-posts6712qw12387[.]site
confirm-identity[.]site
customer-session[.]site
hello-planet[.]com
identifier-service-verify[.]site
identifier-session-recovery[.]site
identity-session-recovery[.]site
mail-newyorker[.]com
mobile-activity-session[.]site
mobile-check-activity[.]site
planet-labs[.]site
recover-identity[.]site
recover-session-service[.]site
recover-session[.]site
recovery-customer-service[.]site
recovery-session-service[.]site
recovery-session[.]site
recovery-session-verify[.]site
reset-account[.]com
securelogicalrepository[.]com
service-recovery[.]site
service-session-recovery[.]site
service-support[.]site
service-verification-session[.]site
service-verification[.]site
session-confirmation[.]site
session-customer-activity[.]site
verify-session-service[.]site
a.archiverepositories[.]xyz
accounts.customer-session[.]site
accounts.service-verification[.]site
agentappservice.ddns[.]net
app-e.request.unlock-service.accounts.service-verification[.]site
basementofdarkness.ddns[.]net
benefitsredington.ddns[.]net
challengechampions.ddns[.]net
chn.archiverepositories[.]xyz
com.recover-session-service[.]site
com.service-verification[.]site
customer.com-3654623478192[.]site
customer.verification.com-3654623478192[.]site
deepthinkingroom.ddns[.]net
differentintegrated.ddns[.]net
dynamiceventmanager.ddns[.]net
enhanceservicchecke.hopto[.]org
google.com-apk-6712qw123asd8awf7[.]site
google.reset-account[.]com
heisonhisway.ddns[.]net
homedirections.ddns[.]net
homeinspections.ddns[.]net
identifier.recovery-session[.]site
identifier.recovery-session-verify[.]site
identifier.service-recovery[.]site
identifier.service-support[.]site
identifier.session-confirmation[.]site
insgram.service-recovery[.]site
instagram.com.service-verification[.]site
instagram.service-recovery[.]site
lonelymanshadow.ddns[.]net
mail.com-posts6712qw12387[.]site
mail.service-verification[.]site
mail.yahoo.verify-session-service[.]site
minimumservicechek.ddns[.]net
mobile.identifier-service-verify[.]site
mobile.recover-session-service[.]site
mobile.recovery-session-service[.]site
mobile.service-session-recovery[.]site
mobile.service-verification-session[.]site
mobile.service-verification[.]site
mobile.verification.session.com-254514785965[.]site
mobile.verify.service.com-5464825879854[.]site
mobile.verify-session-service[.]site
myaccount.recover-session[.]site
news12.com.recover-session-service[.]site
patchtheschool.ddns[.]net
planet.customer-session[.]site
planet-map.gigfa[.]com
planet.service-support[.]site
play.google.com-apk-6712qw123asd8awf7[.]site
playstore.com-apk-6712qw123asd8awf7[.]site
profilechangeruser.ddns[.]net
randomworldcity.ddns[.]net
request.unlock-service.accounts.service-verification[.]site
schoolofculture.ddns[.]net
service.com-5464825879854[.]site
session.com-254514785965[.]site
session.recover-identity[.]site
session.recovery-customer-service[.]site
uniquethinksession.ddns[.]net
unlock-service.accounts.service-verification[.]site
verification.com-3654623478192[.]site
verification.session.com-254514785965[.]site
verify.mobile-activity-session[.]site
verify.service.com-5464825879854[.]site
verify.session-customer-activity[.]site
video.instagram.service-recovery[.]site
wearefirefighters.ddns[.]net
www.archiverepositories[.]xyz
www.bulk-approach[.]site
www.com-254514785965[.]site
www.com-3654623478192[.]site
www.com-5464825879854[.]site
www.com-apk-6712qw123asd8awf7[.]site
www.com-archive[.]site
www.com-posts6712qw12387[.]site
www.confirm-identity[.]site
www.customer-session[.]site
www.identifier.recovery-session[.]site
www.identifier-service-verify[.]site
www.identifier-session-recovery[.]site
www.mobile-activity-session[.]site
www.mobile-check-activity[.]site
www.mobile.service-verification[.]site
www.planet-labs[.]site
www.recover-identity[.]site
www.recover-session-service[.]site
www.recover-session[.]site
www.recovery-customer-service[.]site
www.recovery-session-service[.]site
www.recovery-session[.]site
www.recovery-session-verify[.]site
www.reset-account[.]com
www.service-recovery[.]site
www.service-session-recovery[.]site
www.service-support[.]site
www.service-verification-session[.]site
www.service-verification[.]site
www.session-confirmation[.]site
www.session-customer-activity[.]site
www.verify-session-service[.]site
yahoo.verify-session-service[.]site
109[.]202.99.98
134[.]19.188.242
134[.]19.188.243
134[.]19.188.244
134[.]19.188.246
146[.]59.185.15
146[.]59.185.19
185[.]23.214.187
185[.]23.214.188
213[.]152.176.205
213[.]152.176.206
54[.]37.164.254

download

Tip: 150 related IOCs (12 IP, 138 domain, 0 URL, 0 email, 0 file hash) to this threat have been found.

About Affiliation

Charming Kitten

Associate threats