Threats Feed | Charming Kitten | Last Updated: 20/11/2025 | Author: Certfa Radar | Publish Date: 07/08/2025

New Charming Kitten Operation Blends Long-Term Reconnaissance and WebSocket Phishing

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Spear Phishing
  • Attack Complexity: Low
  • Threat Risk: Low Impact/Low Probability

Threat Overview

The new Charming Kitten campaign demonstrates a significant escalation in the group’s operational maturity, combining strategic impersonation, long-term reconnaissance, and a large, automated infrastructure. The attackers impersonated Pentagon official Ariane Tabatabai to target Iranian activists, initiating contact via Telegram before redirecting victims through Google Sites to credential-harvesting domains using a WebSocket-based phishing kit. Evidence shows the group monitored security researcher activity for months, preparing infrastructure from May and launching operations in late July. More than 30 previously unseen domains support the campaign, reflecting increased automation, operational scale, and real-time monitoring. The operation highlights Charming Kitten’s growing geopolitical awareness and refined social engineering capability.

Detected Targets

Type     Description      Confidence
Sector   Researchers      Verified
Region   United Kingdom   High

Extracted IOCs

  • alpha-meet[.]online
  • alpha-met[.]online
  • alpha-radial[.]online
  • amjc-jp[.]com
  • arcanet[.]online
  • azdava[.]online
  • cppsg[.]online
  • good-while[.]online
  • into-panel[.]online
  • into-support[.]online
  • jessyland[.]online
  • kuret-live[.]online
  • kuret-met[.]online
  • lingo-web[.]online
  • live-board[.]online
  • look-together-online[.]online
  • nerdes-look[.]online
  • online-speak[.]online
  • owner-rate[.]online
  • panel-personal[.]online
  • powlow[.]online
  • safe-core[.]online
  • safe-lord[.]online
  • samoli[.]online
  • tapanj[.]online
  • tensore[.]online
  • teslator[.]online
  • tomsahor[.]online
  • view-tools[.]online
  • viliam-live-identity[.]online
  • 1750a814-2aa9-4034-a610-89af9b558e61.arcanet[.]online
  • book.alpha-radial[.]online
  • book.check-safe[.]online
  • book.facepanel[.]online
  • book.good-while[.]online
  • book.into-panel[.]online
  • book.jessyland[.]online
  • book.kuret-live[.]online
  • book.lingo-web[.]online
  • book.lingside-panel[.]online
  • book.loside-panel[.]online
  • book.nerdes-look[.]online
  • book.panel-personal[.]online
  • book.powlow[.]online
  • book.safe-core[.]online
  • book.samoli[.]online
  • book.tapanj[.]online
  • book.tomsahor[.]online
  • book.view-tools[.]online
  • viliam.alpha-meet[.]online
  • viliam.alpha-met[.]online
  • viliam.arcanet[.]online
  • viliam.azdava[.]online
  • viliam.cppsg[.]online
  • viliam.into-support[.]online
  • viliam.kuret-live[.]online
  • viliam.kuret-met[.]online
  • viliam.live-board[.]online
  • viliam.online-speak[.]online
  • viliam.owner-rate[.]online
  • viliam.p-safe[.]online
  • viliam.safe-lord[.]online
  • viliam.tensore[.]online
  • viliam.teslator[.]online
  • viliam.viliam-live-identity[.]online
  • villiam.online-speak[.]online
  • 185[.]90.162.66
  • 79[.]132.131.184
  • hxxps://jessyland[.]online:8569/content/value
  • (wss)://jessyland[.]online:8569/room

Tip: 70 IOCs related to this threat have been found (2 IP, 66 domain, 2 URL, 0 email, 0 file hash).

FAQs

Charming Kitten’s 2025 Impersonation Campaign: What You Need to Know

A well-known Iranian espionage group launched a new phishing operation using a fake Telegram account impersonating a U.S. government official. The goal was to lure Iranian activists and researchers into a realistic Google login page and steal their account credentials.

The activity aligns with Charming Kitten, an Iranian state-linked cyber unit known for targeting activists, journalists, and academics. Their tactics and infrastructure closely match previous operations from this group.

The primary targets were Iranian activists, researchers, and individuals involved in political or security issues related to Iran. The attackers specifically monitored a public Telegram channel linked to researcher activity.

The attackers used a real U.S. official’s identity, previously involved in controversy, to make the impersonation more believable. They also monitored researchers for months and deployed more than 30 new phishing domains in a short time.

Victims were contacted through Telegram and directed to a Google Sites page, then to a phishing website. The page imitated Google’s login process and used real-time WebSocket technology to capture credentials instantly.

Iranian activists and researchers often hold information that is politically sensitive for the Iranian government. Impersonating a U.S. official made the lure more compelling and credible within these circles.

The campaign was highly targeted, focusing on specific individuals rather than broad populations. However, the scale of the infrastructure suggests the group is planning or conducting multiple related operations.

Use hardware security keys, verify unexpected outreach from officials or journalists, enable strong MFA options, and avoid engaging with unsolicited Telegram messages offering meetings or consultations.