German Authorities Warn of Charming Kitten Cyberespionage Against Exiled Iranians
- Actor Motivations: Espionage,Exfiltration
- Attack Vectors: Spear Phishing
- Attack Complexity: Low
- Threat Risk: Unknown
Threat Overview
Charming Kitten has intensified its cyber espionage operations targeting Iranian dissidents, legal professionals, journalists, and human rights activists in Germany and abroad. According to the German BfV, the group uses detailed social engineering and spoofed online identities to initiate contact and build trust. Victims are lured into video calls via phishing links that mimic legitimate platforms like Google or Microsoft. These links lead to credential-harvesting sites, often intercepting two-factor authentication as well. Stolen credentials are then used to access cloud services and extract personal data using tools like Google Takeout.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Dissident | Verified |
| Sector | Human Rights | Verified |
| Sector | Journalists | Verified |
| Region | Germany | Verified |
Extracted IOCs
- beape[.]live
- beasze[.]live
- beeasaze[.]top
- bnt2[.]live
- check-control-panel[.]live
- check-reload-page[.]live
- cover-home-page[.]xyz
- cover-home-panel[.]xyz
- direct-view-check[.]live
- direct-view-panel[.]xyz
- ksview[.]top
- load-panel[.]online
- node-dashboard[.]site
- node-panel[.]site
- panel-review-check[.]live
- stellar-stable-faith[.]top
- view-direct-panel[.]live
- view-direct-panel[.]xyz
- view-home-panel[.]xyz
Tip: 19 related IOCs (0 IP, 19 domain, 0 URL, 0 email, 0 file hash) to this threat have been found.
Overlaps
Source: Google Cloud - May 2024
Detection (one case): ksview[.]top
Source: Secureworks - March 2023
Detection (three cases): node-dashboard[.]site, node-panel[.]site, stellar-stable-faith[.]top
Source: Proofpoint - December 2022
Detection (one case): bnt2[.]live
Source: Certfa - September 2022
Detection (11 cases): beape[.]live, beasze[.]live, bnt2[.]live, check-reload-page[.]live, cover-home-page[.]xyz, cover-home-panel[.]xyz, direct-view-panel[.]xyz, load-panel[.]online, panel-review-check[.]live, view-direct-panel[.]live, view-home-panel[.]xyz
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
FAQs
Understanding Charming Kitten's Espionage Campaign
A known Iranian state-linked group called Charming Kitten targeted Iranian dissidents in Germany using phishing tactics to gain access to personal accounts and data.
The group Charming Kitten, associated with the Iranian regime, is known for targeting critics of the government, especially those involved in legal, journalistic, or human rights work.
The attackers aimed to spy on individuals by stealing access to their email, messaging, and cloud accounts through deceptive phishing campaigns.
Primarily Iranian opposition members and exiles in Germany, including lawyers, journalists, and activists.
Attackers pretended to be trusted contacts, invited victims to a fake video call, and tricked them into entering their passwords on a fake website that looked legitimate.
These individuals are critical of the Iranian government and likely possess sensitive information, making them valuable espionage targets.
Verify new or unusual contacts through a second trusted channel, avoid clicking suspicious links, enable two-factor authentication, and monitor accounts for unauthorized access.
This campaign was targeted, focusing on specific individuals linked to Iranian opposition groups in Germany.