Charming Kitten Resumes Phishing Campaigns Against Researchers and Activists
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
Since June 2024, the Iranian-linked threat group Charming Kitten (APT42) has continued to build phishing infrastructure, identified as Cluster B, to target individuals perceived as threats to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists. The group registered several new domains, likely intended to host credential phishing pages that masquerade as Google, YouTube, and file-hosting service login portals. Past campaigns have targeted individuals in the U.S., Israel, and Europe, primarily in the research, media, and academic sectors. The phishing emails often contain malicious links disguised as conference invitations or legitimate documents.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Human Rights | Verified |
| Sector | Journalists | Verified |
| Sector | Media | Verified |
| Sector | Researchers | Verified |
| Region | Israel | High |
| Region | United States | High |
| Region | European Countries | High |
Extracted IOCs
- app-engage-station[.]help
- click-manage-room[.]cfd
- competitive-searchvolume-considered[.]top
- flow-exulltation-uplift[.]top
- growing-prices-advanced[.]top
- horse-improve-department[.]top
- house-server-digital[.]xyz
- interconnected-equipment-buildings[.]buzz
- nail-forward-valid[.]lol
- paper-blue-hero[.]top
- request-human-received[.]xyz
- software-selection-features[.]buzz
- 135[.]181.203.1
13 IOCs are associated with this activity: 1 IP address and 12 domains (no URLs, email addresses, or file hashes).
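The IOCs above are published defanged (`[.]` in place of `.`), and a practitioner's first job is to turn them into something that can be matched against logs. The script below is an added example written for this page, not tooling from the advisory or from any vendor: it refangs the list, separates the IP from the domains, and scans a constructed proxy log (the four-field `timestamp src_ip dst_ip url` format and every log line are assumptions made up for the example). Domains are matched as the registered domain or any subdomain of it, and the log deliberately includes a host that merely contains an IOC domain as a label (`paper-blue-hero.top.evil-lookalike.example`) to show why a plain substring check would produce a false positive.

```python
import ipaddress
from urllib.parse import urlparse

# IOCs copied from the advisory above, in their defanged form.
DEFANGED_IOCS = [
    "app-engage-station[.]help",
    "click-manage-room[.]cfd",
    "competitive-searchvolume-considered[.]top",
    "flow-exulltation-uplift[.]top",
    "growing-prices-advanced[.]top",
    "horse-improve-department[.]top",
    "house-server-digital[.]xyz",
    "interconnected-equipment-buildings[.]buzz",
    "nail-forward-valid[.]lol",
    "paper-blue-hero[.]top",
    "request-human-received[.]xyz",
    "software-selection-features[.]buzz",
    "135[.]181.203.1",
]

# Constructed sample proxy log (assumed format: timestamp src_ip dst_ip url).
# None of these lines come from the advisory; they exist only to exercise the scanner.
SAMPLE_PROXY_LOG = """\
2024-07-02T09:14:05Z 10.0.0.12 142.250.72.14 https://accounts.google.com/signin/v2/identifier
2024-07-02T09:14:31Z 10.0.0.12 135.181.203.1 https://login.app-engage-station.help/accounts/signin?cont=drive
2024-07-02T09:15:02Z 10.0.0.40 104.16.1.1 https://paper-blue-hero.top.evil-lookalike.example/x
2024-07-02T09:16:44Z 10.0.0.40 135.181.203.1 http://135.181.203.1/upload
2024-07-02T09:17:10Z 10.0.0.55 20.190.1.1 https://login.microsoftonline.com/common/oauth2
"""


def refang(ioc: str) -> str:
    """Undo common defanging conventions: '[.]' and '(.)' -> '.', 'hxxp' -> 'http'."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").strip().lower()


def split_iocs(iocs):
    """Refang every indicator and sort it into a domain set and an IP-address set."""
    domains, ips = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.rstrip("."))
    return domains, ips


def domain_matches(host, domains):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Suffix matching on a leading '.' avoids false positives such as
    'notpaper-blue-hero.top' or 'paper-blue-hero.top.evil-lookalike.example'.
    """
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_proxy_log(log_text, domains, ips):
    """Return (line_no, src_ip, matched) for every log line that touches an IOC.

    `matched` is a list of ("domain", ioc) / ("ip", ioc) tuples; the URL host and
    the destination IP are both checked, so a request to an IOC domain that
    resolves to the IOC IP yields one hit carrying two indicators.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line for the assumed format; skip rather than crash
        _ts, src_ip, dst_ip, url = parts
        host = urlparse(url).hostname or ""
        matched = []
        domain = domain_matches(host, domains)
        if domain:
            matched.append(("domain", domain))
        ip_hit = next((x for x in (host, dst_ip) if x in ips), None)
        if ip_hit:
            matched.append(("ip", ip_hit))
        if matched:
            hits.append((line_no, src_ip, matched))
    return hits


if __name__ == "__main__":
    ioc_domains, ioc_ips = split_iocs(DEFANGED_IOCS)
    for line_no, src_ip, matched in scan_proxy_log(SAMPLE_PROXY_LOG, ioc_domains, ioc_ips):
        print(f"line {line_no}: {src_ip} -> {matched}")
```

Run against the constructed log, the scanner flags line 2 (an IOC subdomain resolving to the IOC IP) and line 4 (a direct request to the IP), and correctly ignores line 3 even though the IOC domain appears inside that hostname. The same `split_iocs` output can feed a DNS sinkhole or proxy blocklist; on a live network, wildcard the domains so subdomains are covered as they are here.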
FAQs
Frequently Asked Questions About the Charming Kitten Phishing Campaigns Against Researchers and Activists:
Who is CHARMING KITTEN?
CHARMING KITTEN, also known as APT42, Mint Sandstorm, and TA453, is an Iranian-nexus cyber threat actor. Its primary objective is to target individuals and entities that the Iranian regime perceives as threats, including but not limited to researchers, journalists, NGO leaders, and human rights activists.
How does CHARMING KITTEN conduct its attacks?
CHARMING KITTEN primarily uses credential phishing. It creates fake login pages that mimic legitimate services such as Google, YouTube, or file-hosting platforms and distributes them through targeted spear-phishing emails disguised as conference invitations or links to documents. Once a victim enters credentials on such a page, the attackers can use them to access the account. Because the attacker controls the page, it can also prompt for and relay a one-time passcode, so SMS or app-based codes alone are not a reliable defence against this technique; phishing-resistant MFA such as FIDO2 security keys is.
What does the newly identified infrastructure indicate?
The newly identified domains show that CHARMING KITTEN remains active and continues to expand its infrastructure while using the same techniques as before. The actor has not fundamentally changed its approach, which points to an ongoing campaign against the accounts of individuals of interest to the Iranian regime.
What types of credentials does CHARMING KITTEN target?
Based on past activity, CHARMING KITTEN targets credentials for Google, Microsoft, and Yahoo accounts, most likely to gain access to the mailboxes and data of compromised targets. It is also known to impersonate the login pages of file-hosting services.
Has public reporting affected CHARMING KITTEN's operations?
Public reporting has raised awareness of CHARMING KITTEN's activities but has not stopped them. The newly identified domains show that the actor continues to operate with the same techniques, prioritising persistent operations over adapting its methods, and is evidently unfazed by public knowledge of its campaign.