Ethical Hacking News
Iran's Charming Kitten crew has launched a spear-phishing campaign targeting Israeli journalists, cybersecurity experts, and computer science professors from leading Israeli universities, using AI-powered tools to craft convincing messages. The attack employed over 130 unique domains and numerous subdomains, with the aim of stealing sensitive information.
The IRGC launched a spear-phishing campaign targeting Israeli journalists, cybersecurity experts, and computer science professors. The campaign used over 130 unique domains and numerous subdomains, suggesting dozens of intended targets. The attackers disguised emails and WhatsApp messages so that they appeared to come from threat intelligence analysts at real Israeli cybersecurity firms. The phishing sites were designed to mimic Gmail login pages or Google Meet invitations, with pre-filled email addresses for added legitimacy. Check Point Research highlights the importance of vigilance in the face of spear-phishing attacks and provides indicators of compromise for investigation.
In a disturbing display of cyber warfare, Iran's Islamic Revolutionary Guard Corps (IRGC) has launched a spear-phishing campaign aimed at stealing sensitive information from Israeli journalists, cybersecurity experts, and computer science professors from leading Israeli universities. The campaign, attributed to the Iranian cyber-operative group known as Charming Kitten, also tracked as APT42, Mint Sandstorm, and Educated Manticore, is a stark reminder of the evolving nature of modern cyber warfare.
According to Check Point Research, an Israeli cybersecurity firm, the spear-phishing campaign began earlier this month, shortly after Israel's air strikes against Iran. The attack employed over 130 unique domains and numerous subdomains, with one or two domains used for each targeted individual. This suggests that there are likely dozens of intended targets, although the exact number is unclear.
The Iranian crew used emails and WhatsApp messages as bait, disguising them to appear as if they came from threat intelligence analysts at real Israeli cybersecurity firms. In one email, a fake analyst named "Sarah Novominski" from an infosec company claimed she was seeking "initial tips or best practices for securing energy infrastructure against cyber threats." This ploy is eerily reminiscent of Iranian cyber-operative tactics used in the past to lure Israeli businessmen and academics into in-person meetings using stolen and fake identities, which were then used for kidnapping or intel-gathering purposes.
The phishing messages sent on WhatsApp also impersonated cybersecurity employees, suggesting a possible in-person meeting to discuss the "Iranian invasion and 700 percent cyberattack surge since June 12." The attackers worked to gain the victims' trust through these online interactions before sending a meeting link that led to a phony website mimicking Gmail login pages or Google Meet invitations.
To make the phishing sites appear more legitimate, the attackers asked the victim for their email address, which was then pre-filled on the credential phishing page. Once victims entered their credentials on the phishing pages, the Iranian cyber-operatives could hoover up passwords and two-factor authentication codes, enabling full takeover of the victims' accounts.
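A defender-side triage sketch for the lure described above, added here as an example and not taken from Check Point's report or this article: it flags clicked URLs that show Google branding on a non-Google host and carry a monitored mailbox's address. The article does not say how the address reaches the phishing page; carrying it in the URL (plain, percent-encoded or base64) is an assumption, and all hosts, mailboxes and function names are constructed.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

GOOGLE_SUFFIXES = (".google.com", ".gmail.com")   # genuine sign-in / Meet hosts
BRAND_TOKENS = ("google", "gmail", "meet", "accounts")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"[A-Za-z0-9_\-+/]{12,}={0,2}")

def embedded_emails(url):
    """Addresses carried in the URL: plain, percent-encoded or base64 (assumed)."""
    parts = urlsplit(url)
    text = unquote(" ".join((parts.path, parts.query, parts.fragment)))
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    for token in B64_RE.findall(text):
        try:
            padded = token + "=" * (-len(token) % 4)
            decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
        except ValueError:   # covers bad base64 and non-UTF-8 bytes
            continue
        found.update(m.lower() for m in EMAIL_RE.findall(decoded))
    return found

def assess(url, mailboxes):
    """Return the reasons a clicked URL resembles the lure described above."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Leading dot makes "google.com" match but "evilgoogle.com" not match.
    if not host or ("." + host).endswith(GOOGLE_SUFFIXES):
        return []
    reasons = []
    if any(t in (host + parts.path).lower() for t in BRAND_TOKENS):
        reasons.append("google-branding-on-non-google-host")
    if embedded_emails(url) & mailboxes:
        reasons.append("recipient-address-in-url")
    return reasons

MAILBOXES = {"dana@uni.example"}   # constructed mailbox under protection

def sample_urls():
    """Constructed proxy-log URLs; no real campaign domains are used."""
    b64 = base64.urlsafe_b64encode(b"dana@uni.example").decode().rstrip("=")
    return ["https://meet.google.com/abc-defg-hij",
            "https://accounts.google.com/signin?Email=dana@uni.example",
            "https://meet-join.lookalike.example/invite?u=" + b64,
            "https://login.lookalike.example/gmail/signin?email=dana%40uni.example",
            "https://news.example/story?id=42"]

if __name__ == "__main__":
    print([(u, assess(u, MAILBOXES)) for u in sample_urls()])
```

A URL that returns both reasons is worth an analyst's attention; either reason alone is a weak signal, since "meet" and similar tokens occur in many benign hostnames.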
In recent weeks, there has been an increased focus on spear-phishing attacks, which involve targeting specific individuals or organizations with tailored messages that aim to trick them into divulging sensitive information. These types of attacks have become increasingly sophisticated, often using AI-powered tools to craft more convincing and personalized messages.
Check Point's report highlights the importance of vigilance in the face of such threats. The firm has listed the domains used in this campaign, along with other indicators of compromise, for anyone who wishes to investigate further.
This latest spear-phishing campaign serves as a stark reminder of the evolving nature of modern cyber warfare and the need for increased vigilance among cybersecurity professionals, policymakers, and individuals alike. As tensions between Israel and Iran continue to escalate, it is essential that all parties involved take proactive steps to protect themselves against such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Shadowy-Art-of-Iranian-Cyber-Warfare-A-Spear-Phishing-Campaign-Targets-Israeli-Journalists-and-Experts-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/06/26/that_whatsapp_from_an_israeli/
Published: Thu Jun 26 03:11:58 2025 by llama3.2 3B Q4_K_M