Current Cyber Threats

Iranian APT35 Hackers Targeting Israeli Tech Experts with AI-Powered Phishing Attacks

Summary:
Amid heightened tensions between Iran and Israel, the Iranian threat group Educated Manticore, linked to the Islamic Revolutionary Guard Corps, has intensified spear-phishing operations against Israeli journalists, cybersecurity professionals, and computer science professors. The group, whose activity overlaps with the clusters tracked elsewhere as APT42, Charming Kitten, and Mint Sandstorm, has long relied on credential theft and phishing as its core tactics. Check Point Research recently identified a new wave of impersonation campaigns in which the attackers posed as assistants to technology executives or researchers and approached victims by email or WhatsApp with professionally written messages, often produced with the help of artificial intelligence for added credibility. The lures direct victims to fake Gmail or Google Meet login pages designed to harvest both the password and the two-factor authentication code.

The phishing infrastructure is sophisticated: the pages are React-based single-page applications that mimic legitimate authentication flows. Victims are walked through the same step-by-step screens as the real service, such as password entry, verification prompts, and the 2FA token, while each input is exfiltrated as it is entered, through asynchronous POST requests and WebSocket channels. Because the kit also embeds a passive keylogger, every keystroke is captured whether or not the user ever submits the form. The real-time exfiltration matters: a one-time code relayed to the attacker within its validity window lets them complete the genuine login before the code expires. Some fake meeting links are hosted on Google Sites to borrow the legitimacy of a google.com address before redirecting users to attacker-controlled servers. Educated Manticore's kits also support Outlook and Yahoo phishing flows, though Gmail remains the most targeted.
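To make the 2FA-theft mechanism concrete, the following simulation (an added example written for this bulletin, not code from Check Point Research or from the Educated Manticore kit) models a victim typing a password and one-time code into a fake login page that forwards each keystroke, and shows why an attacker replaying those values within the code's validity window succeeds, while the same real-time relay fails against an origin-bound authenticator. It assumes the second factor is RFC 6238 TOTP, since the report does not name the 2FA type; it stands in an HMAC for a WebAuthn public-key signature; and the secrets, nonces, origins, and the `TotpService`, `PhishingKit` and `OriginBoundService` names are all constructed for the example.

```python
"""Why real-time relay defeats one-time codes but not an origin-bound second factor.

Added simulation, not code from Check Point's report or from the Educated Manticore
kit. Assumptions: the second factor is RFC 6238 TOTP (the page does not name the 2FA
type); the WebAuthn-style authenticator is modelled with an HMAC rather than a real
public-key signature; every secret, nonce and origin below is a constructed value.
"""
import hashlib
import hmac
import struct

TOTP_STEP = 30  # seconds per TOTP code

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)

def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP for the 30-second step containing `now`."""
    return hotp(secret, int(now // TOTP_STEP))

class TotpService:
    """Legitimate service (stand-in for Gmail): password plus TOTP. As most deployments
    do, it accepts the code for the current step and for the previous one."""
    def __init__(self, password: str, totp_secret: bytes):
        self.password, self.secret = password, totp_secret

    def login(self, password: str, code: str, now: float) -> bool:
        if password != self.password:
            return False
        step = int(now // TOTP_STEP)
        return any(hmac.compare_digest(hotp(self.secret, s), code) for s in (step, step - 1))

class PhishingKit:
    """Attacker-controlled fake login page. Every keystroke is forwarded as it is typed
    (the real kit used POST/WebSocket); nothing waits for the victim to press Submit."""
    def __init__(self, target: TotpService):
        self.target, self.captured = target, {}

    def keystroke(self, field: str, char: str) -> None:
        self.captured[field] = self.captured.get(field, "") + char  # passive keylogger

    def attacker_replays(self, now: float) -> bool:
        """Attacker submits the live copy of both fields to the real service."""
        return self.target.login(self.captured.get("password", ""),
                                 self.captured.get("otp", ""), now)

def otp_relay_succeeds(delay_seconds: float = 5.0, now: float = 1_750_000_000.0) -> bool:
    """Victim types password and current TOTP into the fake page; attacker replays them
    `delay_seconds` later. Inside the validity window the replay succeeds."""
    secret = b"victim-totp-secret-constructed"
    kit = PhishingKit(TotpService("Passw0rd!", secret))
    for ch in "Passw0rd!":
        kit.keystroke("password", ch)
    for ch in totp(secret, now):  # victim reads this off their authenticator app
        kit.keystroke("otp", ch)
    return kit.attacker_replays(now + delay_seconds)

def bound_assertion(key: bytes, challenge: bytes, origin: str) -> str:
    """Origin-bound second factor: the assertion covers the challenge AND the origin the
    browser observed. WebAuthn signs clientDataJSON with a private key; HMAC stands in."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()

class OriginBoundService:
    ORIGIN = "accounts.google.com"  # the relying party's legitimate origin

    def __init__(self, key: bytes):
        self.key = key

    def new_challenge(self) -> bytes:
        return b"nonce-constructed-0001"

    def verify(self, challenge: bytes, assertion: str) -> bool:
        return hmac.compare_digest(bound_assertion(self.key, challenge, self.ORIGIN), assertion)

def origin_bound_login_succeeds(page_origin: str) -> bool:
    """Attacker fetches a fresh challenge from the real service and relays it to the victim's
    browser on `page_origin`. The browser binds the assertion to that origin, so a relay from
    a look-alike page fails even in real time; the same call from the real origin succeeds."""
    key = b"authenticator-key-constructed"
    svc = OriginBoundService(key)
    challenge = svc.new_challenge()
    return svc.verify(challenge, bound_assertion(key, challenge, page_origin))

if __name__ == "__main__":
    print(otp_relay_succeeds())                                        # True
    print(otp_relay_succeeds(delay_seconds=120.0))                     # False
    print(origin_bound_login_succeeds("meet-google-invite.example"))   # False
    print(origin_bound_login_succeeds(OriginBoundService.ORIGIN))      # True
```

The `delay_seconds` parameter exposes the attacker's constraint: a relayed TOTP is only usable for roughly a minute (the current step plus the previous one), which is exactly why the kit exfiltrates per keystroke instead of waiting for a form submit. The origin-binding half shows why phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) is the relevant control for this campaign: a look-alike page cannot produce an assertion the real service will accept, no matter how fast it relays.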


Security Officer Comments:
Since January 2025, researchers have tracked a significant expansion of this infrastructure, counting more than 130 domains, many registered through Namecheap and hosted on IP addresses associated with a known sub-cluster tracked as GreenCharlie. These domains serve both as phishing pages and as back-end collection points. The group's evolving tactics also include impersonating cybersecurity companies and approaching victims under urgent or geopolitical pretexts, including suggestions of in-person meetings, an unusual and potentially more dangerous escalation.


Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: Layer controls so that a single phished credential is never enough: strong perimeter defenses, network segmentation, endpoint protection, intrusion detection, data encryption, least-privilege access controls, and continuous monitoring for anomalous sign-ins. Because this campaign relays one-time codes in real time, prefer phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys), whose assertions are bound to the legitimate origin and cannot be replayed from a look-alike page, over SMS or app-generated codes for the targeted user populations.
  • Threat intelligence and sharing: Participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Exchanging indicators and tradecraft for APT groups, such as the domains and hosting cluster noted above, lets other organizations detect and block the same infrastructure faster.
  • Employee education and awareness: Run regular awareness programs, phishing simulations, and training that cover the current lures: unsolicited meeting invitations from an executive's "assistant" over email or WhatsApp, login pages reached from a Google Sites link, and any request to enter a 2FA code outside the normal sign-in flow. High-risk staff such as researchers, journalists, and executives warrant targeted briefings.
  • Incident response and recovery: Regardless of preventive measures, maintain a well-defined incident response plan covering detection, containment, eradication, and recovery. For a credential-phishing incident this means revoking the compromised account's sessions and tokens, resetting the password and re-enrolling second factors, and checking mailbox forwarding rules and third-party app grants for attacker persistence before declaring the account clean.
Link(s):
https://thehackernews.com/2025/06/iranian-apt35-hackers-targeting-israeli.html