2 Sources
[1]
WhatsApp chat from infosec expert could be Iranian phish
Charming Kitten unsheathes its claws and tries to catch credentials

The cyber-ops arm of Iran's Islamic Revolutionary Guard Corps has started a spear-phishing campaign intent on stealing credentials from Israeli journalists, cybersecurity experts, and computer science professors at leading Israeli universities. This latest phishing expedition, which Check Point Research pins on Iran's Charming Kitten crew (aka APT42, Mint Sandstorm, and Educated Manticore), began earlier this month, shortly after Israel's air strikes against Iran.

Charming Kitten employed more than 130 unique domains and numerous subdomains, using one or two for each targeted individual, researcher Sergey Shykevich told The Register. "This suggests there are likely dozens of intended targets, though the exact number is unclear. It's important to note that while this indicates targeting activity, we have no visibility into how many of these individuals or organizations were actually victims."

Check Point has listed the domains used in this campaign, along with other indicators of compromise, in a report published Wednesday.

The Iranian crew uses emails and WhatsApp messages as bait, and disguises them so they appear to come from threat intel analysts at real Israeli cybersecurity firms. In one email, "Sarah Novominski," a fake analyst at an infosec company, says she's seeking "initial tips or best practices for securing energy infrastructure against cyberthreats."

Check Point thinks Iran's hackers used AI to write the phishing messages, but they still managed to make mistakes. The email from "Sarah Novominski", for example, spells the name one way in the body of the message and another way in the sender's account name.

Another phishing message, this one sent on WhatsApp and also impersonating a cybersecurity employee, suggests an in-person meeting to discuss the "Iranian invasion and 700 percent cyberattack surge since June 12" and a possible AI-powered defense.
Iran has a history of trying to lure Israeli businessmen and academics into in-person meetings using WhatsApp messages and stolen or fake identities, and then using those meetups for kidnapping or intelligence-gathering purposes. So it's impossible to rule out "the possibility that this campaign extends beyond cyberspace," the Check Point report says.

In these types of scams, the initial email or WhatsApp messages don't contain any direct links to the phony meetings. Instead, the attackers work to gain the victims' trust through these online interactions and later send a meeting link that leads to an attacker-controlled phishing website. The phishing sites mimic Gmail login pages or Google Meet invitations.

Before sending the phishing link, the attackers ask the victim for their email address, which is then pre-filled on the credential phishing page to make it look more real and mimic the legitimate Google authentication process. Iran's cyber-operatives capture the credentials entered on the phishing pages, which lets them hoover up passwords and two-factor authentication codes and take over the victims' accounts outright.
[2]
Iranian APT35 Hackers Targeting Israeli Tech Experts with AI-Powered Phishing Attacks
An Iranian state-sponsored hacking group associated with the Islamic Revolutionary Guard Corps (IRGC) has been linked to a spear-phishing campaign targeting journalists, high-profile cyber security experts, and computer science professors in Israel.

"In some of those campaigns, Israeli technology and cyber security professionals were approached by attackers who posed as fictitious assistants to technology executives or researchers through emails and WhatsApp messages," Check Point said in a report published Wednesday. "The threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations."

The cybersecurity company attributed the activity to a threat cluster it tracks as Educated Manticore, which overlaps with APT35 (and its sub-cluster APT42), CALANQUE, Charming Kitten, CharmingCypress, Cobalt Illusion, ITG18, Magic Hound, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.

The advanced persistent threat (APT) group has a long history of orchestrating social engineering attacks using elaborate lures, approaching targets on various platforms like Facebook and LinkedIn using fictitious personas to trick victims into deploying malware on their systems.

Check Point said it observed a new wave of attacks starting mid-June 2025, following the outbreak of the Iran-Israel war, that targeted Israeli individuals using fake meeting decoys, either via emails or WhatsApp messages tailored to the targets. It's believed that the messages are crafted using artificial intelligence (AI) tools.

One of the WhatsApp messages flagged by the company took advantage of the current geopolitical tensions between the two countries to coax the victim into joining a meeting, claiming they needed their immediate assistance on an AI-based threat detection system to counter a surge in cyber attacks targeting Israel since June 12.
The initial messages, like those observed in previous Charming Kitten campaigns, are devoid of any malicious artifacts and are primarily designed to gain the trust of their targets. Once the threat actors build rapport over the course of the conversation, the attack moves to the next phase by sharing links that direct the victims to fake landing pages capable of harvesting their Google account credentials.

"Before sending the phishing link, threat actors ask the victim for their email address," Check Point said. "This address is then pre-filled on the credential phishing page to increase credibility and mimic the appearance of a legitimate Google authentication flow."

"The custom phishing kit [...] closely imitates familiar login pages, like those from Google, using modern web technologies such as React-based Single Page Applications (SPA) and dynamic page routing. It also uses real-time WebSocket connections to send stolen data, and the design allows it to hide its code from additional scrutiny."

The fake page is part of a custom phishing kit that captures not only the victim's credentials but also two-factor authentication (2FA) codes, effectively facilitating 2FA relay attacks. The kit also incorporates a passive keylogger to record all keystrokes entered by the victim and exfiltrate them in the event the user abandons the process midway.

Some of the social engineering efforts have also involved the use of Google Sites domains to host bogus Google Meet pages with an image that mimics the legitimate meeting page. Clicking anywhere on the image directs the victim to phishing pages that trigger the authentication process.

"Educated Manticore continues to pose a persistent and high-impact threat, particularly to individuals in Israel during the escalation phase of the Iran-Israel conflict," Check Point said. "The group continues to operate steadily, characterized by aggressive spear-phishing, rapid setup of domains, subdomains, and infrastructure, and fast-paced takedowns when identified. This agility allows them to remain effective under heightened scrutiny."
Iranian state-sponsored hackers are using AI-generated phishing messages to target Israeli cybersecurity experts and academics, aiming to steal credentials and potentially set up in-person meetings.
A sophisticated phishing campaign, attributed to the Iranian state-sponsored hacking group known as Charming Kitten (also APT35 or Educated Manticore), has been uncovered targeting Israeli cybersecurity experts, journalists, and academics. The campaign, which began in mid-June 2025 following escalated tensions between Iran and Israel, employs advanced social engineering tactics and AI-generated content to lure victims [1][2].
(Image source: The Hacker News)
The attackers are leveraging artificial intelligence to craft convincing phishing messages, demonstrating an evolution in their tactics. These messages, sent via email and WhatsApp, are tailored to each target and often impersonate cybersecurity professionals from legitimate Israeli firms [1]. For instance, one fraudulent email from a "Sarah Novominski" sought advice on securing energy infrastructure against cyber threats [1].
Check Point Research has identified over 130 unique domains and numerous subdomains used in this campaign, with each target being approached through one or two dedicated domains [1]. The phishing sites meticulously mimic Gmail login pages and Google Meet invitations, employing modern web technologies such as React-based Single Page Applications and real-time WebSocket connections to enhance credibility [2].
The custom phishing kit employed by Charming Kitten is designed to capture not only login credentials but also two-factor authentication (2FA) codes, enabling full account takeovers. The kit includes a passive keylogger to record all keystrokes, ensuring data capture even if the victim abandons the process midway [2].
Researchers warn that this campaign may extend beyond cyberspace. Given Iran's history of luring Israeli businessmen and academics into in-person meetings for kidnapping or intelligence gathering, there's concern that some phishing attempts might be precursors to physical threats [1].
The timing of this campaign, shortly after Israeli airstrikes against Iran, underscores the interplay between geopolitical events and cyber operations. Interestingly, one of the phishing lures referenced an "Iranian invasion and 700 percent cyberattack surge since June 12," proposing discussions about AI-powered defenses [1][2].
Check Point emphasizes that Educated Manticore poses a persistent and high-impact threat, particularly to individuals in Israel during the current conflict escalation. The group's agility in setting up and taking down infrastructure allows them to remain effective despite increased scrutiny [2].
As this campaign demonstrates, the intersection of AI, geopolitics, and cybersecurity continues to present new challenges, requiring constant vigilance and adaptive defense strategies from potential targets and cybersecurity professionals alike.
Summarized by Navi