
The Iranian state-sponsored hacking group associated with the Islamic Revolutionary Guard Corps (IRGC) has been linked to a spear-phishing campaign targeting journalists, well-known cybersecurity experts, and Israeli computer science professors.
“In some of these campaigns, Israeli technology and cybersecurity experts were approached by attackers who pretended to be fictitious assistants to technology executives or researchers through email and WhatsApp messages,” Check Point said in a report released Wednesday. “The threat actor then directed the invited victims to a fake Gmail login page.”
The cybersecurity company attributed the activity to the threat cluster tracked as APT35 (and its subcluster APT42), CALANQUE, Charming Kitten, CharmingCypress, Cobalt Illusion, ITG18, Magic Hound, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.

Advanced persistent threat (APT) groups have a long history of using elaborate lures in social engineering attacks, approaching targets on platforms such as Facebook and LinkedIn and using fictional personas to trick victims into deploying malware on their systems.
According to Check Point, a new wave of attacks that began in mid-June 2025, in the wake of the Israel-Iran war, targeted Israelis with fake meeting invitations sent via targeted emails or WhatsApp messages. The messages are believed to have been written with artificial intelligence (AI) tools.

One WhatsApp message flagged by the company exploited the current geopolitical tensions between the two countries to lure victims, claiming that immediate help was needed on an AI-based threat detection system to counter the surge of cyberattacks targeting Israel since June 12th.
As in previous Charming Kitten campaigns, the first message contains no malicious artifacts and is designed primarily to gain the target's trust. Once the threat actor has established trust over the course of the conversation, the attack moves to the next phase: sharing a link that directs the victim to a fake landing page built to collect the target's Google account credentials.
“Before sending a phishing link, threat actors will ask the victim for an email address,” Check Point said. “This address is pre-entered on the credential phishing page to increase credibility and mimic the appearance of a legitimate Google authentication flow.”
“[The] custom phishing kit […] closely mimics familiar login pages like Google's using modern web technologies such as React-based single-page applications (SPAs) and dynamic page routing. It also uses a real-time WebSocket connection to send stolen data, and its design allows it to hide its code from additional scrutiny.”
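The two details Check Point calls out, an email address pre-filled into a lookalike sign-in route and a WebSocket channel from the same host carrying the stolen input, give a defender something to look for in web proxy logs. The following script is an added illustration, not code from the report or from Check Point: it parses a few constructed proxy log lines and flags a client that loads a Google-style sign-in path with a pre-filled identifier on a host outside a Google allowlist and then opens a WebSocket to that same host within a short window. The log format, the allowlist, the path pattern and the hostnames are all assumptions for the example.

```python
"""Flag proxy sessions that look like a credential-phishing SPA with WebSocket exfiltration.

Heuristic (an assumption for this example, not a rule from Check Point's report):
a host that is NOT a known Google authentication host serves a Google-style sign-in
route carrying a pre-filled email/identifier, and the same client then completes a
WebSocket upgrade (HTTP 101) to that same host within a short time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Legitimate Google authentication hosts (assumed list; extend for your environment).
GOOGLE_AUTH_HOSTS = {"accounts.google.com", "myaccount.google.com", "www.google.com"}

# Path fragments a Google sign-in flow normally uses, and query keys used to pre-fill
# the identifier field (assumed patterns).
LOGIN_PATH_RE = re.compile(r"/(signin|ServiceLogin|accounts|login|v3/signin)", re.I)
PREFILL_KEYS = {"email", "login_hint", "identifier", "Email"}

# Constructed sample proxy log lines (not real traffic):
#   timestamp  src_ip  method  url  status  upgrade_header
# "meet-invite.example" is a constructed lookalike host; ".example" is a reserved TLD.
SAMPLE_LOG = """\
2025-06-18T09:12:01Z 10.0.0.5 GET https://accounts.google.com/v3/signin/identifier?login_hint=alice%40example.com 200 -
2025-06-18T09:12:03Z 10.0.0.5 GET https://meet-invite.example/accounts/signin?email=alice%40example.com 200 -
2025-06-18T09:12:05Z 10.0.0.5 GET https://meet-invite.example/socket 101 websocket
2025-06-18T09:30:40Z 10.0.0.7 GET https://chat.internal.example/ws 101 websocket
"""


def parse_line(line):
    """Split one log line into the fields the heuristic needs."""
    ts, src, _method, url, status, upgrade = line.split()
    u = urlparse(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "host": u.hostname,
        "path": u.path,
        "query": parse_qs(u.query),
        "status": int(status),
        "websocket": upgrade.lower() == "websocket",
    }


def looks_like_login_lure(entry):
    """A sign-in-looking path with a pre-filled identifier on a non-Google host."""
    if entry["host"] in GOOGLE_AUTH_HOSTS:
        return False
    return bool(LOGIN_PATH_RE.search(entry["path"])) and bool(PREFILL_KEYS & set(entry["query"]))


def find_suspicious_sessions(log_text, window=timedelta(minutes=10)):
    """Return one alert per (lure page, later WebSocket upgrade) pair from the same client."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for e in entries:
        by_src[e["src"]].append(e)

    alerts = []
    for src, events in by_src.items():
        for lure in (e for e in events if looks_like_login_lure(e)):
            for e in events:
                delta = (e["ts"] - lure["ts"]).total_seconds()
                if (e["websocket"] and e["status"] == 101 and e["host"] == lure["host"]
                        and 0 <= delta <= window.total_seconds()):
                    alerts.append({
                        "src": src,
                        "host": lure["host"],
                        "prefilled_key": sorted(PREFILL_KEYS & set(lure["query"]))[0],
                        "lure_ts": lure["ts"].isoformat(),
                        "ws_ts": e["ts"].isoformat(),
                    })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_sessions(SAMPLE_LOG):
        print(f"ALERT {a['src']} -> {a['host']}: pre-filled '{a['prefilled_key']}' "
              f"at {a['lure_ts']}, WebSocket at {a['ws_ts']}")
```

The genuine accounts.google.com request with `login_hint` is ignored because the host is on the allowlist, and the internal chat WebSocket is ignored because no lure page preceded it from that client; only the lookalike host that served a pre-filled sign-in page and then took a WebSocket upgrade is reported.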

The fake page is part of a custom phishing kit that captures not only credentials but also two-factor authentication (2FA) codes, effectively enabling 2FA relay attacks. The kit also includes a passive keylogger that records every keystroke the victim enters and exfiltrates them even if the user abandons the process midway.
Some of the social engineering efforts use the Google Sites domain to host fake Google Meet pages built from images that mimic legitimate meeting pages. Clicking anywhere on the image sends the victim to a phishing page that triggers the authentication process.
“Educated Manticore continues to pose a lasting and impactful threat to Israeli individuals, particularly during the escalation stage of the Iran-Israel conflict,” Check Point said.
“The group continues to operate steadily, featuring aggressive spear phishing, rapid setup of domains, subdomains, and infrastructure, and fast-paced takedowns when identified.”
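A kit that relays a one-time 2FA code works because the code is not tied to the page the victim typed it into. The simulation below is an added illustration, not code from the report or from any WebAuthn library, of why an origin-bound second factor (WebAuthn/FIDO2) does not have that weakness: the browser records the page origin in clientDataJSON, the authenticator signs over that data plus an rpIdHash, and the relying party rejects an assertion whose recorded origin is not its own. HMAC stands in for the credential's public-key signature, and the RP ID, origins and challenge handling are assumptions for the example.

```python
"""Why an origin-bound second factor resists relay: a toy WebAuthn-style assertion check.

Simplifications (all assumed for the example): HMAC over a shared secret replaces the
credential's asymmetric signature, and only the parts of the WebAuthn assertion that
matter for relay resistance are modelled (clientDataJSON origin/challenge, rpIdHash).
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                            # relying party ID (assumed)
RP_ORIGIN = "https://login.example.com"          # the only origin the RP accepts (assumed)
PHISH_ORIGIN = "https://login-example.invalid"   # constructed lookalike origin


class Authenticator:
    """Stand-in for a FIDO2 authenticator; the secret plays the role of the private key."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self._key = secrets.token_bytes(32)

    def verifier_key(self):
        # With HMAC the verification key is the same secret; in real WebAuthn the RP
        # would receive a public key at registration instead.
        return self._key

    def get_assertion(self, client_data_json: bytes):
        # authenticatorData = rpIdHash || flags (user-present bit set)
        auth_data = hashlib.sha256(self.rp_id.encode()).digest() + b"\x01"
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._key, signed, hashlib.sha256).digest()


def browser_client_data(origin: str, challenge: str) -> bytes:
    """What the browser builds before handing the request to the authenticator."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


class RelyingParty:
    def __init__(self, rp_id, origin, verifier_key):
        self.rp_id, self.origin, self.key = rp_id, origin, verifier_key
        self.pending = set()   # challenges issued but not yet consumed

    def new_challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self.pending.add(c)
        return c

    def verify(self, client_data_json: bytes, auth_data: bytes, signature: bytes) -> str:
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get":
            return "bad type"
        if cd.get("challenge") not in self.pending:
            return "unknown or replayed challenge"
        if cd.get("origin") != self.origin:
            return "origin mismatch"          # the relay case ends here
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        expected = hmac.new(self.key, auth_data + hashlib.sha256(client_data_json).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "bad signature"
        self.pending.discard(cd["challenge"])  # single use
        return "ok"


def legitimate_login(rp: RelyingParty, authn: Authenticator) -> str:
    challenge = rp.new_challenge()
    cdj = browser_client_data(rp.origin, challenge)
    auth_data, sig = authn.get_assertion(cdj)
    return rp.verify(cdj, auth_data, sig)


def relayed_login(rp: RelyingParty, authn: Authenticator) -> str:
    """The relay scenario: the real challenge is forwarded to the victim on a lookalike page."""
    challenge = rp.new_challenge()                    # proxy obtained this from the real RP
    cdj = browser_client_data(PHISH_ORIGIN, challenge)  # victim's browser records where it really is
    auth_data, sig = authn.get_assertion(cdj)         # signature now covers the phishing origin
    return rp.verify(cdj, auth_data, sig)             # forwarded to the real RP: rejected


if __name__ == "__main__":
    authn = Authenticator(RP_ID)
    rp = RelyingParty(RP_ID, RP_ORIGIN, authn.verifier_key())
    print("legitimate:", legitimate_login(rp, authn))
    print("relayed:   ", relayed_login(rp, authn))
```

In a real browser the relay fails one step earlier, because the credential's RP ID must match the page's domain before the authenticator is even invoked; the simulation shows the second, server-side layer, which is why the result is "origin mismatch" rather than a usable session.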