# Full Report
An Iranian state-sponsored hacking group associated with the Islamic Revolutionary Guard Corps (IRGC) has been linked to a spear-phishing campaign targeting journalists, high-profile cyber security experts, and computer science professors in Israel. "In some of those campaigns, Israeli technology and cyber security professionals were approached by attackers who posed as fictitious assistants to
# Analysis Summary
# Threat Actor: APT35 (Educated Manticore)
## Attribution & Identity
**Attribution:** Iranian state-sponsored hacking group associated with the Islamic Revolutionary Guard Corps (IRGC).
**Aliases/Associated Groups:** Educated Manticore (cluster tracked by Check Point), APT42, CALANQUE, Charming Kitten, CharmingCypress, Cobalt Illusion, ITG18, Magic Hound, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.
## Activity Summary
The actor is linked to a spear-phishing campaign launched in mid-June 2025, following the outbreak of the Iran-Israel war. The campaign specifically targets Israeli technology and cyber security experts, journalists, and computer science professors. Attackers conducted social engineering over email and WhatsApp while posing as fictitious assistants to executives and researchers. Targets were lured into fake Google Meet invitations or directed to fake Gmail login pages. The messages were tailored to each target, sometimes exploited current geopolitical tensions, and were assessed as potentially crafted with Artificial Intelligence (AI) tools.
## Tactics, Techniques & Procedures
- **Social Engineering:** Orchestrating elaborate social engineering attacks using fictitious personas on platforms like Facebook and LinkedIn, as well as email and WhatsApp.
- **Initial Access/Lures:** Approaching targets with initial messages devoid of malicious artifacts to build rapport and trust.
- **Credential Harvesting:** Directing engaged victims to fake landing pages (impersonating Google login flows) to harvest Google account credentials.
- **Pre-filling Data:** Threat actors ask for the victim's email address first, which is then pre-filled on the phishing page to increase credibility.
- **Deception:** Using fake meeting invitations as lures (e.g., an offer of assistance with an AI-based threat detection system).
## Targeting
- **Sectors:** Technology, Cyber Security, Academia (Computer Science Professors).
- **Geography:** Israel.
- **Victims:** Journalists, high-profile cyber security experts, and computer science professors in Israel.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named in this text snippet; previous Charming Kitten campaigns have deployed malware.
- **Infrastructure (C2, domains, IPs):** A custom phishing kit imitating familiar login pages (e.g., Google). No specific URLs or IPs were provided in a defangable format in the summary text.
## Implications
This activity demonstrates APT35's continued focus on espionage targeting sensitive Israeli technical and academic communities, especially in the context of escalated geopolitical conflict (Iran-Israel war). The integration of AI in crafting social engineering lures indicates a shift toward more sophisticated and highly personalized influence operations designed to bypass existing trust indicators.
## Mitigations
- **Heightened Vigilance:** Increased scrutiny for unsolicited communications (email/WhatsApp) from unknown senders, particularly those concerning current geopolitical events (like the Iran-Israel war).
- **Credential Verification:** Never enter credentials on pages linked from unexpected communications; always verify the URL, and treat a login prompt with a pre-filled email address as suspicious unless its legitimacy is certain.
- **Multi-Factor Authentication (MFA):** Ensure MFA is enforced on all Google/other critical accounts to mitigate risks from successful credential harvesting.
- **Technical Controls:** Deploy robust email filtering and network monitoring to detect and block communication patterns associated with known Iranian APT groups.