Security Experts:

Connect with us

Hi, what are you looking for?



Iranian Hackers Target Academic Researcher via WhatsApp, LinkedIn

The Iran-linked hacking group known as Charming Kitten recently switched to WhatsApp and LinkedIn to conduct phishing attacks, Clearsky security researchers reveal.

The Iran-linked hacking group known as Charming Kitten recently switched to WhatsApp and LinkedIn to conduct phishing attacks, Clearsky security researchers reveal.

Active since at least 2011, the adversary is also tracked as Ajax Security Team, APT35, ITG18, NewsBeef, Newscaster, and Phosphorus, and was previously observed targeting a U.S. presidential candidate, media organizations, government officials, and prominent expatriate Iranians, using an updated spear phishing technique.

In July, only a couple of months after Google revealed that the Iranian hackers targeted the WHO, the threat actor accidentally leaked 40Gb of data. In early 2020, the hackers were observed posing as journalists in a phishing campaign that targeted at least five individuals around the world.

Now, security firm Clearsky reveals that the adversary continues phishing attacks in which they impersonate journalists, this time from ‘DeutscheWelle’ and the ‘Jewish Journal’, and it employed both email and WhatsApp to approach the target and trick them into clicking on a malicious link. Fake LinkedIn profiles were used to gain victims’ trust.

The most recent campaign targeted Israeli scholars (via their institutional email account), and US government employees. The hackers used a personalized URL, tailored to the victim’s email address, to trick them into accessing the malicious link, and also attempted to send a malicious ZIP file to the victim.

“Clearsky alerted ‘Deutsche Welle’ about the impersonation and the watering hole in their website. A ‘Deutsche Welle’ representative confirmed that the reporter which Charming Kitten impersonated, did not send any emails to the victim nor any other academic researcher in Israel in the past few weeks,” the security firm says.

As part of the campaign, the attackers used a well-developed LinkedIn account in support of their email spear-phishing attacks, and showed willingness to speak to the victim on the phone, over WhatsApp, using a legitimate German phone number.

The hackers approached Israeli researchers from Haifa and Tel Aviv Universities, to ask them to participate in a webinar about Iran and other subjects, nominating the victim as the main speaker in the webinar. The attackers sent multiple, repeated messages, until the victim responded.

The Charming Kitten attackers messaged the victim repeatedly for ten days, claiming they were interested in engaging in a direct phone call, and attempted to lure the victim into “activating their account” on the site “Akademie DW” (their phishing page).

“If the victim is not willing to share their personal phone number, the attacker will send him a message from the fake LinkedIn account. This message will contain a promise that the webinar is secured by Google, as they sent to the victim on the tenth day,” Clearsky says.

In another attack, the hackers created a fake LinkedIn account for ‘Helen Cooper’, a senior researcher at Hudson Institute and sent email messages that contained either a malicious link or a malicious attachment. Sending malicious files via email is uncommon for this threat actor.

Related: Iran-Linked Hackers Accidentally Exposed 40 GB of Their Files

Related: Google Says Iran-Linked Hackers Targeted WHO

Related: Iranian Hackers Target Journalists in New Phishing Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...