Security Experts:

Connect with us

Hi, what are you looking for?



Iranian Hackers Target Journalists in New Phishing Campaign

The Iran-linked threat group know as “Charming Kitten” has been targeting journalists, political and human rights activists in a new campaign aimed at stealing email account credentials, Certfa Lab reports.

The Iran-linked threat group know as “Charming Kitten” has been targeting journalists, political and human rights activists in a new campaign aimed at stealing email account credentials, Certfa Lab reports.

Also known as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, the adversary has been active since at least 2011, targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.

The newly detailed phishing attack, Certfa Lab says, is related to previously observed activity targeting a U.S. presidential candidate, government officials, media targets, and prominent expatriate Iranians, where the hackers employed an updated spear phishing technique.  

Charming Kitten’s new activity indicates that the hacking group continues to target private and government institutions, think tanks, academics, organizations with ties to the Baha’i community, and others from Europe, the United States, and Saudi Arabia, Certfa Lab noted in a blog post.

As part of the campaign, the threat actor created a fake account impersonating New York Times journalist Farnaz Fassihi (former Wall Street Journal (WSJ) journalist), to send fake interview invitations to victims and trick them into accessing phishing websites. 

The phishing emails contained shortened URLs in the footnotes (social media links, WSJ and Dow Jones websites), which allow hackers to guide victims to legitimate sites while gathering basic information on their devices (IP address, operating system, and browser). 

Next, the attackers send a link to a file containing interview questions, which is hosted on Google Sites, to avoid raising suspicion and evade the spam detections. From the Google Site page, the victim is then taken to a phishing page at two-step-checkup[.]site, where they are asked for login credentials, including two factor authentication (2FA) codes. 

In these attacks, the threat actor also used pdfReader.exe, an unsophisticated backdoor that achieves persistence through modified Windows Firewall and Registry settings. Designed to gather victim device data, the malware shows a close relation between its developer and the campaign’s operators. 

Analysis of the phishing websites used in these attacks reveal the use of servers previously associated with other Charming Kitten phishing attacks. The method of managing and sending HTTP requests is further evidence that Charming Kitten is behind the operation. 

“This new series of phishing attacks by the Charming Kitten are in line with previous activities seen from their group. For example, we identified similar settings for the servers used in this attack with their previous campaigns. The Charming Kitten used Google Sites for their phishing attack, and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign,” the security company added.

The attacks appear to have started on November 1, 2019, Certfa Lab founder Amin Sabeti told SecurityWeek via email. The campaign has been active ever since and attacks are ongoing, with new infrastructure and different identities or scenarios observed, he said.

Sabeti also confirmed that at least five individuals were targeted in these phishing attempts, but added that there might be more than 20 intended victims.

Sabeti says that, while there have been no exact geographical patterns for the targets, they are spread all around the world. Certfa Lab has been tracking other attacks as well and is determined to share additional details on the campaign pending the completion of their investigation.

Related: Iranian Hackers Update Spear-Phishing Techniques in Recent Campaign

Related: Iran-Linked Malware Shared by USCYBERCOM First Seen in December 2016

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


Reddit says its systems were hacked following a sophisticated phishing attack aimed at employees.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...