Security Experts:

Connect with us

Hi, what are you looking for?



Iranian Hackers Target Journalists in New Phishing Campaign

The Iran-linked threat group know as “Charming Kitten” has been targeting journalists, political and human rights activists in a new campaign aimed at stealing email account credentials, Certfa Lab reports.

The Iran-linked threat group know as “Charming Kitten” has been targeting journalists, political and human rights activists in a new campaign aimed at stealing email account credentials, Certfa Lab reports.

Also known as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, the adversary has been active since at least 2011, targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.

The newly detailed phishing attack, Certfa Lab says, is related to previously observed activity targeting a U.S. presidential candidate, government officials, media targets, and prominent expatriate Iranians, where the hackers employed an updated spear phishing technique.  

Charming Kitten’s new activity indicates that the hacking group continues to target private and government institutions, think tanks, academics, organizations with ties to the Baha’i community, and others from Europe, the United States, and Saudi Arabia, Certfa Lab noted in a blog post.

As part of the campaign, the threat actor created a fake account impersonating New York Times journalist Farnaz Fassihi (former Wall Street Journal (WSJ) journalist), to send fake interview invitations to victims and trick them into accessing phishing websites. 

The phishing emails contained shortened URLs in the footnotes (social media links, WSJ and Dow Jones websites), which allow hackers to guide victims to legitimate sites while gathering basic information on their devices (IP address, operating system, and browser). 

Next, the attackers send a link to a file containing interview questions, which is hosted on Google Sites, to avoid raising suspicion and evade the spam detections. From the Google Site page, the victim is then taken to a phishing page at two-step-checkup[.]site, where they are asked for login credentials, including two factor authentication (2FA) codes. 

In these attacks, the threat actor also used pdfReader.exe, an unsophisticated backdoor that achieves persistence through modified Windows Firewall and Registry settings. Designed to gather victim device data, the malware shows a close relation between its developer and the campaign’s operators. 

Analysis of the phishing websites used in these attacks reveal the use of servers previously associated with other Charming Kitten phishing attacks. The method of managing and sending HTTP requests is further evidence that Charming Kitten is behind the operation. 

“This new series of phishing attacks by the Charming Kitten are in line with previous activities seen from their group. For example, we identified similar settings for the servers used in this attack with their previous campaigns. The Charming Kitten used Google Sites for their phishing attack, and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign,” the security company added.

The attacks appear to have started on November 1, 2019, Certfa Lab founder Amin Sabeti told SecurityWeek via email. The campaign has been active ever since and attacks are ongoing, with new infrastructure and different identities or scenarios observed, he said.

Sabeti also confirmed that at least five individuals were targeted in these phishing attempts, but added that there might be more than 20 intended victims.

Sabeti says that, while there have been no exact geographical patterns for the targets, they are spread all around the world. Certfa Lab has been tracking other attacks as well and is determined to share additional details on the campaign pending the completion of their investigation.

Related: Iranian Hackers Update Spear-Phishing Techniques in Recent Campaign

Related: Iran-Linked Malware Shared by USCYBERCOM First Seen in December 2016

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...