
Iranian Hackers Update Spear-Phishing Techniques in Recent Campaign

The Iranian state-sponsored threat actor known as Charming Kitten employed new spear-phishing methods in a campaign observed in August and September, ClearSky’s security researchers report.

The attacks are related to a campaign Microsoft recently exposed as targeting a U.S. presidential candidate, government officials, media targets, and prominent expatriate Iranians. The campaign resulted in four accounts getting compromised, out of a total of 241 that were targeted.

“Until these days, Iran was not known as a country that tends to interfere in elections around the world. From a historical perspective, this type of cyber activity had been attributed mainly to the Russian APT groups,” ClearSky notes in their report (PDF).

Despite this lack of historical targeting of elections, the security researchers say, with medium-high confidence, that the attacks that Microsoft disclosed are part of the same campaign they observed over the past several months.

According to ClearSky, victim profiles are similar to those exposed by Microsoft, attack times overlap, and the same attack vectors were used in both campaigns, suggesting they are congruent.

Charming Kitten, a group also tracked as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, has been active since at least 2011, targeting activists and journalists focusing on the Middle East, U.S. organizations, and entities located in Israel, the U.K., Saudi Arabia and Iraq.

As part of the newly observed campaign, ClearSky says, the group employed three different spear-phishing methods, namely password recovery impersonation, spear-phishing emails, and spear-phishing via SMS messages.

The first impersonation vector used was a message with a link pretending to arrive from Google Drive or from a colleague’s email address. Social engineering is used in an attempt to trick the victim into exposing their login credentials.

“Another social engineering technique is to identify the Google Site from which the victim was directed and to pair the phishing page with its (the site’s) email. In other words, the victim receives an email from the attacker with a link which was prepared for them personally,” ClearSky explains.

Another vector employed SMS messages containing a link and claiming to inform the recipient of an attempt to compromise their email account. Just as in the previous type of attack, the link directs to a URL shortening service leading to a malicious website attempting to phish for the victim’s credentials.

A third attack vector employed a fake unauthorized login attempt alert, where the intended victim is informed that a North Korean attacker tried to compromise their Yahoo email address and is asked to secure their account. Previously, the victim was informed that someone from North Korea changed their email recovery options.

The fourth attack vector employed recently by Charming Kitten was social network impersonation. In an attempt to grab login credentials, the attackers have created fake sites for Instagram, Facebook, Twitter, Google, and the National Iranian-American Council.
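The lures described above share two observable traits a mail or SMS filter can act on: links that pass through a public URL-shortening service, and hostnames that borrow an impersonated brand name (Yahoo, Google, Instagram, Facebook, Twitter) without belonging to that brand's real domain. The following triage filter is an added example written for this page; it is not code from ClearSky, Microsoft or SecurityWeek. The shortener list and the brand-to-domain map are assumptions to be extended per environment, the sample messages are constructed, and the filter inspects link text only, so it runs offline and never follows a redirect.

```python
"""Added example: offline triage of phishing lures by link shape.
Not code from the ClearSky report or the SecurityWeek article.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Public URL-shortening services (real services; list is illustrative, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly"}

# Brand keyword -> legitimate registrable domains (assumption: extend for your environment).
BRAND_DOMAINS = {
    "yahoo": {"yahoo.com"},
    "google": {"google.com", "gmail.com"},
    "instagram": {"instagram.com"},
    "facebook": {"facebook.com"},
    "twitter": {"twitter.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for the .com brands above;
    a production filter would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> list[str]:
    """Return the reasons a single link matches one of the described lure patterns."""
    reasons: list[str] = []
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        reasons.append("url-shortener")
    for brand, legit in BRAND_DOMAINS.items():
        # Brand name appears in the hostname (hyphens stripped so "yahoo-secure" matches)
        # but the link does not land on the brand's own registrable domain.
        if brand in host.replace("-", "") and domain not in legit:
            reasons.append(f"impersonates-{brand}")
    return reasons


def triage_message(text: str) -> dict[str, list[str]]:
    """Map every link in a message body to its reasons (empty list means no flag)."""
    return {url: classify_link(url) for url in URL_RE.findall(text)}


# Constructed sample messages modelled on the lure types in the article:
# a fake security alert, an SMS with a shortened link, a Drive share, and a benign mail.
SAMPLES = {
    "fake_alert": "Someone in North Korea tried to sign in. Secure your account: "
                  "https://yahoo-account-recovery.example/verify",
    "sms": "We detected an attempt to access your email. Review: https://bit.ly/xyz123",
    "drive_share": "A colleague shared a file: https://drive.google.com/file/d/abc",
    "benign": "Your statement is ready at https://mail.yahoo.com/",
}


def flagged_messages(samples: dict[str, str] = SAMPLES) -> dict[str, dict[str, list[str]]]:
    """Return only the messages containing at least one flagged link."""
    out: dict[str, dict[str, list[str]]] = {}
    for name, body in samples.items():
        result = triage_message(body)
        if any(result.values()):
            out[name] = result
    return out


if __name__ == "__main__":
    for name, links in flagged_messages().items():
        for url, reasons in links.items():
            print(f"{name}: {url} -> {', '.join(reasons)}")
```

On the constructed samples, the fake alert is flagged for impersonating Yahoo and the SMS for its shortened link, while the genuine Google Drive and Yahoo Mail links pass. A shortener hit on its own is weak evidence; in practice it is a reason to expand the link in a sandbox and apply the same hostname check to the final destination.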

Although targeting Yahoo accounts is not new for Charming Kitten, the group had not done so for a couple of years. Since 2017 the hackers had focused on Google accounts instead, but they now appear to be targeting Yahoo accounts and impersonating Yahoo services again.

Related: Iranian Hackers Said to Target Presidential Campaign

Related: Iran-Linked Malware Shared by USCYBERCOM First Seen in December 2016: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
