Check Point Research Identifies Iranian Spear-Phishing Campaign


Amid growing warnings from agencies like the FBI and DHS about Iranian cyber activity, Check Point Research is sharing fresh, real-world examples from the past few days to shed light on how these threats are playing out in practice.

Check Point Research has identified the reemergence of an active, global spear-phishing campaign attributed to the Iranian threat actor Educated Manticore, also tracked as APT42, Charming Kitten, and Mint Sandstorm.

Associated with the IRGC Intelligence Organization, this group is known to target public figures worldwide. Currently, the campaign is executing sophisticated credential theft operations against high-profile individuals in Israel, while the real scope of the campaign is likely much wider, both geographically and by industry.

Following the escalation in Iran–Israel tensions, the group has intensified its efforts, this time impersonating Israeli institutions, diplomats, and tech professionals.

This campaign reflects the broadening scope of Iranian cyber operations: tailored spear-phishing, fictitious personas tied to real entities, precise timing, and multi-channel outreach, all aimed at extracting credentials and bypassing MFA.

Check Point Research has observed attacks against leading Israeli computer science academics, cyber security researchers, and prominent journalists known for covering geopolitical and intelligence topics.

While recent activity focuses on Israeli targets, Educated Manticore has a broader history of global operations. In the past, the group has masqueraded as prominent international media outlets and NGOs, including The Washington Post, The Economist, Khaleej Times, Azadliq, and others, to phish journalists, researchers, and geopolitical figures in regions aligned with Iran’s strategic interests. These operations follow the same pattern: trust-building through impersonation, followed by credential harvesting and surveillance.

We’ve identified over 100 phishing domains tailored to each target, with phishing pages often mimicking Google, Outlook, and Yahoo, and event scheduling or meeting platforms such as Google Meet. The links have since been blocked and are no longer available.

Attackers use multiple communication channels to initiate contact, including email addresses and private messaging apps (e.g., WhatsApp).

Once contact is established, victims are typically directed either to fake Google sign-in pages, often pre-filled with their email address, or to fake Google Meet invitations, both hosted on phishing domains.

These pages mimic legitimate login flows using advanced web development frameworks.

Educated Manticore also works to bypass 2FA by tricking victims into sharing their one-time codes as part of the phishing chain, enabling full account takeover.

In one incident, a target received a WhatsApp message inviting them to an in-person meeting in Tel Aviv. While the goal may simply have been to pressure the victim into confirming an online session, it raises the concern that the campaign could extend beyond cyberspace.

The impersonation style is highly adaptive. In some cases, attackers pose as mid-level employees at major Israeli firms, staff from the Prime Minister’s Office, and professionals affiliated with well-known tech companies.

Emails are grammatically correct, formally structured, and may have been assisted by AI tools. However, subtle inconsistencies, such as minor name misspellings, can give them away.

This evolving campaign poses a serious threat to academic, policy, and media sectors. Individuals should be cautious when receiving unsolicited meeting invitations, even from seemingly credible sources.

If you’re in a high-risk sector:

  • Verify the identity of the sender or caller through a channel you already trust, such as a known phone number or an established social media account, rather than the contact details supplied in the message;
  • Always verify the URL before entering credentials into any site handling sensitive information;
  • Enable and monitor 2FA, and treat any request to share a code as a red flag, since no legitimate service will ask for one; and
  • Report suspicious contact to your organisation’s security team.
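As a practical illustration of the URL check in the list above, here is a small Python helper. It is an added example written for this page, not Check Point's tooling. It parses a link, compares the hostname against an allowlist of genuine Google, Microsoft and Yahoo sign-in and meeting hosts, and flags the traits this campaign relies on: a brand name embedded in an unrelated domain, a punycode label, a user@host trick in the URL, and a pre-filled email address on a host the brand does not own. The allowlist, the keyword list and the sample links (all on reserved .example domains) are assumptions constructed for the example, not indicators from the campaign.

```python
from urllib.parse import parse_qs, urlparse

# Genuine sign-in and meeting hosts for the brands this campaign imitates.
# The allowlist is an assumption for this example; tune it for your environment.
TRUSTED_HOSTS = {
    "accounts.google.com", "meet.google.com", "calendar.google.com",
    "login.microsoftonline.com", "login.live.com",
    "outlook.live.com", "outlook.office.com",
    "login.yahoo.com",
}
# Brand words whose presence in a host outside the allowlist suggests a lookalike.
BRAND_KEYWORDS = ("google", "gmail", "meet", "outlook", "microsoft", "yahoo")
# Query parameters that carry a pre-filled address (login_hint is the one Google uses).
PREFILL_KEYS = ("login_hint", "email", "username", "user")


def check_login_url(url: str) -> dict:
    """Classify a link as trusted, suspicious or unknown and explain why."""
    p = urlparse(url)
    host = (p.hostname or "").lower().rstrip(".")
    reasons = []
    prefilled = [k for k in parse_qs(p.query) if k.lower() in PREFILL_KEYS]

    if p.scheme != "https":
        reasons.append("not https")
    if p.username is not None:
        # https://accounts.google.com@evil.example/ puts the real host after the @
        reasons.append("userinfo before host (user@host trick)")

    if host not in TRUSTED_HOSTS:
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode label in host (possible homograph)")
        hits = [kw for kw in BRAND_KEYWORDS if kw in host]
        if hits:
            reasons.append("brand keyword in untrusted host: " + ", ".join(hits))
        if prefilled:
            # A sign-in page that already knows the target's address, on a host
            # the brand does not own, is the tailored lure described above.
            reasons.append("pre-filled address on untrusted host: " + ", ".join(prefilled))

    if reasons:
        verdict = "suspicious"
    elif host in TRUSTED_HOSTS:
        verdict = "trusted"
    else:
        verdict = "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons, "prefilled": prefilled}


if __name__ == "__main__":
    # Constructed sample links; the .example domains are reserved and are not real indicators.
    samples = [
        "https://accounts.google.com/signin/v2/identifier?login_hint=alice%40example.org",
        "https://accounts.google.com.signin-verify.example/?email=alice%40example.org",
        "https://meet-google.example/abc-defg-hij",
        "https://xn--ggle-0nda.example/signin",
        "https://accounts.google.com@evil.example/",
        "https://example.net/docs",
    ]
    for url in samples:
        r = check_login_url(url)
        print(f"{r['verdict']:10} {r['host']}  {'; '.join(r['reasons'])}")
```

The brand-keyword heuristic is deliberately aggressive: a host such as meeting-scheduler.example will trip it, so treat "suspicious" as a prompt to pause and verify through a trusted channel, not as a blocklist decision. Note also that a pre-filled address is normal on the real accounts.google.com (via login_hint); it only becomes a signal when the host is not one the brand owns.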

Check Point Research continues to monitor this activity and will share updates as new indicators and techniques are uncovered.

Check Point’s Harmony Email and Collaboration and Zero Phishing protect customers by detecting and blocking such attacks and targeted phishing attempts.
