Google’s Threat Analysis Group (TAG) has observed a significant increase in phishing campaigns from an Iranian government-backed actor targeting high-risk individuals in Israel and the United States. This activity, which follows the October 7th attack on Israel, is attributed with high confidence to Charming Kitten, a group also known as APT42 or Mint Sandstorm, which is linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).
The campaigns focus on harvesting credentials from individuals whose work involves Middle East policy, including academics, activists, journalists, and staff at non-governmental organizations (NGOs).
Evasive Tactics and Deceptive Lures
Charming Kitten has employed a novel technique designed to bypass automated security scanning. The attacks begin with an email containing an encrypted, password-protected file, often a ZIP archive. The password for the file is provided directly in the body of the email. This payload contains a lure document and a malicious link that directs the target to a credential harvesting page.
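As an added defender-side example, not code from Google's report or the actor's tooling: a mail-gateway triage check for exactly this lure structure, an attachment whose ZIP entries carry the encryption flag paired with a password handed over in the message body. The sample message, sender address and password wording are constructed for the demonstration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Heuristic for the lure pattern: the password is handed over in the body text.
PASSWORD_HINT = re.compile(r"\b(password|passcode|passphrase)\b", re.IGNORECASE)


def zip_has_encrypted_entries(blob: bytes) -> bool:
    """Bit 0 of each entry's general-purpose flag marks it as encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> dict:
    """Quarantine when an encrypted ZIP attachment meets a password in the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    encrypted_zips = [
        part.get_filename() or "<unnamed>"
        for part in msg.iter_attachments()
        if zip_has_encrypted_entries(part.get_payload(decode=True) or b"")
    ]
    password_in_body = PASSWORD_HINT.search(body_text) is not None
    verdict = "quarantine" if encrypted_zips and password_in_body else "allow"
    return {"encrypted_zips": encrypted_zips, "password_in_body": password_in_body, "verdict": verdict}


def build_sample(encrypted: bool, body: str) -> bytes:
    """Constructed test message. zipfile cannot write encrypted archives, so the
    encryption bit is set by hand in the local and central-directory headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.pdf", b"placeholder lure content")
    blob = bytearray(buf.getvalue())
    if encrypted:
        blob[6] |= 0x1                                # local file header flag word
        blob[blob.find(b"PK\x01\x02") + 8] |= 0x1     # central directory flag word
    msg = EmailMessage()
    msg["From"] = "reporter@example.com"  # hypothetical sender address
    msg.set_content(body)
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip", filename="questions.zip")
    return msg.as_bytes()
```

The two signals are weak on their own (encrypted archives and the word "password" both occur in legitimate mail); it is their combination in one message that matches the lure and justifies holding it for review.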
These phishing pages are crafted to mimic legitimate login portals for services like Google, Microsoft, and Yahoo. The lures are tailored to the targets, with attackers impersonating journalists from prominent outlets like The Washington Post and The New York Times to solicit interviews. In another documented case, the group impersonated an organizer from the Munich Security Conference, inviting a target to a conference and providing a malicious link disguised as the event agenda.
Targeting Experts and Exfiltrating Data
The individuals targeted by these campaigns are often experts in their fields. Google’s TAG has identified specific attacks against personnel at academic and research institutions in the U.S. and the UK, as well as a U.S.-based think tank. The primary goal of these attacks is to gain access to sensitive information and communications.
Once credentials are stolen, Charming Kitten utilizes a custom tool called Hyperscrape to download data from the compromised Gmail, Yahoo, and Microsoft accounts. This tool runs on the attacker’s server and is designed to mimic an older, legitimate browser, enabling it to exfiltrate the contents of a victim’s inbox without triggering standard security alerts. This allows the group to gather intelligence by systematically downloading emails from compromised accounts.