Iranian APT35 Hackers Targeting Israeli Tech Experts with AI-Powered Phishing Attacks - The Hacker News

Iranian APT35 Hackers Targeting Israeli Tech Experts with AI-Powered Phishing Attacks Ravie LakshmananJun 26, 2025Cyber Espionage / Malware An Iranian state-sponsored hacking group associated with the Islamic Revolutionary Guard Corps (IRGC) has been linked to a spear-phishing campaign targeting journalists, high-profile cyber security experts, and computer science professors in Israel. "In some of those campaigns, Israeli technology and cyber security professionals were approached by attackers who posed as fictitious assistants to technology executives or researchers through emails and WhatsApp messages," Check Point said in a report published Wednesday. "The threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations." The cybersecurity company attributed the activity to a threat cluster it tracks as Educated Manticore, which overlaps with APT35 (and its sub-cluster APT42), CALANQUE, Charming Kitten, CharmingCypress, Cobalt Illusion, ITG18, Magic Hound, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda. The advanced persistent threat (APT) group has a long history of orchestrating social engineering attacks using elaborate lures, approaching targets on various platforms like Facebook and LinkedIn using fictitious personas to trick victims into deploying malware on their systems. Check Point said it observed a new wave of attacks starting mid-June 2025 following the outbreak of the Iran-Israel war that targeted Israeli individuals using fake meeting decoys, either via emails or WhatsApp messages tailored to the targets. It's believed that the messages are crafted using artificial intelligence (AI) tools due to the structured layout and the absence of any grammatical errors. One of the WhatsApp messages flagged by the company took advantage of the current geopolitical tensions between the two countries to coax the victim into joining a meeting, claiming they needed their immediate assistance on an AI-based threat detection system to counter a surge in cyber attacks targeting Israel since June 12. The initial messages, like those observed in previous Charming Kitten campaigns, are devoid of any malicious artifacts and are primarily designed to gain the trust of their targets. Once the threat actors build rapport over the course of the conversation, the attack moves to the next phase by sharing links that direct the victims to fake landing pages capable of harvesting their Google account credentials. "Before sending the phishing link, threat actors ask the victim for their email address," Check Point said. "This address is then pre-filled on the credential phishing page to increase credibility and mimic the appearance of a legitimate Google authentication flow." "The custom phishing kit [...] closely imitates familiar login pages, like those from Google, using modern web technologies such as React-based Single Page Applications (SPA) and dynamic page routing. It also uses real-time WebSocket connections to send stolen data, and the design allows it to hide its code from additional scrutiny." The fake page is part of a custom phishing kit that can not only capture their credentials, but also two-factor authentication (2FA) codes, effectively facilitating 2FA relay attacks. The kit also incorporates a passive keylogger to record all keystrokes entered by the victim and exfiltrate them in the event the user abandons the process midway. Some of the social engineering efforts have also involved the use of Google Sites domains to host bogus Google Meet pages with an image that mimics the legitimate meeting page. Clicking anywhere on the image directs the victim to phishing pages that trigger the authentication process. "Educated Manticore continues to pose a persistent and high-impact threat, particularly to individuals in Israel during the escalation phase of the Iran-Israel conflict," Check Point said. "The group continues to operate steadily, characterized by aggressive spear-phishing, rapid setup of domains, subdomains, and infrastructure, and fast-paced takedowns when identified. This agility allows them to remain effective under heightened scrutiny." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Advanced Persistent Threat, AI Tools, APT35, Credential Theft, cyber espionage, Cyber warfare, cybersecurity, Google, Malware, Phishing, social engineering, Threat Intelligence Trending News CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Load More ▼ Popular Resources [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats Detect AI-Driven Threats Faster With Full Network Visibility