Charming Kitten APT Tries Spying on Israeli Cyber Experts - Dark Reading
Charming Kitten APT Tries Spying on Israeli Cybersecurity Experts
Israel's cyber pros are having to put theory into practice, as a notorious nation-state APT sponsored by Iran targets them with spear-phishing attacks.
Nate Nelson, Contributing Writer
June 26, 2025
An Iranian state-backed hacking group is spear-phishing cybersecurity and computer science experts in Israel.
Charming Kitten (aka APT42, Educated Manticore, Mint Sandstorm) is a decade-plus-old advanced persistent threat (APT) associated with Iran's Islamic Revolutionary Guard Corps (IRGC), a military organization that is designed to protect the Iranian regime and reports directly to the Ayatollah.
As part of its mandate, IRGC is known to deploy hacker groups to spy on governments both friendly and unfriendly to the Islamic Republic, as well as individuals outside and inside of Iran. In recent days, for example, Charming Kitten has been playing its role in the regime's war with Israel by spear-phishing prominent Israeli academics and experts in the cybersecurity and computer science fields, according to Check Point Research (CPR).
Iran Spying on High-Profile Israelis
Charming Kitten is the right threat actor to attempt a campaign like this. For years now, it has used spear-phishing to infect senior officials, experts, and other influential individuals working in the research, public policy, media, government, and military sectors.
The attacks begin with members presenting themselves as some kind of relevant persona: a journalist, researcher, or some other kind of important individual. In this latest campaign, Charming Kitten has been posing as employees of cybersecurity companies, with characteristically Jewish-seeming names and other personal details, according to CPR. The hackers email targets or, more often, write to them via WhatsApp. The WhatsApp strategy may be meant to elicit quicker responses, evade email filters, or lend the messages legitimacy where the attackers already knew the target's phone number.
The lures are written in clear English, and personalized to some extent based on whom they are targeting. In the following example, the threat actor ironically references breaking research on cyber threats to Israel from Iran.
[Image: example lure message. Source: Check Point Research]
"The actor here did a good information collection job, because they knew how to approach each person — who would likely be somehow connected to them, know their name, and their company affiliation, and already has their number but is also not a close friend," says Sergey Shykevich, threat intelligence group manager at CPR.
To avoid raising alarms, the attackers do not include any sort of malicious link or attachment in their initial overture. Instead, they request meetings with victims — opportunities to collaborate, share insights, etc. In at least one case, the attackers even requested an in-person meeting in Tel Aviv. Whether this was just a superficial tactic or the operation truly did extend beyond cyberspace is unclear.
The point is to gain trust before asking for a victim's email address. Then, finally, the attacker sends a phishing link, leading to a credential phishing page with the email field already filled in, for added realism.
Some meeting invitations add an extra layer of verisimilitude by directing targets to a static page mimicking a Google Meet lobby. Victims who click anywhere on the page are redirected to another page mimicking Google's authentication process.
Though subtle in some ways, "they are very quick, and very aggressive in conversation — especially talking with WhatsApp — urging the target to click the link. So, in most cases, the attack is either a success or failure within a day or two. And then either way, they just continue to the next target and stop using the same domain," Shykevich explains. The speed with which Charming Kitten cycles through infrastructure may pose a challenge for those tracking their indicators of compromise (IoCs).
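Because each domain is dropped within a day or two, a check keyed to the behavior described above (a link that hands the target's own address to a sign-in page) outlasts a domain blocklist. The following is an added example, not code from the article or from Check Point Research; it assumes the address travels in the URL, plain or base64url-encoded, which the article does not state, and `ORG_DOMAIN`, `TRUSTED_LOGIN_HOSTS`, the log layout and every sample host are constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# Assumptions, not from the article: the defender's mail domain and the hosts
# where a sign-in page may legitimately receive a user's address.
ORG_DOMAIN = "example.org"
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"[A-Za-z0-9_-]{16,}")

def _b64_text(token):
    """Decode a base64url token to ASCII text; return '' if it is not one."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        return raw.decode("ascii")
    except (binascii.Error, ValueError):
        return ""

def org_addresses(url):
    """Return (host, org addresses carried in the URL, plain or base64url)."""
    parts = urlsplit(url)
    text = unquote(" ".join((parts.path, parts.query, parts.fragment)))
    chunks = [text] + [_b64_text(t) for t in B64_RE.findall(text)]
    found = {a.lower() for c in chunks for a in EMAIL_RE.findall(c)}
    suffix = "@" + ORG_DOMAIN
    return parts.hostname or "", sorted(a for a in found if a.endswith(suffix))

def flag_prefilled_links(log_lines):
    """List (user, host, address) for org addresses sent to untrusted hosts."""
    hits = []
    for line in log_lines:
        _ts, user, url = line.split(maxsplit=2)
        host, addrs = org_addresses(url)
        if host not in TRUSTED_LOGIN_HOSTS:
            hits.extend((user, host, a) for a in addrs)
    return hits

# Constructed proxy-log lines: "<timestamp> <user> <url>"; hosts are placeholders.
_enc = base64.urlsafe_b64encode(b"ron.cohen@example.org").decode()
SAMPLE_LOG = [
    "2025-06-24T09:12:03Z dlevi https://meet-lobby.example/join?email=dana.levi%40example.org",
    "2025-06-24T09:15:40Z rcohen https://signin-check.example/v/" + _enc,
    "2025-06-24T09:20:11Z dlevi https://accounts.google.com/signin?Email=dana.levi%40example.org",
    "2025-06-24T09:21:00Z mpeled https://news.example/article?id=42",
]
```

Running `flag_prefilled_links(SAMPLE_LOG)` flags the first two lines and skips the trusted sign-in host and the URL that carries no address.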
Cybersecurity Experts Targeted
The primary targets of this latest campaign are experts in the computer science and cybersecurity fields, particularly from academia. Shykevich posits that "it could be part of a retaliation. There are assumptions that Israel physically damaged some cybersecurity units and [infrastructure] in Iran. And cybersecurity experts are high-profile people in some cases — I think many people assume that some of them are also connected to national cyber operations."
"And it's a very good type of target to show off to journalists, if you are successful," he says. Per that point: Besides computer experts, Charming Kitten also appears to be going after journalists. Just a few days before the time of writing, one journalist publicly disclosed having been targeted in an attack that closely aligned with the group's latest tactics, techniques, and procedures (TTPs).
Though it's not clear how many individuals have been targeted in all, and whether any of them were ultimately compromised, CPR was able to identify more than 100 domains and subdomains comprising Charming Kitten's current campaign infrastructure. "We assume that each one is for one target, though maybe in some cases they're used for more than one for one target. So we assume that there are dozens of different targets, at least," Shykevich says.
He adds, "We also assume that the campaign likely is much wider [than we've seen]. Because of the scale of the infrastructure, there are likely more sectors and maybe even there are targets in other countries besides Israel, based on the history of this actor generally."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.