Iranian state-sponsored APT35 is intensifying AI-powered attacks against Israeli tech experts.

Iranian state-sponsored hackers linked to APT35 (also tracked as Charming Kitten, Mint Sandstorm, or Educated Manticore) have intensified spear-phishing campaigns targeting Israeli technology experts, cybersecurity professionals, journalists, and academics since mid-June 2025. These attacks escalated following Israeli airstrikes against Iran and leverage AI-generated content for social engineering.

Key Attack Characteristics

The hackers use AI tools to craft convincing emails and WhatsApp messages impersonating Israeli cybersecurity analysts or researchers. Messages reference current events like “Iranian invasion and 700% cyberattack surge since June 12” to establish credibility. Despite AI assistance, operational security flaws persist—such as inconsistent name spellings in sender profiles.

Victims receive invitations to in-person or virtual meetings (e.g., via Google Meet) to discuss cybersecurity strategies; the meeting links redirect to attacker-controlled phishing pages. Links lead to counterfeit Gmail login portals designed to bypass two-factor authentication (2FA). Historical patterns suggest successful phishing could escalate to physical threats, including kidnapping or intelligence extraction during arranged meetings.

Infrastructure Scale

Over 130 unique domains and subdomains were deployed, with 1–2 domains per target, indicating dozens of intended victims across Israeli institutions. Attackers used fictitious personas (e.g., “Sarah Novominski”) and spoofed legitimate Israeli cybersecurity firms.
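The tells described above (a display name whose spelling does not match the sender address, Google Meet or Gmail lookalike hosts that are not actually under google.com, and link domains that appear for only a single recipient, the "1–2 domains per target" pattern) can be turned into mail-triage heuristics. The script below is an added example, not code or data from the article or any vendor report: the sample messages, the .test domains, the allowlist of Google hosts and the approximation of a registrable domain by its last two labels are all constructed assumptions.

```python
"""Defensive triage heuristics for meeting-invite phishing.
All messages and domains are constructed for illustration."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: hosts the defender treats as genuine Google Meet / sign-in.
GOOGLE_HOSTS = {"meet.google.com", "accounts.google.com", "mail.google.com"}
GOOGLE_TOKENS = ("google", "gmail", "meet")

# Constructed sample messages (hypothetical .test domains, not real IoCs).
SAMPLE_MESSAGES = [
    {"id": "m1", "from_name": "Sarah Novominski",
     "from_addr": "sara.novominsky@analyst-mail.test", "to": "alice@victim-a.test",
     "body": "Let's discuss the 700% cyberattack surge on Google Meet tomorrow.",
     "links": ["https://meet-google.briefing-invite.test/join/abc"]},
    {"id": "m2", "from_name": "Dan Levi",
     "from_addr": "dan.levi@corp.test", "to": "bob@victim-b.test",
     "body": "Agenda attached, see you on Google Meet.",
     "links": ["https://meet.google.com/abc-defg-hij"]},
    {"id": "m3", "from_name": "Sarah Novominski",
     "from_addr": "s.novominski@researcher-desk.test", "to": "carol@victim-c.test",
     "body": "Quick sync on Google Meet about the Iranian invasion threat.",
     "links": ["https://accounts-gmail-login.secure-portal.test/signin"]},
]


def _letters(s):
    return re.sub(r"[^a-z]", "", s.lower())


def name_mismatch(from_name, from_addr):
    """True when no token of the display name appears in the address local part
    (catches 'Novominski' vs 'novominsky' style spelling drift)."""
    local = _letters(from_addr.split("@", 1)[0])
    tokens = [_letters(t) for t in from_name.split()]
    tokens = [t for t in tokens if len(t) >= 3]
    return bool(tokens) and not any(t in local for t in tokens)


def registrable_domain(host):
    """Approximate eTLD+1 by the last two labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def is_google_host(host):
    return host in GOOGLE_HOSTS or host.endswith(".google.com")


def lookalike_google_host(host):
    """Host borrows Google/Gmail/Meet words but is not under google.com."""
    return not is_google_host(host) and any(t in host.lower() for t in GOOGLE_TOKENS)


def meet_claim_without_google_link(body, hosts):
    """Message text promises a Google Meet but no link resolves to Google."""
    return "google meet" in body.lower() and not any(is_google_host(h) for h in hosts)


def single_recipient_domains(messages):
    """Non-Google link domains seen for exactly one recipient across the corpus."""
    recipients = defaultdict(set)
    for m in messages:
        for url in m["links"]:
            host = urlparse(url).hostname or ""
            if not is_google_host(host):
                recipients[registrable_domain(host)].add(m["to"])
    return {d for d, r in recipients.items() if len(r) == 1}


def triage(messages):
    """Return {message id: [finding, ...]} for the whole corpus."""
    single_use = single_recipient_domains(messages)
    report = {}
    for m in messages:
        findings = []
        hosts = [urlparse(u).hostname or "" for u in m["links"]]
        if name_mismatch(m["from_name"], m["from_addr"]):
            findings.append("display-name/address spelling mismatch")
        for h in hosts:
            if lookalike_google_host(h):
                findings.append(f"lookalike Google host: {h}")
            if registrable_domain(h) in single_use:
                findings.append(f"single-recipient link domain: {registrable_domain(h)}")
        if meet_claim_without_google_link(m["body"], hosts):
            findings.append("claims Google Meet but no link goes to google.com")
        report[m["id"]] = findings
    return report


if __name__ == "__main__":
    for mid, findings in triage(SAMPLE_MESSAGES).items():
        print(mid, findings or "clean")
```

Each heuristic is a hint, not a verdict: the name check will flag legitimate nickname mailboxes, and the single-recipient rule only works over a corpus of messages, so these scores belong in a triage queue rather than an automatic block. The registrable-domain approximation should be replaced with a public-suffix library in production.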

Operational Context

APT35 operates under Iran’s Islamic Revolutionary Guard Corps (IRGC), with activities aligned with Iran’s retaliation for Israeli military actions. This campaign coincides with hacktivist surges and state-sponsored cyber operations between Israel and Iran, though Iran’s top-tier cyber capabilities remain partially restrained as of mid-June.