Pierluigi Paganini June 27, 2025

Iran-linked APT42 targets Israeli experts with phishing attacks, posing as security professionals to steal email credentials and 2FA codes.

Iran-linked group APT42 (aka Educated Manticore, Charming Kitten, and Mint Sandstorm) is targeting Israeli journalists, cybersecurity experts, and academics with phishing attacks, posing as security professionals to steal email credentials and 2FA codes, according to Check Point.

APT42 focuses on highly targeted spear-phishing and social engineering techniques, its operations broadly fall into three categories, credential harvesting, surveillance operations, and malware deployment.

“The threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations. Credentials entered on these phishing pages are sent to the attackers, enabling them to intercept both passwords and 2FA codes and gain unauthorized access to the victims’ accounts.” reads the report published by Check Point.

Since mid-June, the Iranian cyberspies have impersonated cybersecurity employees to target Israeli cyber experts via email and WhatsApp. Using polished, AI-written messages, they lured victims into phishing traps by proposing fake online meetings, some even suggesting in-person encounters. The attackers avoided links in initial outreach to build trust before directing targets to credential-stealing sites.

The group APT42 used a custom Google phishing kit to target Israeli professionals. After gaining trust via WhatsApp, they send links to spoofed Google login pages, prefilled with victims’ emails. Built as a React SPA, the kit mimics Google’s 2FA steps and relays credentials in real time. It includes a live keylogger and WebSocket, allowing the attacker to control it. Attackers also employed fake Google Meet invites hosted on Google Sites to add legitimacy, redirecting users to phishing servers for data theft.

Since January 2025, the state-sponsored hackers have used custom phishing kits mimicking Gmail, Outlook, and Yahoo, built with React and equipped with live keyloggers. While Gmail kits are most common, Yahoo and Outlook versions also exist, following similar patterns. The group’s infrastructure included over 130 phishing-related domains, many registered via NameCheap. Older IPs in the phishing infrastructure match GreenCharlie, a subgroup of Educated Manticore, with domains showing similar naming patterns.

“The custom phishing kit used in Educated Manticore campaigns closely imitates familiar login pages, like those from Google, using modern web technologies such as React-based Single Page Applications (SPA) and dynamic page routing. It also uses real-time WebSocket connections to send stolen data, and the design allows it to hide its code from additional scrutiny.” concludes the report. “Given the vulnerable nature of their targets — often operating in sensitive or trust-based environments with external peers — we assess that Educated Manticore tactics will continue to focus on stealing identities and credentials linked to the regime’s interests.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT42)