Saturday, December 13, 2025

Israeli Cybersecurity Experts and Professors Targeted by Iranian APT35 Hackers

Amid heightened tensions between Iran and Israel, cybersecurity researchers have uncovered a sophisticated and ongoing cyber-espionage campaign targeting Israeli journalists, high-profile cybersecurity experts, and computer science professors from leading Israeli universities.

The operation, attributed to the Iranian threat group known as Educated Manticore (also recognized as APT42, Charming Kitten, or Mint Sandstorm), is believed to be linked to the Islamic Revolutionary Guard Corps’ Intelligence Organization (IRGC-IO).

The group employs spear-phishing as its primary tactic, impersonating trusted individuals, such as assistants to technology executives or representatives from reputable cybersecurity firms, to gain the trust of its victims.

The attackers initiate contact through carefully crafted emails or WhatsApp messages, often using a formal tone and error-free grammar, suggesting possible AI assistance in message creation.

For example, one email impersonated a “Sarah Novominski,” but discrepancies in the sender’s name (“Sara Noviminski”) tipped off some vigilant recipients.

The initial messages typically avoid suspicious links, but through prompt and persuasive follow-up, attackers guide targets to fake Gmail login pages or fraudulent Google Meet invitations.

Once victims input their credentials, these are harvested in real time, including passwords and 2FA codes, enabling unauthorized access to their accounts.

Custom Phishing Kits and Advanced Technical Tactics

Check Point Research has identified a custom phishing kit used in these campaigns, implemented as a React-based Single Page Application (SPA).

The kit is designed to closely mimic legitimate Google authentication flows, dynamically rendering UI elements and managing authentication steps client-side.

The phishing page never reloads; instead, it uses React Router for seamless navigation and asynchronous POST requests to send stolen data to the attackers’ backend API.

The backend, often hosted on domains such as “idea-home[.]online,” tracks victims using a session key and pre-fills the victim’s email address to increase credibility.

The phishing kit supports a wide range of Google authentication steps, including password entry, SMS or email verification codes, and even Google Authenticator prompts.

A persistent WebSocket connection is maintained throughout the session, enabling real-time data exfiltration and a passive keylogger that captures every keystroke, even if the victim abandons the form.

This allows attackers to intercept credentials and 2FA tokens instantly, bypassing traditional MFA protections.
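Why real-time relay of this kind defeats one-time codes but not origin-bound credentials, as an added illustration that is not from the article or from Check Point's analysis: a small Python model of the real site (relying party), the victim's authenticator, and the forwarding the kit performs. The origins and keys are constructed, and an HMAC stands in for the public-key signature a FIDO authenticator would produce.

```python
import hashlib, hmac, json, secrets, struct

RP_ORIGIN = "https://accounts.example"            # constructed: the genuine login origin
PHISH_ORIGIN = "https://login-lookalike.example"  # constructed: origin the victim's browser is really on

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows at time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class RelyingParty:
    """The real site. Hypothetical stand-in: HMAC with a per-credential key replaces
    the public-key signature a FIDO authenticator would return."""
    def __init__(self, totp_secret: bytes, authn_key: bytes):
        self.totp_secret, self.authn_key, self.pending = totp_secret, authn_key, set()

    def verify_totp(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, now))

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("challenge") not in self.pending:      # fresh, single-use challenge
            return False
        self.pending.discard(data["challenge"])
        if data.get("origin") != RP_ORIGIN:                 # origin binding defeats the relay
            return False
        expected = hmac.new(self.authn_key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)

def authenticator(key: bytes, challenge: str, browser_origin: str):
    """Stand-in for navigator.credentials.get(): the browser, not the page script,
    records the origin it is actually on in clientDataJSON before signing."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def relay_totp(rp: RelyingParty, victim_secret: bytes, now: int) -> bool:
    """Kit receives the 6-digit code the victim typed and replays it inside the 30 s window."""
    return rp.verify_totp(totp(victim_secret, now), now)

def relay_webauthn(rp: RelyingParty, victim_key: bytes) -> bool:
    """Kit fetches a genuine challenge and forwards it; the victim signs on the phishing origin."""
    return rp.verify_assertion(*authenticator(victim_key, rp.new_challenge(), PHISH_ORIGIN))
```

A TOTP code is just a number the victim types and the kit forwards, so it verifies; a WebAuthn assertion carries the origin the browser observed, so the identical relay fails the origin check.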

Infrastructure and Indicators of Compromise

Since January 2025, the threat actors have registered over 130 unique domains, many of them hosted on NameCheap, to host phishing kits or backend servers.

These domains resolve to a dozen distinct IP addresses, with some infrastructure matching the public fingerprint of the GreenCharlie sub-cluster, a known component of Educated Manticore’s operations.

Notable indicators of compromise (IOCs) include IPs such as 185.130.226[.]71 and domains like “sendly-ink[.]shop” and “idea-home[.]online.”

In some cases, attackers leverage fake Google Meet invitations hosted on Google Sites to add legitimacy to their links.

Fake image redirecting to the attackers’ servers.

These pages display hardcoded images that, when clicked, redirect victims to attacker-controlled phishing infrastructure.

The campaign is highly agile, with rapid domain registration and takedown cycles, making it difficult for defenders to disrupt their operations.

Educated Manticore continues to pose a persistent threat to Israeli individuals in sensitive or trust-based roles.

Their use of advanced phishing kits, real-time data exfiltration, and rapid infrastructure turnover underscores the group’s technical sophistication and operational resilience.

As geopolitical tensions persist, the cybersecurity community remains vigilant, urging heightened awareness and robust authentication practices to counter these evolving threats.

IOCs

IPs:
