Iranian APT35 group using AI phishing tactics against Israeli cyber experts

An Iranian state-backed group is escalating its attacks on Israeli academics and cybersecurity professionals using AI-crafted phishing lures.

What happened

A new spear-phishing campaign targeting Israeli technology professionals, journalists, and professors has been linked to the Iranian threat actor APT35 (also known as Charming Kitten, among other aliases). The group, believed to be affiliated with the Islamic Revolutionary Guard Corps (IRGC), is using AI tools to deliver highly polished phishing messages via email and WhatsApp.

The campaign, active since mid-June 2025, coincides with the escalation of the Iran-Israel conflict. Attackers pose as assistants to tech executives or researchers and attempt to lure victims into fake Gmail or Google Meet login pages to steal credentials.

Going deeper

Security researchers at Check Point attributed the campaign to a threat cluster they call ‘Educated Manticore,’ known for long-running social engineering operations using fake online personas. The current operation relies on structured, grammatically flawless messaging likely written with AI to gain victims’ trust before progressing to credential theft.

The attackers request the victim’s email address, then redirect them to a fake login page pre-filled with that address to add credibility. These phishing pages are built with modern frameworks like React and use WebSockets to exfiltrate data in real time. The phishing kit can harvest both passwords and two-factor authentication (2FA) codes and includes passive keylogging capabilities in case the user exits mid-process.

Some lures also use fake Google Meet invitations hosted on Google Sites. The invitation is a single image that mimics the real Meet interface, and clicking anywhere on it leads users to credential-harvesting pages.

What was said

Check Point noted that the campaign reflects Educated Manticore’s growing sophistication and adaptability. The group is known for rapid domain setup and takedown, which helps it remain active despite increased attention. According to the report, the attackers were specifically using the current geopolitical crisis to pressure targets into engaging.

One flagged WhatsApp message invited a victim to join a meeting about “AI-based threat detection” to address a surge in cyberattacks since June 12, tying the request to ongoing regional tensions.

FAQs

What makes AI-generated phishing harder to detect?

AI can produce messages that are grammatically correct, highly structured, and tailored to a recipient’s background, reducing the common red flags that help people identify phishing.

How does the phishing kit bypass two-factor authentication?

The phishing site collects both the login credentials and the 2FA code in real time, allowing the attackers to log in immediately, before the code expires, a method known as a 2FA relay attack.

Why are Israeli cyber professionals being targeted?

As tensions between Iran and Israel escalate, individuals with technical expertise may be seen as valuable sources of intelligence or as vectors into broader networks.

What is Educated Manticore’s typical attack method?

They often initiate contact via fake personas on social or messaging platforms, establish rapport, and then send customized phishing links to collect credentials.

How can targets protect themselves from similar attacks?

Be wary of unsolicited meeting invites or assistant introductions, enable phishing-resistant MFA (like hardware tokens), inspect URLs before clicking, and avoid entering credentials into unfamiliar login pages.
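The two FAQ answers above on the 2FA relay and on phishing-resistant MFA are tied together by one property: a one-time code is a bearer value, while a hardware-token (WebAuthn) assertion is bound to the origin the browser was actually on. The simulation below is an added example, not code from the article or from Check Point; the secrets, timestamps, origins and challenge are constructed, and an HMAC stands in for the token's asymmetric signature to keep the demo self-contained.

```python
import hashlib
import hmac
import json
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def real_site_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    """Genuine login server: accepts the current step and one step either side."""
    return any(hmac.compare_digest(totp(secret, now + k * STEP), submitted) for k in (-1, 0, 1))

def relayed_totp_login(secret: bytes, victim_time: int, relay_delay: int) -> bool:
    """Victim types the code into the phishing page; the kit forwards it and the
    attacker submits it to the real site relay_delay seconds later. The code carries
    nothing about where it was typed, so only the clock limits the attacker."""
    code_typed_on_phishing_page = totp(secret, victim_time)
    return real_site_accepts_totp(secret, code_typed_on_phishing_page, victim_time + relay_delay)

def sign_assertion(cred_key: bytes, challenge: str, origin: str) -> tuple[str, str]:
    """WebAuthn-style authenticator response. The browser, not the page, writes the
    origin into clientDataJSON, and the signature covers it (HMAC as a stand-in)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
    return client_data, hmac.new(cred_key, client_data.encode(), hashlib.sha256).hexdigest()

def real_site_verifies_assertion(cred_key: bytes, expected_origin: str, challenge: str,
                                 client_data: str, sig: str) -> bool:
    """Relying party check: origin and challenge must match, then the signature."""
    data = json.loads(client_data)
    if data.get("origin") != expected_origin or data.get("challenge") != challenge:
        return False
    expected = hmac.new(cred_key, client_data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def relayed_webauthn_login(cred_key: bytes, phishing_origin: str) -> bool:
    """Attacker relays the real site's challenge to the victim's browser, which is
    sitting on the phishing origin; the signed origin no longer matches."""
    real_origin = "https://accounts.example"   # placeholder for the genuine login origin
    challenge = "c3R1Yi1jaGFsbGVuZ2U"          # constructed challenge issued by the real site
    client_data, sig = sign_assertion(cred_key, challenge, phishing_origin)
    return real_site_verifies_assertion(cred_key, real_origin, challenge, client_data, sig)
```

With a relay delay of a few seconds the TOTP login succeeds, while the relayed WebAuthn assertion is rejected regardless of how fast the kit forwards it, which is why the FAQ recommends hardware tokens over codes.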