Iranian APT35 phishing attacks, launched by a state-sponsored hacking group linked to the Islamic Revolutionary Guard Corps (IRGC), are targeting Israeli technology professionals, cybersecurity experts, and journalists through AI-powered phishing campaigns and fake Google login pages.
According to cybersecurity researchers from Check Point, the hackers specifically aimed their attacks at Israeli journalists, cybersecurity experts, and computer science professors. In this campaign, Iranian hackers posed as assistants to well-known technology executives or researchers. They contacted their targets via email and WhatsApp, sending fake meeting invitations or directing victims to counterfeit Google login pages designed to steal credentials.
These phishing attempts were carefully crafted to appear legitimate. The attackers used AI-powered writing tools to produce messages free of grammatical errors, increasing the chances of success.
One of the key techniques involved fake Google Meet invitations hosted on Google Sites. Victims clicking on these links were redirected to highly convincing phishing pages that closely mimicked real Google login pages.
The phishing kit used by APT35:
Captures Google login credentials and two-factor authentication (2FA) codes.
Uses real-time WebSocket connections to steal data instantly.
Employs passive keyloggers to record all keystrokes, even if victims abandon the login process.
Before sending phishing links, the attackers asked for the victim’s email address. This email was then pre-filled on the fake login page to increase credibility and trick the victim into believing it was a legitimate authentication process.
The latest wave of attacks began in mid-June 2025, coinciding with the escalation of the Iran-Israel war. The hackers exploited the conflict by creating urgent scenarios. For example, one phishing message claimed that Israel needed the victim’s immediate help to build an AI-powered cyber defense system.
These carefully designed lures made the attacks seem highly relevant and urgent, increasing the likelihood that victims would engage.
The threat cluster behind the campaign is tracked as Educated Manticore, which overlaps with groups such as:
APT35 (also known as Charming Kitten)
APT42
TA453
Mint Sandstorm (formerly Phosphorus)
These groups are known for:
Aggressive spear-phishing campaigns
Rapid creation of fake domains and infrastructure
Quick takedowns when exposed
Their expertise in social engineering and AI-driven phishing allows them to stay active and effective, even under constant cybersecurity scrutiny.
Double-check email senders, meeting invitations, and any request that asks for sensitive information.
Modern phishing attempts are polished, free of grammar mistakes, and often use urgent scenarios to trick you.
Never enter your login details on suspicious websites or forms. Always verify URLs.
Keep learning about the latest cybersecurity threats and phishing tactics. Real-world awareness is key to strong defense.
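As an added example (not from Check Point's research or this article's own material), the sketch below shows why "verify URLs" has to mean more than "the link ends in google.com" when the lure page is hosted on Google Sites, as described above. The host sets, brand tokens, labels and sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed policy values for this example (not taken from the article).
SIGN_IN_HOSTS = {"accounts.google.com"}      # where Google credentials are entered
USER_CONTENT_HOSTS = {"sites.google.com"}    # anyone can publish a page here
BRAND_TOKENS = ("google", "gmail")

def classify_link(url: str) -> str:
    """Return a triage label for one link taken from an invitation or message."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "reject: malformed URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return "reject: not an https link"
    if parts.username or parts.password:
        # A trusted name placed before '@' is userinfo, not the destination host.
        return "reject: userinfo in URL"
    try:
        host = host.encode("idna").decode("ascii")  # normalise IDN to punycode
    except UnicodeError:
        return "reject: malformed hostname"
    if host in SIGN_IN_HOSTS:
        return "ok: genuine sign-in host"
    if host in USER_CONTENT_HOSTS:
        # The case a plain ".google.com" suffix check would wave through.
        return "suspicious: user-published page on a Google domain"
    if host == "google.com" or host.endswith(".google.com"):
        return "google: not a sign-in page, do not enter a password here"
    if "xn--" in host or any(token in host for token in BRAND_TOKENS):
        return "suspicious: brand look-alike host"
    return "unknown: external host"

# Constructed sample links (illustrative only, not indicators from the campaign).
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "https://sites.google.com/view/constructed-meeting-invite",
    "https://accounts.google.com@login.example/",
    "https://accounts-google.com.verify.example/",
    "https://meet.google.com/abc-defg-hij",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):60} {link}")
```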
CCIE Academy is a leading training center offering expert-led courses in networking, cybersecurity, and IT certifications. We focus on practical labs, real-world scenarios, and current technologies to prepare our students for top-tier certifications such as CCNA, CCNP, and CCIE. Our mission is to create skilled, future-ready IT professionals capable of defending against modern cyber threats.