Iranian APT35 Hackers Targeting Israeli Tech Experts with AI-Powered Phishing Attacks

Jun 26, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware

An Iranian state-sponsored hacking group associated with the Islamic Revolutionary Guard Corps (IRGC) has been identified as the culprit behind a spear-phishing campaign targeting journalists, high-profile cybersecurity experts, and computer science professors in Israel.

According to a report published by Check Point on Wednesday, Israeli technology and cybersecurity professionals were lured by attackers who posed as fictional assistants to technology executives or researchers via emails and WhatsApp messages. The victims were directed to fake Gmail login pages or Google Meet invitations.

The cybersecurity company linked the operation to a threat cluster known as Educated Manticore, which overlaps with several other threat groups such as APT35, APT42, CALANQUE, and Charming Kitten among others.

The APT group, known for its social engineering tactics, approached targets on platforms like Facebook and LinkedIn using fake personas to trick victims into installing malware on their systems.

Check Point observed a new wave of attacks in mid-June 2025, coinciding with the outbreak of the Iran-Israel conflict, that targeted Israeli individuals with fake meeting decoys delivered through emails or WhatsApp messages. The messages are suspected to have been generated using artificial intelligence tools.

One of the WhatsApp messages leveraged the geopolitical tensions between Iran and Israel to entice the victim into joining a meeting, claiming urgent assistance on an AI-based threat detection system to counter cyber attacks targeting Israel since June 12.

The initial messages, similar to previous Charming Kitten campaigns, were designed to build trust with the targets before sharing links leading to fake landing pages aimed at harvesting Google account credentials.

"Before sending the phishing link, threat actors ask the victim for their email address," Check Point explained. "This address is then pre-filled on the credential phishing page to increase credibility and mimic the appearance of a legitimate Google authentication flow."

The custom phishing kit used by the attackers closely mimics legitimate login pages such as Google's, using modern web technologies like React-based Single Page Applications (SPA) and real-time WebSocket connections to exfiltrate stolen data as it is entered.

The phishing kit not only captures credentials but also 2FA codes, enabling 2FA relay attacks. Additionally, it features a passive keylogger to record keystrokes entered by the victim and exfiltrate them if the process is abandoned.

Social engineering tactics have also involved the use of Google Sites domains to host fake Google Meet pages that redirect victims to phishing pages upon clicking an image.

"Educated Manticore remains a persistent and high-impact threat, particularly during the Iran-Israel conflict escalation," Check Point warned.

"The group's agility in spear-phishing, domain setup, and infrastructure deployment enables them to operate effectively under heightened scrutiny."
