{
	"id": "518d6e04-eae2-44ff-9772-02c573b188d9",
	"created_at": "2026-04-06T00:18:48.866196Z",
	"updated_at": "2026-04-10T13:12:18.23331Z",
	"deleted_at": null,
	"sha1_hash": "07336685a65e86562afab4823368e7472ade3b78",
	"title": "Iranian backed group steps up phishing campaigns against Israel, U.S.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66600,
	"plain_text": "Iranian backed group steps up phishing campaigns against Israel,\r\nU.S.\r\nBy Google Threat Analysis Group\r\nPublished: 2024-08-14 · Archived: 2026-04-05 16:13:28 UTC\r\nToday Google’s Threat Analysis Group (TAG) is sharing insights on APT42, an Iranian government-backed threat\r\nactor, and their targeted phishing campaigns against Israel and Israeli targets. We are also confirming recent\r\nreports around APT42’s targeting of accounts associated with the U.S. presidential election.\r\nAssociated with Iran’s Islamic Revolutionary Guard Corps (IRGC), APT42 consistently targets high-profile users\r\nin Israel and the U.S., including current and former government officials, political campaigns, diplomats,\r\nindividuals who work at think tanks, as well as NGOs and academic institutions that contribute to foreign policy\r\nconversations. In the past six months, the U.S. and Israel accounted for roughly 60% of APT42’s known\r\ngeographic targeting, including the likes of former senior Israeli military officials and individuals affiliated with\r\nboth U.S. presidential campaigns. These activities demonstrate the group’s aggressive, multi-pronged effort to\r\nquickly alter its operational focus in support of Iran’s political and military priorities.\r\nBetween February and late July 2024, APT42 heavily targeted users in Israel and the U.S.\r\nSpikes in APT42 targeting against Israel\r\nTargeted APT42 credential phishing campaigns focused on Israel between February and late July 2024\r\nIn April 2024, APT42 intensified their targeting of users based in Israel. They sought out people with connections\r\nto the Israeli military and defense sector, as well as diplomats, academics, and NGOs.\r\nAPT42 uses a variety of different tactics as part of their email phishing campaigns — including hosting malware,\r\nphishing pages, and malicious redirects. They generally try to abuse services like Google (i.e. 
Sites, Drive, Gmail,\r\nand others), Dropbox, OneDrive and others for these purposes. In the course of our work to disrupt APT42, TAG\r\nreset any compromised accounts, sent government-backed attacker warnings to the targeted users, updated\r\ndetections, disrupted malicious Google Sites pages, and added malicious domains and URLs to the Safe Browsing\r\nblocklist — dismantling the group’s infrastructure.\r\nGovernment-backed attacker warning\r\nGoogle Sites phishing: We took down multiple APT42-created Google Sites pages that masqueraded as a petition\r\nfrom the legitimate Jewish Agency for Israel calling on the Israeli government to enter into mediation to end the\r\nconflict. The text of the petition was embedded in image files instead of HTML. The Sites page included an ngrok\r\nredirect URL, a free service for developers that APT42 has previously used to redirect users to phishing pages.\r\nAPT42 Google Sites abuse from an April 2024 phishing campaign\r\nhttps://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/\r\nPage 1 of 6\n\nTargeting military, defense, diplomats, academics, and civil society: APT42 attempted to use social\r\nengineering to target former senior Israeli military officials and an aerospace executive by sending emails\r\nmasquerading as a journalist requesting comment on the recent air strikes. They also sent social engineering\r\nemails to Israeli diplomats, academics, NGOs and political entities. The emails were sent from accounts hosted by\r\na variety of email service providers, and did not contain malicious content. These emails were likely meant to\r\nelicit engagement from the recipients before APT42 attempted to compromise the targets. 
Google suspended\r\nidentified Gmail accounts associated with APT42.\r\nA June 2024 campaign targeting Israeli NGOs used a benign PDF email attachment impersonating the legitimate\r\nProject Aladdin, which contained a shortened URL link that redirected to a phishing kit landing page designed to\r\nharvest Google login credentials.\r\nBenign PDF leading to an APT42 phishing kit landing page\r\nTargeted credential phishing: APT42’s success in credential phishing is the result of persistence and heavy\r\nreliance on social engineering to appear more credible to their targets. They regularly create accounts or domains\r\nthat impersonate organizations that might be of interest to the target. For example:\r\nAPT42 masqueraded as the legitimate Washington Institute for Near East Policy in multiple campaigns\r\nsince April 2024, targeting Israeli diplomats and journalists, researchers at U.S. think tanks, and others. In\r\nthese campaigns, attackers set the email display name as a legitimate researcher affiliated with the\r\nWashington Institute, but the underlying email address was not from the official .org domain.\r\nAPT42 registers typosquat domains very close to the legitimate domains of the organizations they\r\nimpersonate. For example, APT42 used the domain understandingthewar[.]org to target U.S. military\r\nmembers by impersonating the legitimate Institute for the Study of War. Similarly, APT42 registered\r\nbrookings[.]email, to spoof the Brookings Institution and used it in multiple campaigns targeting Israel.\r\nTargeting individuals related to the U.S. presidential election\r\nFor many years, Google has worked to identify and disrupt malicious activity in the context of democratic\r\nelections. During the 2020 U.S. presidential election cycle, we disrupted APT42 attempts to target accounts\r\nassociated with the Biden and Trump presidential campaigns.\r\nIn the current U.S. 
presidential election cycle, TAG detected and disrupted a small but steady cadence of APT42’s\r\nCluster C credential phishing activity. In May and June, APT42 targets included the personal email accounts of\r\nroughly a dozen individuals affiliated with President Biden and with former President Trump, including current\r\nand former officials in the U.S. government and individuals associated with the respective campaigns. We blocked\r\nnumerous APT42 attempts to log in to the personal email accounts of targeted individuals.\r\nRecent public reporting shows that APT42 has successfully breached accounts across multiple email providers.\r\nWe observed that the group successfully gained access to the personal Gmail account of a high-profile political\r\nconsultant. In addition to our standard actions of quickly securing any compromised account and sending\r\ngovernment-backed attacker warnings to the targeted accounts, we proactively referred this malicious activity to\r\nlaw enforcement in early July and we are continuing to cooperate with them.\r\nAt the same time, we also informed campaign officials that Google was seeing heightened malicious activity\r\noriginating from foreign state actors and underscored the importance of enhanced account security protections on\r\npersonal email accounts.\r\nToday, TAG continues to observe unsuccessful attempts from APT42 to compromise the personal accounts of\r\nindividuals affiliated with President Biden, Vice President Harris and former President Trump, including current\r\nand former government officials and individuals associated with the campaigns.\r\nUnderstanding APT42’s tailored credential phishing\r\nIn phishing campaigns that TAG has disrupted, APT42 often uses tactics like sending phishing links either directly\r\nin the body of the email or as a link in an otherwise benign PDF attachment. 
In such cases, APT42 would engage\r\ntheir target with a social engineering lure to set up a video meeting and then link to a landing page where the\r\ntarget was prompted to log in and sent to a phishing page. One campaign involved a phishing lure featuring an\r\nattacker-controlled Google Sites link that would direct the target to a fake Google Meet landing page. Other lures\r\nincluded OneDrive, Dropbox and Skype. Over the last six months, we have systematically disrupted these\r\nattackers’ ability to abuse Google Sites in more than 50 similar campaigns.\r\nAnother APT42 campaign template is sending legitimate PDF attachments as part of a social engineering lure to\r\nbuild trust and encourage the target to engage on other platforms like Signal, Telegram or WhatsApp. We expect\r\nthe attackers would then use these platforms to send a phishing kit to harvest credentials.\r\nAPT42 has a number of phishing kits that target a variety of sign-on pages including:\r\nGCollection/LCollection/YCollection: a sophisticated credential harvesting tool observed by TAG, capable\r\nof gathering credentials from Google, Hotmail and Yahoo users respectively. This kit has seen consistent\r\ndevelopment since it was first observed in use by APT42 in January 2023. The current version implements\r\na seamless flow that supports multi-factor authentication, device PINs and one-time recovery codes on all three\r\nplatforms. 
A set of landing page URLs is included with the indicators of compromise.\r\nDWP: a browser-in-the-browser phishing kit, often delivered via a URL shortener, that is less fully featured\r\nthan GCollection.\r\nThis spear phishing is supported by reconnaissance, using open-source marketing and social media research tools\r\nto identify personal email addresses that might not have default multi-factor authentication or other protection\r\nmeasures that are commonly seen on corporate accounts.\r\nAPT42 has also developed a strong understanding of the email providers they target, often researching the security\r\nsettings of accounts they’re targeting using failed login or recovery workflows to determine the configured second\r\nfactor for authentication to better target their initial phishing attempts. For example, in some cases they have\r\nidentified that an account is configured to use Device Prompts as an accepted second factor and added support for\r\nthem in their GCollection phishing kit. APT42 then combines this approach with knowledge of the target's current\r\ngeographic location based on either public research or social engineering. As a result, APT42 login and recovery\r\nattempts often originate from the correct geographic location with the correct credentials and correct second factor\r\nfor user authentication.\r\nOnce APT42 gains access to an account, they often add additional mechanisms of access, including changing\r\nrecovery email addresses and making use of features intended for applications that do not support multi-factor\r\nauthentication, such as application-specific passwords in Gmail and third-party app passwords in Yahoo. 
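The reconnaissance and persistence behaviour described above (probing failed-login and recovery flows before the real attempt, then adding a recovery address or an app password once inside) leaves a recognisable sequence in account audit events. The following Python is an added example written for this page, not code from Google TAG or the original post; the event schema, event-type names, IP addresses and timestamps are constructed for illustration and have to be mapped onto your own mail provider's audit log before use.

```python
# Added example for this page (not Google TAG code). Detects the APT42
# account-takeover pattern described above over a constructed audit feed:
#   1. recon: a failed login or recovery-flow probe from an IP, followed by a
#      successful login from that same IP within a short window;
#   2. persistence: a recovery-email change or app-password creation shortly
#      after a successful login.
# Event schema, IPs and timestamps are assumptions, not a real provider format.
from datetime import datetime, timedelta

# Constructed sample events for one mailbox: (ISO timestamp, event type, source IP, detail).
SAMPLE_EVENTS = [
    ('2024-06-03T09:58:00', 'login_failed', '203.0.113.7', 'wrong password'),
    ('2024-06-03T09:59:00', 'recovery_started', '203.0.113.7', 'recovery flow opened, second factor revealed'),
    ('2024-06-03T10:10:00', 'login_success', '203.0.113.7', 'password + device prompt'),
    ('2024-06-03T10:14:00', 'recovery_email_changed', '203.0.113.7', 'old=owner@example.org new=alt@example.net'),
    ('2024-06-03T10:17:00', 'app_password_created', '203.0.113.7', 'label=Mail client'),
    ('2024-06-10T08:00:00', 'login_success', '198.51.100.20', 'password + security key'),
]

RECON_EVENTS = {'login_failed', 'recovery_started'}
PERSISTENCE_EVENTS = {'recovery_email_changed', 'app_password_created'}


def parse(events):
    '''Parse timestamps and return the events in chronological order.'''
    rows = [(datetime.fromisoformat(ts), kind, ip, detail) for ts, kind, ip, detail in events]
    return sorted(rows)


def find_recon_then_login(events, window=timedelta(hours=1)):
    '''Recon hits: (probe_time, login_time, ip) where a login_failed or
    recovery_started probe from ip precedes a login_success from the same ip
    within window. The first probe seen per ip is the one reported.'''
    first_probe = {}
    hits = []
    for t, kind, ip, _ in parse(events):
        if kind in RECON_EVENTS:
            first_probe.setdefault(ip, t)
        elif kind == 'login_success' and ip in first_probe and t - first_probe[ip] <= window:
            hits.append((first_probe[ip], t, ip))
    return hits


def find_persistence_after_login(events, window=timedelta(hours=1)):
    '''Persistence alerts: (login_time, change_time, change_kind, ip) for every
    recovery_email_changed or app_password_created event that occurs within
    window after a login_success.'''
    rows = parse(events)
    alerts = []
    for i, (t, kind, ip, _) in enumerate(rows):
        if kind != 'login_success':
            continue
        for t2, kind2, ip2, _ in rows[i + 1:]:
            if t2 - t > window:
                break  # rows are sorted, so nothing later can be inside the window
            if kind2 in PERSISTENCE_EVENTS:
                alerts.append((t, t2, kind2, ip2))
    return alerts


if __name__ == '__main__':
    for probe_t, login_t, ip in find_recon_then_login(SAMPLE_EVENTS):
        print(f'RECON   {ip}: probe at {probe_t}, login at {login_t}')
    for login_t, change_t, kind, ip in find_persistence_after_login(SAMPLE_EVENTS):
        print(f'PERSIST {ip}: {kind} at {change_t}, {change_t - login_t} after login')
```

On the constructed feed this reports one recon hit and two persistence alerts, all from 203.0.113.7; the later security-key login from another address produces nothing. The one-hour window is an assumption to tune against your provider's session behaviour. A recovery-address change or new app password shortly after a login is worth alerting on even when the login itself looked clean, since, as the post notes, APT42 logins often arrive with the correct password, second factor and geography.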
Google’s\r\nAdvanced Protection Program revokes and disables these application specific passwords in Gmail, protecting\r\nusers from this tactic.\r\nConclusion\r\nGoogle Threat Intelligence Group, inclusive of TAG and Mandiant, helps identify, monitor and tackle threats,\r\nranging from coordinated influence operations to cyber espionage campaigns against high-risk entities. TAG\r\ntracks and works to disrupt more than 270 government-backed attacker groups from more than 50 countries, and\r\nwe regularly publish our findings to keep the public informed of these threats.\r\nAs we outlined above, APT42 is a sophisticated, persistent threat actor and they show no signs of stopping their\r\nattempts to target users and deploy novel tactics. This spring and summer, they have shown the ability to run\r\nnumerous simultaneous phishing campaigns, particularly focused on Israel and the U.S. As hostilities between\r\nIran and Israel intensify, we can expect to see increased campaigns there from APT42.\r\nWe also remain vigilant for targeting around the U.S. election and encourage all high-risk individuals including\r\nelected officials, candidates, campaign workers, journalists, election workers, government officials, and others to\r\nsign up for Google’s Advanced Protection Program. 
APP is a free, opt-in program designed to protect targeted\r\nusers against such tactics, preventing unauthorized users from signing into an account even if they know the\r\npassword.\r\nIndicators of Compromise\r\nAPT42 Domains and URLs\r\nDWP Phishing Kit related\r\naccredit-navigation[.]online\r\nhXXps://n9[.]cl/4xgro\r\nGCollection Phishing Kit related\r\npanel-short-check[.]live\r\ncheck-pabnel-status[.]live\r\nmeetroomonlin1925.w3spaces[.]com\r\nsmaaaal[.]cfd\r\nclick-choose-figured[.]cfd\r\nshort-ion-per[.]live\r\nchecking-paneling[.]live\r\nhXXps://panel-short-check[.]live/PhyfkFQX\r\nhXXps://check-pabnel-status[.]live/Gcollection/Ref/CkliPwaM\r\nhXXps://check-pabnel-status[.]live/Gcollection/Password\r\nhXXps://panel-short-check[.]live/ZZqt3LYD\r\nhXXps://check-pabnel-status[.]live/Lcollection/Ref/F53OQQkE\r\nhXXps://check-pabnel-status[.]live/Lcollection/Password\r\nhXXps://meetroomonlin1925.w3spaces[.]com/\r\nhXXps://smaaaal[.]cfd/Wp59tqKU\r\nhXXps://click-choose-figured[.]cfd/Gallery/Ref/FSaEM5gG\r\nhXXps://click-choose-figured[.]cfd/Gallery/Password\r\nhXXps://short-ion-per[.]live/08EFNZ1\r\nhXXps://checking-paneling[.]live/aliasauthG/Password\r\nhXXps://checking-paneling[.]live/aliasauthG/autoref/vNSX6c2m\r\nOther\r\nunderstandingthewar[.]org\r\nbrookings[.]email\r\nsharedrive.webredirect[.]org\r\nvisioneditor.loseyourip[.]com\r\ns3api[.]shop\r\nhXXps://sharedrive.webredirect[.]org/Khn/shoaGzA/cGNt/dMPaV/kvvhK\r\nhXXps://firebasestorage.googleapis[.]com/v0/b/share-box-5f395.appspot.com/o/onedrive-qrty45.html\r\nhXXps://visioneditor.loseyourip[.]com\r\nhXXps://s3api[.]shop/api/\r\nAPT42 Samples (SHA256)\r\nc67cd544a112cab1bb75b3c44df4caf2045ef0af51de9ece11261d6c504add32 (NEWSTERMINAL)\r\nbc2597ce09987022ff0498c6710a9b51a1a47ed8082ac044be2838b384157527 (OFFICEFUEL)\r\nbaac058ddfc96c8aea8c0057077505f0ad3ff20311d999886fed549924404849 (OFFICEFUEL)\r\n0180f4f29c550aa1ffaa21af51711b29de99fb1d7c932d008a0e9356ae8a7d60 (FUELDUMP)\r\nf83e2b3be2e6db20806a4b9b216edc7508fa81ce60bf59436d53d3ae435b6060 (FUELDUMP)\r\n82ae2eb470a5a16ca39ec84b387294eaa3ae82e5ada4b252470c1281e1f31c0a (FUELDUMP)\r\n89c1d1b61d7f863f8a651726e29f2ae3de7958f36b49a756069021817947d06c (FUELDUMP)\r\nc3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3 (GORBLE PS - LNK)\r\n33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156 (GORBLE PS - Stage 1)\r\n4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f (GORBLE PS - Stage 2)\r\nAPT42 - IP Addresses\r\n49.13.194[.]118 (C2 - OFFICEFUEL/FUELDUMP)\r\n91.107.150[.]184 (C2 - OFFICEFUEL/FUELDUMP)\r\nSource: https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/"
	],
	"report_names": [
		"iranian-backed-group-steps-up-phishing-campaigns-against-israel-us"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07336685a65e86562afab4823368e7472ade3b78.pdf",
		"text": "https://archive.orkl.eu/07336685a65e86562afab4823368e7472ade3b78.txt",
		"img": "https://archive.orkl.eu/07336685a65e86562afab4823368e7472ade3b78.jpg"
	}
}