{
	"id": "f5135698-cf1b-4d58-aeb1-3ea71ceb6198",
	"created_at": "2026-04-06T00:17:50.943716Z",
	"updated_at": "2026-04-10T03:32:22.182649Z",
	"deleted_at": null,
	"sha1_hash": "256be76edfefbc4ba60307f6cb99a2198271af70",
	"title": "I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9277283,
	"plain_text": "I Spy With My Little Eye: Uncovering an Iranian\r\nCounterintelligence Operation\r\nBy Mandiant\r\nPublished: 2024-08-28 · Archived: 2026-04-05 18:34:32 UTC\r\nWritten by: Ofir Rozmann, Asli Koksal, Sarah Bock\r\nUPDATE (March 7, 2025): In light of new evidence, Google Threat Intelligence Group (GTIG) is currently\r\nreviewing the assessments in this blog post.\r\nToday Mandiant is releasing details of a suspected Iran-nexus counterintelligence operation aimed at collecting\r\ndata on Iranians and domestic threats who may be collaborating with intelligence and security agencies abroad,\r\nparticularly in Israel. \r\nThe data collected by this campaign may support the Iranian intelligence apparatus in pinpointing individuals who\r\nare interested in collaborating with Iran’s perceived adversarial countries. The collected data may be leveraged to\r\nuncover human intelligence (HUMINT) operations conducted against Iran and to persecute any Iranians suspected\r\nto be involved in these operations. These may include Iranian dissidents, activists, human rights advocates, and\r\nFarsi speakers living in and outside Iran.\r\nMandiant assesses with high confidence this campaign was operated on behalf of Iran’s regime, based on its\r\ntactics, techniques, and procedures (TTPs), themes, and targeting. In addition, we observed a weak overlap\r\nbetween this campaign and APT42, an Iran-nexus threat actor suspected to operate on behalf of Iran’s IRGC\r\nIntelligence Organization (IRGC-IO). This campaign’s activities are in line with Iran’s IRGC and APT42’s history\r\nof conducting surveillance operations against domestic threats and individuals of interest to the Iranian\r\ngovernment. Despite the possible APT42 connection, Mandiant observed no relations between this activity and\r\nany U.S. 
elections-related targeting as previously reported by Google's Threat Analysis Group.\r\nThe activity used multiple social media accounts to disseminate a network of over 35 fake recruiting websites\r\ncontaining extensive Farsi decoy content, including job offers and Israel-related lures, such as images of Israeli\r\nnational symbols, hi-tech offices, and major city landmarks. Upon entry, the targeted users are required to enter\r\ntheir personal details as well as their professional and academic experience, which are subsequently sent to the\r\nattackers. \r\nThe suspected counterintelligence operations started as early as 2017 and lasted at least until March 2024. In the\r\npast, similar campaigns were deployed in Arabic, targeting individuals affiliated with Syria and Hezbollah\r\nintelligence and security agencies. This may indicate Iran’s counterintelligence activities extend beyond its own\r\nsecurity and intelligence apparatus, possibly in support of its allies in Syria and Lebanon. 
\r\nMandiant worked to help ensure this activity was blocked and disrupted, the threat actor’s accounts were\r\nterminated, and Google Chrome users and the users of other browsers were protected.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation\r\nPage 1 of 13\n\nAttack Lifecycle\r\nThis activity leverages a network of fake recruitment websites posing as Israel-based human resources firms that\r\nuse similar imagery in attempts to socially engineer Farsi-speaking individuals into providing personal details.\r\nThe websites were disseminated online, including through fake social media accounts, and used similar templates.\r\nThe attack lifecycle is depicted in Figure 1.\r\nFigure 1: Attack lifecycle\r\nThe activity consists of several stages.\r\nStep 1: Disseminate Links to Fake Recruitment Websites\r\nMandiant identified multiple fake social media accounts promoting the websites on various social platforms, such\r\nas X (formerly Twitter) and Virasty, which is commonly used in Iran. 
\r\nThe following X post contains a link to the malicious website, topwor4u[.]com, along with this description\r\ntranslated from Farsi:\r\n“In the past year, we were able to attract hundreds of information and cyber professionals and achieve unique\r\nsuccesses at the global level.\r\nIf you have information and cyber work experience, join us”.\r\nFigure 2: Posts by @MiladAzadihr, a Twitter profile promoting the fake recruitment website topwor4u[.]com\r\nFigure 3: Post by @A_Soleimani_Far, a Virasty (Iranian social network) profile promoting the fake recruitment\r\nwebsite joinoptimahr[.]com\r\nStep 2: Fake Job Offer Websites Presenting Israel-Related Decoy Content\r\nUpon entering the website, the user is presented with the alleged purpose of the fake human resources firms: “[to]\r\nrecruit employees and officers of Iran’s intelligence and security organizations.”\r\nThe fake recruitment websites share templates and content, posing as HR firms, like “Optima HR” or\r\n“Kandovan HR.”\r\nThe websites contain an elaborate description written in Farsi, presenting the alleged human resources firm\r\nas “active in the fields of international information and security/cyber consulting and research worldwide”. 
\r\nThe websites contain a Farsi description of the “Terms of Cooperation” with the fake HR firm:\r\n“Having relevant documented experience and resume in the field of information and cyber in related institutions\r\nand organizations (Mandatory).\r\nProtecting your privacy is our priority.\r\nExcellent salary for the chosen ones.\r\nOur center invites you to contact us to submit a job offer and receive special and unique projects!!\r\nJoin us to help each other impact the world.\r\nOur duty is to protect your privacy.”\r\nMandiant observed both desktop and mobile versions of the website beparas[.]com displaying similar\r\ncontents and lures affiliated with Israel, including Israel’s flag and major city landmarks.\r\nFigure 4: Mobile version of the fake website beparas[.]com, used between January and March 2024\r\nFigure 5: Desktop and mobile versions of the website beparas[.]com used in February 2024; the left web page also\r\nincludes a form and a Telegram contact link\r\nThe websites contain Telegram contact links, using handles that contain “IL” (Israel) references, further\r\nenhancing the perceived Israel-affiliation of the campaign. For example:\r\nhxxps://t[.]me/PhantomIL13\r\nhxxps://t[.]me/getDmIL\r\nSeveral fake recruitment websites also contained a link to join a Telegram chat:\r\nhxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw\r\nFurther inspection of the domain beparas[.]com indicated the WordPress user data for the website is\r\npublicly available and lists the username “miladix” as well as Gravatar URLs likely affiliated with this user\r\n(see the following screenshot). 
The value \"b7e2f4a5bc67256189e6732fbce86520\" in the Gravatar URLs is\r\nthe SHA256 value of the user’s email, according to Gravatar documentation.\r\nThe nickname \"Miladix\" might be related to “Milad Azadi,” the name of the X account used by the\r\ncampaign and previously mentioned. In addition, \"Milad\" is a Persian name, further strengthening the\r\ncampaign’s affiliation to Iran.\r\nMandiant observed a domain miladix[.]com, affiliated with an Iranian software developer, although no\r\nlinks were found tying the campaign to miladix[.]com or its operator.\r\nFigure 6: Screenshot of the WordPress user's URL of beparas[.]com\r\nStep 3: Targeted User Fills Out Form; Personal and Professional Details Sent to Attackers\r\nThe fake recruitment websites contain a form that includes the fields: name, birth date, email, home address,\r\neducation, and professional experience.\r\nFigure 7: Fake personal details form\r\n“Axis of Resistance”: Historic Operations Targeting Syria and Hezbollah\r\nClose inspection of the fake “Optima HR” websites revealed a previous network of fake recruitment websites that\r\ntargeted Farsi speakers as well as Arabic speakers affiliated with Syria and Lebanon (Hezbollah), masquerading as\r\na different HR firm named “VIP Human Solutions.”\r\nThe “VIP Human Solutions” sites used very similar imagery and themes, purporting to recruit for security- and\r\nintelligence-related jobs using Israel-affiliated decoy content, as can be seen in Figure 8.\r\nFigure 8: Logos of VIP Human Solutions (2020–2023, left) and Optima HR (2022–2024, right)\r\nFigure 9: dreamy-jobs[.]com, a fake “VIP Human Solutions” website used in 2022\r\nThe “VIP Human Solutions” website’s contents, template, and personal 
details form are almost identical to the\r\n“Optima HR” website. The headline translates to:\r\n“VIP job selection is a recruitment center for respected personnel and employees of Iran's security and intelligence\r\norganizations and institutions.”\r\nMandiant observed significant overlaps between the historic “VIP Human Solutions” campaign and the ongoing\r\n“Optima HR” campaign, and considers both to be deployed by the same threat actor. The activity was mentioned\r\npublicly in the past and was suspected to be related to the Israeli Mossad.\r\nFigure 10: A Tweet from January 2021 mentioning “VIP Human Solutions”\r\nMandiant observed the aforementioned Telegram group chat, which has been active since at least\r\n2021 and was used by both clusters:\r\nhxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw\r\nThe same link was embedded in multiple “VIP Human Solutions” websites, occasionally along with Israel\r\n(+972) phone numbers and additional Telegram accounts:\r\nhxxps://t[.]me/DreamyJobs_com\r\nhxxps://t[.]me/wazayif_IL\r\n“wazayif” is the English transcription of the word “jobs” in Arabic (وظايف).\r\nThe “VIP Human Solutions” recruitment websites were likely in use from at least 2018 to at least 2023. 
In\r\naddition to Farsi websites, the cluster used Arabic websites with similar templates.\r\nTranslation of the Arabic website’s title:\r\n“VIP Recruitment, a center for recruiting respected military personnel into the army, security services and\r\nintelligence from Syria and Hezbollah, Lebanon.”\r\nFigure 11: wazayif-halima[.]com, an Arabic-language “VIP Human Solutions” website, used in 2021–2022 to\r\ntarget Syria and Hezbollah's intelligence personnel\r\nMandiant also observed another version of the same website in 2023, which includes the “Lorem Ipsum” dummy\r\ntext in Arabic, possibly indicating that the updated version of the website was not operational yet. The template\r\nincludes the Syrian flag and map, an Israeli phone number (+972), and a Telegram contact link:\r\nhxxps://t[.]me/DreamyJobs_com.\r\nFigure 12: An updated version of wazayif-halima[.]com observed in July 2023\r\nWhile the “VIP Human Solutions” domains were registered beginning in 2020, Mandiant observed further historic\r\nevidence suggesting that the campaign has been active since at least 2018.\r\nSpecifically, a YouTube channel named “VIP Human Solutions” was created by “Alireza Ebrahimpoor” in\r\nNovember 2018. The channel contains a single video by “VIP Jobs Global,” with a Farsi description very similar\r\nto the fake recruitment websites’, presented as a “recruitment center for retirees and employees of Iran’s security\r\nand intelligence organizations and institutions”. 
The threat actor-controlled YouTube channel is no longer\r\navailable.\r\nFigure 13: “VIP Human Solutions” YouTube channel: hxxps://www[.]youtube[.]com/@vipjobsglobal1819\r\nThe video has very similar content and themes to those of the fake recruitment websites, including the use of the unique\r\nlogo of “VIP Human Solutions.”\r\nFigure 14: Screenshot of the “VIP Human Solutions” video\r\nThe video also contains the following contact details:\r\nEmail address: sendcv@vipjobsglobal[.]com. The domain vipjobsglobal[.]com was registered in March\r\n2018.\r\nFacebook page: hxxps://facebook[.]com/358690841262928, which started operating in December 2017 and\r\nis no longer active.\r\nThe following table compares the historic activity with the new activity described in the previous section:\r\n                      “VIP Human Solutions”                           “Optima HR”\r\nYears Active          2017-2022                                       2022-2024\r\nLanguages             Farsi, Arabic                                   Farsi\r\nTargeted Regions      Iran, Syria and Hezbollah                       Iran\r\nExample Domains       bilal1com[.]com (Farsi)                         optima-hr[.]com\r\n(full list in the     jomehjob[.]com (Farsi)                          joinoptimahr[.]com\r\nIOCs section)         dreamy-job[.]com (Farsi)                        opthrltd[.]me\r\n                      damavand-hr[.]me (Arabic)                       beparas[.]com\r\n                      wazayif-halima[.]org (Arabic)                   darakeh[.]me\r\n                                                                      topwor4u[.]com\r\nContact Details       hxxps://t[.]me/DreamyJobs_com                   hxxps://t[.]me/PhantomIL13\r\n                      hxxps://t[.]me/wazayif_IL                       hxxps://t[.]me/getDmIL\r\n                      hxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw  hxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw\r\n                      +972 (Israel) phone numbers\r\nOutlook and Implications\r\nMandiant estimates this activity supports Iranian counterintelligence efforts to identify individuals affiliated (or\r\ninterested in working) with intelligence and security 
agencies.\r\nSpecifically, the activities described in this blog post are of concern to Iranian individuals who are suspected to be\r\ncollaborating with countries Iran might perceive as adversaries. These may include Iranian dissidents, activists,\r\nhuman rights advocates, and Farsi speakers living in and outside Iran.\r\nThe campaign casts a wide net by operating across multiple social media platforms to disseminate its network of\r\nfake HR websites in an attempt to expose Farsi-speaking individuals who may be working with intelligence and\r\nsecurity agencies and are thus perceived as a threat to Iran’s regime. The collected data, such as addresses, contact\r\ndetails, as well as professional and academic experience, might be leveraged in future operations against the\r\ntargeted individuals.\r\nAdditional Protection Information for Google Cloud Customers\r\nFor Google Chronicle Enterprise+ customers, Chronicle rules have been released to the Emerging Threats rule\r\npack, and IOCs listed in this blog post are available for prioritization with Applied Threat Intelligence.\r\nIndicators of Compromise (IOCs)\r\nA Google Threat Intelligence Collection featuring IOCs related to the activity described in this post is now\r\navailable for registered users.\r\nCluster 1: “Optima HR”, “Kandovan HR” and “Paras IL”, active 2022-2024\r\nbeparas[.]com parasil[.]me darakeh[.]me kandovani[.]org\r\ntopwor4u[.]com opthrltd[.]me joinoptimahr[.]com optimax-hr[.]com\r\noptimac-hr[.]com optima-hr[.]com titanium-hr[.]com\r\nCluster 2: “VIP Human Solutions”, active 2017-2023\r\nazadijobs[.]me bilal1com[.]com damavand-hr[.]me damkahill[.]com\r\ndream-jobs[.]org dream-jobs[.]vip dreamy-job[.]com dreamy-jobs[.]com\r\ndreamycareer[.]com golanjobs[.]me hat-cast[.]com irnjobs[.]me\r\njomehjob[.]com radabala[.]com rostam-hr[.]vip 
salamjobs[.]me\r\nshirazicom[.]com syrtime[.]me topiranjobs[.]me trnjobs[.]me\r\nvipjobsglobal[.]com wazayif-halima[.]com wazayif-halima[.]org wehatcast[.]com\r\nyouna101[.]me younamesh[.]com\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation"
	],
	"report_names": [
		"uncovering-iranian-counterintelligence-operation"
	],
	"threat_actors": [
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434670,
	"ts_updated_at": 1775791942,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/256be76edfefbc4ba60307f6cb99a2198271af70.pdf",
		"text": "https://archive.orkl.eu/256be76edfefbc4ba60307f6cb99a2198271af70.txt",
		"img": "https://archive.orkl.eu/256be76edfefbc4ba60307f6cb99a2198271af70.jpg"
	}
}