{
	"id": "db1fd378-dad9-4d4a-b1e6-efc08fd925c0",
	"created_at": "2026-04-06T00:21:54.702587Z",
	"updated_at": "2026-04-10T13:11:25.980858Z",
	"deleted_at": null,
	"sha1_hash": "2bef5737e527247abab9bcd6b8b33e17fa8ea716",
	"title": "Operation SpoofedScholars: A Conversation with TA453 | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1114353,
	"plain_text": "Operation SpoofedScholars: A Conversation with TA453 | Proofpoint US\r\nBy Joshua Miller, Crista Giering, \u0026 the Threat Research Team, July 13, 2021\r\nPublished: 2021-06-30 · Archived: 2026-04-05 16:24:18 UTC\r\nKey Takeaways\r\nTA453, an Iranian-state aligned actor, masqueraded as British scholars to covertly target individuals of intelligence interest to the Iranian government in what Proofpoint has dubbed Operation SpoofedScholars.\r\nThe email conversations were benign until TA453 provided a link to a compromised website hosting a credential harvesting page.\r\nThe use of a legitimate but actor-compromised website is an increase in sophistication compared to TA453’s historical Tactics, Techniques, and Procedures of using actor-controlled credential phishing websites.\r\nProofpoint has worked with the appropriate authorities to conduct victim notification.\r\nOverview\r\nMasquerading as UK scholars with the University of London’s School of Oriental and African Studies (SOAS), the threat actor TA453 has been covertly approaching individuals since at least January 2021 to solicit sensitive information. The threat actor, an APT who we assess with high confidence supports Islamic Revolutionary Guard Corps (IRGC) intelligence collection efforts, established backstopping for their credential phishing infrastructure by compromising a legitimate site of a highly regarded academic institution to deliver personalized credential harvesting pages disguised as registration links. Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage.\r\nThese connection attempts were detailed and extensive, often including lengthy conversations prior to presenting the next stage in the attack chain. Once the conversation was established, TA453 delivered a “registration link” to a legitimate but compromised website belonging to the University of London’s SOAS radio. The compromised site was configured to capture a variety of credentials. Of note, TA453 also targeted the personal email accounts of at least one of their targets. In subsequent phishing emails, TA453 shifted their tactics and began delivering the registration link earlier in their engagement with the target without requiring extensive conversation. This operation, dubbed SpoofedScholars, represents one of the more sophisticated TA453 campaigns identified by Proofpoint.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453\r\nPage 1 of 8\r\nChatting with TA453\r\nIn early 2021, a TA453 persona, “Dr. Hanns Bjoern Kendel, Senior Teaching and Research Fellow at SOAS University in London,” used email address hannse.kendel4[@]gmail.com to solicit conversations with targets. The following is a brief summary of an example conversation observed by Proofpoint Threat Research:\r\nTA453 sent an initial email trying to entice the target with a prospective invitation to an online conference on “The US Security Challenges in the Middle East.” TA453 strove to connect with the individual via phone to discuss the invitation; however, after the target hedged and emphatically stated that they wanted a written proposal with the details, TA453 acquiesced with conference specifics. After a little back and forth that verified the target’s interest, TA453 provided a detailed invitation to the fake conference (Figure 1). The conversation concluded with TA453 attempting to get the target to connect via videoconferencing.\r\nFigure 1. Fake conference invitation.\r\nConversation Analysis\r\nThroughout the conversation, Proofpoint identified a few interesting themes:\r\nTA453 demonstrates passable English skills and is open to voice communication via videoconferencing.\r\nTA453 demonstrates an interest in mobile phone numbers, possibly for mobile malware or additional phishing.\r\nTA453 repeatedly demonstrated a desire to connect with the target in real time.\r\nPersonal Targeting\r\nIn addition to Hanns’ solicitations, at least one target received a credential harvesting email to their personal email account. This attempt did not masquerade as Dr. Kendel but did still attempt to harvest credentials from the target. Currently, Proofpoint does not have more information on this specific kill chain.\r\nCampaign Breakdown\r\nTargets\r\nTA453 targets in Operation SpoofedScholars can be clustered into three main categories that are consistent with the IRGC’s historical collection priorities.\r\nSenior think tank personnel\r\nJournalists focused on Middle Eastern affairs\r\nProfessors\r\nThese groupings consistently have information of interest to the Iranian government, including, but not limited to, information about foreign policy, insights into Iranian dissident movements, and understanding of U.S. nuclear negotiations, and most of the identified targets have been previously targeted by TA453. Targeting appeared to be highly selective, with fewer than ten organizations targeted, according to Proofpoint data.\r\nInfrastructure\r\nOnce TA453 established a time for the target to activate their invitation, the TA453 persona provided the personalized link to the intended victim. The link led to a “Webinar Control Panel” on a legitimate but compromised website belonging to University of London’s SOAS, a research institution. According to Proofpoint research, while TA453 does appear to have elevated privileges allowing them to create credential harvesting pages at soasradio[.]org, other pages on the site continue to host legitimate SOAS-affiliated content.\r\nTA453 strengthened the credibility of the attempted credential harvest by utilizing personas masquerading as legitimate affiliates of SOAS to deliver the malicious links. The displayed webpage (Figure 2) offers users the ability to use “OpenID” to log in with the following mail providers: Google, Yahoo, Microsoft, iCloud, Outlook, AOL, mail.ru, Email, and Facebook. The website URI was hxxps://soasradio[.]org/connect/?memberemailid=[Redacted Initials of Target]-[String of alphanumeric characters].\r\nFigure 2. SOAS displayed webpage.\r\nWhen a particular provider is clicked, a pop-up box (Figure 3) displays the actual credential phishing box. Of the options, the Google, Microsoft, and Email buttons prefilled the target’s email address. Based on the variety of email providers along with TA453’s insistence that the target log on when TA453 was online, Proofpoint assesses that TA453 was planning on immediately validating the captured credentials manually.\r\nFigure 3. “AOL login window”\r\nHanns Kendel was not the only SOAS scholar spoofed by TA453 during Operation SpoofedScholars. Months later, TA453 began spoofing Tolga Sinmazdemir, another individual associated with SOAS. These emails solicited contributions to a “DIPS Conference” and would likely have followed a kill chain similar to the one discussed above. In mid-May, TA453 returned, using a different email (hanse.kendel4[@]gmail.com) to recruit for a webinar.\r\nAttribution\r\nAs discussed previously in Proofpoint’s research on TA453’s BadBlood campaign, Proofpoint analysts cannot independently confirm that TA453 is part of the IRGC. However, the tactics and techniques used by the group and their overall targeting detected by Proofpoint are in line with IRGC intelligence collection priorities, which gives us high confidence in our assessment that TA453 operates in support of the IRGC. The IRGC, specifically the IRGC Intelligence Organization, collects intelligence and conducts operations in support of a variety of assigned responsibilities. According to the Meir Amit Intelligence and Terrorism Information Center’s November 2020 report, some of the IRGC IO’s responsibilities include foiling political subversion, combating western cultural penetration, and supporting the arrest of Iranian dual nationals.\r\nLikewise, attribution specifically for Operation SpoofedScholars is based on TTP similarities to previous TA453 campaigns and consistency with TA453’s historical targeting. TA453 often uses free email providers to spoof individuals familiar to their targets to increase the likelihood of successful compromise. Additionally, as previously discussed, TA453 concentrates their credential phishing on specific individuals of interest to collect intelligence through exfiltration of sensitive email and contacts or initial access for future phishing campaigns.\r\nMitigation\r\nFor specific mitigations against Operation SpoofedScholars, Proofpoint recommends investigating network traffic to soasradio[.]org, specifically URIs starting with hxxps://soasradio[.]org/connect/?memberemailid=. Additionally, emails from hanse.kendel4[@]gmail.com, hannse.kendel4[@]gmail.com, and t.sinmazdemir32[@]gmail.com should be considered suspect and investigated.\r\nBroader mitigation efforts against TA453 campaigns include increased awareness and investigation of unusual communication from professional contacts. Academics, journalists, and think tank scholars should practice caution and verify the identity of the individuals offering them unique opportunities, especially if those opportunities occur virtually. Using multifactor authentication provides another layer of protection against TA453 credential harvesting.\r\nConclusion\r\nTA453 illegally obtained access to a website belonging to a world-class academic institution to leverage the compromised infrastructure to harvest the credentials of their intended targets. The use of legitimate, but compromised, infrastructure represents an increase in TA453’s sophistication and will almost certainly be reflected in future campaigns. TA453 continues to iterate, innovate, and collect in support of IRGC collection priorities. While some of the identified selectors no longer appear to be active in TA453 operations, Proofpoint assesses with high confidence that TA453 will continue to spoof scholars around the world in support of TA453’s intelligence collection operations in support of Iranian government interests. Academics, journalists, and think tank personnel should practice caution and verify the identity of the individuals offering them unique opportunities.\r\nET Signature\r\n2033317 - ET Malware Operation SpoofedScholars Activity (GET)\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453"
	],
	"report_names": [
		"operation-spoofedscholars-conversation-ta453"
	],
	"threat_actors": [
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434914,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bef5737e527247abab9bcd6b8b33e17fa8ea716.pdf",
		"text": "https://archive.orkl.eu/2bef5737e527247abab9bcd6b8b33e17fa8ea716.txt",
		"img": "https://archive.orkl.eu/2bef5737e527247abab9bcd6b8b33e17fa8ea716.jpg"
	}
}