{ "id": "56276057-6871-443a-8c61-0d756adfc6ff", "created_at": "2026-04-06T00:18:58.180984Z", "updated_at": "2026-04-10T03:34:00.301718Z", "deleted_at": null, "sha1_hash": "2e5328e79f4999479c0929cf89b335ca837330e3", "title": "Iranian cyber spies are targeting dissidents in Germany, warns intelligence service", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 84572, "plain_text": "Iranian cyber spies are targeting dissidents in Germany, warns\r\nintelligence service\r\nBy Alexander Martin\r\nPublished: 2023-08-10 · Archived: 2026-04-05 17:53:20 UTC\r\nGermany’s domestic intelligence service published a cyber espionage warning on Thursday that Iranian dissident\r\norganizations and individuals in the country were being targeted by a suspected state-sponsored threat group.\r\nOfficially known as the Federal Office for the Protection of the Constitution (BfV), the agency reported it had\r\nfound concrete attempts by the group known as Charming Kitten to target the Iranian opposition and exiles based\r\nin Germany.\r\nSimilar to a warning issued by Britain’s National Cyber Security Centre in January, the BfV said the hackers were\r\nusing sophisticated social engineering techniques and false personals tailored to victims in order to build a rapport\r\nand compromise their targets.\r\nListen to More: Click Here investigates Iran’s efforts to target the Iranian diaspora\r\nCharming Kitten has been described as state-sponsored by numerous specialist companies — including Google,\r\nRecorded Future and Proofpoint — on the basis of its apparent intelligence-gathering rather than financial\r\nmotivation, although the BfV did not explicitly accuse the Iranian regime of supporting it.\r\nThe German agency’s publication describes the nature of the social engineering activities, designed to build a\r\nrapport with their victims, before often sending a link to an online chat that leads to a disguised credential\r\nharvesting page.\r\nLast December, Human Rights Watch said that Charming Kitten was behind a well-resourced and ongoing\r\ninternational cyber espionage campaign that targeted a member of their staff by having them enter their login\r\ncredentials into a webpage that the hackers controlled.\r\nAmong the industry research linked to by both the NCSC's advisory and the new warning from the BfV is work\r\nby CERTFA (the ‘Computer Emergency Response Team in Farsi’), a mostly anonymous collective that tracks\r\nIranian cybercriminals and state-sponsored hackers targeting Iranian citizens around the world.\r\nLast year, the head of MI5, the U.K.’s domestically-focused security service which takes the lead on counter-terrorism and counter-espionage, warned that there had been at least 10 potential threats by Iran to \"kidnap or even\r\nkill\" British or U.K.-based people who were perceived as enemies of the regime.\r\nIt is not known what links, if any, these threats share with the Charming Kitten espionage campaign, but Amin\r\nSabeti — the founder of CERTFA — told The Record he believed that Charming Kitten was linked to the IRGC\r\nand that he wouldn't be surprised to read a news story announcing that one of the campaign's targets had been\r\nkilled.\r\nhttps://therecord.media/charming-kitten-iran-targets-dissidents-in-germany\r\nPage 1 of 2\n\nAlexander Martin\r\nis the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow\r\nat the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal\r\non: AlexanderMartin.79\r\nSource: https://therecord.media/charming-kitten-iran-targets-dissidents-in-germany\r\nhttps://therecord.media/charming-kitten-iran-targets-dissidents-in-germany\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://therecord.media/charming-kitten-iran-targets-dissidents-in-germany" ], "report_names": [ "charming-kitten-iran-targets-dissidents-in-germany" ], "threat_actors": [ { "id": "82b92285-4588-48c9-8578-bb39f903cf62", "created_at": "2022-10-25T15:50:23.850506Z", "updated_at": "2026-04-10T02:00:05.418577Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "Charming Kitten" ], "source_name": "MITRE:Charming Kitten", "tools": [ "DownPaper" ], "source_id": "MITRE", "reports": null }, { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-10T02:00:02.944092Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress", "Mint Sandstorm", "Parastoo" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-10T02:00:04.761303Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434738, "ts_updated_at": 1775792040, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2e5328e79f4999479c0929cf89b335ca837330e3.pdf", "text": "https://archive.orkl.eu/2e5328e79f4999479c0929cf89b335ca837330e3.txt", "img": "https://archive.orkl.eu/2e5328e79f4999479c0929cf89b335ca837330e3.jpg" } }