{
	"id": "1752a1f4-0c0b-4a19-a0f1-787f06fc9d06",
	"created_at": "2026-04-06T00:10:50.625672Z",
	"updated_at": "2026-04-10T03:34:00.242343Z",
	"deleted_at": null,
	"sha1_hash": "399a718c060f261ec5b127b9d6209a5a8da89748",
	"title": "The Return of The Charming Kitten - Certfa Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85317,
	"plain_text": "The Return of The Charming Kitten - Certfa Lab\r\nBy Certfa Lab\r\nArchived: 2026-04-05 13:39:43 UTC\r\nA review of the latest wave of organized phishing attacks by Iranian state-backed hackers\r\nAbstract\r\nPhishing attacks are the most common form of infiltration used by Iranian state-backed hackers to gain access to accounts. Certfa reviews the latest campaign of phishing attacks that has been carried out, dubbed “The Return of The Charming Kitten”.\r\nIn this campaign, hackers have targeted individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world.\r\nOur review at Certfa demonstrates that the hackers - knowing that their victims use two-step verification - target verification codes as well as their email accounts such as Yahoo! and Gmail. As a result, Certfa believes the safest existing way to confront these attacks is using Security Keys such as YubiKey.\r\nIntroduction\r\nIn early October 2018, MD0ugh, a Twitter user [1], revealed phishing attacks by a group of Iranian hackers against US financial institution infrastructure. According to this user, these attacks could possibly be a reaction to new sanctions against Iran.\r\nThe account mentioned a domain with the address accounts[-]support[.]services for the first time. This domain is linked to a group of hackers who are supported by the Iranian government, and who we believe have close ties with the Islamic Revolutionary Guard Corps (IRGC). ClearSky [2] has previously published detailed reports on their activities.\r\nA month after these attacks, the administrators of accounts-support[.]services expanded their activities and started targeting civil and human rights activists, political figures and also Iranian and Western journalists.\r\nMethods of Attack\r\nOur investigation illustrates that the attackers are utilising different methods to carry out their attacks. These methods can be put into two categories:\r\n1. Phishing attacks through unknown email or social media and messaging accounts\r\nhttps://blog.certfa.com/posts/the-return-of-the-charming-kitten/\r\nPage 1 of 8\r\n2. Phishing attacks through email or social media and messaging accounts of public figures, which have been hacked by the attackers\r\nWe have also found that the hackers have collected information on their targets prior to the phishing attack. The hackers design specific plans for each target based on the level of the targets’ cyber knowledge, their contacts, activities, working time, and their geographic situation.\r\nWe also noticed that, unlike in previous phishing campaigns, in some cases the hackers did not change the password of their victims’ accounts in these latest attacks. This allows them to remain undetected and monitor a victim’s communications via their email in real time.\r\nAccording to the samples of phishing attacks, the main trick used by these hackers to deceive their targets is that of sending fake alerts through email addresses such as notifications.mailservices@gmail[.]com, noreply.customermails@gmail[.]com, customer]email-delivery[.]info etc. stating that unauthorised individuals have tried to access their accounts.\r\nFigure 1. Illustration of safe and secure looking fake links\r\nBy using this method, attackers pretend that the email provider has sent security alerts to the targets and that they should immediately review and restrict suspicious accesses. More details are available in the “Destination Link” section.\r\nFake file sharing on Google Drive\r\nSending links with titles such as shared files from Google Drive has been one of the most common tricks that hackers have used in recent years. A unique point of these attacks in comparison with the previous ones is that they use Google Sites [3], which allows the hackers to show a fake Google Drive download page, which tricks the users into thinking it’s a real Google Drive page.\r\nFigure 2. A fake Google Drive file sharing page\r\nFor example, the hacker had used hxxps://sites.google[.]com/view/sharingdrivesystem to deceive the users and convince them the page is the authentic Google Drive, as users can see google.com in the address bar of their browsers. Certfa has reported this link and similar links to Google and Google has now terminated them.\r\nBy creating websites with the same design and look as the Google Drive file sharing page, hackers pretend to be sharing a file with the user, which they should download and run on their devices. They use hacked Twitter, Facebook and Telegram accounts to send these links and target new users. In reality there is no file; the hackers use this page to direct their targets to the fake Google login page, where the users enter their credentials, including 2-factor authentication codes.\r\nThe Attack Structure\r\nMost of these attacks are currently occurring through phishing emails. As a result, it would be useful to take a look at the original content of recent phishing campaigns.\r\nFigure 3. An example of the code of a phishing email sent to the user\r\n1. Destination link\r\n1.1. Trusted Stage: Internet users around the world consider Google’s main domain (google.com) to be a safe and secure address. The attackers misuse this fact and create fake pages on sites.google.com (which is a subdomain of Google) to deceive their targets. Google Sites gives its users the ability to show various content on it. The attackers use this ability to send fake alerts and redirect their targets to insecure websites, or to embed phishing pages as an iframe on those pages.\r\nFigure 4. How attackers misuse sites.google.com\r\n1.2. Untrusted Stage: Since Google can quickly recognise and eliminate suspicious and malicious links on sites.google.com, the hackers use their own websites. The links of the phishing websites have similar patterns to a previous phishing campaign launched in past years. For example, attackers use words such as “management”, “customize”, “service”, “identification”, “session”, “confirm” etc. in the domain names and phishing URLs to deceive users who want to verify website addresses.\r\n2. Clickable image in emails\r\nThe hackers use an image, instead of text, in the body of their emails to bypass Google’s security and anti-phishing system. For this purpose, attackers have also used third party services such as Firefox Screenshots [4] to host their email images.\r\nFigure 5. An example of a planted image of a fake alarm in a phishing email\r\nThe attackers use a separate hidden image in the body of the email to notify them when their targets open the email. This trick helps the hackers to act immediately after the target opens the email and clicks on the phishing link.\r\nPhishing Pages\r\nApart from the content structure of the emails and phishing links, we are sure that attackers use a customized platform to create and store users’ credential details. We have also noticed that they have designed the phishing pages for both desktop and mobile versions of Google and Yahoo! mail services and they might use other services in the future.\r\nAn interesting technique they have used in recent attacks: once their target enters their username and password, attackers check those credentials on the fly and, if that information is correct, they then ask for the 2-step verification code.\r\nIn other words, they check victims’ usernames and passwords in real time on their own servers, and even if 2-factor authentication such as text message, authenticator app or one-tap login is enabled, they can trick targets and steal that information too.\r\nFigures 6 to 9 demonstrate some examples of the phishing pages which have been sent to the targets by the Iranian hackers.\r\nFigure 6. A fake page for entering the password of Gmail accounts\r\nFigure 7. A fake page for entering the 2-step verification code for Gmail accounts\r\nFigure 8. A fake page for entering the password of Yahoo! accounts\r\nFigure 9. A fake page for entering the 2-step verification code for Yahoo! accounts\r\nOur initial reviews of the phishing websites linked to this campaign show that hackers have set up a remarkable number of domains. Our latest findings show that for this phishing campaign, in a relatively short period of time (September to November 2018), they have used more than 20 domain names. The number of phishing domains has increased at the time of writing this report. Closer investigation of these servers revealed how their network of domain names has been used in recent attacks.\r\nFigure 10. Deep data of the attackers’ network in this phishing campaign, gathered by Certfa [5]\r\nMoreover, our technical reviews reveal that the individuals who are involved in this campaign used Virtual Private Networks (VPNs) and proxies with Dutch and French IP addresses to hide their original location. In spite of their efforts, we have uncovered enough evidence to prove that the attackers were using their real IP addresses (i.e. 89.198.179[.]103 and 31.2.213[.]18, from Iran) during the preparation phase of their campaign.\r\nAlso, some domain names and servers of this campaign are very similar to the methods, techniques and targets that have been used by Charming Kitten, a group of hackers who are linked to the Iranian government. Consequently, we believe Charming Kitten and the Iranian hacker(s) belonging to this group have returned and launched new cyber attacks against various people around the world, with more focus on Israeli and American citizens.\r\nConclusion\r\nPhishing attacks are the most popular method of stealing data and hacking accounts among Iranian hackers, but the most significant fact about this campaign is its timing. This campaign launched weeks before 4 November 2018, which is when the U.S. imposed new sanctions on Iran. This campaign tries to collect information by infiltrating the accounts of non-Iranian political figures and authorities who work on economic and military sanctions against Iran.\r\nIn other words, hackers who are supported by the Iranian government pick their targets according to the policies and international interests of the Iranian government and also where Iran wants to have an impact indirectly.\r\nAs a result, we propose a series of recommendations to tech companies, policymakers, civil society actors and internet users to effectively lessen the threat of this type of attack and even thwart them.\r\nOur recommendations to tech companies and policy makers:\r\nStop using 2-factor authentication by plain text message/SMS.\r\nStart using Security Keys (i.e. YubiKey) for 2-factor authentication for high ranking individuals who have sensitive jobs or activities.\r\nDo not use the one-tap login verification process.\r\nOur recommendations to civil society and the Iranian diaspora media:\r\nInform employees and colleagues about any phishing threats and encourage them to use Security Keys such as YubiKey for 2-factor authentication and to activate Google’s Advanced Protection Program.\r\nAlways use company and institution email accounts instead of personal email for sensitive communications. Change Sender Policy Framework (SPF) [6] settings according to the communication policy of the company/organisation, such as restricting receiving emails from outside of the working network. For example, G Suite allows admins to block receiving emails from unauthorised addresses or domains [7].\r\nEncourage the public to enable 2-factor authentication on their accounts by mobile apps such as Google Authenticator.\r\nOur recommendations to users:\r\nDo not click on unknown links. For reviewing suspicious activities on your account or changing the password, instead of clicking on any link, you can go to your “My Account” settings from your email directly, which is safer.\r\nUse email encryption such as PGP for sensitive emails, which prevents hackers from reading your emails in the first place.\r\nDo not store classified and sensitive information as plain text in your mailbox.\r\nHTTPS before a domain name in a URL does not mean that the content of a website is secure or trusted - it’s just a secure extension of the HTTP protocol. Do not forget many phishing websites are currently operating under the HTTPS protocol too.\r\nIOCs\r\n178.162.132[.]65\r\n190.2.154[.]34\r\n190.2.154[.]35\r\n190.2.154[.]36\r\n190.2.154[.]38\r\n46.166.151[.]211\r\n51.38.87[.]64\r\n51.38.87[.]65\r\n51.68.185[.]96\r\n51.38.107[.]113\r\n95.211.189[.]45\r\n95.211.189[.]46\r\n95.211.189[.]47\r\n213.227.139[.]148\r\n54.37.241[.]221\r\n54.38.144[.]250\r\n54.38.144[.]251\r\n54.38.144[.]252\r\n85.17.127[.]172\r\n85.17.127[.]173\r\n85.17.127[.]174\r\n85.17.127[.]175\r\n89.198.179[.]103\r\n31.2.213[.]18\r\naccounts-support[.]services\r\nbroadcast-news[.]info\r\nbroadcastnews[.]pro\r\ncom-identifier-servicelog[.]info\r\ncom-identifier-servicelog[.]name\r\ncom-identifier-userservicelog[.]com\r\nconfirm-session-identification[.]info\r\nconfirm-session-identifier[.]info\r\nconfirmation-service[.]info\r\ncustomer-recovery[.]info\r\ncustomize-identity[.]info\r\ndocument-share[.]info\r\ndocument.support-recoverycustomers[.]services\r\ndocumentofficupdate[.]info\r\ndocuments.accounts-support[.]services\r\ndocumentsfilesharing[.]cloud\r\nemail-delivery[.]info\r\nmobile-sessionid.customize-identity[.]info\r\nmobiles-sessionid.customize-identity[.]info\r\nmy-scribdinc[.]online\r\nmyyahoo.ddns[.]net\r\nnotificationapp[.]info\r\nonlinemessenger.com-identifier-servicelog[.]name\r\npodcastmedia[.]online\r\nrecoveryusercustomer[.]info\r\nsession-management[.]info\r\nsupport-recoverycustomers[.]services\r\ncontinue-session-identifier[.]info\r\nmobilecontinue[.]network\r\nsession-identifier-webservice.mobilecontinue[.]network\r\ncom-messengersaccount[.]name\r\ninvitation-to-messenger[.]space\r\nconfirm-identification[.]name\r\nmobile.confirm-identification[.]name\r\nservices.confirm-identification[.]name\r\nmobile-messengerplus[.]network\r\nconfirm.mobile-messengerplus[.]network\r\ncom-messengercenters[.]name\r\nsecuremail.mobile-messengerplus[.]network\r\ndocuments.mobile-messengerplus[.]network\r\nconfirm-identity[.]net\r\nidentifier-sessions-mailactivityid[.]site\r\nactivatecodeoption.ddns[.]net\r\nbroadcastpopuer.ddns[.]net\r\nbooks.com-identifier-servicelog[.]name\r\nmb.sessions-identifier-memberemailid[.]network\r\nsessions-identifier-memberemailid[.]network\r\nsessions.mobile-messengerplus[.]network\r\nconfirm-verification-process[.]systems\r\naccounts.confirm-verification-process[.]systems\r\nbroadcastnews.ddns[.]net\r\naccount-profile-users[.]info\r\nus2-mail-login-profile[.]site\r\nus2.login-users-account[.]site\r\nlogin-users-account[.]site\r\nlive.account-profile-users[.]info\r\nsignin.account-profile-users[.]info\r\naol.account-profile-users[.]info\r\nusers-account[.]site\r\n1. https://s.certfa.com/q1514c\r\nhttps://s.certfa.com/eNnnag\r\nhttps://s.certfa.com/ur93p2\r\n2. ClearSky Cyber Security (2018), “Charming Kitten, Iranian cyber espionage against human rights activists, academic researchers and media outlets - and the HBO hacker connection”. Accessed November 15, 2018. https://s.certfa.com/1ulIxk\r\n3. Google Sites. Accessed November 23, 2018. https://sites.google.com/\r\n4. Firefox Screenshots. Accessed November 15, 2018. https://screenshots.firefox.com/\r\n5. VirusTotal Graph. Accessed November 25, 2018. https://s.certfa.com/OgQUSC\r\n6. Sender Policy Framework or SPF is an email authentication method to detect forged sender addresses in emails. SPF allows the recipient to check that an email claiming to come from a specific domain comes from an IP address authorized by that domain’s administrators.\r\n7. G Suite Administrator Help (2018), “Restrict messages to authorized addresses or domains”. Accessed November 29, 2018. https://support.google.com/a/answer/2640542?hl=en\r\nSource: https://blog.certfa.com/posts/the-return-of-the-charming-kitten/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.certfa.com/posts/the-return-of-the-charming-kitten/"
	],
	"report_names": [
		"the-return-of-the-charming-kitten"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434250,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/399a718c060f261ec5b127b9d6209a5a8da89748.pdf",
		"text": "https://archive.orkl.eu/399a718c060f261ec5b127b9d6209a5a8da89748.txt",
		"img": "https://archive.orkl.eu/399a718c060f261ec5b127b9d6209a5a8da89748.jpg"
	}
}