{
	"id": "774611db-5a7a-418a-a2d3-50f91d3c5a15",
	"created_at": "2026-04-06T01:29:43.518516Z",
	"updated_at": "2026-04-10T03:34:00.285291Z",
	"deleted_at": null,
	"sha1_hash": "39a62e31f1ac716c1eb4d40ac1851e439b22c111",
	"title": "Iran: State-Backed Hacking of Activists, Journalists, Politicians",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69271,
	"plain_text": "Iran: State-Backed Hacking of Activists, Journalists, Politicians\r\nPublished: 2022-12-05 · Archived: 2026-04-06 00:44:59 UTC\r\n(Beirut) – Hackers backed by the Iranian government have targeted two Human Rights Watch staff members and\r\nat least 18 other high-profile activists, journalists, researchers, academics, diplomats, and politicians working on\r\nMiddle East issues in an ongoing social engineering and credential phishing campaign, Human Rights Watch said\r\ntoday.\r\nAn investigation by Human Rights Watch attributed the phishing attack to an entity affiliated with the Iranian\r\ngovernment known as APT42 and sometimes referred to as Charming Kitten. The technical analysis conducted\r\njointly by Human Rights Watch and Amnesty International’s Security Lab identified 18 additional victims who\r\nhave been targeted as part of the same campaign. The email and other sensitive data of at least three of them had\r\nbeen compromised: a correspondent for a major US newspaper, a women’s rights defender based in the Gulf\r\nregion, and Nicholas Noe, an advocacy consultant for Refugees International based in Lebanon.\r\n“Iran’s state-backed hackers are aggressively using sophisticated social engineering and credential harvesting\r\ntactics to access sensitive information and contacts held by Middle East-focused researchers and civil society\r\ngroups,” said Abir Ghattas, information security director at Human Rights Watch. 
“This significantly increases the\r\nrisks that journalists and human rights defenders face in Iran and elsewhere in the region.”\r\nFor the three people whose accounts were known to be compromised, the attackers gained access to their emails,\r\ncloud storage drives, calendars, and contacts and also performed a Google Takeout, using a service that exports\r\ndata from the core and additional services of a Google account.\r\nVarious security companies have reported on phishing campaigns by APT42 targeting Middle East-focused\r\nresearchers, civil society groups, and dissidents. Most of them identify APT42 based on targeting patterns and\r\ntechnical evidence. Organizations such as Google and the cybersecurity companies Recorded Future, Proofpoint,\r\nand Mandiant have linked APT 42 to Iranian authorities. Identifying and naming a threat actor helps researchers to\r\nidentify, track, and link hostile cyber activity.\r\nIn October 2022, a Human Rights Watch staff member working on the Middle East and North Africa region\r\nreceived suspicious messages on WhatsApp from a person pretending to work for a think tank based in Lebanon,\r\ninviting them to a conference. The joint investigation revealed that the phishing links sent via WhatsApp, once\r\nclicked, directed the target to a fake login page that captured the user’s email password and authentication code.\r\nThe research team investigated the infrastructure that hosted the malicious links and identified additional targets\r\nof this ongoing campaign.\r\nHuman Rights Watch and Amnesty International contacted the 18 high profile individuals identified as targets of\r\nthis campaign. 
Fifteen of them responded and confirmed that they had received the same WhatsApp messages at\r\nsome point between September 15 and November 25, 2022.\r\nhttps://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians\r\nPage 1 of 6\n\nOn November 23, 2022, a second Human Rights Watch staff member was also targeted. They received the same\r\nWhatsApp messages from the same number that contacted other targets.\r\nSocial engineering and phishing attempts remain key components of Iranian cyberattacks. Since 2010, Iranian\r\noperators have targeted members of foreign governments, militaries, and businesses, as well as political dissidents\r\nand human rights defenders. Over time, these attacks have become more sophisticated in the ways they execute\r\nwhat is known as “social engineering.”\r\nAccording to Mandiant, a US-based cybersecurity company, APT42 has been responsible for several phishing\r\nattacks in Europe, the US, and the Middle East and North Africa region. 
On September 14, 2022, the US Office of\r\nForeign Asset Control at the Treasury Department imposed sanctions on individuals affiliated with the group.\r\nThe investigation also revealed inadequacies in Google’s security protections to safeguard its users’ data.\r\nIndividuals successfully targeted by the phishing attack told Human Rights Watch that they did not realize their\r\nGmail accounts had been compromised or a Google Takeout had been initiated, in part because the security\r\nwarnings under Google’s account activity do not push or display any permanent notification in a user’s inbox or\r\nsend a push message to the Gmail app on their phone.\r\nGoogle’s security activity revealed that the attackers accessed the targets’ accounts almost immediately after the\r\ncompromise, and they maintained access to the accounts until the Human Rights Watch and Amnesty International\r\nresearch team informed them and assisted them in removing the attacker’s connected device.\r\nGoogle should promptly strengthen its Gmail account security warnings to better protect journalists, human rights\r\ndefenders, and its most at-risk users from attacks, Human Rights Watch said.\r\n“In a Middle East region rife with surveillance threats for activists, it's essential for digital security researchers to\r\nnot only publish and promote findings, but also prioritize the protection of the region's embattled activists,\r\njournalists, and civil society leaders,” Ghattas said.\r\nTechnical Analysis of the Phishing Campaign\r\nOn October 18, 2022, a Human Rights Watch staff member working on the Middle East and North Africa region\r\nreceived a message on WhatsApp that claimed to be from a Lebanon-based think tank and invited the recipient to\r\na conference. The invitation used the same format as previous invitations from the think tank, indicating a\r\nsophisticated level of social engineering. 
The person impersonated by the threat actor group APT42 in the\r\nWhatsApp messages previously worked for the think tank.\r\nThe Human Rights Watch staff member forwarded these messages to the information security team, which\r\nconfirmed they were a phishing attempt. If the person had clicked on the cutly[.]biz link, they would have been\r\nredirected to the URL https://sharefilesonline[.]live/xxxxxx/BI-File-2022.html which hosts a fake Microsoft login\r\npage.\r\nThe cutly[.]biz domain is a custom URL shortener deployed and managed by the attacker’s group, designed to\r\nmimic the name of the legitimate URL shortener cutt.ly.\r\nThe phishing link sent to the Human Rights Watch staff member included a random path of five characters, both\r\nlowercase letters and numbers, which represents around 6 million combinations, making it possible to enumerate\r\nall of the existing paths on the attacker’s infrastructure to find other existing links. This enumeration led to the\r\ndiscovery of 44 valid URLs, with many of them redirecting to a phishing page that displayed the email address of\r\nthe target. The phishing pages were specifically crafted to mimic Microsoft, Google, or Yahoo login pages.\r\nFurther investigation showed that the phishing kit allowed the bypass of multi-factor authentication methods other\r\nthan a hardware security key. Multi-factor authentication (MFA), often called two-factor authentication, or 2FA,\r\nrequires a second means of authentication, in addition to a password. Common second factors include a temporary\r\ncode delivered by SMS, a temporary code given by a smartphone application (such as FreeOTP or Google\r\nAuthenticator), and a code generated by a Hardware Security Key (like Yubikey or Solo Key). 
Through different\r\ntechnical means, it is possible to create phishing toolkits that bypass MFA when the temporary code is delivered\r\nby SMS or by a smartphone application. It is not possible at present for a phishing kit to bypass multi-factor\r\nauthentication using hardware keys.\r\nThe WhatsApp chats of those who were known to be successfully targeted reveal that the attackers were\r\nrepeatedly engaging with the targets as they clicked through the phishing links. After entering their credentials on\r\nthe phishing page, targets were prompted to enter a code on the 2FA bypass page, which the attackers used to gain\r\naccess to their email accounts. Phishing kits with MFA bypass features have been common since at least 2018, and\r\nAmnesty International’s Security Lab has documented multiple usages of such kits against human rights defenders\r\nin 2018 and 2020.\r\nTargeting of Journalists and Human Rights Defenders by APT42\r\nIn addition to the two Human Rights Watch staff members, Human Rights Watch and Amnesty International\r\nidentified 18 other email accounts targeted as part of the same campaign, including six journalists.\r\nHuman Rights Watch and Amnesty International contacted all of the individuals and 15 responded. They\r\nconfirmed they were all targeted with the exact same social engineering approach during the period between\r\nSeptember 15 and November 25, 2022. Out of the 20 targets, at least three had been compromised by the threat\r\nactor. Confirming the compromise led the research team to additional information about the data exfiltration\r\nprocess. Human Rights Watch also supported the journalists by disconnecting the attackers from their accounts\r\nand re-securing them.\r\nThe compromise gave the attackers access to the targets’ emails, cloud storage drives, calendars, and contacts. 
In\r\nat least one case, the attacker synced the target’s mailbox and performed a Google Takeout, a service that exports\r\nall of an account’s activity and information including web searches, payments, travel and locations, ads clicked\r\non, YouTube activity, and additional account information. It is the most comprehensive and intrusive method to\r\nexport data in a Google account.\r\nGoogle’s security activity revealed that the attackers had accessed the targets’ accounts almost immediately after\r\nthe compromise and that they had access for about five days until Human Rights Watch informed the targets and\r\nhelped remove the attacker’s connected device.\r\nAttribution\r\nThe Human Rights Watch Information Security team attributes these attacks with high confidence to the Iranian\r\nthreat actor APT42, also called TA453 by Proofpoint, Phosphorus by Microsoft, and Charming Kitten by ClearSky\r\nand CERTFA based on specific technical indicators linked to the phishing attacks and operational infrastructure\r\nused by the attackers when accessing compromised accounts. The list of APT42’s targets that Human Rights\r\nWatch identified all relate to the Middle East, including Iran, and one compromised account was accessed by an IP\r\naddress based in Tehran (see the technical details sections). Several organizations have confirmed this attribution\r\nbased on their own research into related campaigns.\r\nMany organizations, such as Google, and the cybersecurity companies Recorded Future and Proofpoint, who have\r\ninvestigated APT42 attacks, have concluded that APT42 operates on behalf of Iranian authorities. 
In September,\r\nthe American cybersecurity company, Mandiant, attributed APT42’s activities to the Iranian Islamic Revolutionary\r\nGuard Corps.\r\nThe source code of the phishing page used against the 20 targets includes JavaScript code that is very similar to\r\ncode that was used on a phishing page hosted on the domain mailer-daemon[.]net in November 2022, which was\r\npart of a phishing campaign attributed by Recorded Future to the Iranian threat actor APT42. The same code was\r\nalso found on continuetogo[.]me in August 2021, which was part of a phishing campaign attributed by Google to\r\nIranian government-backed threat actors.\r\nThe second Human Rights Watch staff member who was targeted on November 23, 2022, received the same\r\nWhatsApp messages from the same number that contacted other targets. The malicious link shared with the staff\r\nwas hosted on mailer-daemon[.]org and the attackers used the same URL shortener (cutly[.]biz) to hide the full\r\nname of the domain.\r\nThe use of fake, uncommon, or custom URL shorteners was also seen in attacks attributed to other Iranian threat\r\nactors such as Phosphorus against Israeli and US targets in June 2022, for which they used litby[.]us.\r\nThe investigation of the attacker’s infrastructure showed that the same group registered the domain uani[.]us, a\r\ntypo-squatted domain that copies an advocacy group based in the United States called United Against Nuclear\r\nIran, which was targeted by Charming Kitten in November 2021.\r\nAll of the IP addresses used to connect to the compromised accounts were from the Express VPN (Virtual Private\r\nNetwork) service. Nevertheless, Human Rights Watch found one Iranian IP address, 5.160.239.XXX, that\r\nconnected to one of the target’s inboxes. 
This could potentially be the public IP address of the attacker’s own\r\nnetwork, perhaps revealed after they forgot to enable their VPN before connecting.\r\nOne of the most notable characteristics of Iranian government-backed threat groups is their highly targeted spear-phishing, social engineering techniques, and impersonation of conference and summit organizers to build trust and\r\nrapport with their targets. In this attack, APT42 used the Lebanon-based think tank to trick their targets. The\r\norganizers of the Munich Security Conference and Think 20 (T20) Summit in Saudi Arabia have been\r\nimpersonated in similar ways.  \r\nThe recent Mandiant report on APT42 has provided more detailed information into the difference and links\r\nbetween the APT35 and APT42 groups, both of which Mandiant attributes to Iran’s IRGC. The CERTFA, for\r\ninstance, has reattributed a campaign to APT42 instead of APT35 after this publication.\r\nTechnical Details on Post-Compromise Action and Indicators of Compromise\r\nDuring the investigation, Human Rights Watch supported journalists and human rights defenders who were\r\ncompromised by this phishing campaign. This gave Human Rights Watch insight into the attackers’ post-compromise actions.\r\nIn at least one case, the attackers performed a Google Takeout request, a service that exports all of an account’s\r\nactivity and information, including web searches, payments, travel and locations, ads clicked on, YouTube activity,\r\nand additional account information. It is the most comprehensive and intrusive method to export data in a Google\r\naccount. 
The use of Google Takeout to extract data from a compromised account is in line with the features of the\r\nHYPERSCRAPE tool identified by the Google TAG team, although Human Rights Watch could not confirm if the\r\ntool was used based on logs to which it had access.\r\nFor several targets, the attacker synchronized the compromised mailbox to a Microsoft service in order to export\r\nthe contents of the mailbox. As far as we know, it is the first time that this behavior is reported as a post-compromise tactic used by APT42.\r\nGoogle’s security activity revealed that the attackers accessed the targets’ accounts almost immediately after the\r\ncompromise, and that they maintained access until we informed the targets and assisted them to remove the\r\nattacker’s connected device.\r\nBased on Google Security logs, we identified the IP addresses used to connect to a compromised account.\r\nWe observed the same computer name connected to all of the compromised accounts: DESKTOP-F8QNCC0.\r\nIndicators of Compromise\r\nWhatsApp numbers used by the attackers:\r\n1. +1-234-312-1624\r\n2. +1-209-233-0560\r\n3. +1-804-500-1154\r\ncutly[.]biz\r\nhxxps://sharefilesonline[.]live/xxxxxx/BI-File-2022.html\r\nhxxps://sharefilesonline[.]live/xxxxxx/G-check-first.html\r\nhxxps://sharefilesonline[.]live/xxxxxx/G-transfer.html\r\nhxxps://sharefilesonline[.]live/xxxxxx/continue.html\r\nhxxps://sharefilesonline[.]live/xxxxxx/index.php\r\nhxxps://mailer-daemon[.]net/file=sharing=system/xxxxxx/first.check.html\r\nhxxp://mailer-daemon[.]org/ xxxxxx /index.php\r\nDESKTOP-F8QNCC0\r\n5.160.239.XXX\r\nSource: https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians"
	],
	"report_names": [
		"iran-state-backed-hacking-activists-journalists-politicians"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f778366-a4a7-42f1-ab1e-362aa065ee4f",
			"created_at": "2022-10-25T16:07:23.362157Z",
			"updated_at": "2026-04-10T02:00:04.562925Z",
			"deleted_at": null,
			"main_name": "APT 42",
			"aliases": [
				"GreenBravo"
			],
			"source_name": "ETDA:APT 42",
			"tools": [
				"BROKEYOLK",
				"CHAIRSMACK",
				"CORRUPT KITTEN",
				"DOSTEALER",
				"GORBLE",
				"Ghambar",
				"MAGICDROP",
				"PINEFLOWER",
				"POWERPOST",
				"SILENTUPLOADER",
				"TABBYCAT",
				"TAMECAT",
				"VBREVSHELL",
				"VINETHORN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438983,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39a62e31f1ac716c1eb4d40ac1851e439b22c111.pdf",
		"text": "https://archive.orkl.eu/39a62e31f1ac716c1eb4d40ac1851e439b22c111.txt",
		"img": "https://archive.orkl.eu/39a62e31f1ac716c1eb4d40ac1851e439b22c111.jpg"
	}
}