{
	"id": "7dd64aa7-5f2b-4463-a230-77f52ffd418e",
	"created_at": "2026-04-06T00:15:23.919753Z",
	"updated_at": "2026-04-10T03:34:00.511304Z",
	"deleted_at": null,
	"sha1_hash": "58dde9295633c491e3790dff62cfe063cf6a607e",
	"title": "BadBlood: TA453 Targets US \u0026 Israel in Credential Phishing | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 900487,
	"plain_text": "BadBlood: TA453 Targets US \u0026 Israel in Credential Phishing | Proofpoint US\r\nBy Joshua Miller and the Proofpoint Threat Research Team, March 30, 2021\r\nPublished: 2021-03-30 · Archived: 2026-04-05 13:19:07 UTC\r\nOverview\r\nIn late 2020, TA453, an Iranian-nexus threat actor, launched a credential phishing campaign targeting senior medical professionals who specialize in genetic, neurology, and oncology research in the United States and Israel. TA453 (aka CHARMING KITTEN and PHOSPHORUS) has historically aligned with Islamic Revolutionary Guard Corps (IRGC) collection priorities, targeting dissidents, academics, diplomats, and journalists. This latest campaign, dubbed BadBlood, is a deviation from the group’s usual activity. [1,2,3] While this campaign may represent a shift in TA453 targeting overall, it is also possible that it is the result of a specific short-term intelligence collection requirement. BadBlood is aligned with an escalating trend of medical research being increasingly targeted by threat actors.\r\nProofpoint researchers have named this campaign BadBlood based on its medical focus and the continued geopolitical tensions between Iran and Israel.\r\nCredential Phishing Campaign\r\nIn this December 2020 campaign, TA453 used an actor-controlled Gmail account that masqueraded as a prominent Israeli physicist. The account (zajfman.daniel[@]gmail.com) sent messages with the subject \"Nuclear weapons at a glance: Israel\" that contained social engineering lures relating to Israeli nuclear capabilities. These malicious emails contained a link to the TA453-controlled domain 1drv[.]casa. When clicked, the URL leads to a landing site spoofing Microsoft's OneDrive service, along with an image of a PDF document logo titled CBP-9075.pdf.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential\r\nPage 1 of 8\r\nFigure 1: TA453 Landing Site with PDF Document Logo\r\nWhen a user attempts to view and download the PDF document, 1drv[.]casa delivers a forged Microsoft login page that attempts to harvest user credentials. Every other hyperlink on the webpage redirects to the same forged Microsoft login page, except for the \"Create one!\" link, which leads to the legitimate Microsoft Outlook “Sign Up” page at hxxps://signup.live[.]com.\r\nFigure 2: TA453 Credential Harvesting Page at 1drv[.]casa\r\nOnce the user enters an email address and clicks “Next”, the page prompts for a password. Once the user enters their credentials, they are redirected to Microsoft’s OneDrive, where the benign \"Nuclear weapons at a glance: Israel\" document is hosted.\r\nFigure 3: Microsoft OneDrive TA453 Benign Document\r\nAt this time, 1drv[.]casa does not appear to perform any kind of multi-factor authentication bypass. Although Proofpoint does not currently have further visibility into how TA453 used any credentials obtained from this specific campaign, public reporting from CERTFA indicates TA453 has previously used harvested credentials to exfiltrate email inbox contents.[4] In select prior campaigns, Iranian-aligned actors, including TA453, have used compromised accounts for further phishing.[5]\r\nTargeting\r\nTA453 targeted fewer than 25 senior professionals at a variety of medical research organizations located in the US and Israel. Proofpoint analysis of the targets’ publicly available research efforts and resumes indicates TA453 targeted individuals with a background in genetics, oncology, or neurology. These medical professionals appear to be extremely senior personnel at a variety of medical research organizations. Additionally, TA453 targeting Israeli organizations and individuals is consistent with increased geopolitical tensions between Israel and Iran during 2020. [6]\r\nAt this time, Proofpoint cannot conclusively determine the motivation of the actors conducting these campaigns. As collaboration on medical research is often conducted informally over email, this campaign may demonstrate that a subset of TA453 operators have an intelligence requirement to collect specific medical information related to genetic, oncology, or neurology research. Alternatively, this campaign may demonstrate an interest in the patient information of the targeted medical personnel, or an aim to use the recipients' accounts in further phishing campaigns. While this campaign may represent a shift in TA453 targeting overall, it is also possible that it is an outlier, reflecting a specific priority intelligence tasking given to TA453.\r\nAttribution\r\nWhile Proofpoint cannot independently attribute TA453 to the IRGC, the tactics and techniques observed in BadBlood continue to mirror those used in historic TA453 campaigns, and the overall targeting of TA453 campaigns detected by Proofpoint appears to support IRGC intelligence collection priorities.[7]\r\nIn 2019, the US Department of Justice indicted four Iranian individuals for using social media and credential phishing emails to conduct malicious computer intrusions on behalf of the IRGC.[8] Private industry reporting identified this activity as part of CHARMING KITTEN in both 2017 and 2019.[9,10] In early 2019, Microsoft reported TA453 was abusing well-known email brands to conduct spear phishing operations against government agencies, political targets, and journalists on behalf of the Iranian government.[11]\r\nRelated Infrastructure\r\nWhile investigating this campaign, Proofpoint Threat Research identified other domains attributed to TA453 with high confidence based on network infrastructure components, campaign timing, and similarity in lure documents. Both Proofpoint and VirusTotal telemetry indicated that additional actor-controlled domains were used in late December 2020 in TA453 campaigns that attempted to compromise more traditional TA453 targets with a similar attack chain. Finally, the lure documents delivered at the end of the attack chain share similar national security themes, including Congressional Research Reports, think tank publications, and other policy-minded documents. While researchers were not able to directly correlate all of these domains with phishing campaigns, we judge this activity to be consistent with the BadBlood campaign.\r\nFigure 4: Diagram of Related Infrastructure\r\nFigure 5: Final 1drv[.]xyz Lure “Reviving The Revolutionaries Document”\r\nFigure 6: Final 1drv[.]surf Lure Congressional Research Service Document\r\nOutlook\r\nWhile TA453 has consistently demonstrated a desire to collect and exfiltrate the email mailbox contents of typical intelligence targets of the Iranian government, such as the Iranian diaspora, policy analysts, and educators, this TA453 campaign demonstrated a desire to target medical researchers and providers. Further detection and analysis of TA453 campaigns will likely determine whether this targeting is an outlier or whether targeting has evolved to support the medical sector becoming a consistent intelligence requirement and target for TA453.\r\nWhile targeting medical experts in genetics, neurology and oncology may not be a lasting shift in TA453 targeting, it does indicate at least a temporary change in TA453 collection priorities. BadBlood is aligned with an escalating global trend of medical research being increasingly targeted by espionage-motivated threat actors. [12]\r\nReferences\r\n[1] https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/\r\n[2] https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/\r\n[3] https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf\r\n[4] https://blog.certfa.com/posts/charming-kitten-christmas-gift/\r\n[5] https://carnegieendowment.org/files/Iran_Cyber_Final_Full_v2.pdf\r\n[6] https://www.cpomagazine.com/cyber-security/hidden-cyber-war-between-israel-and-iran-spills-into-public-view-with-attacks-on-physical-infrastructure/\r\n[7] https://www.janes.com/defence-news/news-detail/iranian-irgc-consolidates-primacy-in-intelligence-operations\r\n[8] https://www.justice.gov/opa/press-release/file/1131726/download\r\n[9] https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf\r\n[10] https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant\r\n[11] https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking\r\n[12] https://us-cert.cisa.gov/ncas/alerts/AA20126A\r\nIndicators of Compromise\r\nIOC | IOC Type | Description\r\n1drv[.]live | Domain\r\n1drv[.]online | Domain | Educational Credential Phishing Domain\r\n1drv[.]icu | Domain\r\n1drv[.]surf | Domain\r\n1drv[.]xyz | Domain\r\n1drv[.]cyou | Domain\r\n1drv[.]casa | Domain | Medical Credential Phishing Domain\r\n1drv[.]casa/s/AFGHJKFJelMtfZXSXSGkdsjh1 | URL | Medical Credential Harvesting URL\r\n1drv[.]icu/b/AuQWU1NEWRw1 | URL | VT Sourced URL\r\n1drv[.]surf/b/AuQWU1NEWRw9 | URL | VT Sourced URL\r\n1drv[.]xyz/b/AuQWU1NEWRw1/ | URL | VT Sourced URL\r\n1drv[.]cyou/b/AuQWU1ZEWRw5 | URL | VT Sourced URL\r\n[Analyst Note: The list of URL IOCs is not meant to be conclusive. It is possible other variants of the URL have been delivered.]\r\nET Signatures\r\n2847882 - OneDrive Phishing Landing 2021-03-29\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential"
	],
	"report_names": [
		"badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434523,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58dde9295633c491e3790dff62cfe063cf6a607e.pdf",
		"text": "https://archive.orkl.eu/58dde9295633c491e3790dff62cfe063cf6a607e.txt",
		"img": "https://archive.orkl.eu/58dde9295633c491e3790dff62cfe063cf6a607e.jpg"
	}
}