{
	"id": "8652064d-8400-437b-8182-7d2df271ebcd",
	"created_at": "2026-04-06T00:08:29.680206Z",
	"updated_at": "2026-04-10T13:12:21.475246Z",
	"deleted_at": null,
	"sha1_hash": "591f38e64a8fc5de79661c5c363eeda05302bc80",
	"title": "Iranian Hackers Target Women Involved in Human Rights and Middle East Politics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 646790,
	"plain_text": "Iranian Hackers Target Women Involved in Human Rights and Middle East Politics\r\nBy The Hacker News\r\nPublished: 2023-03-09 · Archived: 2026-04-05 17:35:15 UTC\r\n\r\nIranian state-sponsored actors are continuing to run social engineering campaigns against researchers by impersonating a U.S. think tank.\r\n\r\n\"Notably the targets in this instance were all women who are actively involved in political affairs and human rights in the Middle East region,\" Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.\r\n\r\nThe cybersecurity company attributed the activity to a hacking group it tracks as Cobalt Illusion, which is also known as APT35, Charming Kitten, ITG18, Phosphorus, TA453, and Yellow Garuda.\r\n\r\nThe group's targeting of academics, activists, diplomats, journalists, politicians, and researchers has been well documented over the years.\r\n\r\nhttps://thehackernews.com/2023/03/iranian-hackers-target-women-involved.html\r\n\r\nThe group is suspected of operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC) and has a pattern of using fake personas to establish contact with individuals who are of strategic interest to the government.\r\n\r\n\"It is common for Cobalt Illusion to interact with its targets multiple times over different messaging platforms,\" Secureworks said. \"The threat actors first send benign links and documents to build rapport. They then send a malicious link or document to phish credentials for systems that Cobalt Illusion seeks to access.\"\r\n\r\nChief among its tactics is credential harvesting to take control of victims' mailboxes, followed by the use of custom tools such as HYPERSCRAPE (aka EmailDownloader) to pull data from Gmail, Yahoo!, and Microsoft Outlook accounts with the stolen passwords.\r\n\r\nAnother bespoke tool linked to the group is a C++-based Telegram \"grabber\" that harvests data at scale from Telegram accounts once the target's credentials have been obtained.\r\n\r\nIn the latest activity, the adversary posed as an employee of the Atlantic Council, a U.S.-based think tank, and contacted political affairs and human rights researchers under the pretext of contributing to a report.\r\n\r\nTo make the ruse convincing, the social media accounts associated with the fraudulent \"Sara Shokouhi\" persona (@SaShokouhi on Twitter and @sarashokouhii on Instagram) have been tweeting or engaging with posts supportive of the ongoing protests in Iran. The bios also claim Shokouhi holds a PhD in Middle East politics.\r\n\r\nAccording to Secureworks, the profile photos on these accounts were taken from an Instagram account belonging to a psychologist and tarot card reader based in Russia.\r\n\r\nIt is not immediately clear whether the effort resulted in any successful phishing attacks. The Twitter account, created in October 2022, remains active, as does the Instagram account.\r\n\r\n\"Phishing and bulk data collection are core tactics of Cobalt Illusion,\" Rafe Pilling, principal researcher and Iran thematic lead at Secureworks CTU, said in a statement.\r\n\r\n\"The group undertakes intelligence gathering, often human-focused intelligence, like extracting the contents of mailboxes, contact lists, travel plans, relationships, physical location, etc. This intel is likely blended with other sources and used to inform military and security operations by Iran, foreign and domestic.\"\r\n\r\nSource: https://thehackernews.com/2023/03/iranian-hackers-target-women-involved.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2023/03/iranian-hackers-target-women-involved.html"
	],
	"report_names": [
		"iranian-hackers-target-women-involved.html"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "82f54603-89e0-4f5a-8df9-eae0c3a90d70",
			"created_at": "2022-10-25T16:07:23.745406Z",
			"updated_at": "2026-04-10T02:00:04.734764Z",
			"deleted_at": null,
			"main_name": "ITG18",
			"aliases": [],
			"source_name": "ETDA:ITG18",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35",
				"APT42",
				"Agent Serpens Palo Alto",
				"Charming Kitten",
				"CharmingCypress",
				"Educated Manticore Checkpoint",
				"ITG18",
				"Magic Hound",
				"Mint Sandstorm sub-group",
				"NewsBeef",
				"Newscaster",
				"PHOSPHORUS sub-group",
				"TA453",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270",
				"Nemesis Kitten",
				"PHOSPHORUS",
				"TunnelVision",
				"UNC2448"
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434109,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/591f38e64a8fc5de79661c5c363eeda05302bc80.pdf",
		"text": "https://archive.orkl.eu/591f38e64a8fc5de79661c5c363eeda05302bc80.txt",
		"img": "https://archive.orkl.eu/591f38e64a8fc5de79661c5c363eeda05302bc80.jpg"
	}
}