{ "id": "82ba3e9d-2c0c-4cdc-95b4-12ee59ad507e", "created_at": "2026-04-06T01:31:13.589056Z", "updated_at": "2026-04-10T03:34:00.407294Z", "deleted_at": null, "sha1_hash": "6452d798b7d028529ccb3e65dcf5c03329418b84", "title": "Taking Action Against Malicious Accounts in Iran", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 43014, "plain_text": "Taking Action Against Malicious Accounts in Iran\r\nBy isolomons\r\nPublished: 2024-08-23 · Archived: 2026-04-06 00:31:10 UTC\r\nAs part of our regular updates on notable threat disruption efforts, we’re sharing our most recent insights into a\r\nsmall cluster of likely social engineering activity on WhatsApp that our security teams blocked after investigating\r\nuser reports. This malicious activity originated in Iran and attempted to target individuals in Israel, Palestine, Iran,\r\nthe United States and the UK. This effort appeared to have focused on political and diplomatic officials, and other\r\npublic figures, including some associated with administrations of President Biden and former President Trump.\r\nOur investigation linked it to APT42 (also known as UNC788 and Mint Sandstorm), an Iranian threat actor known\r\nfor its persistent adversarial campaigns using basic phishing tactics across the internet to steal credentials to\r\npeople’s online accounts. We have previously shared our threat research related to APT42 targeting people in the\r\nMiddle East, including Saudi military, dissidents and human rights activists from Israel and Iran, politicians in the\r\nUS, and Iran-focused academics, activists and journalists around the world.\r\nThese accounts posed as technical support for AOL, Google, Yahoo and Microsoft. Some of the people targeted by\r\nAPT42 reported these suspicious messages to WhatsApp using our in-app reporting tools. Those reported\r\nmessages enabled us to investigate this latest campaign and link it to the same hacking group responsible for\r\nsimilar attempts aimed at political, military, diplomatic and other officials, as reported by our industry peers at\r\nMicrosoft and Google.\r\nThe vigilance of these users to report the messages to us suggests that these efforts were unsuccessful. We have\r\nnot seen evidence that their accounts were compromised. We have encouraged those who reported to us to take\r\nsteps to ensure their online accounts are safe across the internet. Out of an abundance of caution and given the\r\nheightened threat environment ahead of the US election, we also shared information about this malicious activity\r\nwith law enforcement and with the presidential campaigns to encourage them to stay cautious against potential\r\nadversarial targeting.\r\nWe continue to monitor information coming from our industry peers, our own investigations and user reports and\r\nwill take action if we detect further attempts by malicious actors to target people on our apps. We strongly\r\nencourage public figures, journalists, political candidates and campaigns to remain vigilant, take advantage of\r\nprivacy and security settings, avoid engaging with messages from people they don’t know and report suspicious\r\nactivity to us.\r\nAs a reminder, cyber espionage actors typically target people across the internet to collect intelligence, manipulate\r\nthem into revealing information and compromise their devices and accounts. When we disrupt these operations,\r\nwe take down their accounts, block their domains from being shared on our platform and notify people who we\r\nbelieve were targeted by these malicious groups. Learn more about our threat disruption efforts.\r\nhttps://about.fb.com/news/2024/08/taking-action-against-malicious-accounts-in-iran/\r\nPage 1 of 2\n\nSource: https://about.fb.com/news/2024/08/taking-action-against-malicious-accounts-in-iran/\r\nhttps://about.fb.com/news/2024/08/taking-action-against-malicious-accounts-in-iran/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://about.fb.com/news/2024/08/taking-action-against-malicious-accounts-in-iran/" ], "report_names": [ "taking-action-against-malicious-accounts-in-iran" ], "threat_actors": [ { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1", "created_at": "2023-03-04T02:01:54.091301Z", "updated_at": "2026-04-10T02:00:03.356317Z", "deleted_at": null, "main_name": "APT42", "aliases": [ "UNC788", "CALANQUE" ], "source_name": "MISPGALAXY:APT42", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "47fa514e-15a8-4adb-a782-e2ffb12944d8", "created_at": "2024-04-24T02:00:49.644637Z", "updated_at": "2026-04-10T02:00:05.423196Z", "deleted_at": null, "main_name": "UNC788", "aliases": [ "UNC788" ], "source_name": "MITRE:UNC788", "tools": [ "HilalRAT" ], "source_id": "MITRE", "reports": null }, { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-10T02:00:02.944092Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress", "Mint Sandstorm", "Parastoo" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8", "created_at": "2025-04-23T02:00:55.275208Z", "updated_at": "2026-04-10T02:00:05.270553Z", "deleted_at": null, "main_name": "APT42", "aliases": [ "APT42" ], "source_name": "MITRE:APT42", "tools": [ "NICECURL", "TAMECAT" ], "source_id": "MITRE", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-10T02:00:04.761303Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439073, "ts_updated_at": 1775792040, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6452d798b7d028529ccb3e65dcf5c03329418b84.pdf", "text": "https://archive.orkl.eu/6452d798b7d028529ccb3e65dcf5c03329418b84.txt", "img": "https://archive.orkl.eu/6452d798b7d028529ccb3e65dcf5c03329418b84.jpg" } }