{ "id": "4a0c7f99-b156-4bff-95ca-d0f8a09301ed", "created_at": "2026-04-29T08:21:50.366814Z", "updated_at": "2026-04-29T10:42:11.107292Z", "deleted_at": null, "sha1_hash": "9f4ec3d20c150dbcbb127c8dbe7e8ad5b05d8bfa", "title": "With Fake News And Femmes Fatales, Iran's Spies Learn To Love Facebook", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1531340, "plain_text": "With Fake News And Femmes Fatales, Iran's Spies Learn To Love\r\nFacebook\r\nBy Thomas Brewster\r\nPublished: 2017-07-27 · Archived: 2026-04-29 07:12:06 UTC\r\nIran is honing its Facebook fakes, according to research.\r\nSecureWorks\r\nBefore she disappeared from Facebook, Mia Ash was a fun-loving, young photographer who used the world's\r\nbiggest social network to showcase her work. Ash was popular too. Stretching back to April 2016, she'd\r\nbefriended a lot of individuals, as many as 500, with similar interests. Her looks almost certainly helped her\r\napparent popularity.\r\nAsh was thrown off of Facebook earlier this year, though. Not for any obvious infraction. But because Facebook\r\nhad been handed proof by SecureWorks researcher Allison Wikoff that convinced them Ash was a fake. Not only\r\nthat, her persona has been tied by Wikoff to one of Iran's busiest cyberespionage groups, known as OilRig.\r\nAlongside profiles across LinkedIn and DeviantArt, Ash was one of the most developed fakes Wikoff had ever\r\nseen in her years researching spy activity on the web. “What we’ve seen in the past is just a fake LinkedIn profile,\r\nbut this had LinkedIn, Facebook, a Blogger profile, two domains, two email addresses, and WhatsApp.\r\nTraditionally we haven’t seen across the board,\" Wikoff told Forbes.\r\nAccording to the researcher, Ash was active shortly after a surge in hacker activity from OilRig in December, as\r\npreviously reported by Forbes. Using stolen images of a real young woman from Romania, Ash reached out to an\r\nhttps://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/\r\nPage 1 of 3\n\nemployee of a targeted organization in the Middle East, the name of which SecureWorks isn’t reporting, sharing\r\nan interest in photography, shifting initial contact from her LinkedIn profile with more than 500 connections to her\r\nFacebook account. A relationship, albeit a fake one, was established, with chats over WhatsApp too. (Forbes and\r\nSecureWorks have attempted to contact the woman whose images were used, but with no success).\r\nEventually, she sent an email to the unwitting target, containing an Excel file, a supposed survey to do with\r\nphotography. She asked him to open it on his corporate network, which he did. Then OilRig’s signature malware,\r\nknown as PupyRAT, attempted to run and steal passwords for the corporate network. Fortunately, in that case, the\r\nsecurity products of the organization sprung into action and prevented any data loss.\r\nDespite the failure of the attack, Ash provides proof that OilRig has become adept at creating fake online\r\npersonas. Wikoff says Ash tried and in many cases succeeded in grooming a range of technical individuals\r\nworking for Middle East and Africa, most working in the oil and gas field. She was convincing enough to befriend\r\nan oil and gas cybersecurity pro with 10 years experience, according to Wikoff.\r\nFake news from Iran?\r\nBut Ash was one of a large number of fake profiles developed by Iranian-linked hacker groups over recent years,\r\nas they hone their craft. In recent months they've been experimenting with fake news outlets too. A separate group\r\nbelieved to be of Iranian origin, known as Charming Kitten, set up the blandly-named BritishNews, spamming a\r\nsignificant amount of content earlier this year, up to a sudden stop in April, according to a report handed to Forbes\r\nby Israeli security firm ClearSky.\r\nThe fake agency used stolen content from across the web and was designed to draw in targets to visit the official\r\nBritishNews website, from where malware would be delivered. The fake agency had a fake employee too. Again,\r\nLinkedIn was key to creating the persona, though it's unclear just who Charming Kitten was trying to target with\r\nBritishNews.\r\nThe only employee of the fake BritishNews agency, according to ClearSky.\r\nClearSky\r\nClearSky also reported on another fake profile earlier this week, believed to have been established by yet another\r\nIranian-linked hacker crew called CopyKitten. Back in 2013, the crew had set up a handful of Facebook profiles to\r\nspread links to a copy of Israeli news site Haaretz. One Facebook fraud, named Amanda Morgan, was still active\r\nup to this month and was also promoting a fake news service called Emet Press. No malware were delivered over\r\nthe sites and ClearSky believes they were only set up to establish trust. Most have now had their social sites cut\r\ndown, others simply remain dormant, said ClearSky head of intelligence Eyal Sela.\r\nIran's use of personas isn't new. Historically, Iran's defense and intelligence units have long been linked to social\r\nmedia-led campaigns. The Newscaster attacks of 2014, for instance, saw myriad LinkedIn personas set up profiles\r\nhttps://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/\r\nPage 2 of 3\n\nposing as journalists. It's only the quality of the fakes that's increasing.\r\nFacebook response\r\nFor its part Facebook has been responsive to requests to remove fake profiles. Alex Stamos, chief security officer\r\nfor Facebook, told Forbes the company would be taking more of a manual approach rather than relying on\r\nautomated technologies for dealing with nation state-sponsored fakes.\r\n\"A lot of that work ... is more about looking for the patterns of malicious behavior that are expressed by those\r\nkinds of grooming attacks by advanced nation state adversaries,\" Stamos said. \"That would be more of a manual\r\nprocess that's helped by automation.\"\r\nWith Iran not giving up on its social exploitation, expect that game of whack-a-mole to continue.\r\nSource: https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespion\r\nage/\r\nhttps://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY" ], "origins": [ "web" ], "references": [ "https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/" ], "report_names": [ "iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage" ], "threat_actors": [ { "id": "82b92285-4588-48c9-8578-bb39f903cf62", "created_at": "2022-10-25T15:50:23.850506Z", "updated_at": "2026-04-29T10:39:54.868915Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "Charming Kitten" ], "source_name": "MITRE:Charming Kitten", "tools": [ "DownPaper" ], "source_id": "MITRE", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-29T10:39:54.627822Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-29T10:39:53.047131Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "Mint Sandstorm", "Parastoo", "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-29T10:39:54.717235Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-29T10:39:54.629395Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-29T10:39:54.782061Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-29T10:39:53.084482Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Twisted Kitten", "Helix Kitten", "APT 34", "APT34", "IRN2", "ATK40", "TA452", "Cobalt Gypsy", "Crambus", "G0049", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-29T10:39:55.367443Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null }, { "id": "e034b94b-9655-42c4-a72e-a58807dce299", "created_at": "2022-10-25T16:07:24.133537Z", "updated_at": "2026-04-29T10:39:55.495091Z", "deleted_at": null, "main_name": "Rocket Kitten", "aliases": [ "Group 83", "NewsBeef", "Newscaster", "Operation Newscaster", "Operation Woolen-GoldFish", "Parastoo", "Rocket Kitten" ], "source_name": "ETDA:Rocket Kitten", "tools": [ "CoreImpact (Modified)", "FireMalv", "Ghole", "Gholee" ], "source_id": "ETDA", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-29T10:39:55.397649Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1777450910, "ts_updated_at": 1777459331, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9f4ec3d20c150dbcbb127c8dbe7e8ad5b05d8bfa.pdf", "text": "https://archive.orkl.eu/9f4ec3d20c150dbcbb127c8dbe7e8ad5b05d8bfa.txt", "img": "https://archive.orkl.eu/9f4ec3d20c150dbcbb127c8dbe7e8ad5b05d8bfa.jpg" } }