{
	"id": "cef891e9-94a8-4d36-92c0-6bb6adda2d3b",
	"created_at": "2026-04-06T00:14:27.655131Z",
	"updated_at": "2026-04-10T03:36:00.848038Z",
	"deleted_at": null,
	"sha1_hash": "d63a740757b9e2bcd63bb1948f76b60f8dd9f587",
	"title": "Educated Manticore Reemerges: Iranian Spear-Phishing Campaign Targeting High-Profile Figures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 123871,
	"plain_text": "Educated Manticore Reemerges: Iranian Spear-Phishing\r\nCampaign Targeting High-Profile Figures\r\nBy matthewsu\r\nPublished: 2025-06-25 · Archived: 2026-04-02 11:03:50 UTC\r\nAmid growing warnings from agencies like the FBI and DHS about Iranian cyber activity, Check Point Research\r\nis sharing fresh, real-world examples from the past few days to shed light on how these threats are playing out in\r\npractice. We’ve identified the reemergence of an active, global spear-phishing campaign attributed to the Iranian\r\nthreat actor Educated Manticore, also tracked as APT42, Charming Kitten, and Mint Sandstorm. Associated with\r\nthe IRGC Intelligence Organization, this group is known to target public figures around the world. Currently, the\r\ncampaign is executing sophisticated credential theft operations against high-profile individuals in Israel, while the\r\nreal scope of the campaign is likely much wider, both geographically and by industry.\r\nFollowing the escalation in Iran–Israel tensions, the group has intensified its efforts, this time impersonating\r\nIsraeli institutions, diplomats, and tech professionals.\r\nWide-Reaching, Highly Targeted Campaign\r\nThis campaign marks a broader scope of Iranian cyber ops, using tailored spear-phishing that creates fictitious\r\npersonas tied to existing entities, precise timing, and multi-channel outreach to extract credentials and bypass\r\nMFA.\r\nHigh-Value Targets: Academics, Journalists, and Beyond\r\nWe have observed attacks against:\r\nLeading Israeli computer science academics and cyber security researchers\r\nProminent journalists known for covering geopolitical and intelligence topics\r\nWhile recent activity focuses on Israeli targets, Educated Manticore has a broader history of global operations. 
In\r\nthe past, the group has masqueraded as prominent international media outlets and NGOs — including The\r\nWashington Post (US), The Economist (UK), Khaleej Times (UAE), Azadliq (Azerbaijan), and others — to phish\r\njournalists, researchers, and geopolitical figures in regions aligned with Iran’s strategic interests. These operations\r\nfollow the same pattern: trust-building through impersonation, followed by credential harvesting and surveillance.\r\nOver 100 Registered Phishing Domains\r\nWe’ve identified over 100 phishing domains tailored to each target, with phishing pages often mimicking:\r\nGoogle, Outlook, and Yahoo\r\nThe links have since been blocked and are no longer available\r\nEvent scheduling or meeting platforms such as Google Meet\r\nhttps://blog.checkpoint.com/security/educated-manticore-reemerges-iranian-spear-phishing-campaign-targeting-high-profile-figures/\r\nPage 1 of 3\n\nFigure 1: Fake image redirecting to the attackers’ servers\r\nInitial Contact Varies by Target\r\nAttackers use multiple communication channels to initiate contact, including:\r\nEmail addresses\r\nPrivate messaging apps (e.g., WhatsApp)\r\nFigure 2: Fake image redirecting to the attackers’ servers.\r\nFigure 3: A prominent reporter was targeted with messages purporting to be from one of the prime minister’s\r\nadvisors and a former Israeli ambassador to the United States (source: Mako)\r\nThe Phishing Flow: Fake Google Login or Meeting Invites\r\nOnce contact is established, victims are typically directed to:\r\nFake Google sign-in pages, often pre-filled with their email address\r\nFake Google Meet invitations hosted on phishing domains\r\nThese pages mimic legitimate login flows using advanced web development frameworks.\r\nBypassing 2FA: Social Engineering at Play\r\nEducated Manticore also works to bypass 2FA by 
tricking victims into sharing their codes as part of the phishing chain,\r\nenabling full account takeover.\r\nProposal for Physical Meetings\r\nIn one incident, a target received a WhatsApp message inviting them to an in-person meeting in Tel Aviv. While\r\nthe goal may have been to rush the victim to confirm an online session, this raises the concern that the campaign\r\ncould extend beyond cyberspace.\r\nTailored Impersonation: From Low-Level Staff to Major Institutions\r\nThe impersonation style is highly adaptive. In some cases, attackers pose as:\r\nMid-level employees at major Israeli firms\r\nStaff from the Prime Minister’s Office\r\nProfessionals affiliated with well-known tech companies\r\nEmails are grammatically correct, formally structured, and may have been assisted by AI tools. However, subtle\r\ninconsistencies, such as minor name misspellings, can give them away.\r\nRecommendations\r\nThis evolving campaign poses a serious threat to academic, policy, and media sectors. Individuals should be\r\ncautious when receiving unsolicited meeting invitations, even from seemingly credible sources.\r\nIf You’re in a High-Risk Sector:\r\nVerify the identity of the sender or caller using known channels like reliable social media accounts\r\nAlways verify the URL before entering credentials into any site handling sensitive information\r\nEnable and monitor 2FA and be suspicious of any request to share codes\r\nReport suspicious contact to your organization’s security team\r\nCheck Point Research continues to monitor this activity and will share updates as new indicators and techniques\r\nare uncovered. 
Check Point’s Harmony Email and Collaboration and Zero Phishing protect customers by detecting\r\nand blocking such attacks and targeted phishing attempts.\r\nCheck out Check Point Research’s report for a comprehensive understanding of the spear-phishing campaign.\r\nSource: https://blog.checkpoint.com/security/educated-manticore-reemerges-iranian-spear-phishing-campaign-targeting-high-profile-figures/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.checkpoint.com/security/educated-manticore-reemerges-iranian-spear-phishing-campaign-targeting-high-profile-figures/"
	],
	"report_names": [
		"educated-manticore-reemerges-iranian-spear-phishing-campaign-targeting-high-profile-figures"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1efe328c-7bda-49d8-82bf-852d220110ae",
			"created_at": "2026-01-22T02:00:03.661882Z",
			"updated_at": "2026-04-10T02:00:03.917703Z",
			"deleted_at": null,
			"main_name": "Educated Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Educated Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434467,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d63a740757b9e2bcd63bb1948f76b60f8dd9f587.pdf",
		"text": "https://archive.orkl.eu/d63a740757b9e2bcd63bb1948f76b60f8dd9f587.txt",
		"img": "https://archive.orkl.eu/d63a740757b9e2bcd63bb1948f76b60f8dd9f587.jpg"
	}
}