Charming Kitten, the APT group believed to be based out of Iran, is active again and looking to acquire sensitive information as it masquerades as U.K. scholars. The phishing campaign was launched around the month of January this year.

Operation SpoofedScholars

Hackers behind the phishing campaign, dubbed Operation SpoofedScholars, presented themselves as U.K. scholars working with the University of London’s School of Oriental and African Studies.
  • The attackers create their credential phishing infrastructure by targeting a legit site of an academic institution. Moreover, they use personalized credential harvesting pages masked as registration links to lure victims.
  • Targeted individuals included experts such as professors, think tanks, and journalists covering Middle Eastern-related affairs.
  • The attempted connections to U.K. scholars were elaborated and extensive, and sometimes included long conversations.
  • Once trust is gained over the conversation, a registration link is sent to victims which is actually the compromised website of the University of London’s SOAS radio; it was rigged with credentials harvesting capabilities.

Charming's activities and attribution

Proofpoint analysts have made some connections between the current and previous campaigns of the group and aligned its motive with the Islamic Revolutionary Guard Corps (IRGC), which is to collect intelligence from individuals.
  • A credentials-harvesting campaign that happened in the month of March, named as BadBlood, was observed targeting the medical professionals and harvested credentials. But experts did not confidently attribute the attack to the IRGC.
  • But, the recent operation involved similar TTPs (use of free email providers for spoofing and credential phishing) to the previous campaigns along with the historical consistency of targets, implying similar interests of the nexus.


The way Charming Kitten has used legitimate and compromised sites for infection shows its increased sophistication. The APT group is continuously innovating and developing new ways of attacking users. Thus, it is very important that organizations have a security strategy in place to stay protected.

Cyware Publisher