Charming Kitten APT Launched Spoofing Attacks Against Key Personalities

If recipients do not verify the authenticity of an email before clicking an embedded link, they can be redirected to a legitimate-looking but malicious domain. An Iranian threat actor known as Phosphorus APT (aka Charming Kitten or APT 35) has recently been observed launching such attacks for intelligence collection.

Targeting international conference attendees

Microsoft’s Threat Intelligence Information Center has uncovered a series of cyberattacks by Phosphorus APT, in which the group masqueraded as conference organizers to target more than 100 high-profile prospective attendees.
  • The attacks were launched by emailing spoofed invitations to prospective attendees of the upcoming Munich Security Conference and the Think 20 Summit in Saudi Arabia.
  • The attackers targeted former government officials, ambassadors, policy experts, academics, and leaders of non-governmental organizations, offering remote sessions for attending the events during the Covid-19 pandemic.
  • Embedded links redirected victims to a fake account login page for credential harvesting; the stolen credentials could later be used to log into the victims’ mailboxes to gather further sensitive information or launch additional attacks.
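As an added, defender-side example that is not from the original article or from Microsoft’s report: a small Python check that pulls the links out of an invitation email’s HTML and flags any whose target domain is not one the organizer uses, singling out near look-alikes such as a hyphen swapped for a dot. The organizer domains and the sample email are constructed placeholders.

```python
# Added example (not from the article): scan an invitation email's HTML for links
# whose domain the organiser does not use, flagging near look-alikes separately.
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"conference.example.org", "registration.example.org"}  # placeholder

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> elements
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL; bare 'domain/path' link text is accepted too."""
    url = value if "://" in value else "http://" + value
    return (urlparse(url).hostname or "").rstrip(".")

def find_suspicious_links(html, legit=LEGIT_DOMAINS, threshold=0.8):
    """Return [(href, reason)] for every link that does not point at a legitimate domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        domain = host_of(href)
        if not domain or domain in legit or any(domain.endswith("." + d) for d in legit):
            continue  # genuine organiser link (or a subdomain of one)
        closest = max(legit, key=lambda d: SequenceMatcher(None, domain, d).ratio())
        if SequenceMatcher(None, domain, closest).ratio() >= threshold:
            findings.append((href, f"look-alike of {closest}"))
        elif host_of(text) in legit:
            findings.append((href, "visible text claims a legitimate domain"))
        else:
            findings.append((href, "unknown domain"))
    return findings

SAMPLE_EMAIL = """<p>You are invited to speak at the summit. Confirm attendance:</p>
<a href="https://conference-example.org/confirm">conference.example.org/confirm</a>
<a href="https://registration.example.org/agenda">Agenda</a>
<a href="https://cdn.example-files.net/invite.pdf">Download invitation</a>"""
```

Running `find_suspicious_links(SAMPLE_EMAIL)` reports the hyphenated look-alike and the unrelated download host while leaving the genuine agenda link alone.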

Recent attacks

APT 35 has mostly focused on espionage activities aimed at intelligence collection.
  • In August, APT 35 targeted academic experts, human rights activists, and journalists specializing in Iranian affairs, first via LinkedIn messages and subsequently via WhatsApp calls to gain the victims’ trust.
  • In June, APT 35 was suspected of launching cyberattacks against major U.S. presidential campaigns.

Closing statement

From setting a new trend of WhatsApp phone calls to masquerading as event organizers, nation-state attackers routinely pursue sensitive information they can use to their benefit. Individuals therefore need to consider their online actions carefully: avoid taking the bait, enable 2FA, and avoid connecting to insecure public networks.