article featured image


Human rights activists, reporters, researchers, professors, diplomats, and politicians working in the Middle East are being targeted in an ongoing social engineering and credential phishing effort.

These attacks have been linked to Iranian state hackers, APT42, which has been shown to have similarities with Charming Kitten (also known as APT35 or Phosphorus).

Details About the Campaign

Human Rights Watch (HRW) said in a report shared on Monday, December 5, 2022, that hackers targeted at least 20 high-profile individuals between September 15 and November 25, 2022.

Three of them had their emails and personal data compromised. The victims are a major U.S. newspaper correspondent, a Gulf-based women’s rights advocate, and Nicholas Noe, a Lebanon-based advocacy specialist for Refugees International.

The digital break-in entailed gaining access to their emails, cloud storage, calendars, and contacts, as well as exfiltrating the entire data associated with their Google accounts in the form of archive files through Google Takeout.


“Iran’s state-backed hackers are aggressively using sophisticated social engineering and credential harvesting tactics to access sensitive information and contacts held by Middle East-focused researchers and civil society groups. This significantly increases the risks that journalists and human rights defenders face in Iran and elsewhere in the region,” says Abir Ghattas, information security director at Human Rights Watch.

The attack starts with a phishing message on WhatsApp that falsely invites the target to a conference and contains a malicious URL. The social engineering tactics include fake login pages of Microsoft, Google, and Yahoo! designed to steal credentials. These pages are even capable to bypass two-factor authentication (2FA) using adversary-in-the-middle (AiTM) attacks.

Details About the Hackers

“The attribution to APT42 is based on overlaps in the source code of the phishing page with that of another spoofed registration page that, in turn, was associated to a credential theft attack mounted by an Iran-nexus actor (aka TAG-56) against an unnamed U.S. think tank”, according to The Hacker News.

The same code was utilized also in another fake page created for a social engineering attack by the Charming Kitten group and discovered by Google TAG in October 2021.

Both APT35 and APT42 have links with Islamic Revolutionary Guard Corps (IRGC), APT42 preferring to target individuals and entities for domestic politics and foreign policy.

“In a Middle East region rife with surveillance threats for activists, it’s essential for digital security researchers to not only publish and promote findings, but also prioritize the protection of the region’s embattled activists, journalists, and civil society leaders,” Abir Ghattas said.

If you liked this article, follow us on LinkedInTwitterFacebookYouTube, and Instagram for more cybersecurity news and topics.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content.