Iranian Spear-Phishing Campaign Targets Google, Outlook, and Yahoo Domains

Amidst escalating geopolitical tensions and explicit warnings from agencies such as the FBI and Department of Homeland Security regarding intensifying Iranian cyber operations, Check Point Research has disclosed fresh evidence of a highly sophisticated spear-phishing campaign.

Attributed to “Educated Manticore” (also known as APT42, Charming Kitten, and Mint Sandstorm) and linked to the IRGC Intelligence Organization, this threat actor has reemerged with a series of technically advanced attacks targeting high-profile individuals, particularly in Israel, though the campaign is understood to extend globally and across multiple industries.

Tailored Attacks Mimic Trusted Entities

The latest wave of the campaign demonstrates a marked evolution in both breadth and targeting precision.

[Figure: Fake image redirecting to the attackers’ servers]

Attackers meticulously research their intended victims, constructing fictitious personas and purporting to represent reputable Israeli institutions, diplomats, and technology professionals.

Leveraging a deep understanding of their targets’ professional circles and of current events, the group employs multi-channel outreach, including email and encrypted messaging platforms such as WhatsApp, to initiate contact.

The communication is marked by grammatically accurate, formally structured messages that can be difficult to distinguish from legitimate correspondence.

Subtle errors, such as minor misspellings of names, remain among the few indicators of their fraudulent nature.

Once rapport is established, victims are pushed toward highly convincing phishing sites.

Over one hundred unique phishing domains have been registered, many of which closely mimic the login portals of Google, Outlook, and Yahoo, as well as platforms like Google Meet.

According to the Check Point Research report, these phishing pages often feature pre-filled victim information and use modern frontend frameworks to replicate legitimate interfaces, further enhancing their credibility.
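The report counts over a hundred registered lookalike domains for the Google, Outlook, and Yahoo login portals. The following is an added example, not code from Check Point Research or from the article, showing how a defender can triage outbound proxy or DNS logs for such domains: a hostname is flagged when its registrable domain is not on an allowlist of official domains but one of its labels embeds a brand name (after undoing common digit-for-letter substitutions) or sits within one edit of a brand name. The log lines, the allowlist, the brand list, and the `dst=` log field are all constructed assumptions for the example.

```python
"""Triage proxy/DNS log lines for brand-impersonating login domains.

Added example, not part of the Check Point report. All sample data below is
constructed; the allowlist and brand list are assumptions a defender would
maintain and extend (regional domains such as yahoo.co.il must be added to
OFFICIAL or they will be flagged).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed allowlist of registrable domains that legitimately serve these logins.
OFFICIAL = {"google.com", "outlook.com", "live.com", "microsoft.com", "yahoo.com"}
# Brand strings to look for in non-allowlisted hostnames (assumption).
BRANDS = ["google", "outlook", "yahoo", "microsoft"]
# Minimal set of two-level public suffixes for registrable-domain extraction.
TWO_LEVEL_SUFFIXES = {"co.il", "org.il", "co.uk", "com.au"}
# Digit/symbol-for-letter substitutions commonly seen in typosquats.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
HOST_RE = re.compile(r"\bdst=([A-Za-z0-9.-]+)")


@dataclass
class Finding:
    host: str
    verdict: str          # allowlisted | brand_embedded | typosquat | clean
    brand: Optional[str]


def _suffix_len(labels: List[str]) -> int:
    """Number of trailing labels that form the public suffix."""
    return 2 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 1


def registrable_domain(host: str) -> str:
    """Return the registrable (owner-controlled) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-(_suffix_len(labels) + 1):])


def normalise(label: str) -> str:
    """Undo common homoglyph tricks and strip separators before matching."""
    s = label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", s)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> Finding:
    """Decide whether a hostname looks like a brand-impersonating login domain."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if registrable_domain(host) in OFFICIAL:
        return Finding(host, "allowlisted", None)
    checkable = labels[:-_suffix_len(labels)]      # every label left of the public suffix
    # Pass 1: a brand name embedded anywhere in a non-official label.
    for label in checkable:
        norm = normalise(label)
        for brand in BRANDS:
            if brand in norm:
                return Finding(host, "brand_embedded", brand)
    # Pass 2: a label within one edit of a brand name (e.g. a dropped letter).
    for label in checkable:
        norm = normalise(label)
        for brand in BRANDS:
            if len(brand) >= 5 and levenshtein(norm, brand) <= 1:
                return Finding(host, "typosquat", brand)
    return Finding(host, "clean", None)


def scan(log_text: str) -> List[Finding]:
    """Return only the suspicious findings for every dst= host in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if m:
            f = classify(m.group(1))
            if f.verdict in ("brand_embedded", "typosquat"):
                findings.append(f)
    return findings


# Constructed sample log lines (not real traffic).
LOGS = """\
2025-06-25T09:12:03Z user=alice dst=accounts.google.com
2025-06-25T09:13:44Z user=alice dst=accounts-google.verify-login.example
2025-06-25T09:15:10Z user=bob dst=login.micros0ft-online.example
2025-06-25T09:16:02Z user=bob dst=mail.yahoo.com
2025-06-25T09:17:30Z user=carol dst=yah00-mail.example
2025-06-25T09:18:01Z user=carol dst=meet.google.com.join.example
2025-06-25T09:19:45Z user=dave dst=outlok.example
2025-06-25T09:20:10Z user=dave dst=example.org
"""

if __name__ == "__main__":
    for f in scan(LOGS):
        print(f"{f.verdict:15} brand={f.brand:10} host={f.host}")
```

The substring pass is what catches the pattern the article describes, where an official hostname such as `meet.google.com` is pushed into a subdomain of an attacker-controlled registrable domain; the allowlist check runs first so genuine Google, Outlook, and Yahoo traffic is never scored. In production the tiny suffix table should be replaced by the Public Suffix List and the findings fed to an analyst queue rather than blocked automatically, since short brand words will produce some false positives.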

In some instances, attackers have even masqueraded as mid-level employees of Israeli technology firms, personnel from the Prime Minister’s Office, and prominent journalists.

Tactics to Bypass Multi-Factor Authentication

One of the most alarming developments in this campaign is the strategic focus on bypassing multi-factor authentication (MFA).

Through real-time social engineering, victims are deceived into divulging not only their credentials but also their one-time authentication codes, enabling complete account takeover.

This methodical approach to circumventing MFA represents a significant escalation in the threat level posed by this group. The campaign’s victimology is equally notable for its emphasis on high-value targets.

Recent attacks have focused on leading Israeli academics in computer science and cyber security, as well as journalists known for reporting on intelligence and regional affairs. However, Educated Manticore’s reach is not limited to Israel.

The group has a documented history of global operations, frequently posing as international media outlets and non-governmental organizations including The Washington Post, The Economist, Khaleej Times, and Azadliq to target individuals aligned with Iran’s strategic interests.

While most interactions remain digital, at least one documented incident has seen attackers extend their operations into the physical domain, inviting a victim to a face-to-face meeting in Tel Aviv.

This suggests the potential for hybrid threats that blend cyber and physical tactics to achieve their objectives.

Given its wide geographical range, breadth of industry focus, and technical sophistication, this campaign represents a substantial threat to academic, policy, and media sectors worldwide.

Experts urge individuals, particularly those in high-risk roles, to exercise heightened caution when receiving unsolicited meeting invitations or emails, even from apparently credible sources.

The evolving nature of Educated Manticore’s tactics underscores the imperative for organizations and individuals alike to maintain robust cyber hygiene practices and to remain vigilant against social engineering techniques that can bypass even advanced security controls.


Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
