Iranian APT35 Hackers Target Prominent Cybersecurity Experts and Academics in Israel

Amid heightened geopolitical tensions between Iran and Israel, the Iranian state-aligned advanced persistent threat (APT) group known as Educated Manticore (tracked by the wider security community as APT35, Charming Kitten, or Mint Sandstorm) has intensified its cyber-espionage operations against Israeli targets.

Recent investigations by Check Point Research reveal that the group has launched a series of highly targeted spear-phishing campaigns aimed at Israeli journalists, leading cybersecurity experts, and computer science professors from prominent academic institutions.

The attack methodology leverages social engineering tactics, with threat actors posing as fictitious assistants to technology executives or researchers.

These personas initiate contact via email or WhatsApp, often employing polished, AI-assisted language to establish credibility.

Notably, the initial outreach contains no malicious links, instead relying on trust-building exchanges before directing victims to attacker-controlled phishing infrastructure.

In some instances, the attackers have gone so far as to propose in-person meetings in Tel Aviv, raising concerns about potential real-world risks beyond cyberspace.

Phishing Kits and Credential Harvesting

Once rapport is established, victims are sent links to fake Google authentication pages or Google Meet invitations.

The phishing kits employed are implemented as Single Page Applications (SPA) built with React, featuring minified and obfuscated code to evade detection.

The phishing flow is highly adaptive, dynamically rendering authentication steps based on the victim’s account security settings.

The kit supports the full range of Google authentication mechanisms, including password, SMS, email code, and app-based 2FA, enabling the attackers to relay multi-factor authentication (MFA) tokens in real time.

[Figure: Initial email impersonating a fictitious Threat Intelligence Analyst.]

The backend infrastructure, such as that hosted at https://idea-home[.]online:8569, receives POST requests containing the victim’s session key, email, IP address, and user-agent string.

In response, the server provides task-specific configurations, such as which authentication screen to display and pre-filled victim information, further enhancing the illusion of legitimacy.

The phishing kit also maintains a persistent WebSocket connection, enabling passive keylogging of every keystroke (even if the victim abandons the form) and allowing attackers to push dynamic updates or redirect the victim at any stage.
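The backend pattern described above (a POST to the kit's backend followed almost immediately by a WebSocket upgrade to the same host) is something a defender can hunt for in web-proxy logs. The following is an added detection example, not code from the report or from the threat actor's kit; the log format and the client addresses are constructed for illustration, and only the backend host name is taken from the report.

```python
import re
from datetime import datetime, timedelta

# Constructed web-proxy log lines for illustration (not data from the report).
# Format: timestamp client method url status note
SAMPLE_LOG = """\
2025-06-20T09:01:02Z 10.0.0.5 GET https://accounts.google.com/signin 200 -
2025-06-20T09:03:10Z 10.0.0.5 POST https://idea-home.online:8569/api/init 200 -
2025-06-20T09:03:12Z 10.0.0.5 GET wss://idea-home.online:8569/ws 101 upgrade=websocket
2025-06-20T09:05:00Z 10.0.0.7 POST https://example.com/login 200 -
2025-06-20T09:05:01Z 10.0.0.7 GET wss://example.com/chat 101 upgrade=websocket
"""

# Backend host named in the report (de-fanged there as idea-home[.]online).
KNOWN_BACKENDS = {"idea-home.online"}
STANDARD_PORTS = {"80", "443", None}   # None: no explicit port in the URL
WINDOW = timedelta(seconds=60)         # max gap between the POST and the upgrade

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) "
    r"(?P<scheme>\w+)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>\S*) "
    r"(?P<status>\d{3}) (?P<note>\S+)$"
)

def parse(log_text):
    """Parse proxy lines into dicts with a datetime timestamp; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def find_kit_sessions(log_text, min_score=2):
    """Return (client, host, reasons) for sessions where a WebSocket upgrade follows a
    POST to the same host within WINDOW. Extra weight is given when the host is a
    known kit backend or listens on a non-standard port, as the report describes."""
    events = parse(log_text)
    findings = []
    for ws in events:
        if ws["status"] != "101" and ws["note"] != "upgrade=websocket":
            continue
        prior_posts = [e for e in events
                       if e["client"] == ws["client"] and e["host"] == ws["host"]
                       and e["method"] == "POST"
                       and timedelta(0) <= ws["ts"] - e["ts"] <= WINDOW]
        if not prior_posts:
            continue
        reasons = ["post-then-websocket"]
        if ws["host"] in KNOWN_BACKENDS:
            reasons.append("known-backend-host")
        if ws["port"] not in STANDARD_PORTS:
            reasons.append("nonstandard-port:" + ws["port"])
        if len(reasons) >= min_score:
            findings.append((ws["client"], ws["host"], reasons))
    return findings
```

With the default threshold only the session talking to the known backend on port 8569 is flagged; the benign chat-style session on example.com is reported only if the threshold is lowered to one indicator.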

Multi-Brand Phishing

Educated Manticore’s toolkit extends beyond Google, with similar React-based phishing kits targeting Outlook and Yahoo accounts.

These kits mimic the authentication flows of their respective services and incorporate real-time keylogging capabilities.

[Figure: Fake image redirecting to the attackers’ servers.]

Some campaigns utilize multi-stage phishing pages hosted on Google Sites, exploiting the inherent trust in Google’s domain to lure victims into entering their credentials.

Since January 2025, the group has registered over 130 unique domains, primarily via NameCheap, serving as either phishing kit hosts or backend infrastructure.

Many of these domains and IP addresses overlap with the infrastructure cluster known as GreenCharlie, believed to be a sub-cluster of Educated Manticore.

The group’s agility in rapidly deploying and retiring infrastructure enables it to evade takedowns and maintain operational effectiveness despite increased scrutiny from the cybersecurity community.

The ongoing campaigns underscore Educated Manticore’s persistent threat to Israel’s cyber and academic sectors, particularly during periods of heightened regional conflict.

By leveraging sophisticated social engineering, modern web technologies, and adaptive phishing kits, the group continues to compromise high-value targets and exfiltrate sensitive credentials and identity information.

Indicators of Compromise (IOC)



Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
