Iranian Hackers Impersonate Journalists to Distribute Malware to Victims

An Iranian cyberespionage group has adopted new tactics by impersonating journalists to target individuals through LinkedIn and WhatsApp, aiming to deliver malware to their devices. This development marks a strategic shift for the “Charming Kitten” APT group, identified by Israeli cybersecurity firm Clearsky. Since July 2020, the group has been using fraudulent emails claiming to be from outlets like Deutsche Welle and the Jewish Journal as part of its approach to persuade targets into interacting with malicious links.

In an analysis released by Clearsky, it was noted that this is the first instance where the group has executed a watering hole attack via WhatsApp and LinkedIn. The attackers initiated contact by sending messages or making phone calls to victims, further enhancing their deceptive engagement strategy. After notifying Deutsche Welle about the impersonation incident, the broadcaster confirmed that the reporter’s credentials were misused without their knowledge and that no communication had taken place with the identified victim in recent weeks.

Known by various aliases, including APT35 and Parastoo, Charming Kitten has targeted human rights advocates, researchers, and media organizations for sensitive information since at least December 2017. This campaign is a continuation of the group's espionage efforts and relies on social engineering to manipulate individuals into cooperating.

The compromised Deutsche Welle domain served as a vector for information-stealing malware delivered through WhatsApp. Victims were first lured into conversation via email, followed by an invitation to transition the dialogue to WhatsApp. If recipients declined, attacks would continue via a fabricated LinkedIn profile. This orchestrated engagement is tailored to build trust while facilitating exposure to malicious content.

In one notable case, the attacker escalated by both messaging and calling a potential victim to build trust and persuade them to join a webinar through a malicious link shared earlier. This tactic marks a concerning evolution in the group's operations: the attackers were willing to communicate directly with targets to a degree that risks exposing their own fabricated identities.

This is not the first time Iranian hackers have used social media channels for espionage. A previous operation, known as "Operation Newscaster", involved the creation of fictitious Facebook accounts and a fake news website to surveil military and political figures in several countries.

In this latest operation, the attackers' willingness to engage victims by direct phone call, using a legitimate-sounding German number, departs from the tactics typically observed from the group. The activity maps to techniques catalogued in the MITRE ATT&CK framework, such as initial access through phishing and social engineering, persistence through sustained manipulative engagement with the target, and potential privilege escalation via compromised account credentials.

As cyber threats continue to evolve, businesses and individuals in sensitive sectors need to remain vigilant. Awareness of tactics like these strengthens an organization's security posture and prepares it for targeted social engineering. The changing nature of these techniques underlines the need for robust defenses against increasingly sophisticated adversaries.