Iranian cyberspies behind major Christmas SMS spear-phishing campaign

Iranian hackers managed to successfully hide URLs to phishing sites behind legitimate google.com links.
Written by Catalin Cimpanu, Contributor

An Iranian cyber-espionage group known as Charming Kitten (APT35 or Phosphorus) has used the recent winter holiday break to attack targets from all over the world using a very sophisticated spear-phishing campaign that involved not only email attacks but also SMS messages.

"Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect," said CERTFA, a cybersecurity organization specialized in tracking Iranian operations.

"The group started the new round of attacks at a time when most companies, offices, organizations, etc. were either closed or half-closed during Christmas holidays and, as a result, their technical support and IT departments were not able to immediately review, identify, and neutralize these cyber incidents," it added.

CERTFA said it detected attacks targeting members of think tanks, political research centers, university professors, journalists, and environmental activists.

The victims were located in countries around the Persian Gulf, Europe, and the US.

How an attack unfolded

CERTFA researchers said that this particular campaign exhibited an advanced degree of complexity. Victims received spear-phishing messages from the attackers not only via email but also via SMS, a channel that not many threat actors use on a regular basis.

While the SMS messages posed as Google security alerts, the emails leveraged previously hacked accounts and tried to play on the festive mood with holiday-related lures.

The common denominator in both campaigns was that Charming Kitten operators managed to successfully hide their attacks behind a legitimate Google URL of https://www.google[.]com/url?q=https://script.google.com/xxxx, which would have fooled even the most tech-savvy recipients.

Under the hood, CERTFA said, that legitimate Google URL would bounce the user through several websites before landing on a phishing page that asked for login credentials for personal email services such as Gmail, Yahoo, and Outlook, as well as for business email accounts.
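As an added illustration (not code from CERTFA or this article), a small Python helper that unwraps the google.com/url?q= pattern described above so that a mail or SMS filter can evaluate the real destination rather than the displayed google.com host; the sample URL is constructed and the wrapper-host list is an assumption limited to the endpoint the report names.

```python
from urllib.parse import urlparse, parse_qs

# Hosts whose "/url?q=<target>" endpoint forwards the browser to <target>.
# Assumption for this example: only the google.com wrapper named in the report.
WRAPPER_HOSTS = {"www.google.com", "google.com"}


def unwrap_once(url):
    """Return the URL embedded in a google.com/url?q=... wrapper, or None."""
    parts = urlparse(url)
    if parts.hostname in WRAPPER_HOSTS and parts.path == "/url":
        target = parse_qs(parts.query).get("q")  # parse_qs percent-decodes the value
        if target:
            return target[0]
    return None


def unwrap_chain(url, max_depth=5):
    """Peel static wrappers and return every URL seen, outermost first."""
    chain = [url]
    while len(chain) <= max_depth:
        inner = unwrap_once(chain[-1])
        if inner is None or inner in chain:  # no wrapper left, or a loop
            break
        chain.append(inner)
    return chain


def assess(url):
    """Summarise what the recipient sees versus where the link really points."""
    chain = unwrap_chain(url)
    shown, final = urlparse(chain[0]), urlparse(chain[-1])
    return {
        "displayed_host": shown.hostname,
        "final_host": final.hostname,
        "wrapped": len(chain) > 1,
        # script.google.com serves Apps Script web apps that can redirect again
        # server-side; that hop cannot be resolved offline, so flag it for a
        # sandboxed fetch rather than trusting the Google hostname.
        "needs_live_follow": final.hostname == "script.google.com",
        "chain": chain,
    }


# Constructed sample mirroring the pattern in the report (not a real campaign URL).
SAMPLE = "https://www.google.com/url?q=https://script.google.com/macros/s/EXAMPLE/exec"
```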

The CERTFA team noted that this wasn't the first time that Charming Kitten managed to successfully hide links to spear-phishing websites behind Google URLs.

The organization points to a previous report from January 2020 exposing a Charming Kitten operation that abused sites.google.com links.
