Washington-based cybersecurity firm Volexity has revealed that Iranian hackers have been launching spear phishing attacks against Middle Eastern policy experts.

Researchers at Volexity said Iranian-origin threat actor CharmingCypress (aka Charming Kitten, APT42, TA453) has been collecting political intelligence against foreign targets, particularly focusing on think tanks, NGOs, and journalists.

“In their phishing campaigns, CharmingCypress often employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content," the firm said.

In one case of spear-phishing campaign mentioned by the security firm, CharmingCypress went so far as to craft an entirely fake webinar platform to use as part of the lure. Spear phishing is when cybercriminals send emails that look like they are from a trusted source to trick specific people or departments in a company to steal secret information. CharmingCypress controlled access to the webinar platform, requiring targets to install malware-laden VPN applications prior to granting access.

In September and October 2023, CharmingCypress engaged in a series of spear-phishing attacks in which they masqueraded as the Rasanah International Institute for Iranian Studies (IIIS). CharmingCypress registered multiple, typo-squatted domains (rasaneh-iiis[.]org) for use in these attacks that are similar to the organization’s actual domain, rasanah-iiis[.]org. Rasanah International Institute for Iranian Studies is a research institute in Riyadh, Saudi Arabia, focusing on Iran’s politics.

“Inspecting the fake webinar portal shows the threat actor invested a significant level of effort,” Volexity said, adding that “The portal included the logo of the impersonated organization within a full web portal interface."