
Check Point attributes the activity to “Educated Manticore,” a threat group aligned with Iranian APTs like APT35 and APT42, known for using social engineering and fake personas to infiltrate networks and steal intelligence
A sophisticated cyber-espionage campaign originating from an Iranian state-sponsored group has been targeting Israeli cybersecurity professionals, journalists, and academics in recent weeks, according to a new report by cybersecurity firm Check Point.
The campaign, believed to be linked to the Islamic Revolutionary Guard Corps (IRGC), involves spear-phishing tactics aimed at stealing credentials and sensitive information. The attackers masquerade as assistants to technology executives or researchers, using email and WhatsApp to reach their targets. Victims are then tricked into clicking links that redirect them to convincingly crafted fake login pages resembling Google services such as Gmail and Google Meet.
Check Point attributes the activity to a threat group it tracks as “Educated Manticore,” which shares characteristics with several well-known Iranian APT (Advanced Persistent Threat) groups, including APT35 and APT42. These groups are notorious for using social engineering and fake personas to infiltrate networks and gather intelligence.
One deceptive WhatsApp message cited in the report invited a cybersecurity expert to an urgent online meeting regarding an AI-based threat detection system, exploiting heightened tensions between Iran and Israel. The message was crafted to appear credible and urgent, leveraging current geopolitical anxieties to build trust.
Stealth tactics in cyber espionage
The phishing kit employed by the hackers uses advanced techniques, including React-based Single Page Applications (SPA) and real-time WebSocket communication. Because the victim's input reaches the attackers as it is typed, the kit can capture login credentials, including time-limited two-factor authentication (2FA) codes, without raising suspicion. Additionally, the kit features a passive keylogger that captures all keystrokes—enabling attackers to harvest data even if users do not complete the login process.
Check Point's analysts believe that some of the messages and decoy websites were likely generated using AI tools, citing their polished language and structured formatting. Attackers have also used legitimate-looking domains, including ones hosted on Google Sites, to make fake meeting invitations more convincing.
This renewed wave of attacks began in mid-June, coinciding with the recent outbreak of hostilities between Iran and Israel. The hackers’ tactics show signs of increasing agility—quickly deploying infrastructure and dismantling it when detected, making defense and attribution more difficult.
Security experts warn that as the geopolitical situation continues to evolve, targeted cyber campaigns like this one are likely to become more frequent and more technically advanced.