US agencies warn of surge in Iranian state-sponsored spear‑phishing

US agencies and cybersecurity researchers are sounding the alarm over a rise in Iranian state-sponsored spear-phishing attacks. These attacks focus on high-profile individuals, employing advanced tactics to steal Google account credentials while circumventing two-factor authentication measures.

What happened 

US cybersecurity agencies, including CISA, FBI, and international partners, have issued a warning about an escalation in spear phishing attacks orchestrated by Iranian state-sponsored actors. These campaigns target high-value individuals, journalists, cybersecurity professionals, and computer science professors, primarily in Israel. The attackers are leveraging AI-enhanced social engineering, including fake Gmail login pages and Google Meet invitations, to steal credentials and bypass two-factor authentication (2FA).

Going deeper 

The threat actors behind these operations are associated with the IRGC-linked APT group often referred to as “Educated Manticore,” “Charming Kitten,” or APT35/APT42. Strategies include:

• Domain-specific phishing kits: Over 130 unique malicious domains were spun up, sometimes one or two per individual target, hosting phishing landing pages mimicking legitimate Google login interfaces. 
• WhatsApp and email lures: Messages impersonated trusted contacts (e.g., a “Sarah Novominski” from a respected Israeli security firm), using WhatsApp or email to build rapport before delivering phishing links. 
• AI-enhanced precision: Attackers used advanced AI to craft flawless messages devoid of spelling or grammar mistakes. The phishing kit was built with React and WebSocket tech, and included a passive keylogger to capture keystrokes during the process. 
• 2FA bypass: Victims’ credentials and 2FA codes were captured in real-time, enabling full account takeover through relay attacks.

The most active hacktivist groups include: 

• Mr Hamza
• Keymous
• Mysterious Team
• Team Fearless
• GARUDA_ERROR_SYSTEM
• Dark Storm Team
• Arabian Ghosts
• Cyber Fattah
• CYBER U.N.I.T.Y
• NoName057(16)

Most targeted sectors:

• Government
• Defense
• Telecom
• Financial services
• Technology

What was said 

According to the security agencies, “Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events. These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices.” 

In the numbers

Recent reports from Censys and SOCRadar shed light on the scale of internet-exposed industrial devices and the surge in cyberattacks linked to the 2025 Iran-Israel conflict: 

Device exposure by vendor (via Censys):

• Tridium Niagara: 43,167 internet-exposed devices
• Red Lion: 2,639 devices
• Unitronics: 1,697 devices (most commonly found in Australia)
• Orpak SiteOmat: 123 devices
• Geographic hotspots for Tridium Niagara exposure: Germany, Sweden, Japan
• Most exposed country overall: United States

Cyberattack activity (via SOCRadar):

• Total reported cyberattack claims: 600+ (June 12–27, 2025)
• Attack claims by country:
  • Israel: 441 attacks
  • United States: 69 attacks
  • India: 34 attacks
  • Jordan: 33 attacks
  • Saudi Arabia: 13 attacks
• Distributed Denial-of-Service (DDoS) specifics:
  • Israel: 357 DDoS claims
  • Share of global DDoS claims: 74%

Take action

If you’re among the targeted demographic, exercise extreme caution around unsolicited meeting invitations or emails asking for credentials, even if they seem to come from trusted sources. Safeguard your accounts by using hardware-based multi-factor authentication, verifying domain names before logging in, and applying phishing-resistant email protections.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQS

What is spear-phishing?

Spear-phishing is a targeted cyberattack where attackers impersonate a trusted source, such as a colleague or known organization, to trick individuals into revealing sensitive information like passwords or clicking malicious links.

How do these attacks work?

Victims receive seemingly legitimate emails or WhatsApp messages, often mimicking Google services like Gmail or Meet. These messages direct users to fake login pages designed to steal credentials and bypass two-factor authentication (2FA).

What makes these campaigns difficult to detect?

The attackers use AI to generate flawless, convincing messages and advanced phishing kits that mimic real login pages. These kits can capture login details and 2FA codes in real time, making them highly effective.