Mastodawn

Since the start of Operation Epic Fury on February 28, 2026, Proofpoint researchers have observed heightened cyber activity against Middle East targets tied to the war. Our new blog shares examples of how the conflict in Iran is accelerating cyber espionage across the Middle East.

🔗: https://brnw.ch/21x0EJ8

Iran-aligned #TA453 ( #CharmingKitten #APT42 ) recently attempted credential phishing against a U.S. thinktank, continuing its longstanding intelligence collection efforts. At the same time, multiple state-sponsored actors, including groups suspected to be linked to China, Belarus, Pakistan, and Hamas, are targeting Middle Eastern government entities using conflict-themed lures, often sent from compromised government or diplomatic accounts.

This reflects both opportunistic social engineering and a broader shift in intelligence collection priorities driven by the conflict.

View the full blog to see campaign examples observed by our researchers. We will continue monitoring the landscape and keep our customers and community informed as the situation evolves.

The Threat Codex Jan 20

How a hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East
#CharmingKitten #WhatsApp
https://techcrunch.com/2026/01/16/how-a-hacking-campaign-targeted-high-profile-gmail-and-whatsapp-users-across-the-middle-east/

How a hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East | TechCrunch

The phishing campaign targeted users on WhatsApp, including an Iranian-British activist, and stole the credentials of a Lebanese cabinet minister and at least one journalist.

TechCrunch

Webrecord Media Dec 26

APT35 Sızıntısı: Siber casusluktan fiziksel suikast planlarına
#apt35 #CharmingKitten #İran #nationstate

https://webrecord.media/apt35-sizintisi-siber-casusluktan-fiziksel-suikast-planlarina/

APT35 Sızıntısı: Siber casusluktan fiziksel suikast planlarına

Aralık 2025 başı itibarıyla siber güvenlik dünyası, APT grupları özelinde son yıllardaki en büyük sızıntılarından birine tanık oldu. İran Devrim Muhafızları (IRGC) ile doğrudan bağlantılı olduğu bilinen Charming Kitten (diğer adlarıyla APT35, Phosphorus) grubuna ait operasyonel kayıtlar, çalışan bilgileri ve iç işleyiş dokümanları "KittenBusters" adıyla GitHub üzerinden sızdırıldı. Bu sızıntı,

Webrecord

jomo Aug 19, 2025

0day Browser RCE von Charming Kitten / APT35 oder schlechte Berichterstattung?

Angeblich wurde auf einen Link geklickt und dadurch™ der Rechner infiziert.

https://archive.is/QkX57

#Berlin #Badenberg #CharmingKitten #apt35

SchreibeEinfach May 23, 2025

Hannah Neumann ist Vorsitzende der Iran-Delegation im EU-Parlament. Sie kämpft für Demokratie. Jetzt wurde sie Ziel eines Hackerangriffs. Das ist ein direkter Angriff auf unsere Werte. Wer schweigt, macht sich mitschuldig. #Iran #Demokratie #EUParlament #CharmingKitten #EinfacheSprache

SchreibeEinfach May 23, 2025

Iran greift nicht nur sein eigenes Volk an. Jetzt auch EU-Politiker. Die Hackergruppe „Charming Kitten“ wollte Hannah Neumann ausspionieren. Warum? Weil sie sich für Freiheit und Menschenrechte einsetzt. Wer so handelt, zeigt, wie gefährlich Diktaturen sind. #Iran #CharmingKitten #Neumann #EU #EinfacheSprache

Uncle Joe Dec 27, 2024

BellaCiao,BellaCiao from the magic hound to the poor sod who's account is browned the magic that with the new year comes spies and hounds and hides it's crumbs whether social media or email links do not click if it blinks or stinks thehackernews.com/2024/12/iran... #apt35 #charmingkitten #magichound

Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

Kaspersky uncovers BellaCPP malware by Iranian APT35, targeting systems in Asia without web shell use.

The Hacker News

Threat Insight Oct 9, 2024

New APT insight from Proofpoint ⬇️

This week, our team observed IRGC/Iraninan-aligned threat group #TA453 continue their phishing efforts despite the recent unsealing of indictments and sanctions by the U.S. government.

Specifically, Proofpoint observed TA453 masquerade as the Centre for Feminist Foreign Policy (CFFP) to target individuals associated with U.S. based universities, media companies, and politically adjacent social benefit organizations.

Today #CISA and the @FBI released a resource guide titled, “How to Protect Against Iranian Targeting of Accounts Associated with National Political Organizations.” It sets a good baseline on ways to protect against a variety of threat actors, including TA453. https://www.cisa.gov/resources-tools/resources/how-protect-against-iranian-targeting-accounts-associated-national-political-organizations

TA453 overlaps with reporting on #CharmingKitten, #MintSandstorm, #CharmingCypress and #APT42.

See our recent blog post to learn more about TA453’s malware evolution. https://ow.ly/OrXE50THoKZ

The Threat Codex Sep 30, 2024

Iranian Cyber Actors Targeting Personal Accounts to Support Operations
#CharmingKitten
https://www.ic3.gov/Media/News/2024/240927.pdf

Threat Insight Aug 23, 2024

The Iran-aligned threat actor who compromised the Trump campaign's email systems is known in the cybersecurity research community as #TA453, #APT42, or #CharmingKitten.

"The group's appearance in the U.S. election is noteworthy, sources told @Reuters, because of their invasive #espionage approach against high-value targets in Washington and Israel."

Read the article for insights from Joshua Miller of Proofpoint and other experts: https://www.reuters.com/world/trump-campaigns-iranian-hackers-have-dangerous-history-deep-expertise-2024-08-23/

The Iranians who hacked Trump's campaign have deep expertise

The Iranian hacking team that compromised the campaign of Republican presidential candidate Donald Trump is known for placing surveillance software on the mobile phones of its victims, enabling them to record calls, steal texts and silently turn on cameras and microphones, according to researchers and experts who follow the group.

Reuters