Iranian State-Sponsored Actors Impersonate U.S. Think Tank to Target Female Researchers



Iranian state-sponsored actors are continuing their social engineering campaigns by impersonating a U.S. think tank. Cybersecurity company Secureworks attributed the activity to a hacking group it tracks as Cobalt Illusion, which is also known by the names APT35, Charming Kitten, ITG18, Phosphorus, TA453, and Yellow Garuda. The threat actor's targeting of academics, activists, diplomats, journalists, politicians, and researchers has been well documented over the years. The group is suspected to be operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC) and has exhibited a pattern of using fake personas to establish contact with individuals who are of strategic interest to the government.


"It is common for Cobalt Illusion to interact with its targets multiple times over different messaging platforms," Secureworks said. "The threat actors first send benign links and documents to build rapport. They then send a malicious link or document to phish credentials for systems that Cobalt Illusion seeks to access." Chief among its tactics is credential harvesting to gain control of victims' mailboxes, along with the use of custom tools such as HYPERSCRAPE (aka EmailDownloader) to steal data from Gmail, Yahoo!, and Microsoft Outlook accounts using the stolen passwords.


This latest campaign sees the group impersonating a U.S. think tank in order to target female researchers who are active in the field of political affairs and human rights in the Middle East region.

