Check Point Research has uncovered a new wave of targeted cyber-espionage activity linked to Educated Manticore, an Iranian threat group operating under the umbrella of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). Also tracked as APT42, Charming Kitten, or Mint Sandstorm, the group is exploiting ongoing geopolitical tensions between Iran and Israel to target high-profile individuals in academia, journalism, and cybersecurity.
The campaigns, active since mid-June 2025, employ tailored spear-phishing messages crafted with precision. Using fake identities posing as assistants to tech executives or researchers, the attackers initiate contact via email and WhatsApp, avoiding suspicious links in the initial messages.
“In all cases, the initial message contains no links, but the attackers quickly gain the victims’ trust… ultimately guiding them to an online meeting link that leads to attacker-controlled phishing infrastructure,” the report explains.
Some messages even suggest in-person meetings in Tel Aviv, raising concerns that the operation could extend into the physical realm.
The phishing messages are crafted with a level of polish indicative of AI-assisted writing. Despite their grammatical precision and formal tone, subtle inconsistencies reveal their deceptive origin, such as mismatched sender names in emails. These minor anomalies are critical clues for the vigilant.
Once trust is established, victims are guided to custom phishing kits hosted on malicious domains. The phishing kits are Single Page Applications (SPAs) built with React, capable of emulating a full Google Authentication flow, including multi-factor authentication (2FA) steps.
“The phishing kit used by Educated Manticore is implemented as a Single Page Application (SPA)… The page is never reloaded… and dynamically renders each authentication step.”
Victims are prompted through stages such as SMS verification, authenticator apps, and email-based 2FA, all designed to bypass modern authentication defenses. The kit even supports passive keylogging, transmitting every keystroke to the attacker in real time via WebSocket connections.
“In addition to collecting inputs at the time of specific step submission, this keylogger records every character typed — even if the user abandons the form or never submits it.”
To further build credibility, attackers send Google Meet invitations hosted on Google Sites. These fake pages display hardcoded images that redirect to attacker-controlled infrastructure. They are designed to trick victims into initiating what appears to be a legitimate video meeting.
“The fake page is designed to resemble a legitimate Google Meet meeting page… All function identically: when the user clicks on the image, they are redirected to the attacker’s website.”
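A defender-side triage script for two of the lure traits described above: the mismatched sender name in the email headers, and a Google Meet-branded image whose link points away from Google's own hosts. This is an added example, not Check Point's tooling or anything recovered from the campaign; the allowlisted hosts, the name-matching heuristic and the sample message are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GOOGLE_HOSTS = ("google.com", "meet.google.com", "sites.google.com")  # allowlist (assumption)

class _LinkedImages(HTMLParser):
    """Collect (href, alt+src) for every <img> that sits inside an <a>."""
    def __init__(self):
        super().__init__()
        self._href, self.hits = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href:
            self.hits.append((self._href, f"{a.get('alt') or ''} {a.get('src') or ''}"))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def sender_name_mismatch(msg):
    """Heuristic for the 'mismatched sender name' clue: From: display name shares no
    token with the mailbox local part, or Reply-To steers replies elsewhere."""
    name, addr = parseaddr(msg.get("From", ""))
    tokens = [t for t in name.lower().replace(".", " ").split() if len(t) > 2]
    in_mailbox = any(t in addr.split("@")[0].lower() for t in tokens)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    return bool(tokens) and (not in_mailbox or (bool(reply) and reply.lower() != addr.lower()))

def off_google_meet_images(html):
    """Return hrefs of Meet-branded images whose link leaves the allowlisted Google hosts."""
    p = _LinkedImages()
    p.feed(html)
    is_google = lambda h: any(h == g or h.endswith("." + g) for g in GOOGLE_HOSTS)
    return [h for h, label in p.hits
            if "meet" in label.lower() and not is_google(urlparse(h).hostname or "")]

def triage(raw):
    # Run both checks over one raw RFC 5322 message (bytes).
    msg = message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part else ""
    return {"name_mismatch": sender_name_mismatch(msg),
            "off_google_meet_links": off_google_meet_images(html)}

# Constructed sample lure; every name, address and domain here is made up.
SAMPLE = (b"From: Assistant to Dr. Levi <ops.desk@example-mail.test>\r\nReply-To: schedule@other-mail.test\r\n"
          b"Content-Type: text/html; charset=utf-8\r\n\r\n<html><body><p>Join the call:</p>"
          b'<a href="https://meet-join.lure-example.test/x"><img alt="Google Meet" src="meet.png"></a></body></html>\r\n')
```

Calling `triage(SAMPLE)` flags both traits; a Meet image that links to `meet.google.com` itself is left alone.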
Check Point attributes this campaign to Educated Manticore, a long-active Iranian APT group known for high-value espionage. Their infrastructure includes over 130 phishing domains and multiple kits targeting Gmail, Outlook, and Yahoo platforms, each tailored to bypass respective security mechanisms.
These domains are often registered via NameCheap, and the infrastructure overlaps with the threat cluster known as GreenCharlie, a subgroup within Educated Manticore.