The Stormshield Cyber Threat Intelligence (CTI) team has uncovered new phishing infrastructure tied to APT35, also known as Mint Sandstorm, Charming Kitten, or Educated Manticore. Their findings expand on a recent Check Point report, showing that the Iranian state-linked group continues to operate video conferencing–themed phishing campaigns against high-value targets in the Middle East and beyond.
During active threat hunting, Stormshield analysts identified two suspicious servers. According to the report, “They share a lot of similarities with servers reported by Check Point on APT35. The servers are active and resolve multiple domains used for phishing purposes.”
Using the SilentPush platform, the team tracked distinctive HTML pages used across APT35 domains, notably featuring a “four colored dots” loading animation—a tactic consistent with infrastructure uncovered earlier in 2025.
The investigation revealed two previously undocumented IPs:
- 84.200.193[.]20 (AS 214036 Ultahost, Inc.) – linked to the domain rohan63[.]xyz.
- 79.132.131[.]184 (AS 39378 SERVINGA) – hosting 49 domains, all using the .online TLD.
Stormshield notes, “All domains seem to be used for phishing purposes, most of them masquerading as video conferencing related domains, with naming such as meet.go0gle[.]online or meet.video-connect[.]online.”
This fits a pattern dating back to 2023, where APT35 weaponized Google Meet–style phishing lures to trick victims into entering credentials.
The report outlines methods defenders can use to spot APT35 domains:
- Query strings: “Searching on VirusTotal for URLs with the .online TLD and the query ‘?invitation’ yields results.” Several submissions from Israel and Sweden were identified between July and September 2025.
- Subdomain patterns: Simply hunting for subdomains starting with “viliam.” uncovered more than 100 potential domains. While not all are malicious, the researchers confirm it’s “a good way to start looking for it.”
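The two pivots above are simple string heuristics, so they are easy to turn into a first-pass triage script over a URL feed. The block below is an added example written for this article, not Stormshield's tooling: it refangs report-style indicators, parses each URL, and reports which heuristic fired. The third check, which flags meet.* hosts on the .online TLD, is this example's own generalisation of the two hostnames the report quotes, and the sample URLs other than those two hostnames are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input in the style of a CTI report. The two meet.* hosts are the
# names Stormshield quotes; the remaining entries are made up for this example.
SAMPLE_URLS = [
    "hxxps://meet[.]go0gle[.]online/?invitation",
    "hxxps://meet[.]video-connect[.]online/join?invitation=abc123",
    "hxxp://viliam[.]example-host[.]online/",
    "https://viliam.example.net/",
    "https://meet.google.com/abc-defg-hij",     # legitimate service: control case
    "https://example.com/?invitation=1",        # right query key, wrong TLD
]


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in CTI write-ups (hxxp, [.], (.), [:])."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for defanged, real in (("[://]", "://"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        s = s.replace(defanged, real)
    return s


def hunt_indicators(url: str) -> list[str]:
    """Return the names of the hunting heuristics that match one URL.

    The heuristic names are labels chosen for this example, not Stormshield's.
    """
    target = refang(url)
    if "://" not in target:
        target = "http://" + target  # urlsplit only finds a host when a scheme is present
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    tld = labels[-1]
    # keep_blank_values=True is what makes a bare '?invitation' (no '=') show up as a key.
    query_keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}

    hits: list[str] = []
    # 1. The VirusTotal pivot: a URL on the .online TLD carrying an 'invitation' query key.
    if tld == "online" and "invitation" in query_keys:
        hits.append("online_tld_invitation_query")
    # 2. The subdomain pivot: leftmost label is 'viliam'. The report stresses that not
    #    every such host is malicious, so this is a lead to review, not a verdict.
    if len(labels) >= 3 and labels[0] == "viliam":
        hits.append("viliam_subdomain")
    # 3. Video-conferencing lure naming on .online. Assumption: generalises the two quoted
    #    hostnames (meet.go0gle[.]online, meet.video-connect[.]online) to any meet.* host.
    if tld == "online" and labels[0] == "meet":
        hits.append("meet_lure_on_online_tld")
    return hits


def triage(urls: list[str]) -> dict[str, list[str]]:
    """Map each URL that triggers at least one heuristic to the list of heuristics it hit."""
    flagged: dict[str, list[str]] = {}
    for url in urls:
        hits = hunt_indicators(url)
        if hits:
            flagged[url] = hits
    return flagged


if __name__ == "__main__":
    for url, hits in triage(SAMPLE_URLS).items():
        print(f"{url}  ->  {', '.join(hits)}")
```

Run it and the two quoted meet.* hosts trigger both the query-string and the naming check, the two viliam.* hosts trigger only the subdomain check, and the legitimate meet.google.com host and the non-.online URL are left alone. In practice the output is a review queue, not a blocklist: the report itself says the viliam pivot surfaces more than 100 candidates of which not all are malicious.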
APT35 remains focused on regional espionage. Stormshield concludes, “The campaign reported by Check Point is still ongoing. APT35 did not change the way they set up their phishing domains since their last reported activity. It makes the task easier for defenders to track their activities. The submitted URLs suggest that this campaign is still targeting Israel.”