APT42 Targets Israeli Professionals with Sophisticated Phishing Campaigns

In an ongoing cyberattack campaign, the Iran-linked hacking group APT42 (also known by aliases like Educated Manticore, Charming Kitten, and Mint Sandstorm) has been actively targeting Israeli journalists, cybersecurity experts, and academics. According to cybersecurity firm Check Point, the group uses highly specialized phishing attacks, masquerading as security professionals in an effort to steal email credentials and two-factor authentication (2FA) codes from their victims.

Overview of

APT42 has been running an intricate and highly focused phishing operation since mid-June 2025, primarily aimed at Israeli targets in the cybersecurity sector. The attackers deploy advanced social engineering and spear-phishing tactics, directing victims to fake Gmail login pages or Google Meet invitations in order to harvest login credentials. This method allows the hackers to intercept both passwords and 2FA codes, enabling them to gain unauthorized access to accounts.

The group’s phishing efforts focus on three main categories: credential harvesting, surveillance operations, and the deployment of malware. Through these tactics, APT42 has successfully compromised the accounts of high-value targets in Israel’s cybersecurity and academic sectors, making initial contact over both email and WhatsApp. These fake communications often appear as professional invitations to online or in-person meetings, which build trust before the victims are directed to credential-stealing pages.

One of the unique aspects of this campaign is the use of custom-built phishing kits. These kits, designed with React-based single-page applications (SPA), emulate popular services like Google’s login page and 2FA process. A live keylogger and WebSocket are integrated into these phishing kits, enabling real-time data capture and transmission to the attackers.

Since the beginning of 2025, APT42 has expanded its arsenal, using phishing kits that mimic login pages for Gmail, Outlook, and Yahoo. The group’s infrastructure includes over 130 phishing-related domains, many of which were registered via NameCheap. The attackers have also shown a consistent pattern of utilizing older IPs associated with GreenCharlie, a subgroup under Educated Manticore.

What Undercode Says:

APT42’s targeting of Israeli professionals illustrates the growing sophistication of state-sponsored cyber espionage operations. While phishing attacks are nothing new, the methods used in this campaign—such as pre-filled login forms and the use of live keyloggers—reveal a level of professionalism and technical skill that sets this group apart from typical cybercriminals. The decision to use WhatsApp as a medium to build trust before sending phishing links is particularly notable, as it indicates an understanding of human psychology and the importance of gaining trust before executing an attack.

The React-based phishing kits employed by the group demonstrate how modern web technologies can be weaponized to carry out sophisticated, hard-to-detect attacks. By emulating login pages that users are already familiar with and using dynamic web technologies, the attackers make it significantly more challenging for their targets to discern the phishing attempt.

Moreover, the use of WebSockets to relay stolen data in real-time is a concerning development. This technique allows the attackers to monitor and intercept credentials as they are entered, making it much more efficient than older phishing methods that relied on simple form submissions.
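From a defender’s side, the two traits described above (a lookalike login page for Gmail, Outlook or Yahoo, plus a WebSocket back-channel for real-time relay) are something a proxy or DNS log can be screened for. The following is an added example, not code from the original article or from Check Point; it assumes a simple constructed log format (timestamp, client IP, host, path, value of the Upgrade header) and an illustrative allowlist of legitimate domains, and it flags brand-lookalike hosts, escalating when a WebSocket upgrade is seen against one of them.

```python
"""Added example (not from the article or Check Point): flag proxy-log
entries that look like a brand lookalike login page, and escalate when
the same host receives a WebSocket upgrade, which matches the real-time
relay pattern described in the campaign write-up.

Assumptions (mine): the log format below is constructed for this example;
the brand tokens and the legitimate-domain allowlist are illustrative."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Brand tokens the article says the kits imitate (Gmail/Google Meet, Outlook, Yahoo).
BRAND_TOKENS = ("google", "gmail", "meet", "outlook", "yahoo")

# Registrable domains that legitimately carry those brands (illustrative allowlist).
LEGIT_DOMAINS = {
    "google.com", "gmail.com", "outlook.com", "microsoft.com",
    "live.com", "office.com", "yahoo.com",
}


@dataclass
class LogEntry:
    ts: str
    client: str
    host: str
    path: str
    upgrade: str  # value of the Upgrade request header, "-" if absent


def parse_line(line: str) -> LogEntry:
    """Parse one whitespace-separated log line of the constructed format."""
    ts, client, host, path, upgrade = line.split()
    return LogEntry(ts, client, host.lower(), path, upgrade.lower())


def registrable_domain(host: str) -> str:
    """Naive two-label approximation (fine for .com-style hosts in this example;
    a real deployment would use the public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_lookalike(host: str) -> bool:
    """A host is a lookalike if it carries a brand token but is not a legitimate domain."""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return False
    return any(tok in host for tok in BRAND_TOKENS)


def classify(entry: LogEntry) -> Optional[str]:
    """Return a verdict for the entry, or None if it is not suspicious."""
    if not is_lookalike(entry.host):
        return None
    if entry.upgrade == "websocket":
        return "lookalike-with-websocket"  # lookalike page plus a live back-channel
    return "lookalike"


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run the classifier over log lines; returns (client, host, verdict) alerts."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_line(line)
        verdict = classify(entry)
        if verdict:
            alerts.append((entry.client, entry.host, verdict))
    return alerts


# Constructed sample log; the lookalike hosts use the reserved .test TLD.
SAMPLE_LOG = """# ts client host path upgrade
2025-06-18T09:12:03Z 10.0.0.5 accounts.google.com /signin -
2025-06-18T09:14:41Z 10.0.0.5 accounts-google-meet.example-login.test /verify -
2025-06-18T09:14:42Z 10.0.0.5 accounts-google-meet.example-login.test /ws websocket
2025-06-18T09:20:10Z 10.0.0.7 login.live.com /oauth -
2025-06-18T09:25:55Z 10.0.0.9 mail.yahoo.com /login -
2025-06-18T09:31:02Z 10.0.0.9 yahoo-mail-secure.test /ws websocket
"""

if __name__ == "__main__":
    for client, host, verdict in scan(SAMPLE_LOG.splitlines()):
        print(f"{verdict:26} client={client} host={host}")
```

Token matching on the hostname is deliberately loose; the point is to surface candidates for a registration-date or certificate check, and the WebSocket escalation separates a static lookalike page from one that is relaying input as it is typed.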

APT42’s tactics are a wake-up call for professionals working in sensitive or trust-based environments. The attackers are clearly targeting high-value individuals whose accounts can provide access to critical information or assets. This focus on credential theft and surveillance operations suggests that the group is looking to maintain a long-term presence in the systems of its targets, rather than simply executing one-off attacks.

🔍 Fact Checker Results

Credential Harvesting: ✅ Verified that APT42 has been actively using phishing kits to harvest credentials and 2FA codes from high-value targets in Israel.
Phishing Kit Technology: ✅ Confirmed the use of custom-built React-based phishing kits, which closely imitate popular login pages.
Infrastructure: ✅ Over 130 phishing-related domains have been registered, supporting the widespread nature of the attack.

📊 Prediction

As state-sponsored threat actors continue to refine their tactics, it is likely that APT42’s operations will evolve even further. The integration of new technologies, such as AI-driven phishing messages and more sophisticated malware, may become even more prevalent in future campaigns. Given the scale and persistence of APT42’s operations, professionals working in cybersecurity and related fields should be on high alert for even more advanced social engineering attacks. This group’s focus on stealing credentials to further espionage objectives suggests that they will continue to target individuals in positions of trust, seeking access to both personal and organizational data.

The use of AI-generated messages and other advanced social engineering tactics points toward a future where phishing attacks become more personalized and harder to detect. Victims may be more easily manipulated by attackers who understand their behavior and psychological triggers. As the tools used by these attackers become more sophisticated, it is essential for individuals and organizations to remain vigilant and adopt robust cybersecurity measures, including multi-factor authentication (MFA), preferably in a phishing-resistant form, since a kit that relays one-time 2FA codes in real time, as this campaign does, gets past code-based MFA, and frequent security awareness training.

References:

Reported By: securityaffairs.com