Feb 12, 2026 · 5 min read
Iranian Hackers Are Posing as Cybersecurity Experts to Steal Journalists' Gmail Credentials
APT42, an Iranian state-sponsored hacking group, is impersonating security professionals to phish high-profile targets using AI-crafted messages and custom React-based credential-theft kits.
A New Wave of State-Sponsored Phishing
An Iranian hacking group known as APT42 has launched a sophisticated phishing campaign targeting Israeli journalists, cybersecurity researchers, and computer science professors. The group, also tracked as Charming Kitten, Educated Manticore, and Mint Sandstorm, has been linked to Iran's Islamic Revolutionary Guard Corps.
According to a Check Point investigation, the campaign began in mid-2025 and has intensified through early 2026. Israel's National Cyber Directorate has issued warnings about the ongoing threat, and the attackers show no signs of stopping.
How the Attack Works
The attackers don't open with a malicious link. Instead, they build trust first. Posing as employees of legitimate cybersecurity firms, they reach out via email and WhatsApp with polished, AI-generated messages proposing fake meetings or professional collaborations.
Only after establishing rapport do they send a link. That link leads to a credential-harvesting page that looks nearly identical to a Gmail, Outlook, or Yahoo login screen. The fake pages come prefilled with the victim's email address to add realism, and they mimic Google's two-factor authentication prompts to capture both passwords and 2FA codes in real time.
APT42 operates aggressively once a conversation is underway. Most attacks either succeed or fail within a day or two, with operators pressuring targets over WhatsApp to click the link before suspicion sets in.
Custom-Built Phishing Infrastructure
What makes this campaign technically notable is the sophistication of the phishing toolkit. Researchers identified custom-built React single-page applications with dynamic routing, real-time WebSocket connections for data exfiltration, and live keylogger functionality that captures credentials as they are typed.
The group also uses spoofed Google Meet invitations hosted on legitimate Google Sites domains, making the lures harder to detect. Over 130 phishing-related domains have been identified, many registered through NameCheap. Older IP addresses in the infrastructure match GreenCharlie, a known APT42 subgroup.
Why Journalists Are Prime Targets
APT42 has a long history of targeting individuals perceived as threats to the Iranian regime. Journalists, NGO leaders, human rights activists, and academic researchers top the list. Compromising a journalist's email doesn't just expose their private communications. It reveals source identities, unpublished investigations, and contact networks that intelligence agencies can exploit.
The group has also targeted political campaigns and policy experts in the United States. Google's Threat Analysis Group has previously documented APT42 campaigns aimed at both the Trump and Biden campaigns during the 2024 US election cycle.
How to Protect Yourself
State-sponsored phishing campaigns like this one exploit trust, not just technical vulnerabilities. Here's how to reduce your risk:
- Verify unsolicited contact independently. If someone claiming to be a cybersecurity professional reaches out about a meeting or collaboration, verify their identity through the company's official website or a known contact, not through the information they provide.
- Use hardware security keys. FIDO2 hardware keys like YubiKey are resistant to the phishing techniques APT42 uses. Unlike SMS or app-based 2FA, hardware keys cannot be intercepted through fake login pages, because the key only signs a challenge for the origin that originally registered it.
- Enable Google Advanced Protection. Google's Advanced Protection Program requires hardware keys for login and restricts third-party app access to your Google account. It is specifically designed for journalists, activists, and political campaigns.
- Be suspicious of urgency. APT42 operators push targets to click links quickly. Legitimate professionals don't pressure you to log in to something immediately.
- Check URLs carefully. Before entering credentials on any page, verify the domain matches the service you expect. Shortened URLs from unfamiliar services should be treated as suspicious.
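The URL checks above can be turned into a small triage routine. The following is an added example, not code from the original article or from the Check Point research; the login-host, brand-domain and shortener lists are assumptions you should replace with your own.

```python
"""Triage a link for the lure traits described in the article:
a lookalike of a Gmail/Outlook/Yahoo login host, a lure hosted on a
brand-owned but non-login domain (e.g. Google Sites), a prefilled
victim e-mail address in the URL, and link shorteners.
"""
import re
from urllib.parse import urlsplit, unquote

# Assumed allowlist of genuine login hosts; verify against your own records.
LEGIT_LOGIN_HOSTS = {
    "accounts.google.com", "login.microsoftonline.com",
    "login.live.com", "login.yahoo.com",
}
# Assumed brand-owned registrable domains (not login pages by themselves).
BRAND_DOMAINS = ("google.com", "microsoft.com", "microsoftonline.com",
                 "live.com", "yahoo.com")
BRAND_WORDS = ("google", "gmail", "outlook", "microsoft", "yahoo", "meet")
# Assumed shortener list; extend from your own telemetry.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly", "rb.gy"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def triage_url(url: str) -> list[str]:
    """Return the reasons a link looks like a credential-harvesting lure
    (empty list means it is a known genuine login host)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    reasons: list[str] = []
    if host in LEGIT_LOGIN_HOSTS:
        return reasons
    if any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS):
        # Legitimate brand infrastructure, but not a login page: the spoofed
        # Google Meet invites on Google Sites fall into this bucket.
        reasons.append("brand-owned host that is not a login page; "
                       "never enter credentials here")
    elif any(w in host for w in BRAND_WORDS):
        reasons.append("lookalike host: imitates a mail/meeting brand "
                       "but is not a genuine login host")
    if host in SHORTENERS:
        reasons.append("link shortener hides the real destination")
    # The fake pages arrive prefilled with the victim's address.
    if EMAIL_RE.search(unquote(parts.query + " " + parts.fragment)):
        reasons.append("prefilled e-mail address in URL")
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    return reasons
```

An empty result only means the host is on the allowlist; the out-of-band identity check in the first bullet still applies.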
The Bigger Picture
APT42's campaign is a reminder that email remains the primary attack surface for state-sponsored espionage. The combination of AI-generated messages, real-time credential interception, and social engineering over multiple channels represents a significant escalation in phishing sophistication.
For anyone whose work involves sensitive communications, the assumption should be that your inbox is a target. Hardware-based authentication, encrypted messaging with verified contacts, and a healthy skepticism toward unsolicited professional outreach are no longer optional precautions. They are baseline requirements.