🎯 Iranian Phishing Campaign Targets Israeli Officials, Journalists, and Academics in 2025
Israeli security services have foiled 85 cyberattacks linked to Iranian actors using phishing via WhatsApp, Telegram, and fake meeting invites. Learn how the attack worked and how to stay protected.
In one of the most aggressive cyber-espionage campaigns of 2025, Iranian-linked hackers have launched over 85 coordinated phishing attacks targeting Israeli politicians, journalists, academics, and public officials.
According to Israeli security services, these attacks were part of a broader influence and intelligence-gathering operation designed to infiltrate inboxes, steal sensitive credentials, and deploy malware via common communication platforms like WhatsApp, Telegram, and email.
🧠 The Attack Breakdown
🎯 Targeted Individuals:
- Government officials and policymakers
- Journalists and media personnel
- Academic researchers and think-tank professionals
- Public-facing influencers within Israeli institutions
🧰 Delivery Methods:
Attackers leveraged:
- WhatsApp messages with fake Google Meet invitations
- Telegram links impersonating government correspondence
- Spoofed email domains mimicking Israeli institutions
Once clicked, victims were directed to:
- Credential harvesting pages posing as Google or Microsoft login portals
- Trojan-laced download links disguised as meeting attachments
- Form submissions collecting sensitive metadata and PII (personally identifiable information)
🧨 Iranian Tactics: Known and Evolving
This campaign closely resembles prior activity attributed to APT35 (Charming Kitten) and TA453, both linked to the Islamic Revolutionary Guard Corps (IRGC). These groups are known for:
- Long-form social engineering using fake personas
- Malware embedded in benign documents
- Exploiting trust between regional officials and media
This time, the emphasis on trusted messaging platforms like WhatsApp and Telegram indicates a strategic shift toward informal, real-time communication channels.
🔎 Timeline of Activity (as reported)
- Q1–Q2 2025: Israeli security agencies observed phishing attempts sent to officials across multiple government departments.
- June 2025: Public disclosure of 85 foiled attacks, signaling heightened cyber offensive activity from Iran.
The campaign ran parallel to growing geopolitical tension between Israel and Iran, with cyber operations appearing as a digital extension of broader diplomatic hostility.
🧪 Technical Indicators (TTPs)
| Indicator | Description |
|---|---|
invites-google.com.meet-sso/login | Phishing page spoofing Google Meet login |
@gov-support.org.il | Spoofed sender domain for email impersonation |
| Telegram link redirects | Redirecting to malware-hosting cloud drives |
| Trojan filename example | invite-schedule-brief.exe (executed on click) |
⚠️ Important: These IOCs are fictionalized for education. Always cross-reference with real threat intel feeds.
🛡️ How to Defend Against These Targeted Phishing Attacks
1. Zero Trust Mindset
Assume messages—even from “trusted” platforms—can be faked. Train staff and officials to verify identities out-of-band (e.g., call the sender directly).
2. Link Intelligence Scanning
Use email and messaging security tools that auto-scan embedded URLs and detect obfuscated phishing links.
3. Multi-Factor Authentication (MFA)
Even if credentials are compromised, MFA can block access. Enforce it organization-wide.
4. Threat Simulation & Tabletop Exercises
Conduct spear phishing simulations across executives and public staff to improve real-time recognition.
5. Use Secure Communication Platforms
Move sensitive conversations to end-to-end encrypted and auditable platforms like Signal or secure internal portals.
🧭 Strategic Implications
This campaign is more than digital mischief—it’s state-level cyber-espionage with political, military, and diplomatic consequences.
- For Israel: The foiled attacks prove effective cyber defense—but also underscore growing Iranian aggression.
- For Iran: These operations show increasing technical sophistication and adaptive targeting strategies.
- For the rest of the world: It’s a reminder that phishing isn’t just mass spam anymore—it’s weaponized precision.
🔚 Final Thoughts
Cyber warfare isn’t a future scenario—it’s happening right now in inboxes, DMs, and meeting invites.
The Iranian phishing campaign against Israeli public figures in 2025 is just one chapter in an escalating digital cold war, where every message is a potential weapon, and every click could trigger an international incident.
🧠 Sources & References
- i24 News – Israeli Security Services Foil 85 Cyberattacks
- MITRE ATT&CK Techniques: T1566, T1059, T1203
- Past APT35 Reports by Microsoft, CISA, and Proofpoint