Iranian hackers targeted Jewish figure with malware attached to podcast invite, researchers say

Hackers with suspected ties to Iran’s military targeted a prominent Jewish religious figure in a phishing campaign, researchers said Tuesday. 

In July, the hackers reportedly used multiple email addresses pretending to belong to the research director for the Institute for the Study of War (ISW), an American-based think tank. 

Using the spoofed address, the hackers invited the unnamed victim to appear on a podcast hosted by ISW. After an email exchange, the hackers delivered a GoogleDrive URL leading to a ZIP archive named “Podcast Plan-2024.zip,” which contained a malware called BlackSmith that is designed to “enable intelligence gathering and exfiltration.” 

Researchers at Proofpoint, which released a report on the incident on Tuesday, said it could not link the campaign “directly to individual members of the Islamic Revolutionary Guard Corps (IRGC)” but said the activity was conducted by actors who others have tracked for years. 

The researchers found at least two links between the campaign and a group with previous links to the IRGC that goes by the names APT42, Mint Sandstorm, Charming Kitten and TA453. 

APT42 was accused last week by Google of targeting high-profile individuals in the U.S. and Israel, including several people affiliated with both major U.S. presidential campaigns.

One of the URL shorteners used in the Proofpoint-tracked campaign was cited by Google Threat Intelligence Group in May 2024 as tied to APT42. Proofpoint said use of the BlackSmith intelligence collection toolkit is a hallmark of Iran-backed attacks. 

The researchers also found the group’s targeting lined up with the reported priorities of the IRGC Intelligence Organization (IRGC-IO).

Joshua Miller, staff APT threat researcher at Proofpoint, said the actors — which they track as TA453 — are part of a consistent pattern of phishing campaigns reflecting “IRGC intelligence priorities.” 

“This malware deployment attempting to target a prominent Jewish figure likely supports ongoing Iranian cyber efforts against Israeli interests,” he said. “TA453 is doggedly consistent as a persistent threat against politicians, human rights defenders, dissidents, and academics.”

IRGC directives have “led to targeting a series of diplomatic and political entities, ranging from embassies in Tehran to US political campaigns,” the report said.

While the lure of a podcast interview was a new tactic, the group has used a number of different social engineering techniques to convince targets to download or open malicious content, according to Proofpoint. 

The incident involved multiple emails between the hackers and the victim before malware was introduced. 

Proofpoint said it first saw Iranian actors spoofing the ISW in phishing campaigns starting in February after they registered a domain in January. The hackers sent the fake podcast invite to multiple email addresses controlled by the religious figure — another hallmark of nation-state hackers. 

Ahead of the 2024 U.S. presidential election, cybersecurity companies and governments have reported a significant increase in malicious cyber activity emanating from Iran. 

In addition to the report from Google last week, Microsoft and the campaign of former President Donald Trump have accused Iran of hacking attempts. The FBI later said it is investigating Iran-backed cyberattacks on both presidential campaigns. 

On Friday, artificial intelligence giant OpenAI said it took down a cluster of ChatGPT accounts that were generating content for a covert Iranian influence operation.

OpenAI said the operation used ChatGPT to create material focused on the conflict in Gaza, Israel’s presence at the Olympic Games, the U.S. presidential election, politics in Venezuela, and Scottish independence.