
Iranian Educated Manticore Targets Leading Tech Academics

Medium
Published: Thu Jun 26 2025 (06/26/2025, 21:01:42 UTC)
Source: AlienVault OTX General

Description

The Iranian threat group Educated Manticore, associated with the Islamic Revolutionary Guard Corps, has launched spear-phishing campaigns targeting Israeli journalists, cybersecurity experts and computer science professors. The attackers posed as fictitious assistants to technology executives or researchers, directing victims to fake Gmail login pages or Google Meet invitations. This allowed them to intercept passwords and 2FA codes and gain unauthorized access to victims' accounts. The group used a custom phishing kit implemented as a Single Page Application built with React, supporting various Google authentication flows and enabling 2FA relay attacks. The infrastructure relied on over 130 unique domains resolving to multiple IP addresses. Despite increased exposure, Educated Manticore continues to pose a persistent threat, particularly to individuals in Israel during the Iran-Israel conflict escalation.

AI-Powered Analysis

Last updated: 06/26/2025, 21:20:07 UTC

Technical Analysis

Educated Manticore is an Iranian state-sponsored threat group linked to the Islamic Revolutionary Guard Corps (IRGC). The group has been conducting targeted spear-phishing campaigns aimed at Israeli journalists, cybersecurity professionals, and computer science academics. The attackers impersonate fictitious assistants to technology executives or researchers, using social engineering to lure victims into interacting with malicious content. The core attack vector directs victims to counterfeit Gmail login pages or fraudulent Google Meet invitations. These phishing pages are built as Single Page Applications (SPAs) in React, which lets the kit closely mimic the legitimate Google authentication flows. Because the kit relays what the victim types to the real service while the victim is still on the page, it captures both the password and the one-time two-factor authentication (2FA) code before the code expires, so SMS and authenticator-app codes offer no protection against it. The supporting infrastructure is extensive: over 130 unique domains resolving to multiple IP addresses, which points to a resilient, easily rotated phishing infrastructure rather than a handful of static hosts. Despite increased visibility and exposure of their tactics, Educated Manticore remains an active and persistent threat, particularly in the context of heightened tensions between Iran and Israel. The group's use of a capable phishing kit and multi-domain infrastructure demonstrates a high level of operational capability and adaptability, targeting high-value individuals in the technology and academic sectors to gain unauthorized access to sensitive accounts and information.
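Added example (not part of the pulse or the Check Point report): a small detection pass over constructed proxy log lines that flags requests to hosts on the pulse's domain list and, more generally, to non-Google hosts whose names carry Meet/Gmail-style lure tokens. The log format, the watchlist subset and the lure tokens are assumptions for illustration; the domains in IOC_DOMAINS are taken from the pulse's indicator list.

```python
import re
from urllib.parse import urlsplit

# Subset of the pulse's IOC domains (illustrative; load the full list in practice).
IOC_DOMAINS = {"live-meet.cfd", "live-gml.online", "meet-work.info", "connect-room.online"}

# Tokens that Google-impersonating lures in this campaign tend to carry (assumed).
LURE_TOKENS = ("meet", "gml", "gmail", "google", "verify")

# Registrable domains that legitimately serve Google sign-in and Meet.
LEGIT_DOMAINS = {"google.com", "gstatic.com", "googleapis.com"}

# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def registrable(host: str) -> str:
    """Naive registrable-domain extraction (last two labels); no public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(host: str):
    """Return 'ioc' for a listed domain, 'lookalike' for a suspicious non-Google host, else None."""
    h = host.lower()
    if h in IOC_DOMAINS or registrable(h) in IOC_DOMAINS:
        return "ioc"
    if registrable(h) in LEGIT_DOMAINS:
        return None  # genuine Google property, e.g. accounts.google.com
    if any(tok in h for tok in LURE_TOKENS):
        return "lookalike"
    return None


def scan(lines):
    """Yield (timestamp, client, host, verdict) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        host = urlsplit(m["url"]).hostname or ""
        verdict = classify(host)
        if verdict:
            hits.append((m["ts"], m["src"], host, verdict))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-06-26T10:01:02Z 10.0.0.12 GET https://accounts.google.com/signin/v2 200",
    "2025-06-26T10:02:10Z 10.0.0.12 GET https://live-meet.cfd/invite/abc 200",
    "2025-06-26T10:03:44Z 10.0.0.31 GET https://meet-login-google.example/auth 200",
    "2025-06-26T10:04:00Z 10.0.0.31 GET https://docs.python.org/3/ 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The lookalike rule is deliberately broad and will need tuning against your own traffic; the IOC match is the high-confidence signal.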

Potential Impact

For European organizations, the direct targeting of Israeli individuals may seem geographically limited; however, the tactics and tools employed by Educated Manticore pose a broader risk to European academia, technology sectors, and media professionals, especially those with connections or collaborations involving Israeli counterparts. Successful compromises could lead to unauthorized access to sensitive research data, intellectual property theft, and exposure of confidential communications. The interception of 2FA codes undermines a critical security layer, increasing the risk of account takeovers and lateral movement within networks. Additionally, the use of sophisticated phishing infrastructure suggests potential for expansion of targeting beyond Israel, possibly affecting European entities engaged in similar fields or geopolitical contexts. The persistent nature of this threat group and their evolving techniques necessitate vigilance, as compromised accounts could be leveraged for espionage, disinformation campaigns, or further cyber operations impacting European interests.

Mitigation Recommendations

European organizations should implement targeted anti-phishing training emphasizing the recognition of sophisticated social engineering tactics, including impersonation of trusted contacts and the use of realistic fake login portals. Deploy advanced email filtering capable of detecting and blocking phishing domains, especially those mimicking Google services. Use multi-factor authentication methods that are resistant to relay attacks, such as hardware security keys (FIDO2/WebAuthn), instead of SMS or authenticator-app codes, which the kit can forward in real time. Regularly audit and monitor account login patterns for anomalies indicative of credential compromise. Establish threat intelligence sharing with peers and national cybersecurity centers to stay informed about emerging phishing domains and tactics linked to Educated Manticore. Encourage the use of browser isolation or sandboxing when accessing email and collaboration platforms to reduce exposure to malicious scripts. Finally, maintain an updated inventory of trusted domains and implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to reduce phishing email spoofing.
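Added example (not from the pulse or the report) of why the FIDO2/WebAuthn recommendation defeats the relay technique described above: the browser, not the user, writes the page origin into clientDataJSON, and the authenticator binds the assertion to the relying party ID, so an assertion collected on a lookalike domain fails server-side verification even if every byte is forwarded. The relying party name, origin and challenge are assumed; signature verification over the authenticator data is out of scope and noted in the code.

```python
import base64
import hashlib
import json

RP_ID = "example-university.edu"                     # assumed relying party ID
ALLOWED_ORIGINS = {"https://login.example-university.edu"}  # assumed legitimate origin(s)
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"          # constructed, base64url-encoded


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """Build a base64url clientDataJSON as a browser would for navigator.credentials.get()."""
    return b64url_encode(json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode())


def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    """authenticatorData: sha256(rpId) || flags (UP|UV) || 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")


def verify_binding(client_data_b64: str, auth_data: bytes, expected_challenge: str):
    """Relying-party checks that tie the assertion to our origin and RP ID.
    Returns (ok, reason). Signature verification with the stored public key would
    follow these checks and is omitted here."""
    client = json.loads(b64url_decode(client_data_b64))
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin mismatch"   # phishing page origin shows up here
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    genuine = make_client_data("https://login.example-university.edu", CHALLENGE)
    relayed = make_client_data("https://live-meet.cfd", CHALLENGE)  # domain from the pulse
    print(verify_binding(genuine, make_auth_data(RP_ID), CHALLENGE))
    print(verify_binding(relayed, make_auth_data(RP_ID), CHALLENGE))
```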


Technical Details

Author: AlienVault
TLP: white
References: https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/
Adversary: Educated Manticore
Pulse Id: 685db537f7a98c26737b6b3b
Threat Score: null

Indicators of Compromise


Threat ID: 685db5f7ca1063fb8748f6e7

Added to database: 6/26/2025, 9:04:55 PM

Last enriched: 6/26/2025, 9:20:07 PM

Last updated: 8/15/2025, 6:49:45 PM

