In recent days, phishing campaigns attributed to Iran-linked groups have emerged that target both Gmail and Telegram accounts. The campaigns rely on social engineering to get users to hand over their credentials. In one variant, targets received emails carrying what looks like a PDF attachment. The file appears legitimate at first glance, but it contains links or icons (for example a Google Drive icon) that send the user to a fraudulent site, which then prompts them for their Gmail login details. This campaign is believed to be orchestrated by hackers associated with the Islamic Republic, who are attempting to compromise accounts and steal information.
In parallel, Telegram users, particularly human rights activists and journalists, have also been targeted. A separate phishing campaign has been reported that uses a new, suspicious domain (hxxps://spam-telegram[.]org). Victims receive what look like authentic notifications or messages urging them to log in through a link. The goal is to harvest their Telegram credentials and gain access to their private communications.
These efforts demonstrate a coordinated strategy by Iran-backed groups to compromise the accounts of those who may hold sensitive information or communicate about human rights-related matters.
IoCs (defanged; note that two of the hostnames below place brand-like labels such as drives[.]googles[.]com in front of a long, random .site domain, so the registered domain, not the leading labels, is what to block):
hjrd49gj40s32ttu597f9q7udoi49dh29ahqifaaws8u22q[.]site
drives[.]googles[.]com-id-sddsdssd[.]fu58di30d8u8u2t976kg90i4fuj48duy7398wa73ahfd398a3suhyu456eh2q[.]site
hjrd49gj4dh54sj28917eryfg8ajudoi49dh29ahqifaaws8u22q[.]site
drives[.]googles[.]com[.]hjrd49gj4dh54sj28917eryfg8ajudoi49dh29ahqifaaws8u22q[.]site
accent-going-session[.]bond
cheking-panel[.]site
cheking-panel-step[.]site
human-queer-write[.]cyou
forward-goal-inner[.]digital
join-room-host[.]site
join-room-check[.]site
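As an added example that is not part of the original advisory, the following Python script refangs the indicators listed above and matches them against constructed proxy-log lines. A hostname is flagged if it equals an indicator or is a subdomain of one; because the actor controls the whole registered domain, a hostname is also flagged when its registrable domain matches one derived from the list, so a fresh subdomain of the random .site domains is still caught. The registrable-domain helper simply takes the last two labels, which is correct for the TLDs on this list but not for suffixes such as co.uk; use the Public Suffix List in production. The log format, user names and timestamps are constructed for the example.

```python
"""Match URL/proxy log lines against the defanged indicators from the
advisory above. Added example; the log format and entries are constructed."""
import re
from urllib.parse import urlsplit

# Indicators copied verbatim (defanged) from the list above.
DEFANGED_IOCS = [
    "hxxps://spam-telegram[.]org",
    "hjrd49gj40s32ttu597f9q7udoi49dh29ahqifaaws8u22q[.]site",
    "drives[.]googles[.]com-id-sddsdssd[.]fu58di30d8u8u2t976kg90i4fuj48duy7398wa73ahfd398a3suhyu456eh2q[.]site",
    "hjrd49gj4dh54sj28917eryfg8ajudoi49dh29ahqifaaws8u22q[.]site",
    "drives[.]googles[.]com[.]hjrd49gj4dh54sj28917eryfg8ajudoi49dh29ahqifaaws8u22q[.]site",
    "accent-going-session[.]bond",
    "cheking-panel[.]site",
    "cheking-panel-step[.]site",
    "human-queer-write[.]cyou",
    "forward-goal-inner[.]digital",
    "join-room-host[.]site",
    "join-room-check[.]site",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real URL or hostname."""
    return indicator.strip().replace("[.]", ".").replace("hxxp", "http")


def hostname_of(url_or_host: str) -> str:
    """Extract the lower-cased hostname from a URL or a bare hostname."""
    s = url_or_host if "//" in url_or_host else "//" + url_or_host
    return (urlsplit(s).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels. Adequate for .site/.bond/.cyou/.digital/.org as
    used here; a real deployment should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


IOC_HOSTS = frozenset(hostname_of(refang(i)) for i in DEFANGED_IOCS)
IOC_REGISTRABLE = frozenset(registrable_domain(h) for h in IOC_HOSTS)


def classify_host(host: str):
    """Return a match reason, or None if the host is not an indicator."""
    host = host.lower().rstrip(".")
    # Exact indicator or a subdomain of one; report the longest match.
    matches = [i for i in IOC_HOSTS if host == i or host.endswith("." + i)]
    if matches:
        return "ioc-host:" + max(matches, key=len)
    # Not listed verbatim, but under a registered domain the actor controls
    # (the lookalike labels sit in front of the long random .site names).
    rd = registrable_domain(host)
    if rd in IOC_REGISTRABLE:
        return "ioc-registrable-domain:" + rd
    return None


# Constructed proxy-log lines for the example (not real traffic).
SAMPLE_LOG = """\
2024-06-01T10:12:01Z user=alice url=https://drives.googles.com.hjrd49gj4dh54sj28917eryfg8ajudoi49dh29ahqifaaws8u22q.site/login
2024-06-01T10:13:44Z user=bob url=https://mail.google.com/mail/u/0/
2024-06-01T10:15:09Z user=carol url=http://spam-telegram.org/auth?session=abc
2024-06-01T10:16:30Z user=dave url=https://verify.fu58di30d8u8u2t976kg90i4fuj48duy7398wa73ahfd398a3suhyu456eh2q.site/
2024-06-01T10:17:02Z user=erin url=https://telegram.org/
"""

USER_RE = re.compile(r"\buser=(\S+)")
URL_RE = re.compile(r"\burl=(\S+)")


def scan_log(text: str):
    """Return (user, host, reason) for every line whose URL hits an IoC."""
    hits = []
    for line in text.splitlines():
        u, m = USER_RE.search(line), URL_RE.search(line)
        if not (u and m):
            continue
        host = hostname_of(m.group(1))
        reason = classify_host(host)
        if reason:
            hits.append((u.group(1), host, reason))
    return hits


if __name__ == "__main__":
    for user, host, reason in scan_log(SAMPLE_LOG):
        print(f"{user}\t{host}\t{reason}")
```

Run as a script it prints the three hits (alice, carol, dave); bob and erin, who visited the genuine google.com and telegram.org, are not flagged. The dave line shows why the registrable-domain check matters: verify.fu58…site is not on the list, but its registered domain is.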