The Charming Kitten group has launched a new tactic for targeting Iranian activists. Instead of creating fake identities, they're now directly impersonating a senior Pentagon official.

The campaign begins on Telegram. Attackers use a profile with the Pentagon official's photo and information to message victims, inviting them to an "important online meeting." Interestingly, this official has been reassigned multiple times over the past year - from sensitive positions to less prominent roles - a sign that attackers are aware of internal Pentagon movements. The link they send goes to Google Sites - a legitimate domain most users trust.

The Google Sites page is designed to look exactly like a Google Meet invitation. When victims click the Join button, they're redirected to a phishing page that mimics Google's login interface.


What makes this campaign dangerous is the combination of several factors:

  1. Strategic Target Selection: Impersonating an official with credibility who was recently transferred from a more sensitive position
  2. Long-term Preparation: Evidence shows months of planning before activation
  3. Active Monitoring: Watching security channels to identify exposure timing
  4. Advanced Techniques: Using new monitoring methods recently discovered by researchers

These changes show Charming Kitten is no longer a simple phishing group - they've evolved into a threat actor with state-level capabilities.

Choosing to impersonate a real Pentagon official who has been reassigned multiple times in recent months from sensitive to less prominent positions shows Charming Kitten is becoming more sophisticated. They know that when a message comes from an official who is still at the Pentagon but no longer in their previous important roles, victims - especially political activists - are more likely to be curious and click the link.

This tactical shift is a warning for the security community. I can no longer just tell users to "watch out for suspicious links." When the link is from Google Sites and the sender has a real identity, detecting phishing becomes much harder.

Check Point Research recently published technical details of some of this group's new methods, but what's discovered in this new research - strategic target selection, monitoring of security researchers, and unique infrastructure of this campaign - shows the depth and complexity of Charming Kitten operations goes beyond what's been published so far.


For security researchers and those needing detailed information, the complete report includes:

  • The exact identity of the Pentagon official and analysis of why this choice
  • Evidence of attackers monitoring security channels
  • Over 30 domains and IoCs not in public reports
  • Precise timeline of 2-month preparation before operations


This information is available in the VIP section of the site