Middle East VIP Messaging App Cyberattack

Phishing Attack Targets Iranian Activists Amid Protests
A sophisticated hacking campaign is stealing credentials and spying on those connected to Iran’s protest movement.

When Iranian activist Nariman Gharib received a suspicious WhatsApp link, he uncovered a digital trap set for anyone linked to Iran’s anti-government protests. The message, seemingly innocuous, was a phishing attack designed not just to steal passwords, but to hijack accounts and conduct surveillance. As Iran enforces its longest-ever internet shutdown, this campaign exposes a terrifying new front in the digital battle for information and control.

The attack began with a targeted WhatsApp message containing a malicious link. The link used DuckDNS, a legitimate dynamic DNS service, to mask the true phishing server hosted at alex-fabow.online. This domain, registered in early November 2025, was part of a larger network including domains like meet-safe.online and whats-login.online, suggesting the operation also targeted users of virtual meeting platforms. The attackers relied on social engineering, making the link appear related to legitimate WhatsApp or meeting features.

Upon clicking, the victim’s browser was directed to a fabricated login page. For some, it mimicked a Gmail sign-in screen, meticulously copying the layout to steal email addresses and passwords. The page then prompted for the six-digit two-factor authentication (2FA) code sent via SMS, effectively bypassing this critical security layer. In other cases, as seen with Gharib, the page displayed a QR code claiming to grant access to a virtual meeting. Scanning this code with WhatsApp would instantly link the victim’s account to a device controlled by the attacker, giving them full access to chats, media, and contact lists.

What made this campaign particularly alarming was a critical flaw in the attacker’s operation. TechCrunch discovered that by manipulating the phishing page’s URL, they could access an unsecured file on the hacker’s server—a real-time log capturing every victim’s interaction. This file contained over 850 records and acted, in effect, as a keylogger: it stored complete credentials, incorrect password attempts, and stolen 2FA codes, along with each victim’s device “user agent,” revealing that targets used Windows, macOS, iPhone, and Android.

The exposed data painted a picture of a highly selective victim list. It included a Middle Eastern academic specializing in national security, the head of an Israeli drone manufacturer, a senior Lebanese cabinet minister, journalists, and individuals with U.S. phone numbers. The list also pointed to members of the Kurdish community and the broader Iranian diaspora. The low number of known victims—fewer than 50—suggests a precise, spearphishing operation rather than a broad spam campaign.

However, the attacker’s ambitions extended beyond credential theft. The phishing page’s source code, analyzed by security researcher Runa Sandvik, contained scripts that immediately requested browser permissions for location, photos, and audio. If a victim clicked “allow,” the page would stream their geographic coordinates to the attacker every few seconds and capture bursts of camera images and microphone audio. While no location or media data was found on the server, the code proved the intent for continuous surveillance.
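The three indicators described above (a link routed through a dynamic-DNS host, a sign-in page that collects the password and the SMS code together, and page scripts that request location, camera or microphone access) can be screened for when a reported link is triaged. The script below is an added example, not code from the article or from the researchers it cites; the suffixes other than duckdns.org, the form field-name patterns and the sample page are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Dynamic-DNS suffixes that let a phishing link hide its real server: duckdns.org
# is the one named in the article, the other two are assumed members of the class.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")

# Permission APIs a sign-in page has no reason to call; the article describes
# scripts on the fake page requesting location, camera and microphone access.
SURVEILLANCE_APIS = {
    "geolocation": re.compile(r"navigator\.geolocation\.(watchPosition|getCurrentPosition)"),
    "camera_or_mic": re.compile(r"getUserMedia\s*\("),
}

def uses_dynamic_dns(url: str) -> bool:
    """True when the link's host sits under a dynamic-DNS provider."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)

def collects_password_and_otp(html: str) -> bool:
    """Password and one-time-code fields on one page suggest a relay-style
    phishing kit; real providers ask for these in separate steps (assumed heuristic)."""
    lower = html.lower()
    has_password = 'type="password"' in lower
    has_otp = re.search(r'autocomplete="one-time-code"|name="(otp|code|2fa)"', lower) is not None
    return has_password and has_otp

def surveillance_apis(html: str) -> list:
    """Names of the permission-hungry APIs referenced by the page's scripts."""
    return [name for name, rx in SURVEILLANCE_APIS.items() if rx.search(html)]

def assess(url: str, html: str) -> dict:
    """Combine the heuristics into a triage verdict; this is a screen, not proof."""
    findings = []
    if uses_dynamic_dns(url):
        findings.append("dynamic_dns_host")
    if collects_password_and_otp(html):
        findings.append("password_and_otp_on_one_page")
    findings += ["requests_" + name for name in surveillance_apis(html)]
    verdict = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return {"findings": findings, "verdict": verdict}

# Constructed sample (not real data): a dynamic-DNS link and a fake sign-in page
# that takes password plus SMS code and asks for location and microphone access.
SAMPLE_URL = "https://meeting-invite.duckdns.org/join"
SAMPLE_HTML = """<form><input type="password" name="pw">
<input name="code" autocomplete="one-time-code"></form>
<script>navigator.geolocation.watchPosition(p => fetch('/loc', {method: 'POST'}));
navigator.mediaDevices.getUserMedia({audio: true});</script>"""
```

Running `assess(SAMPLE_URL, SAMPLE_HTML)` flags all three indicator classes; a genuine provider login page routed through its own domain yields no findings.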

The central, unresolved question is attribution: who is behind this? Two distinct possibilities emerge. The first is a state-backed actor, potentially linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). Gary Miller of Citizen Lab noted the campaign’s “hallmarks” of IRGC-linked spearphishing: international targeting, credential theft for espionage, abuse of platforms like WhatsApp, and sophisticated social engineering. The timing—amid nationwide protests and an internet blackout—supports an espionage goal: infiltrating the communications of activists, dissidents, and foreign figures monitoring the crisis to map networks and gather intelligence.

Second, a financially motivated cybercrime group cannot be ruled out. Ian Campbell of DomainTools analyzed the infrastructure and described the domains as “medium to high risk,” likely tied to a financially driven operation. Stolen credentials could be used to access corporate emails, hijack financial accounts, or conduct ransomware attacks. Yet, the focus on location tracking and media capture is atypical for pure cybercrime, suggesting a surveillance component that aligns more with intelligence gathering.

A complicating factor is Iran’s known practice of outsourcing cyber operations to criminal groups, providing plausible deniability for state-linked activities. The U.S. Treasury has previously sanctioned Iranian firms acting as fronts for the IRGC to conduct such attacks.

Regardless of the perpetrator, the campaign underscores a brutal reality. As Miller states, “clicking on unsolicited WhatsApp links… is a high-risk, unsafe practice.” The tools of oppression and profit are blurring, using the same technical playbook. For a digitally isolated Iran, where getting information in and out is a matter of life and death, each phishing link is a potential key to unlock a life. The exposed server is now offline, but the infrastructure, built weeks before the current protest wave, suggests this is not a one-off event but a persistent, evolving threat. The true number of victims may never be known, but the lesson is clear: in the information war, the most trusted communication tools can become the most lethal weapons.

Mr Tactition
Self-Taught Software Developer and Entrepreneur
