A hacker group popularly known as Charming Kitten has been exposed as using fake job and interview offers to steal targets' email login credentials, according to a recent report. Charming Kitten is also tracked as the Ajax Security Team, Phosphorus and APT35.
The group is widely linked to the Iranian government. It relies on familiar phishing emails, but with a more dangerous twist: it wins the trust of targets through impersonation. According to the report, its main aim is to steal email credentials and take over accounts in order to do further damage.
Image Source: www.hackread.com
The core of the campaign is getting the target to click on a malicious link that leads to a credential-harvesting page. To make their emails look genuine and reach enough victims, the hackers impersonate well-known journalists; their targets include Iranian activists, academics and Iranians living abroad.
Many hacking incidents have been attributed to Iranian government backing. The Iranian government, however, has rejected all reports accusing it of sponsoring any hacker group.
Erfan Kasraie, an Iranian-born German academic, was one of the targets of this phishing campaign. He received an email from someone claiming to be a well-known journalist working for a major media outlet. The self-styled journalist presented himself as a fan of Kasraie's work, then offered an interview about Kasraie's achievements and provided a link to open if he agreed.
Targets who follow the link are redirected to a page that asks for their email credentials before they can access the interview questionnaire.
The link in these emails is not an ordinary one: it leads to a malicious site built to look like the genuine article. Merely visiting the site gives the hackers the victim's IP address, browser and operating-system details, which they collect to tailor later, more targeted attacks.
After agreeing to the interview, the target is shown a page with a download form carrying the logo of the supposed news outlet, which gives the page a professional look and dispels doubt. The page has a direct-download button and asks the target to enter their email credentials and a two-factor authentication code. This fake two-factor step is meant to capture the SMS verification code Google sends to the target's phone so that, together with the password, it can be used to get into the Google account. The hackers have recently added new methods to this campaign to trick targets into falling for it.
More recently, the hackers have exploited the coronavirus pandemic as the lure for a credential-phishing campaign. They often use global events that are likely to earn people's trust to get them to open a malicious link or download a malicious attachment.
That campaign asks targets to open a PDF with coronavirus updates and advice on avoiding infection. The death of Kobe Bryant was also used as a lure. The campaign's first hurdle is getting the target to open the email, so it is important to verify a message's sender and the links it carries before clicking on any of them.
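The links described above share a pattern: the visible text names a trusted outlet while the actual target is a domain the attacker controls, sometimes with the outlet's name embedded in it. The script below is an added example written for this page, not code from the report or from the group it describes. It parses a constructed sample message (all names, addresses and domains are made up), pulls every link out of the HTML body and flags the cases a recipient would want to check before clicking: display text that names a different site than the href, a lookalike domain that embeds the impersonated brand, and a plain-HTTP link.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, loosely modelled on the lure described above:
# a "journalist" invites the recipient to an interview and links to a
# questionnaire. All names, addresses and domains are made up.
SAMPLE_EMAIL = b"""\
From: "Newsroom Desk" <interviews@famousnews-interviews.example>
To: researcher@example.org
Subject: Interview request about your recent work
Content-Type: text/html; charset="utf-8"

<html><body>
<p>I have followed your work for years and would like to interview you.</p>
<p>Please confirm and open the questionnaire here:
<a href="http://famousnews-interviews.example/questionnaire?id=8813">https://www.famousnews.example/interview</a></p>
<p>Our newsroom: <a href="https://www.famousnews.example/">www.famousnews.example</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1: the last two labels. Fine for triage; a real tool would
    use the public suffix list so that e.g. example.co.uk is handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# A host name written in link text, with or without a scheme; plain words
# such as "click here" contain no dot and therefore do not match.
_HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def host_of(text):
    """Host named by link text like 'https://www.x.example/page' or 'www.x.example'."""
    m = _HOST_IN_TEXT.match(text.strip())
    return m.group(1).lower() if m else None


def analyze(raw):
    """Return (finding, href, link_text) tuples for suspicious links in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")

    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        target = (parsed.hostname or "").lower()
        shown = host_of(text)
        if parsed.scheme == "http":
            findings.append(("insecure_scheme", href, text))
        if shown and registrable(shown) != registrable(target):
            # Visible text names one site, the link actually goes to another.
            findings.append(("display_text_mismatch", href, text))
            # The impersonated brand's label buried inside a different domain.
            if registrable(shown).split(".")[0] in target:
                findings.append(("lookalike_domain", href, text))
    return findings


if __name__ == "__main__":
    for finding, href, text in analyze(SAMPLE_EMAIL):
        print(f"{finding:22} {href}  (shown as: {text})")
```

Run against the sample, the questionnaire link is flagged three times and the genuine newsroom link not at all. The same checks apply to a real message saved as .eml; the display-text comparison is the one that catches the journalist lure, because a reader sees the outlet's address while the browser is sent somewhere else.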
Image source: www.marketplace.org
The Charming Kitten phishing campaign also delivers malware that can change Windows Firewall and registry settings. In the first stage of the attack they used a payload named pdgRegistry.exe. The malware then carries out its main task: creating a backdoor that lets the hackers control the infected device remotely.
The information gathered from the questionnaire site is used at this stage to tailor the malware attack to the victim. Delivery evades email providers' anti-spam filters by using legitimate links, and according to the report the malware hides behind Google Drive and other services so that its traffic blends into ordinary web traffic and passes through firewalls. Keep security tools up to date and treat these fake emails with suspicion.
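The behaviours the report attributes to the payload (a dropped executable that edits the registry and the Windows Firewall and then persists as a backdoor) are exactly what endpoint telemetry such as Sysmon records. The script below is an added example written for this page, not code from the report or from any vendor. It runs a handful of detection rules over constructed Sysmon-style events (the field names are assumed to follow Sysmon's ProcessCreate and RegistryEvent schemas; the payload name pdgRegistry.exe is the one the report gives, and every path, rule name and key value is made up) and then ranks processes by how many distinct suspicious behaviours they showed, since one hit is often noise while the combination is the backdoor pattern.

```python
import re

# Constructed Sysmon-style events. Assumed field names follow Sysmon's
# ProcessCreate (EventID 1) and RegistryEvent/Value Set (EventID 13) schemas;
# the payload name pdgRegistry.exe comes from the report, everything else
# (user name, paths, rule names, key values) is made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\pdgRegistry.exe",
     "CommandLine": "pdgRegistry.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\alice\AppData\Local\Temp\pdgRegistry.exe"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\pdgRegistry.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\pdgRegistry.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\pdgRegistry.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\pdgRegistry.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000000)"},
    # Benign noise that the rules must not flag.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Preferences\NewMailSound",
     "Details": "DWORD (0x00000001)"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
FIREWALL_POLICY_KEY = re.compile(r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I)
NETSH_FIREWALL = re.compile(r"advfirewall\s+(firewall\s+add\s+rule|set\s+\w+\s+state\s+off)", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


def detect(events):
    """Return (rule, image) alerts; image is the process held responsible."""
    alerts = []
    for e in events:
        image = e.get("Image", "")
        if e.get("EventID") == 1:
            if USER_WRITABLE.search(image):
                alerts.append(("exec_from_user_writable_path", image))
            if image.lower().endswith("\\netsh.exe") and NETSH_FIREWALL.search(e.get("CommandLine", "")):
                # Blame the parent: netsh is only the tool the malware launched.
                alerts.append(("firewall_changed_via_netsh", e.get("ParentImage", "")))
        elif e.get("EventID") == 13:
            target = e.get("TargetObject", "")
            if RUN_KEY.search(target):
                alerts.append(("run_key_persistence", image))
            if FIREWALL_POLICY_KEY.search(target):
                alerts.append(("firewall_policy_registry_write", image))
    return alerts


def rank(alerts):
    """Group alerts by process and sort by the number of distinct behaviours.
    A process that runs from a temp path, adds a Run key and opens the firewall
    matches the backdoor pattern the report describes."""
    by_image = {}
    for rule, image in alerts:
        by_image.setdefault(image, set()).add(rule)
    return sorted(((img, sorted(rules)) for img, rules in by_image.items()),
                  key=lambda item: -len(item[1]))


if __name__ == "__main__":
    for image, rules in rank(detect(SAMPLE_EVENTS)):
        print(f"{len(rules)} behaviours  {image}\n    " + "\n    ".join(rules))
```

On the sample, only the temp-path executable surfaces, with all four behaviours, while notepad and Outlook produce nothing. In a real deployment the same rules would be fed from Sysmon's event log or a SIEM export, and the netsh rule is the one to tune first, since administrators and installers legitimately add firewall rules.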
Disclaimer: Darkweblink.com does not promote or endorse claims made by any party in this article. The information provided here is for general purposes only and is not intended to promote or support the purchase or sale of any products or services, or to serve as a recommendation to do so. Neither Darkweblink.com nor any of its members is responsible, directly or indirectly, for any loss or damage caused or alleged to be caused by or in connection with reliance on or use of any content, goods or services mentioned in this article.