Mandiant details a suspected Iranian counterintelligence operation that uses fake recruitment sites to harvest personal data from Iranians and individuals connected to foreign intelligence, active since 2017. The campaign spreads via social media with Israel-related decoy content and shows ties to historic Iran-nexus operations like VIP Human Solutions and APT42. #APT42 #VIPHumanSolutions
Keypoints
- Mandiant identifies a suspected Iranian counterintelligence operation aimed at collecting data on perceived threats.
- The operation targets Iranian dissidents, activists, and Farsi speakers both domestically and abroad.
- Fake recruitment websites were used to lure individuals into providing personal information.
- The campaign has been linked to the Iranian regime and shows similarities to past operations by APT42.
- Social media platforms were utilized to promote over 35 fake recruitment sites with Israel-related decoy content.
- The operation has been ongoing since at least 2017 and may extend to support Iranian allies in Syria and Lebanon.
- Mandiant has taken steps to block and disrupt the activities of the threat actors involved.
MITRE Techniques
- [T1566] Phishing – Initial Access via social engineering through fake recruitment websites and social media links to lure targets into providing data. "Use of fake recruitment websites to collect personal information from targets." "Dissemination of links through social media accounts to lure individuals into providing details."
- [T1056] Input Capture – Collecting personal and professional details through fake forms on recruitment websites. "Fake forms on recruitment websites to capture personal and professional details from users."
Indicators of Compromise
- [Domain] Domains used for fake recruitment platforms – beparas[.]com, miladix[.]com
- [URL] Telegram contact links used to coordinate – hxxps://t[.]me/DreamyJobs_com, https://www.youtube.com/@vipjobsglobal1819
- [Email] Contact email observed – sendcv@vipjobsglobal[.]com
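One way to hunt for the indicators above in web proxy logs, as an added example that is not part of the original report. The log format, sample lines, and function names are constructed for illustration, and treating the domain of the contact email as a watch domain is this example's own assumption.

```python
from urllib.parse import urlsplit

# Indicators exactly as listed on this page (defanged).
PAGE_IOCS = ["beparas[.]com", "miladix[.]com", "hxxps://t[.]me/DreamyJobs_com",
             "https://www.youtube.com/@vipjobsglobal1819",
             "sendcv@vipjobsglobal[.]com"]

def refang(value):
    return value.replace("[.]", ".").replace("hxxp", "http")

def strip_www(host):
    return host[4:] if host.startswith("www.") else host

def build_watchlist(iocs):
    """Split indicators into whole domains and host+path prefixes."""
    domains, urls = set(), set()
    for raw in iocs:
        ioc = refang(raw).lower()
        if ioc.startswith("http"):
            # Shared platforms (t.me, youtube.com): match the account path only.
            p = urlsplit(ioc)
            urls.add(strip_www(p.hostname or "") + p.path.rstrip("/"))
        elif "@" in ioc:
            domains.add(ioc.split("@", 1)[1])  # assumption: watch the mail domain
        else:
            domains.add(ioc)
    return domains, urls

def match_url(url, domains, urls):
    p = urlsplit(url.lower())
    host = strip_www(p.hostname or "")
    for d in domains:
        # Exact host or subdomain only, so "notbeparas.com" does not match.
        if host == d or host.endswith("." + d):
            return d
    target = host + p.path.rstrip("/")
    for u in urls:
        if target == u or target.startswith(u + "/"):
            return u
    return None

# Constructed proxy log: "timestamp client url".
SAMPLE_LOG = """\
2024-01-01T10:01:02Z 192.0.2.5 https://www.beparas.com/apply
2024-01-01T10:01:09Z 192.0.2.7 https://notbeparas.com/
2024-01-01T10:02:00Z 192.0.2.5 https://t.me/DreamyJobs_com
2024-01-01T10:02:30Z 192.0.2.9 https://t.me/some_other_channel
2024-01-01T10:03:00Z 192.0.2.8 https://cdn.miladix.com/form.js
"""

def hunt(log_text, iocs=PAGE_IOCS):
    domains, urls = build_watchlist(iocs)
    rows = (line.split() for line in log_text.splitlines())
    checked = ((r[1], r[2], match_url(r[2], domains, urls)) for r in rows if len(r) == 3)
    return [hit for hit in checked if hit[2]]
```

Domain indicators match the host and its subdomains, while the Telegram and YouTube indicators match only the listed account path, so ordinary traffic to those platforms is not flagged.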