Categories: Cyber AttackPhishing

Iranian APT42 Group Launch A Massive Phishing Campaign To Attack U.S. Presidential Election

APT42 is an APT group that is believed to be backed by the Iranian government, and this group primarily focuses on cyber espionage.

Besides this, APT42 is also well-known for other illicit activities. Apart from cyber espionage, they also conduct phishing campaigns, and data exfiltration against a wide range of entities.

However, specifically, they target entities that are linked with military and strategic interests.

Recently, cybersecurity experts at Google’s Threat Analysis Group (TAG) identified that APT42 launched a massive phishing campaign to attack the US presidential election.

Iranian APT42 Group

APT42 is associated with the Iranian Revolutionary Guard Corps and has enhanced its hacking activities targeted at prominent personalities in Israel and the US.

These high-profile targets represented 60% of all the geographical regions the group hacked into within this period.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Their victims span a wide range, including current and former government officials, political campaign staff, diplomats, think tank researchers, academics, and NGO workers involved in foreign policy discussions. 

In April 2024, the group made Israeli targets even more of an interest for them, especially those related to military or defense sectors.

APT42 employs diverse types of advanced phishing techniques through the abuse of cloud services such as Google Sites, Drive, Gmail, Dropbox, and OneDrive for hosting their malware, phishing pages, and malicious redirects.

Their methods include creating fake petitions (such as one purportedly from the Jewish Agency for Israel), impersonating legitimate organizations like the Washington Institute for Near East Policy, and using typosquat domains like “understandingthewar[.]org” to mimic the Institute for the Study of War

Government-backed attacker warning (Source – TAG)

The success of the group in credential phishing has been attained through their persistence and heavy use of social engineering.

Google, in response, implemented different countermeasures such as resetting the compromised accounts, warning targeted users, disrupting malicious Google Sites pages, and adding harmful domains to the Safe Browsing blocklist.

Despite attempts by Google, APT42 is rapidly adapting its strategies demonstrating its agility in aligning with Iran’s changing political and military goals, and is a continued danger to well-known targets in the region.

APT42 tried to hack into accounts affiliated with the two biggest political party campaigns in America during the years 2020 and beyond.

The group also goes for highly developed tricks like individualized harvesting tools for credentials (GCollection, LCollection, YCollection) and manipulation of victims on social media.

To make their phishing pages credible, they abuse services like Google Sites, OneDrive, and Dropbox, often tailoring their approach based on extensive reconnaissance of their targets’ security settings and geographic locations.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces

Raga Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

2 days ago