- From at least late 2020 and through 2022, TA453 has engaged in campaigns that deviate from the group’s expected phishing techniques and target victimology.
- In these campaigns, TA453 has employed the use of compromised accounts, malware, and confrontational lures to go after targets with a range of backgrounds from medical researchers to realtors to travel agencies.
- Proofpoint researchers assess with moderate confidence that this activity reflects a flexible mandate to the Islamic Revolutionary Guard Corps’ (IRGC) intelligence requirements.
- Further, a sub-cluster of TA453 activity demonstrates a possible directive to support covert, and even kinetic, operations of the IRGC.
Since at least late 2020, Proofpoint researchers have observed aberrations in TA453 (which overlaps with groups publicly known as Charming Kitten, PHOSPHORUS, and APT42) phishing activity in which the threat actor has stepped away from its typical phishing techniques and target victimology. A hallmark of TA453’s email campaigns is that they almost always target academics, researchers, diplomats, dissidents, journalists, human rights workers, and use web beacons in the message bodies before eventually attempting to harvest a target’s credentials. Such campaigns may kick off with weeks of benign conversations from actor-created accounts before attempted exploitation.
By comparison, TA453’s outlier campaigns have targeted medical researchers, an aerospace engineer, a realtor, and travel agencies, among others. They have leveraged new-to-TA453 phishing techniques including compromised accounts, malware, and confrontational lures. Proofpoint judges with moderate confidence that this atypical activity reflects TA453’s dynamic support to ad hoc Islamic Revolutionary Guard Corps’ (IRGC) intelligence requirements. This activity also provides researchers with a better understanding of the IRGC’s mandate and insight into TA453’s potential support of IRGC surveillance and attempted kinetic operations.