Germany’s Federal Office for the Protection of the Constitution (BfV) has issued a warning regarding cyber attacks targeting Iranian individuals and organizations in the country [1] [2] [3]. These attacks have been attributed to Charming Kitten, an Iranian cyberespionage group known for its focus on government and military sectors [4].


Charming Kitten [1] [2] [3] [4], also known as APT35 [1] [2], Mint Sandstorm [1] [2] [3], TA453 [1] [2] [3], and Yellow Garuda [1] [2] [3], has a history of employing social engineering and fake online identities to carry out its operations. The group often poses as journalists or NGO employees to deceive its victims. They utilize phishing tactics, sending deceptive links that mimic well-known service providers like Google and Microsoft, tricking victims into entering their login information on fraudulent pages [3].

The Google Threat Analysis Group (TAG) has identified a specific malware called HYPERSCRAPE [1] [2] [3], which Charming Kitten uses to extract user data from Gmail [3], Yahoo! [1] [2] [3], and Microsoft Outlook accounts [1] [2] [3].

Recently, Charming Kitten has shifted its tactics and now poses as journalists to infect targets’ devices with malware. Instead of using traditional methods like emails and SMS, they now utilize LinkedIn and WhatsApp messages to deploy the malware [4]. To avoid detection [4], the group has created a sophisticated LinkedIn account, impersonating Persian-speaking journalists [4]. They request victims’ details in exchange for participation in a webinar and employ both malicious links and files in their compromise attempts [4]. Charming Kitten frequently contacts victims, urging them to engage with their accounts on the site “Akademie DW.” These tactics bear resemblance to those used by North Korean hackers [4].

In addition to their phishing campaigns, Charming Kitten is also involved in a mobile malware campaign that specifically targets customers of four Iranian banks: Bank Mellat, Bank Saderat [3], Resalat Bank [3], and the Central Bank of Iran. This campaign utilizes fake Android apps to steal sensitive information [3], including internet banking login credentials [3], credit card details [3], and intercepted SMS messages used for multi-factor authentication [3].

The activities of Charming Kitten have been reported by various organizations, including Certfa Lab, Human Rights Watch [2], and Sophos [2].


The cyber attacks carried out by Charming Kitten pose a significant threat to Iranian individuals and organizations in Germany. The group’s use of social engineering, fake online identities [2] [3], and phishing tactics highlights the need for increased awareness and vigilance among potential targets. The shift towards posing as journalists and utilizing LinkedIn and WhatsApp messages demonstrates the group’s adaptability and determination to evade detection.

Mitigating these attacks requires a multi-faceted approach, including educating individuals and organizations about the risks of social engineering and phishing, implementing strong security measures, and staying updated on the latest cyber threats. Cooperation between government agencies, cybersecurity firms, and international organizations is crucial in combating the activities of groups like Charming Kitten.

Looking ahead, it is essential to monitor the evolving tactics and techniques employed by Charming Kitten and other cyberespionage groups. As technology advances and cyber threats become more sophisticated, it is imperative to remain proactive in defending against these attacks and safeguarding sensitive information.