Cyber Espionage Unveiled: High-Profile Gmail and WhatsApp Users in the Middle East Targeted
In a recent cyber espionage campaign, high-profile individuals across the Middle East have been targeted through sophisticated phishing attacks aimed at compromising Gmail and WhatsApp accounts. The campaign has successfully stolen credentials from victims, raising concerns about the potential for future phishing activities.
Victims and Scope
The campaign has affected fewer than 50 individuals, including members of the Kurdish community, academics, government officials, business leaders, and other senior figures across the broader Iranian diaspora and Middle East. The identities of some victims are known, but the full extent of the campaign remains unclear. There may be more victims than have been identified so far, and identifying them could provide further insight into the targeting and the motives behind the attacks.
Potential Attribution
The perpetrators behind this campaign have not been identified. However, the nature of the attacks suggests possible involvement of government-backed actors. For instance, a state-sponsored group might seek to steal email passwords and two-factor authentication codes from high-value targets, such as politicians or journalists, to access confidential information. Given Iran’s current isolation from the international community, both the Iranian government and foreign entities with interests in Iran’s affairs could plausibly be interested in monitoring communications of influential Iranian-linked individuals.
The timing and targeting of this phishing campaign suggest it could be an espionage effort aimed at gathering information about specific individuals. Gary Miller, a security researcher at Citizen Lab and mobile espionage expert, reviewed the phishing code and some exposed data from the attacker’s server. Miller noted that the attack "certainly [had] the hallmarks of an IRGC-linked spearphishing campaign," referring to highly targeted email hacks carried out by Iran’s Islamic Revolutionary Guard Corps (IRGC), a faction of Iran’s military known for conducting cyberattacks. He pointed to indications such as the international scope of victim targeting, credential theft, abuse of popular messaging platforms like WhatsApp, and the social engineering techniques used in the phishing link.
Alternative Motivations
Alternatively, financially motivated hackers could use stolen Gmail passwords and two-factor codes from high-value targets, such as company executives, to steal proprietary business information or access cryptocurrency and bank accounts. However, the campaign’s focus on accessing victims’ location and device media is unusual for financially motivated actors, who might have little use for pictures and audio recordings.
Ian Campbell, a threat researcher at DomainTools, analyzed the domain names used in the campaign to understand their setup and any connections to previously known infrastructure. He found that while the campaign targeted victims during Iran’s ongoing nationwide protests, its infrastructure had been set up weeks earlier. Most of the domains connected to this campaign were registered in early November 2025, with one related domain created in August 2025. Campbell described the domains as medium to high risk and suggested they appear to be linked to a cybercrime operation driven by financial motivations.
Outsourcing Cyberattacks
Iran’s government has been known to outsource cyberattacks to criminal hacking groups, presumably to shield its involvement in hacking operations against its citizens. The U.S. Treasury has sanctioned Iranian companies in the past for acting as fronts for Iran’s IRGC and conducting cyberattacks, such as launching targeted phishing and social engineering attacks.
Security Recommendations
As Miller notes, "This drives home the point that clicking on unsolicited WhatsApp links, no matter how convincing, is a high-risk, unsafe practice."