A cyber-espionage group thought to be working on behalf of the Iranian government used the recent Christmas holidays to launch a mobile phishing campaign directed against targets in the Persian Gulf, Europe, and the U.S., including think tanks, political research organizations, professors, journalists, and environmental activists.
The group, tracked as Charming Kitten, APT35 or Phosphorus, sent fake “Google Account Recovery” text messages and Christmas-themed phishing emails, according to a new report from Certfa Lab, a cybersecurity team that tracks Iranian cyber criminals and state-sponsored hackers.
“The group started the new round of attacks at a time when most companies, offices, organizations, etc. were either closed or half-closed during Christmas holidays and, as a result, their technical support and IT departments were not able to immediately review, identify, and neutralize these cyber incidents. Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect,” the team said.
The hackers targeted individuals’ online accounts, especially personal email (Gmail, Yahoo! and Outlook) and business email (organization and university accounts). Once they had taken over an account with the stolen credentials, they exfiltrated sensitive data from their victims.
The group used two lures to harvest credentials. The first was a fake ‘Google Account Recovery’ SMS message purporting to come from Google; it carried a link that, after a chain of redirects, landed the target on the final phishing domain.
The second was a phishing email with a deceptive subject line such as “Merry Christmas” or an offer to send a note, book or photo, typically sent from previously compromised email accounts.
“Our examination shows the hackers have used a mix of services such as ‘script.google.com’ and ‘iplogger.org’ in this campaign in order to create a chain of redirection to obfuscate their hacking operations. Redirection links initially help bypass the security layers in email services, and then provide the attackers more control to redirect the target to the final URL,” the Certfa researchers explained.
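The redirect chain described above is what an analyst has to unwind when triaging one of these links. The following is an added example, not code from the article or from Certfa’s report: it walks a chain of HTTP redirects hop by hop with redirects disabled, caps the number of hops so an attacker-controlled chain cannot stall the resolver, and flags hops through hosted redirectors such as script.google.com and iplogger.org. The responses, the `accounts-recovery.example` landing page and the `REDIRECTOR_HOSTS` list are constructed for illustration; a real run would swap `offline_fetch` for an HTTP client call such as `requests.get(url, allow_redirects=False)`.

```python
"""Offline redirect-chain walker for phishing-link triage (added example)."""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Hosts commonly abused as intermediate redirectors. The two named in the
# article are included; the set is an illustrative assumption, not an IOC list.
REDIRECTOR_HOSTS = {"script.google.com", "iplogger.org"}

REDIRECT_CODES = {301, 302, 303, 307, 308}

# A fetcher returns (HTTP status, Location header or None) for one URL without
# following redirects itself, so every hop is observed and recorded.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


def walk_redirects(url: str, fetch: Fetcher, max_hops: int = 10) -> Dict[str, object]:
    """Follow redirects from `url`, recording each hop.

    Stops at the first non-redirect response, on a loop, or after `max_hops`.
    """
    chain: List[str] = [url]
    seen = {url}
    current = url
    status = "resolved"
    for _ in range(max_hops):
        code, location = fetch(current)
        if code not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in seen:
            status = "loop"
            break
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    else:
        status = "too_many_hops"
    return {
        "chain": chain,
        "final": current,
        "status": status,
        "redirector_hops": [h for h in chain if urlsplit(h).hostname in REDIRECTOR_HOSTS],
    }


def host_matches(url: str, expected_suffix: str) -> bool:
    """True if the URL's host is `expected_suffix` or a subdomain of it."""
    host = urlsplit(url).hostname or ""
    return host == expected_suffix or host.endswith("." + expected_suffix)


def triage(url: str, fetch: Fetcher, claimed_brand_domain: str) -> Dict[str, object]:
    """Walk the chain and judge it against the brand the lure claims to be from.

    A lure posing as Google Account Recovery should end on a google.com host;
    a chain that passes through hosted redirectors and lands elsewhere is flagged.
    """
    result = walk_redirects(url, fetch)
    final = str(result["final"])
    brand_mismatch = not host_matches(final, claimed_brand_domain)
    result["brand_mismatch"] = brand_mismatch
    result["suspicious"] = bool(result["redirector_hops"]) or brand_mismatch
    return result


# Constructed sample chain (not real indicators): Apps Script -> iplogger -> landing page.
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "https://script.google.com/macros/s/EXAMPLE/exec": (302, "https://iplogger.org/EXAMPLE"),
    "https://iplogger.org/EXAMPLE": (302, "https://accounts-recovery.example/login"),
    "https://accounts-recovery.example/login": (200, None),
}


def offline_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Stand-in for an HTTP request with redirects disabled; unknown URLs look dead."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    verdict = triage("https://script.google.com/macros/s/EXAMPLE/exec", offline_fetch, "google.com")
    for hop in verdict["chain"]:
        print("  ->", hop)
    print("final:", verdict["final"], "| suspicious:", verdict["suspicious"])
```

The first hop is itself on a google.com subdomain, which is exactly why an email gateway that only reputation-checks the visible link lets it through; the verdict comes from where the chain ends, not where it starts.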
“Charming Kitten has been constantly active in recent months and has executed other attacks at the time of writing this report. In reviewing related activity patterns of Charming Kitten and information about the infrastructure used by this hacking group, we believe the extent and scale of this campaign is significant in comparison with previous activity of Charming Kitten,” they added.