Iran-linked threat actor targets medical professionals in the US and Israel with phishing attacks


Medical professionals specializing in genetics, neurology, and oncology research in the United States and Israel have been targeted in a recent credential-phishing campaign launched by an Iran-linked threat actor tracked by security researchers as TA453, Charming Kitten or Phosphorus.

The group's previous attacks focused on dissidents, academics, diplomats, and journalists, so this latest campaign is a deviation from its usual activity. Proofpoint researchers dubbed it 'BadBlood', a name chosen for the medical focus of the targeting and the continued geopolitical tensions between Iran and Israel.

The BadBlood campaign was first spotted in December 2020. Its phishing emails were sent from a Gmail account posing as a prominent Israeli physicist, used the subject line "Nuclear weapons at a glance: Israel", and paired social engineering lures about Israel's nuclear capabilities with a link to an attacker-controlled domain.

The link led to a landing page spoofing Microsoft's OneDrive service and showing a PDF document icon. When a victim tried to view or download the document, they were presented with a fake Microsoft login page designed to harvest their credentials. Because that page lived on an attacker-controlled domain rather than a Microsoft one, the host in the address bar, not the OneDrive branding, was the tell.
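The lure described above combines a trusted-looking sender, a branded OneDrive landing page and a destination host that Microsoft does not own. The following added example (not Proofpoint's code and not part of the original article) shows one way a mail-triage script can surface that mismatch: it pulls the links out of an HTML message body and flags any link that carries Microsoft or OneDrive branding while pointing at a non-Microsoft host, or whose visible text shows a different host than the real destination. The sample message is a constructed imitation of the lure, the `.invalid` and `example.org` domains are placeholders, and the list of legitimate Microsoft host suffixes is an assumption to be tuned for your environment.

```python
"""Brand-impersonation link check for phishing triage (added example, not Proofpoint's code)."""
import re
from urllib.parse import urlparse

# Hosts on which a genuine OneDrive share or Microsoft sign-in may legitimately land.
# Assumption for this example; extend or tighten for your tenant.
MICROSOFT_HOST_SUFFIXES = (
    "onedrive.live.com", "1drv.ms", "sharepoint.com", "microsoft.com",
    "microsoftonline.com", "live.com", "office.com", "office365.com",
)
# Branding that should only appear on links to the hosts above.
BRAND_TOKENS = ("onedrive", "sharepoint", "microsoft", "office365", "1drv", "live.com")

ANCHOR_RE = re.compile(r'<a\s[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
BARE_URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def is_microsoft_host(host: str) -> bool:
    """True only for an exact suffix match, so 'microsoft.com.evil.net' does not pass."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_HOST_SUFFIXES)


def extract_links(html: str):
    """Return (href, visible_text) pairs; bare URLs outside anchors get an empty text."""
    links = []
    seen = set()
    for href, inner in ANCHOR_RE.findall(html):
        links.append((href, TAG_RE.sub("", inner).strip()))
        seen.add(href)
    for url in BARE_URL_RE.findall(ANCHOR_RE.sub(" ", html)):
        if url not in seen:
            links.append((url, ""))
    return links


def assess_link(href: str, text: str):
    """Return the reasons a link looks like brand impersonation (empty list if clean)."""
    reasons = []
    host = urlparse(href).hostname or ""
    if is_microsoft_host(host):
        return reasons
    # Microsoft/OneDrive wording in the URL or anchor text, but the host is not Microsoft's.
    context = (href + " " + text).lower()
    if any(tok in context for tok in BRAND_TOKENS):
        reasons.append(f"Microsoft/OneDrive branding on non-Microsoft host {host!r}")
    # Anchor text that displays a URL whose host differs from where the link really goes.
    shown = BARE_URL_RE.search(text)
    if shown:
        shown_host = urlparse(shown.group(0)).hostname or ""
        if shown_host.lower() != host.lower():
            reasons.append(f"displayed host {shown_host!r} differs from actual host {host!r}")
    return reasons


def assess_email(html: str):
    """Map each suspicious href in the message body to its list of reasons."""
    findings = {}
    for href, text in extract_links(html):
        reasons = assess_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed lure modelled on the campaign's described email; all domains are placeholders.
SAMPLE_EMAIL_HTML = """\
<p>Dear colleague,</p>
<p>Please find the document <b>Nuclear weapons at a glance: Israel</b> shared with you.</p>
<p><a href="https://onedrive-share.example.invalid/view/report.pdf">Open in OneDrive</a></p>
<p>Reference copy: <a href="https://www.example.invalid/go">https://onedrive.live.com/shared</a></p>
<p>Our homepage: https://www.example.org/</p>
"""

if __name__ == "__main__":
    for href, reasons in assess_email(SAMPLE_EMAIL_HTML).items():
        print(href)
        for r in reasons:
            print("  -", r)
```

The check deliberately keys on the destination host rather than on page content, because a cloned OneDrive page is visually indistinguishable from the real one; a link that passes here can still be malicious, so treat an empty result as "no brand mismatch found", not as "safe".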

“TA453 targeted fewer than 25 senior professionals at a variety of medical research organizations located in the US and Israel. Proofpoint analysis of the targets’ publicly available research efforts and resumes indicates TA453 targeted individuals with a background in either genetics, oncology, or neurology. These medical professionals appear to be extremely senior personnel at a variety of medical research organizations. Additionally, TA453 targeting Israeli organizations and individuals is consistent with increased geopolitical tensions between Israel and Iran during 2020,” Proofpoint said.

Previous reports indicate that TA453 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC), a branch of Iran’s armed forces with its own intelligence organization. Proofpoint said it “cannot independently attribute TA453 to the IRGC”; however, “the tactics and techniques observed in BadBlood continue to mirror those used in historic TA453 campaigns and the overall targeting of TA453 campaigns detected by Proofpoint appear to support IRGC intelligence collection priorities.”
