9 March 2023

Iranian hackers target people involved in Middle Eastern political affairs research



Secureworks researchers have discovered a new Iran-linked state-backed cyber-espionage campaign aimed at female human rights activists actively involved in political affairs and human rights in the Middle East region.

The campaign has been attributed to a threat group that the cybersecurity company tracks as Cobalt Illusion, most commonly known as APT35, Charming Kitten, ITG18, Phosphorus, TA453, and Yellow Garuda. The group is suspected of operating on behalf of various Iranian government entities and the Intelligence Organization of the Islamic Revolutionary Guard Corps (IRGC-IO), and is known for its previous cyber-espionage operations against academics, activists, diplomats, journalists, politicians, and researchers who focus on Iran. Phishing and bulk data collection are core tactics of the group’s operations.

In its latest social engineering campaign, Cobalt Illusion contacted potential victims using a fake Twitter persona that invited them to contribute to an Atlantic Council report in progress.

“Over a period of days or weeks, Cobalt Illusion develops a rapport with the target and then attempts to phish credentials or deploy malware to the target's computer or mobile device,” the researchers noted. “It is common for Cobalt Illusion to interact with its targets multiple times over different messaging platforms. The threat actors first send benign links and documents to build rapport. They then send a malicious link or document to phish credentials for systems that Cobalt Illusion seeks to access.”

Last year, the Cobalt Illusion threat group was observed using a novel tool named Hyperscrape that can steal data from Gmail, Yahoo!, and Microsoft Outlook accounts. The tool is written in .NET for Windows PCs and is designed to run on the attacker's machine and download victims’ inboxes using previously obtained credentials.

