Threat Intelligence | January 18, 2026 | 4 min read

Iran-Linked Hackers Target Middle East Officials via WhatsApp

APT42 campaign compromises government ministers, activists, and journalists through fake login pages and real-time surveillance capabilities.

Alex Kowalski

Security researchers have uncovered a sophisticated cyber-espionage campaign targeting high-profile individuals across the Middle East. The operation, first identified by UK-based Iranian activist Nariman Gharib and subsequently verified by cybersecurity experts, uses multi-stage phishing attacks to hijack WhatsApp accounts and steal Gmail credentials from government officials, journalists, and activists.

Evidence suggests the campaign bears the operational hallmarks of APT42, a threat group repeatedly linked to Iran's Islamic Revolutionary Guard Corps.

Who Got Targeted

The attackers went after people who would have valuable intelligence on Iran-related matters. Confirmed victims include a senior Lebanese cabinet minister, the head of an Israeli drone manufacturing firm, academics specializing in regional security, and journalists covering Middle Eastern affairs.

Fewer than 50 individuals appear to have been compromised, but the selection wasn't random. The targets span the Kurdish diaspora community, government officials involved in Iran policy, and business leaders with connections to the region.

How the Attacks Worked

The campaign employed two parallel attack vectors, both designed to bypass security controls and capture authentication credentials.

WhatsApp Account Hijacking

Attackers distributed phishing links through WhatsApp messages, using dynamic DNS providers to mask malicious subdomains. Victims who clicked through encountered what appeared to be a WhatsApp Web login page displaying a live QR code.

The twist: that QR code came from the attacker's own browser session. When victims scanned it with their phones, they unwittingly granted full access to their encrypted messages and contact lists. The attacker's session synced immediately, providing real-time access to all WhatsApp communications.
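The lure links in this campaign were hosted under dynamic DNS providers, which puts an attacker-chosen subdomain in front of a legitimate, widely used parent zone. A simple defensive triage that a security team can run over an exported chat log is to extract every URL, keep only hosts that sit one or more labels below a dynamic DNS zone, and note brand words in the subdomain. The following is an added Python example, not code from the article or from the researchers it cites; the dynamic DNS zone list is a short illustrative sample (a real deployment would use a maintained feed), the lure-word list and the tab-separated export format are assumptions, and the message lines are constructed.

```python
import re
from urllib.parse import urlparse

# Illustrative sample of dynamic DNS parent zones (assumption: a real deployment
# would pull this from a maintained feed rather than a hard-coded set).
DYNAMIC_DNS_ZONES = {"duckdns.org", "no-ip.org", "hopto.org", "ddns.net", "dynv6.net"}

# Brand and action words that, inside a tenant subdomain, indicate a login lure.
LURE_WORDS = ("whatsapp", "google", "gmail", "accounts", "login", "verify")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed chat export, one "sender<TAB>text" line per message.
SAMPLE_EXPORT = [
    "+000000000001\tPlease confirm your session here: https://web-whatsapp-login.duckdns.org/qr",
    "+000000000002\tMinutes from today's meeting: https://docs.example.org/minutes.pdf",
    "+000000000003\tYour account needs verification https://accounts-google-verify.hopto.org/signin?u=1",
    "+000000000004\tSee https://duckdns.org for the service itself",
]


def host_of(url):
    """Lower-cased hostname of a URL, or None if it cannot be parsed."""
    try:
        host = urlparse(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def dynamic_dns_zone(host):
    """Return the dynamic DNS zone the host sits under, or None.

    The host must have at least one label below the zone: the provider's own
    apex (e.g. a link to the service itself) is not a tenant subdomain.
    """
    for zone in DYNAMIC_DNS_ZONES:
        if host.endswith("." + zone):
            return zone
    return None


def lure_words_in(host, zone):
    """Lure words found in the tenant part of the host (everything below the zone)."""
    tenant = host[: -len(zone) - 1]
    return [w for w in LURE_WORDS if w in tenant]


def triage_message(sender, text):
    """Findings for every dynamic DNS-hosted link in one message."""
    findings = []
    for url in URL_RE.findall(text):
        host = host_of(url)
        if not host:
            continue
        zone = dynamic_dns_zone(host)
        if zone is None:
            continue
        findings.append({
            "sender": sender,
            "url": url,
            "host": host,
            "zone": zone,
            "lure_words": lure_words_in(host, zone),
        })
    return findings


def triage_export(lines):
    """Run triage over a whole export; returns findings in message order."""
    findings = []
    for line in lines:
        sender, _, text = line.partition("\t")
        findings.extend(triage_message(sender, text))
    return findings


if __name__ == "__main__":
    for f in triage_export(SAMPLE_EXPORT):
        print(f["sender"], f["host"], "zone=" + f["zone"], "lure=" + ",".join(f["lure_words"]))
```

On the constructed export this flags the two lure links and leaves both the ordinary document link and the bare link to the provider's apex alone; findings with brand words in the tenant label are the ones worth escalating first.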

Gmail Credential Theft

For email access, the operators deployed pixel-perfect replicas of Google's sign-in page. These fake portals intercepted not just usernames and passwords but two-factor authentication codes as well. With those elements captured, attackers gained complete inbox access.

Real-Time Surveillance Capabilities

The campaign went beyond credential theft. Researchers found that the phishing infrastructure could capture camera photos and audio from victim devices at intervals of three to five seconds—provided users had granted browser-level permissions during the phishing interaction.

Location tracking also continued as long as victims kept the phishing tab open. This surveillance component suggests the operators wanted more than stored communications; they wanted live intelligence on their targets.

Attribution to APT42

Gary Miller, a mobile espionage researcher at Citizen Lab who analyzed the phishing code and data from attacker infrastructure, noted the campaign "certainly had the hallmarks of an IRGC-linked spearphishing campaign."

APT42 has conducted similar credential-harvesting operations against dissidents, journalists, and policy experts for years. The group's targeting patterns align with Iranian intelligence priorities, focusing on individuals who could provide insight into foreign policy decisions affecting Tehran.

Some researchers observed overlap between the campaign infrastructure and financially motivated cybercrime operations, raising the possibility that elements were outsourced. Iran has previously used criminal groups as cutouts to maintain deniability in operations targeting dissidents abroad.

The Bigger Picture

This campaign illustrates how state-sponsored actors increasingly target mobile platforms and consumer messaging services to reach high-value individuals. Corporate security controls mean little when attackers can route victims to personal devices where endpoint protection doesn't exist.

WhatsApp's QR-based web login—designed for convenience—becomes a vulnerability when users can be tricked into scanning attacker-controlled codes. Google's two-factor authentication helps, but not when real-time phishing captures the codes before they expire.

For individuals in sensitive positions, the defensive options remain limited. Using hardware security keys instead of SMS or app-based 2FA provides stronger protection against credential theft. Treating unexpected QR codes with the same suspicion as unexpected links reduces WhatsApp hijacking risk.
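The reason hardware keys hold up where app-based codes do not is what each factor binds to. A TOTP code is a function of the shared secret and the clock only, so the verifying server cannot tell whether the user typed it on the real sign-in page or on a replica; a FIDO2/WebAuthn assertion is signed over client data that includes the origin the browser actually loaded, which the relying party checks against its own. The following is an added Python simulation of both checks, not code from the article; the TOTP part follows RFC 6238 with HMAC-SHA1, the origins, secrets and challenge are constructed, and an HMAC stands in for the authenticator's private-key signature (a simplification: what matters here is what gets signed, not the signature algorithm).

```python
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://accounts.example.test"          # constructed relying-party origin
PHISH_ORIGIN = "https://accounts-example.ddns.test"  # constructed lookalike origin


# --- Time-based one-time password (RFC 6238, HMAC-SHA1, 30 s step) ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The code carries nothing about where the user typed it, so a code captured
    # on a replica page and relayed within the same step window verifies.
    return hmac.compare_digest(totp(secret, unix_time), code)


# --- Origin-bound assertion, modelled on WebAuthn's clientDataJSON ---
def authenticator_assert(cred_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    # The browser, not the page, fills in the origin; the authenticator signs
    # (here: HMACs, as a stand-in) a hash of that client data.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
        sort_keys=True,
    ).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def rp_verify_assertion(cred_key: bytes, expected_challenge: bytes, assertion: dict,
                        rp_origin: str = RP_ORIGIN) -> bool:
    data = json.loads(assertion["client_data"])
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != expected_challenge.hex():
        return False
    if data.get("origin") != rp_origin:
        return False  # the origin check is what defeats a relayed login
    expected = hmac.new(cred_key, hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> dict:
    # Constructed secrets and timestamps; not values from any real account.
    secret = b"constructed-totp-seed"
    now = 1_700_000_000
    captured_code = totp(secret, now)            # code the user read from their app
    totp_relay_accepted = verify_totp(secret, captured_code, now + 5)  # relayed 5 s later

    cred_key = b"constructed-credential-key"
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    genuine = authenticator_assert(cred_key, challenge, RP_ORIGIN)
    relayed = authenticator_assert(cred_key, challenge, PHISH_ORIGIN)  # user was on the replica
    return {
        "totp_relay_accepted": totp_relay_accepted,
        "genuine_assertion_accepted": rp_verify_assertion(cred_key, challenge, genuine),
        "relayed_assertion_accepted": rp_verify_assertion(cred_key, challenge, relayed),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In the simulation the relayed TOTP code is accepted because nothing in it identifies the page it was entered on, while the assertion produced on the lookalike origin is rejected even though the challenge and credential are right. In real WebAuthn the browser would not even offer the credential to a different registrable domain, so the protection is stronger than the origin check alone.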

But ultimately, sophisticated nation-state actors will continue finding ways to reach targets who hold intelligence of interest. The tools evolve; the targeting calculus doesn't.
