Tuesday, August 5, 2025

Iranian Threat Actors Leveraging AI-Crafted Emails to Target Cybersecurity Researchers and Academics

Iranian state-sponsored threat actors have significantly escalated their cyber operations, employing sophisticated artificial intelligence-enhanced phishing campaigns to target cybersecurity researchers and academic institutions across Western nations.

The campaign, primarily attributed to APT35 (also known as Charming Kitten and Magic Hound), represents a marked evolution in Iranian cyber warfare tactics, moving beyond traditional surveillance operations to more sophisticated, high-trust social engineering attacks.

The emergence of these AI-crafted email campaigns coincides with heightened geopolitical tensions following the June 2025 Israeli and American strikes on Iranian nuclear and military facilities.


Unlike previous Iranian cyber operations that focused primarily on espionage and data collection, these new campaigns demonstrate a calculated shift toward targeting the very professionals responsible for defending against such threats.

The attacks leverage advanced AI technologies to generate convincing email content that impersonates trusted industry figures, making detection significantly more challenging for traditional security measures.

CyberProof analysts identified this campaign as part of a broader Iranian digital retaliation strategy that extends far beyond conventional geographic boundaries.

The research team noted that APT35 has fundamentally transformed its operational methodology since mid-2025, abandoning conventional surveillance approaches in favor of these sophisticated, AI-enhanced social engineering tactics.

This evolution represents one of the most significant developments in state-sponsored cyber warfare, as it specifically targets the cybersecurity community’s knowledge base and research capabilities.

The attack vectors employed in these campaigns primarily focus on establishing long-term relationships with targets through carefully crafted email exchanges.

The AI-generated content is designed to build rapport over extended periods, often spanning weeks or months, before attempting to extract sensitive information or gain unauthorized access to research networks and intellectual property.

AI-Enhanced Social Engineering Mechanisms

The technical sophistication of APT35’s AI-crafted emails centers on advanced natural language processing capabilities that analyze publicly available information about target individuals to create highly personalized and contextually relevant communications.

The malware operators utilize machine learning algorithms to study the writing patterns, professional interests, and communication styles of legitimate industry figures, enabling them to craft emails that closely mimic authentic correspondence.

These AI systems can generate content that references specific research papers, conference presentations, and industry developments relevant to the target’s field of expertise, significantly increasing the likelihood of successful engagement.

The emails often include subtle technical discussions about emerging cybersecurity threats or research methodologies, designed to appeal to the intellectual curiosity of cybersecurity professionals while gradually establishing trust and credibility with the intended victims.

Tarun Chhetri