Iranian Threat Actor TA453 Targets Jewish Figure with Fake Podcast Invite in Malicious Campaign

 

A recent cyber campaign by the Iranian threat actor TA453 has drawn significant attention following their targeting of a prominent Jewish religious figure with a fake podcast interview invitation. The campaign, which began in July 2024, involved a series of deceptive emails promoting a supposed podcast titled “Exploring Jewish Life in the Muslim World.” The attackers masqueraded as representatives of the Institute for the Study of War (ISW), a legitimate American non-profit think tank focused on military and foreign affairs research. 

On July 22, 2024, TA453 initiated contact with the target by sending an email from an address claiming to represent ISW’s Research Director. The email invited the recipient to participate in the podcast, a lure that successfully engaged the target. After initial correspondence, TA453 sent a DocSend URL containing a password-protected text file with a legitimate ISW podcast link. Researchers from Proofpoint believe this initial interaction was intended to build trust with the target, making them more likely to click on malicious links in future communications. 

Following the initial lure, TA453 escalated their attack by sending a Google Drive URL that led to a ZIP archive. This archive contained a malicious LNK file, which, when opened, deployed the BlackSmith toolset, including the AnvilEcho PowerShell trojan. AnvilEcho is a sophisticated malware capable of intelligence gathering and data exfiltration. It employs encryption and network communication techniques to evade detection, integrating multiple capabilities within a single PowerShell script. The trojan’s command-and-control (C2) infrastructure is hosted on a domain linked to previous TA453 operations. 

AnvilEcho continuously fetches and executes commands from the remote server via its “Do-It” function, which handles various tasks, including network connectivity, file manipulation, screenshot capture, and audio recording. The “Redo-It” function, located at the end of the malware’s code, orchestrates these commands while also collecting system reconnaissance data such as antivirus status, operating system details, and user information. According to researchers, the activities of TA453 are likely aimed at supporting intelligence collection for the Iranian government, specifically the Islamic Revolutionary Guard Corps’ Intelligence Organization. 

The tactics employed in this campaign bear a strong resemblance to those used by the Charming Kitten advanced persistent threat (APT) group, another Iranian cyber espionage unit. This operation is a classic example of multi-persona impersonation, where threat actors leverage legitimate links to build trust with victims before launching more harmful attacks.