Mandiant has found one of the unique Iranian counterintelligence movements that focuses on prospective representatives of foreign intelligence services, particularly in Israel. The operation was conducted by Iranian state-sponsored cyberpunks between 2017 and March 2024 and included over 35 Farsi-language fake recruiting sites, which outlined job offers and content suitable to the state of Israel. These pages targeted and systematically gathered personal, occupational, and educational details to determine possible HUMINT nominees.

Technical Analysis

This procedure carries hints of APT42, an Iranian group with IRGC-IO affiliations, also known to utilize social media for outreach and targeting dissidents, activists, and expatriates. Notably, the objectives were enlarged along with the campaign and perpetrators moved against Arabic-speaking intelligence societies that are linked with Syria and Lebanon.  Mandiant’s inspection did not recognize any attempt connected to US election interference. 

The company has aimed to undermine the operation, closing down related accounts and delivering website users with protective standards. This campaign reveals how the Iranian government resumes efforts to rescue its intelligence services and perhaps contain those dangers into government repression.

In this special cyber espionage movement, which is complicated in nature, fake Israeli recruitment sites focus on Farsi-speaking people and recruit them using social engineering techniques. Connections are spread with sites like X (aka Twitter) and some virasty, to ma­licious websites such as topwor4u[.]com and beparas[.]com.

These sites are hosted on WordPress and mimic HR mechanisms such as “Optima HR” or “Kandovan HR”, with content and career options related to Israel and cybersecurity and intelligence. The sites’ structures were discovered to be similar, with some including telegram communications handling the “IL” (Israel), such as hxxps://t[.]me/PhantomIL13 and hxxps://t[.]me/getDmIL. An investigation of beparas[.]com also determined and raised the WordPress login handle “miladix” linked to an avatar picture Gravatar oddities with sha256-form email records.

The campaign makes use of both the desktop and mobile versions of the sites, which bear Israeli sites and graphics. These websites have forms that need personal and work-related data such as their names, birth dates, emails, physical addresses, academic history, and work history.

The cycle of raids contains the distribution of a connection, condition of fake content, and assembling data. A link to an Iranian software designer was triangulated via Miladix [.]com, regardless, no such links could be verified.

This activity appears to be introduced to watching the actions of Iranian nationals with cybersecurity skills for intelligence or recruitment purposes. The “Axis of Resistance” operation applied refined cyber espionage tactics targeting Syria and Hezbollah. The research revealed dishonest recruitment sites such as “Optima HR,” “VIP Human Solutions,”, which compelled native Farsi and Arabic speakers with safety and espionage backgrounds.

The sites had power and authority structures and templates associated with decoy content’s association to Israel for primary images, plus phone contacts bearing (+972), telegram group chats ( hxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw). Mandiant’s research discovered links to parts like vipjobsglobal[.]com and different Telegram accounts. The campaign, presumed to be related to Israeli Mossad, was used from at least 2018 to 2023.