- What: Iranian threat actors are targeting individuals of interest in the Middle East.
- Impact: Credentials are being stolen via spear-phishing and social engineering.
Nate Nelson, Contributing Writer, February 5, 2026

As mass protests flare at home, Iranian attackers have been carrying out spear-phishing attacks against their perceived enemies abroad.

The Iranian government has a long, storied history of targeting its enemies, be they domestic or abroad, Iranian or foreign nationals, Israeli, American, or Arab. In recent weeks, though, as protests against the ruling regime have surged, reports of cyber spying have been flaring up.

On Jan. 13, UK-based Iranian activist Nariman Gharib revealed a highly targeted spear-phishing campaign aimed at individuals abroad who are involved in Iranian affairs in one way or another. He attributed it to the Iranian Revolutionary Guard Corps (IRGC), and the phishing site supporting it quickly shut down. The espionage carried on, though, with new lures aimed at new targets.

Overall, the activity appears to be focused but diffuse, with dozens of documented attacks against Iranian, Syrian, Kurdish, Lebanese, Israeli, and American targets, at the least.

The First Wave: Malicious WhatsApp Links

In mid-January, Gharib received a series of WhatsApp messages vague enough to sound like some business matter he'd forgotten about. Experienced on the receiving end of spear-phishing attacks, he asked the sender to call him. Instead of calling, of course, the sender urged him to follow the link.

The link was hosted by the dynamic DNS provider DuckDNS. Dynamic DNS allows attackers to hide constantly changing IP addresses behind simple, stable phishing links. In this case, the attackers designed a URL that, if you squint hard enough, might look like a legitimate WhatsApp link. The actual domain behind it was completely different: "alex-fabow.online."
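A defender-side check for the lookalike-link trick described above, written as an added example (not code from the article, Gharib, or TechCrunch). The legitimate-host allowlist, the list of dynamic DNS suffixes beyond DuckDNS, and the sample URLs other than "alex-fabow.online" are assumptions constructed for illustration; the registrable-domain logic is a naive two-label heuristic, not a public-suffix-list lookup.

```python
from urllib.parse import urlparse

# Hosts that legitimately serve WhatsApp links (assumed allowlist for this example).
LEGIT_HOSTS = {"whatsapp.com", "wa.me"}
# Dynamic DNS providers: DuckDNS is named in the article; the rest are assumed examples.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")
BRAND_TOKEN = "whatsapp"


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels of the hostname (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str):
    """Classify a URL as 'legitimate-host', 'suspicious' or 'unknown'.

    Returns (verdict, reasons). The point is that the brand name appearing
    somewhere in the URL says nothing about which domain actually serves it.
    """
    p = urlparse(url if "://" in url else "https://" + url)
    host = (p.hostname or "").lower()
    reasons = []

    # Only the real registrable domain decides legitimacy, never a subdomain label.
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return "legitimate-host", reasons

    reg = registrable_domain(host)
    if any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        reasons.append(f"hosted on dynamic DNS ({reg})")

    # Brand name placed in a subdomain, path, query or userinfo is the lookalike trick.
    decoy_text = " ".join([host, p.path.lower(), p.query.lower(), (p.username or "").lower()])
    if BRAND_TOKEN in decoy_text:
        reasons.append(f"brand name appears but registrable domain is {reg}")
    if p.username:
        reasons.append("userinfo before '@' disguises the real host")

    return ("suspicious" if reasons else "unknown"), reasons


if __name__ == "__main__":
    # Constructed sample URLs: one real host, two lookalikes, one unrelated site.
    for u in ("https://web.whatsapp.com/",
              "https://web-whatsapp.duckdns.org/verify",
              "https://web.whatsapp.com.alex-fabow.online/qr",
              "https://example.org/"):
        print(u, "->", check_link(u))
```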
TechCrunch, which worked with Gharib to analyze the campaign, could not determine exactly what happens in the victim's browser after they click on the link, speculating, "It may be that the DuckDNS link redirects the target to a specific phishing page based on information it gleans from the user's device." If the right victim followed the link, they might see a fake Gmail login page, or a page asking for their phone number.

Fortuitously, TechCrunch discovered a path traversal vulnerability that allowed them to view the attackers' entire database of stolen credentials. They found 850 records listing usernames, passwords, and two-factor authentication (2FA) codes.

Gharib's link led to a WhatsApp-themed page with a QR code. Scanning the QR code would have given the attackers control over his account. In addition, the phishing page would have triggered browser notifications requesting access to his location, camera, and microphone. It then would have begun streaming his geolocation to the attacker, constantly recording audio from his device, and capturing photos using the camera every five seconds.

Victims of this wave of attacks included ethnic Persians outside of Iran, people in the US, academics, businesspeople, an individual involved in Israeli drone manufacturing, a Lebanese cabinet minister, and "seemingly ordinary" Kurds, according to TechCrunch.

Despite all the circumstantial evidence pointing to government direction, a researcher at DomainTools found evidence that the attackers' infrastructure was also used for cybercrime purposes, complicating attribution.

The Second Wave

According to Gharib, IRGC attackers have also used a variety of other phishing tactics in recent weeks. In some cases, they used a fake Telegram bot to send victims threats that their accounts would be deleted if they didn't take imminent action. Telegram quickly removed the account after it was discovered.

Besides WhatsApp, Gmail, and Telegram, the attackers also farmed victims on X.
They created an account impersonating Bahraini peace activist Fatema Al Harbi, and purchased a cheap blue check to lend it legitimacy. Then they started reaching out to targets, often simply by replying to their posts on X. Using a stock message format, with specific details about the target filled in like Mad Libs, they requested brief interviews. The interviews provided the pretext for sending fake Google Meet invites, enabling credential theft. The fake X account has since been deleted.

According to Gharib, targets of recent attacks have included an Iranian journalist and a public intellectual, four Syrian opposition figures, two Israeli diplomats, and one member of the Knesset, Israel's legislative body. This week, The Jerusalem Post added a prominent American-Israeli journalist to the running list.

Though the targets are high-profile and the attacks aggressive, the tradecraft itself is not especially advanced. "This campaign heavily relies on social engineering and the technique used seems less advanced than [previously observed] techniques," says SafeBreach's Tomer Bar, who tracks more sophisticated Iranian advanced persistent threat (APT) attacks against dissidents. "I assume that this is a less sophisticated Iranian nation-state threat group," and considering the variety of tactics, techniques, and procedures (TTPs) on display, it could be even more than one group.