Credential Theft Alert: APT35’s New ‘Webinar’ Phishing Bypasses 2FA with Conference Lures

By CyberDudeBivash • October 01, 2025, 08:28 PM IST • APT Threat Intelligence Report

The Iranian state-sponsored espionage group **APT35 (Charming Kitten)** has launched a new, highly sophisticated spear-phishing campaign that successfully bypasses traditional Multi-Factor Authentication (MFA). The group is leveraging its hallmark social engineering tactics, sending convincing but fake “webinar” and “conference” invitations to its high-value targets in academia, journalism, and government. The goal of this campaign is not to deploy malware, but to perform a full account takeover by stealing not just credentials, but the authenticated session itself. This **Attacker-in-the-Middle (AiTM)** technique renders common 2FA methods like SMS codes and authenticator apps completely ineffective. This is our urgent breakdown of the group’s evolving TTPs and the critical defenses required to counter this advanced threat.

Threat Report: Table of Contents

  1. Chapter 1: Threat Actor Profile — APT35 (Charming Kitten)
  2. Chapter 2: The Kill Chain — From Webinar Invite to Account Takeover
  3. Chapter 3: Technical Deep Dive — How AiTM Phishing Bypasses MFA
  4. Chapter 4: The Defender’s Playbook — The Primacy of Phishing-Resistant MFA
  5. Chapter 5: Strategic Summary & Indicators of Compromise (IOCs)

Chapter 1: Threat Actor Profile — APT35 (Charming Kitten)

APT35 is a highly persistent and patient threat actor. Their operations are characterized by meticulous reconnaissance and social engineering. They don’t use flashy zero-days; they master the art of manipulating the human target. Their primary goal is to gain access to email and social media accounts of their targets to gather intelligence, monitor communications, steal contact lists, and use the compromised accounts to launch further attacks against their victims’ networks.


Chapter 2: The Kill Chain — From Webinar Invite to Account Takeover

The DarkCloud campaign is a classic example of a modern, evasive attack chain. It’s designed to defeat security tools that only inspect the initial entry vector.

  1. **Reconnaissance:** The attackers identify a target—for example, a university professor specializing in Middle Eastern policy. They find their email address and research their recent publications and conference appearances.
  2. **The Lure:** The attacker, spoofing the identity of a real academic from a respected institution, sends a personalized email inviting the professor to speak at a (fake) upcoming webinar on a topic they have written about. The email is professional, flattering, and includes a link to “register and view the agenda.”
  3. **The Phishing Site (AiTM):** The registration link directs the target to a malicious website. This site is not a simple credential harvester; it’s a real-time proxy that loads the legitimate login page (e.g., from Google or Microsoft) within its own frame.
  4. **Credential & Session Theft:** The victim, seeing the familiar Google login page, enters their username and password. The proxy instantly passes this to Google. Google then challenges the user for their 2FA code. The user enters the code from their authenticator app or approves the push notification. The proxy captures this and passes it to Google. Google, seeing all correct credentials, authenticates the user and sends a session cookie back to the proxy. The attacker’s server saves this cookie.
  5. **Account Takeover & Espionage:** The attacker now uses the stolen session cookie in their own browser. They are now logged in as the professor. They immediately set up email forwarding rules to silently copy all incoming and outgoing mail, download the entire mailbox history, and steal the contact list for their next wave of attacks. The victim is redirected to a fake agenda page and is unaware their account has been completely compromised.

Chapter 3: Technical Deep Dive — How AiTM Phishing Bypasses MFA

The weakness of traditional MFA is that it relies on a secret (a code or a push approval) that a human can be tricked into giving to a fake website. The Attacker-in-the-Middle (AiTM) automates this theft.

The attacker’s phishing server acts like a man in the middle, sitting between you and the real website. When you enter your password, the server passes it on. When you enter your 2FA code, the server passes that on too. The real website, seeing a valid password and a valid code, has no reason to be suspicious. It authenticates the session and issues the session cookie—the golden ticket—which the attacker’s server promptly steals. As we’ve discussed before, this is why **SMS 2FA is Dead**, but the same principle applies to even more “secure” methods like authenticator apps.


Chapter 4: The Defender’s Playbook — The Primacy of Phishing-Resistant MFA

You cannot train your way out of this problem. While user awareness is important, a determined, targeted attack from an APT group will eventually succeed. The only reliable defense is a technical control that breaks the kill chain entirely.

The solution is **Phishing-Resistant MFA**. This is achieved with hardware security keys that use the **FIDO2/WebAuthn** standard. Here’s why it works:

  • A hardware key is cryptographically bound to the real website’s domain name (e.g., `accounts.google.com`).
  • When you try to log in on the attacker’s fake site (`accounts.g00gle.com`), your browser tells the key which domain is asking for authentication.
  • The key sees the domain is wrong and **refuses to operate**. It simply will not produce the cryptographic signature needed to log in.

The attack is stopped cold. The attacker cannot steal a credential that is never generated. This is the only way to reliably defeat AiTM attacks.
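To make the three bullets concrete, here is an added example (not code from the original post, and not any vendor's implementation) that models the relevant pieces of a WebAuthn assertion: the browser, not the page, fills in the `origin` and derives the relying-party ID from the page's own domain; the key refuses to sign for a domain it holds no credential for; and the server independently checks the origin and the `rpIdHash` before it trusts the signature. The relying-party values `accounts.google.com` / `https://accounts.google.com` and the phishing origin are taken from the text; the signing primitive is an assumption: a real key uses ECDSA or EdDSA, while this toy uses HMAC so it runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

# Hypothetical relying-party (RP) values, taken from the article's example.
RP_ID = "accounts.google.com"
RP_ORIGIN = "https://accounts.google.com"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class SecurityKey:
    """Toy authenticator. A real key signs with an ECDSA/EdDSA private key;
    this stand-in uses HMAC (assumption) so the example needs no third-party library."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id            # the credential is scoped to this one domain
        self.secret = os.urandom(32)  # stands in for the private key

    def get_assertion(self, requested_rp_id: str, client_data_hash: bytes):
        # The browser reports the effective domain of the page asking for a login.
        # The key holds a credential only for self.rp_id and refuses anything else,
        # so a look-alike domain never gets a signature at all.
        if requested_rp_id != self.rp_id:
            return None
        rp_id_hash = hashlib.sha256(self.rp_id.encode()).digest()
        flags = b"\x01"                     # user-present bit
        counter = (1).to_bytes(4, "big")    # signature counter (not checked here)
        authenticator_data = rp_id_hash + flags + counter
        signature = hmac.new(self.secret, authenticator_data + client_data_hash,
                             hashlib.sha256).digest()
        return authenticator_data, signature


def browser_get_assertion(page_origin: str, key: SecurityKey, challenge: bytes):
    """What the browser does on the page's behalf. The page (or a proxy of it)
    cannot choose the origin or the rpId; both come from the URL bar."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, sort_keys=True).encode()
    result = key.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    authenticator_data, signature = result
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data,
            "signature": signature}


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.registered_secret = None
        self.pending_challenge = None

    def register(self, key: SecurityKey):
        self.registered_secret = key.secret   # a real RP stores the public key

    def new_challenge(self) -> bytes:
        self.pending_challenge = os.urandom(32)
        return self.pending_challenge

    def verify(self, assertion) -> tuple:
        """Server-side checks, in the order a WebAuthn RP performs them."""
        client = json.loads(assertion["clientDataJSON"])
        if client.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if client.get("challenge") != b64url(self.pending_challenge or b""):
            return False, "challenge mismatch"
        if client.get("origin") != self.origin:
            return False, "origin mismatch"
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.registered_secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self.pending_challenge = None   # single use: a captured assertion cannot be replayed
        return True, "ok"


def simulate_login(page_origin: str, key: SecurityKey, rp: RelyingParty) -> str:
    """Drive one login attempt from the page at page_origin and report the outcome."""
    challenge = rp.new_challenge()
    assertion = browser_get_assertion(page_origin, key, challenge)
    if assertion is None:
        return "key refused: no credential for " + urlparse(page_origin).hostname
    ok, reason = rp.verify(assertion)
    return "login ok" if ok else "rejected: " + reason


if __name__ == "__main__":
    key = SecurityKey(RP_ID)
    rp = RelyingParty(RP_ID, RP_ORIGIN)
    rp.register(key)
    print(simulate_login(RP_ORIGIN, key, rp))                  # login ok
    print(simulate_login("https://accounts.g00gle.com", key, rp))  # key refused
```

The two lines of defence are independent: the key never signs for `accounts.g00gle.com`, and even a signature obtained some other way fails the server's origin and `rpIdHash` checks because those values are covered by the signature and were filled in by the browser. A consumed challenge is also cleared, so a captured assertion cannot be replayed the way a stolen session cookie can.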


Chapter 5: Strategic Summary & Indicators of Compromise (IOCs)

APT35 remains a dedicated and evolving threat. Their focus on credential theft and their mastery of social engineering make them a persistent risk to their target set. This new campaign demonstrates their adoption of more technically sophisticated AiTM techniques to bypass the growing adoption of traditional MFA. Organizations and individuals at risk must respond by migrating to phishing-resistant authentication technologies.

Indicators of Compromise (IOCs)

Security teams should be aware of these TTPs and hunt for the following patterns associated with APT35:

  • **Domains:** Look for typosquatted domains related to academic institutions or conferences (e.g., `munich-security-conference.net` instead of `.org`).
  • **Email Subjects:** Invitations to “Nuclear Security” webinars, “Middle East Policy” conferences, or requests to review academic papers.
  • **User-Agent:** Monitor for successful MFA logins immediately followed by account access from a different, unusual user-agent or geographic location.
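The third indicator is the one a SOC can turn into a detection: a successful MFA login followed, within a short window, by activity from a different user-agent or country is what a stolen session cookie looks like in identity-provider logs. The following added example (not from the original post, and not tied to any vendor's schema) runs that rule over a handful of constructed JSON-lines sign-in events; the field names `ts`, `user`, `event`, `ua`, `country` and `ip`, the event names `mfa_success` and `access`, and the 30-minute window are all assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of identity-provider sign-in events (JSON lines).
# The schema is an assumption made for this example. prof@univ.example
# completes MFA from a Windows/Chrome browser in DE, then three minutes later
# the same account is used from a Linux/Firefox browser in NL: the pattern of a
# session cookie replayed by someone else. alice@univ.example's later access
# from a phone is outside the window and is not flagged.
SAMPLE_LOG = """\
{"ts": "2025-10-01T09:00:00Z", "user": "prof@univ.example", "event": "mfa_success", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129", "country": "DE", "ip": "203.0.113.10"}
{"ts": "2025-10-01T09:02:00Z", "user": "prof@univ.example", "event": "access", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129", "country": "DE", "ip": "203.0.113.10"}
{"ts": "2025-10-01T09:05:00Z", "user": "prof@univ.example", "event": "access", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115", "country": "NL", "ip": "198.51.100.7"}
{"ts": "2025-10-01T09:10:00Z", "user": "alice@univ.example", "event": "mfa_success", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "country": "DE", "ip": "203.0.113.22"}
{"ts": "2025-10-01T09:12:00Z", "user": "alice@univ.example", "event": "access", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "country": "DE", "ip": "203.0.113.22"}
{"ts": "2025-10-01T11:30:00Z", "user": "alice@univ.example", "event": "access", "ua": "Mozilla/5.0 (iPhone) Safari/17", "country": "DE", "ip": "203.0.113.40"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines events into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_session_hijacks(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Flag accesses that follow an MFA success within `window` but arrive
    from a different user-agent or country than the MFA event itself."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, mfa in enumerate(evs):
            if mfa["event"] != "mfa_success":
                continue
            for later in evs[i + 1:]:
                if later["ts"] - mfa["ts"] > window:
                    break            # events are sorted, nothing later can match
                if later["event"] != "access":
                    continue
                reasons = []
                if later["ua"] != mfa["ua"]:
                    reasons.append("user-agent changed")
                if later["country"] != mfa["country"]:
                    reasons.append("country changed")
                if reasons:
                    alerts.append({
                        "user": user,
                        "mfa_ts": mfa["ts"].isoformat(),
                        "access_ts": later["ts"].isoformat(),
                        "access_ip": later["ip"],
                        "reasons": reasons,
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_session_hijacks(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

In production the comparison should be on a normalised device fingerprint or the identity provider's session ID rather than the raw user-agent string, and the response to a hit is to revoke the affected sessions and reset the account, since a cookie stolen this way stays valid until the session is terminated server-side.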


About the Author

CyberDudeBivash is a cybersecurity strategist and researcher with over 15 years of experience tracking nation-state actors, analyzing phishing campaigns, and architecting identity security solutions. He provides strategic advisory services to CISOs and boards across the APAC region. [Last Updated: October 01, 2025]

