Who is being targeted by Educated Manticore?

Starting mid-June 2025, top cyber and computer science experts from leading Israeli universities became the primary targets of this campaign, along with journalists and cybersecurity professionals. The targeting appears focused on Israeli academics and security researchers.

How does Educated Manticore conduct their attacks?

The threat actors send messages as fictitious employees of legitimate cybersecurity companies via email and WhatsApp communications. The objective is to extract credentials and bypass multi-factor authentication. Initial messages contain no malicious links, with attackers maintaining professional interaction until sending an online meeting link leading to phishing infrastructure.

What role does AI play in these attacks?

The initial attack is carefully prepared and assisted by AI. The emails have a professional formal tone, structured layout, and error-free grammar. However, some targets reported inconsistencies such as name mismatches between email body content and sender account names.

Are there concerns about physical surveillance or attacks?

Yes, in one concerning instance, a WhatsApp message used Iran-Israel tensions to imply urgency, with attackers even suggesting in-person meetings in Tel Aviv. This raised significant concerns about potential physical surveillance or physical attacks on targeted individuals.

How sophisticated is their technical infrastructure?

The phishing infrastructure supports authentication flows to enable two-factor authentication relay attacks, handling various mechanisms including SMS verification, Google Authenticator integration, and phone-based authentication. A concerning new aspect is a passive keylogger that captures every keystroke in real-time through persistent WebSocket connections.

How aggressive are the attackers in their approach?

The attackers were very aggressive in conversations, especially through WhatsApp, urging targets to click links. Most attacks either succeed or fail within one to two days before moving to the next target and discontinuing use of the same domain.

What geopolitical context drives this campaign?

The campaign operates within the context of ongoing Iran-Israel tensions, with attackers using this geopolitical situation to create urgency and credibility in their social engineering attempts. The focus on Israeli academics and cybersecurity professionals suggests intelligence gathering objectives related to the conflict.

What makes this campaign particularly concerning for targeted individuals?

This campaign is particularly concerning because it combines sophisticated technical capabilities (2FA bypass, real-time keylogging, AI-assisted social engineering) with potential escalation to physical surveillance or attacks. The suggestion of in-person meetings in Tel Aviv indicates the threat may extend beyond digital espionage to physical security concerns. The targeting of cybersecurity professionals also suggests an attempt to compromise individuals who should be most aware of such threats, potentially indicating very sophisticated social engineering techniques.

Scam/Phishing

Threat group Educated Manticore targets academia and cybersecurity experts

Q: What is particularly dangerous about their keylogger implementation?

The passive keylogger captures every keystroke and transmits data in real-time through persistent WebSocket connections. This keylogger records every character typed, even if the user abandons the form or never submits it, providing attackers with comprehensive visibility into victim behavior and potential additional sensitive information.

Q: How do they bypass multi-factor authentication?

Their phishing infrastructure supports two-factor authentication relay attacks, where threat actors can complete multi-factor authentication against legitimate services using stolen data. The system handles various authentication mechanisms in real-time, allowing them to bypass 2FA protections by acting as a man-in-the-middle.

published: June 26, 2025

Take action: Whatever the attack motivation or the initial social engineering, all these attacks end up with an insistence for you to click on something and enter credentials. Be extremely suspicious of unexpected emails or messages, and verify independently - all or email the organization through official contact channel on the official site. NEVER click on links or call numbers in the unexpected message.

Learn More

Checkpoint reports that a threat group known as Educated Manticore, which is suspected to be supported by Iran has escalated cyber espionage activities targeting high-profile academics, journalists, and cybersecurity professionals with social engineering context of the ongoing Iran-Israel conflict.

Starting mid-June 2025, top cyber and computer science experts from leading Israeli universities became the primary targets of this campaign:

The threat actors sent messages as fictitious employees of legitimate cybersecurity companies via email and WhatsApp communications. The objective is to extract credentials and bypass multi-factor authentication.
The initial attack is carefully prepared and assisted by AI. The emails have a professional formal tone, structured layout, and error-free grammar. Some targets reported inconsistencies such as name mismatch between email body content and sender account names.
In one instance, a WhatsApp message used the tensions between Iran and Israel to imply urgency, and the attackers even suggesting in-person meetings in Tel Aviv. This raised concerns about potential physical surveillance or physical attack on a person.
In all cases, the initial message contains no malicious links, and attackers had a professional interaction with the target until they sent an online meeting link that lead to attacker-controlled phishing infrastructure.

Initial email impersonating a fictitious Threat Intelligence Analyst. Source - CheckPoint research

The phishing infrastructure supports authentication flows to enable two-factor authentication relay attacks, where threat actors can complete multi-factor authentication against legitimate services using stolen data. The system handles various authentication mechanisms including email/username entry, SMS verification codes, password input, verification prompts, phone-based authentication, Google Authenticator integration, and security code entry.

A new and concerning aspect of the technical implementation is the incorporation of a passive keylogger that captures every keystroke and transmits the data in real-time through persistent WebSocket connections. This keylogger records every character typed, even if the user abandons the form or never submits it, providing attackers with comprehensive visibility into victim behavior and potential additional sensitive information.

The campaign used more than 130 unique domains along with numerous subdomains, using one or two domains for each targeted individual. From January 2025 onward, threat actors registered many domains used for targeted phishing operations, either hosting phishing kits or serving as backend infrastructure, with most domains registered through the NameCheap registrar.

The attackers were very aggressive in conversations, especially through WhatsApp, urging targets to click links with most attacks either succeeding or failing within one to two days before moving to the next target and discontinuing use of the same domain.

Threat group Educated Manticore targets academia and cybersecurity experts

Read More
Phishing attack impersonating Coinbase
Netflix payment phishing campaign stealing a lot of …
Be careful about Ctrl-V: clipboard and social engineering …
SMS Based scam impersonating Apple, leading victims to …
Checkpoint warns of phishing campaign that emulates potential …