apt attack

BadBlood campaign targeting American and Israeli medical researchers By TA453

In the second half of 2020, the Iranian threat group launched a credential campaign aimed at senior medical personnel in the United States and Israel specializing in genetics, neurology and oncology research. Researchers named the event BadBlood based on medical goals and the ongoing geopolitical tensions between Iran and Israel.

TA453 (also known as CHARMING KITTEN and PHOSPHORUS) has historically been associated with the Islamic Revolutionary Guard Corps (IRGC), an group that mainly targets dissidents, academics, diplomats, and journalists.

In the malicious activity in December 2020, used a controlled Gmail account to pretend to be a famous Israeli physicist. The account (zajfman.daniel[@]gmail.com) sent an email with the subject “Nuclear weapons at a glance: Israel” and contained social engineering decoys related to Israel’s nuclear capabilities. These malicious emails contain links to the domain 1drv[.]casa controlled by TA453. Clicking on the URL will open a site that pretends to be the Microsoft OneDrive service. The site contains a PDF document logo named CBP-9075.pdf.


When users try to view and download PDF documents, 1drv[.]casa will provide a fake Microsoft login page that attempts to obtain user credentials. Clicking on any other hyperlink in the web page will cause the same redirect to the fake Microsoft login page, except for “Create one!”, which points to the legitimate Microsoft Outlook “Sign Up” page.

At present, researchers cannot determine the motives of the attackers to carry out BadBlood activities. This activity can show that is interested in the patient information of the target medical staff, or is intended to use the recipient’s account in further activities. Although this activity may represent the TA453 group’s change of target, it may also be an outlier, reflecting TA453’s specific priority intelligence mission.