The campaign aimed at individuals specializing in Middle Eastern affairs, nuclear security and genome research. Threat actors used at least two actor-controlled personas on a single email thread to target their victims.
TA453 is a nation-state actor that overlaps with activity tracked as Charming Kitten, PHOSPHORUS, and APT42.
The attack chain starts with phishing emails impersonating legitimate individuals at Western foreign policy research organizations, including the Pew Research Center, the Foreign Policy Research Institute (FPRI), the U.K.’s Chatham House, and the scientific journal Nature.
Since mid-June 2022, the attackers have employed a new technique named Multi-Persona Impersonation (MPI), wherein they used not one but several actor-controlled personas in the same email conversation to trick the victims into believing that the message is legitimate.
The embedded link is a OneDrive link that downloads a Microsoft Office document.
A day after the initial email, one of the personas involved in the discussion responded to the email thread, likely in an attempt to establish the veracity of the request and solicit a response from the target. This second message doesn’t include malicious documents or links.