Israel’s National Cyber Directorate recently issued an urgent alert about a targeted spear-phishing attack aimed at people working in security and defense-related areas.
The campaign uses WhatsApp messages that pretend to come from trusted organizations, inviting targets to professional conferences.
These messages contain shortened URLs that lead victims to fake websites designed to steal personal details and, in some cases, deliver malicious files. The attack shows clear signs of being carefully planned rather than opportunistic, with links to known threat groups.
The URL-shortener domain msnl[.]ink was found at the center of this operation. This domain is part of a larger network of URL shorteners that security researchers have been watching for some time.
The fake messages appear professional and use conference themes to seem real and trustworthy. Once victims click the link, they are taken to spoofed websites that try to collect their personal and work-related information.
The fake sites look like real conference registration pages, making it hard for people to spot the danger.
Security analyst Idan Tarab identified this campaign while tracking infrastructure patterns linked to APT42, a threat group also known as Charming Kitten.
The attack shows strong connections to this Iranian state-sponsored group through its technical setup and methods. Tarab noted that the URL shortening system shows deliberate design choices that point to experienced attackers, not opportunistic criminals.
The infrastructure behind this attack reveals key technical details about how the group operates.
Analysis of msnl[.]ink shows it runs on Microsoft-IIS/10.0 servers hosted across multiple countries, including the Netherlands, Germany, Moldova, and Italy.
The setup uses custom-built URL shorteners with consistent patterns across .ink and .info domain names. This kind of infrastructure takes time and resources to build, showing that the attackers are well-funded and organized.
The hosting choices across different countries also make it harder for law enforcement to take down the operation.
Technical Infrastructure and Attribution
The connection to APT42 comes from matching infrastructure patterns that researchers have tracked over time. The URL shortening system uses specific server fingerprints and hosting services that match earlier campaigns linked to this group.
The attackers reuse the same dynamic DNS (DDNS) services and domain naming patterns, creating a digital signature that security teams can track.
The Microsoft-IIS server setup is consistent across multiple domains in the network, suggesting centralized management rather than separate operations.
These technical markers help security teams identify new attacks from the same group and block them before they reach more victims. Organizations can use this information to update their security tools and train employees to spot these specific types of phishing attempts.
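As an added illustration of how a security team might turn the markers named above (the msnl[.]ink shortener domain, the .ink/.info shortener pattern, and the Microsoft-IIS/10.0 banner) into a triage check, the script below scans exported chat messages for links and flags those that match. It is not code from the alert or from the researcher; the sample messages, phone numbers and domains other than msnl[.]ink are constructed placeholders, and treating every .ink/.info host as shortener-style is a deliberately coarse heuristic for analyst review.

```python
import re
from urllib.parse import urlparse

# Indicator reported in the alert (written defanged on the page as msnl[.]ink).
KNOWN_SHORTENER_DOMAINS = {"msnl.ink"}
# Coarse heuristic (assumption): the reported network used custom shorteners
# on .ink and .info names, so any such host is flagged for a human to review.
SHORTENER_TLD_PATTERN = re.compile(r"\.(ink|info)$")
# Server banner reported for the msnl[.]ink hosts.
SUSPECT_SERVER_BANNER = "Microsoft-IIS/10.0"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_url(url, server_banner=None):
    """Return the reasons a URL matches the campaign fingerprint ([] = clean)."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if host in KNOWN_SHORTENER_DOMAINS:
        reasons.append("known shortener domain")
    elif SHORTENER_TLD_PATTERN.search(host):
        reasons.append("shortener-style .ink/.info domain")
    # The banner alone is too common to flag; only add it as corroboration.
    if reasons and server_banner == SUSPECT_SERVER_BANNER:
        reasons.append("IIS/10.0 banner matches reported hosts")
    return reasons


def scan_messages(messages, banners=None):
    """messages: iterable of (sender, text); banners: host -> Server header
    recorded when a proxy or sandbox resolved the link (optional)."""
    banners = banners or {}
    hits = []
    for sender, text in messages:
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            reasons = classify_url(url, banners.get(host))
            if reasons:
                hits.append({"sender": sender, "url": url, "reasons": reasons})
    return hits


# Constructed sample messages and banners for demonstration only.
SAMPLE_MESSAGES = [
    ("+00 000 0000", "Invitation: Defense Tech Summit, register at https://msnl.ink/abc123"),
    ("+00 000 0001", "Agenda for Thursday: https://conf.example/agenda"),
    ("+00 000 0002", "Panel sign-up: https://ex4mpl.info/reg"),
]
SAMPLE_BANNERS = {"msnl.ink": "Microsoft-IIS/10.0", "ex4mpl.info": "nginx"}

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_MESSAGES, SAMPLE_BANNERS):
        print(hit)
```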
