Mass protests abroad have not slowed Iranian cyber operations: Iranian threat actors have continued spear-phishing campaigns targeting expats and others connected to Iranian affairs. On 13 January, UK-based activist Nariman Gharib revealed a highly targeted spear-phishing campaign attributed to the Iranian Revolutionary Guard Corps. The phishing site was quickly shut down, but the espionage has continued.
The activity has targeted Iranian, Syrian, Kurdish, Lebanese, Israeli, and American individuals, among others, with dozens of documented attacks reported. In the first wave, victims received WhatsApp messages linking to a DuckDNS-hosted domain that redirected to a phishing page, potentially exposing credentials and enabling location, camera, and microphone access.
TechCrunch, which worked with Gharib to analyse the campaign, reported 850 credentials listed in the attackers’ database, including usernames, passwords, and 2FA codes. In the second wave, IRGC operatives employed tactics across Gmail, Telegram, X and other channels, including a fake Telegram bot and impersonation of a Bahraini peace activist to solicit interviews and steal credentials. According to TechCrunch, the campaign appears to rely heavily on social engineering and may involve more than one Iranian threat group. 5 February 2026.