---
title: "Iranian-Aligned Cybercriminal Group targets Researchers, Academics, and Journalists with Sophisticated Phishing Campaign | Phish Protection"
description: "Iranian-Aligned Cybercriminal Group targets Researchers, Academics, and Journalists with Sophisticated Phishing Campaign: TA453, an Iranian-aligned."
image: "https://phishprotection.com/og/blog/iranian-cybercriminals-target-researchers-academics-and-journalists-with-phishing.png"
canonical: "https://phishprotection.com/blog/iranian-cybercriminals-target-researchers-academics-and-journalists-with-phishing/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2022/09/email-phishing-protection-4543.jpg) 

TA453, an Iranian-aligned cybercriminal group, is harvesting credentials by employing **multi-persona impersonation**. This article shares details about TA453, its Korg remote template injection, how TA453’s [phishing](/resources/what-is-phishing) campaign works, how to check if you are a target, and how to protect yourself.

New [cybercrime](https://english.kyodonews.net/news/2023/03/9f3b81442087-cybercrime-in-japan-hits-record-high-in-2022-ransomware-cases-surge.html) tactics seem to be the latest craze among cybercriminals. There is news of fresh, signature malicious tactics used to **steal data and deliver payloads**.

The latest in this line is an Iranian **sock puppet phishing** creation. The sophisticated phishing tactic uses multiple impersonation accounts to lure victims and deliver **malicious payloads** that collect confidential information from the victim’s system and exfiltrate it to the cybercrime group. Let us see who the [cybercriminals](/blog/cybercriminals-are-duping-millions-of-accounts-in-the-latest-facebook-phishing-campaign/) behind this sock puppet campaign are and how they carry out their malicious intentions.


### Who is TA453?

**TA453** is the name of the Iranian-aligned cybercriminal group behind the [sock puppet](https://www.techtarget.com/whatis/definition/sock-puppet#:~:text=A%20sock%20puppet%2C%20in%20the,such%20as%20Facebook%20or%20Twitter.) campaign targeting **innocent users** with the help of multiple impersonation accounts.

TA453 is a part of the **IRGC (Islamic Revolutionary Guard Corps)** and has previously been seen **impersonating journalists** to target policy experts. TA453 is known for its unique [social engineering](/phishing-awareness/social-engineering-attack-twilio-compromises-employee-accounts-customer-data) technique that experts call Multi-Persona Impersonation, which uses two or more personas on a single email thread to boost the legitimacy and effectiveness of the phishing campaign.

This recent sock puppet campaign is the latest in their line of targeting Middle Eastern affairs and **nuclear security structures**.

### Who does the TA453 Target?

TA453 delves deep into masquerading and impersonation campaigns by posing as policy-adjacent individuals or journalists. _The [threat actor](/phishing-awareness/threat-actors-breach-reddit-and-access-internal-documents-code-and-business-systems) establishes trust by offering help to collaborate with their victims and has targeted academics, journalists, diplomats, human rights workers, and policymakers the most._

TA453’s malicious actors initiate benign conversations and use social engineering tactics to dupe victims and **harvest their credentials**. Most of the cybercriminal group’s past activity involved **one-to-one discussions**. According to [Proofpoint’s researchers](https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo), the approach shifted into a new one in June 2022.

![Email phishing protection](https://media.mailhop.org/phishprotection/images/2022/09/email-phishing-protection-4543.jpg) 

### What is TA453’s Remote Template Injection?

TA453’s latest campaigns included [OneDrive](/uncategorized/using-microsofts-onedrive-be-afraid-be-very-afraid) links to malicious documents. The documents are TA453’s password-protected **remote template injection** documents, which download **macro-enabled template** documents from 354pstw4a5f8.filecloudonline\[.\]com. A similar filecloudonline\[.\]com host has been observed in multiple TA453 sock puppet campaigns, and the **downloaded template is called Korg**.

Korg includes three [macros](https://thehackernews.com/2022/02/microsoft-disables-internet-macros-in.html), Module1.bas, Module2.bas, and ThisDocument.cls, that collect and **exfiltrate information** such as:

- The victim’s username
- The list of running processes
- The victim’s **public IP (Internet Protocol) address** from my-ip.io

All the information is exfiltrated using [Telegram API](https://towardsdatascience.com/introduction-to-the-telegram-api-b0cd220dbed2). According to Proofpoint, there is no follow-up on TA453’s exploitation capabilities as it has only accumulated information, which is an **abnormal approach** for TA453 macros. _The lack of code execution or C2 (Command and Control) capabilities means that infected devices and victims could face **further exploitation**_.
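A defender can check a received `.docx` for this technique without opening it in Word. The following is an added example, not code from Proofpoint or from this article: it reads the package's relationship parts and reports any attached template that resolves to a web or UNC location. The function names, the result labels, and the sample host `templates.example.invalid` are assumptions made for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# OPC relationship element and the relationship type Word uses for an attached template.
REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
# Encrypted Office files are OLE compound files, not ZIP archives.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
REMOTE_PREFIXES = ("http://", "https://", "\\\\")  # web URL or UNC share


def inspect_docx(data: bytes) -> dict:
    """Report attached-template relationships that point off the machine."""
    if data.startswith(OLE_MAGIC):
        # Relationships cannot be read until the container is decrypted.
        return {"status": "ole-container", "remote_templates": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"status": "not-ooxml", "remote_templates": []}
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                # For untrusted files in production, use a hardened XML parser.
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter(REL_TAG):
                target = rel.get("Target", "")
                # A local file:// template is common and benign, so only
                # web and UNC targets are reported.
                if (rel.get("Type") == TEMPLATE_TYPE
                        and rel.get("TargetMode", "").lower() == "external"
                        and target.lower().startswith(REMOTE_PREFIXES)):
                    hits.append((name, target))
    return {"status": "suspicious" if hits else "clean", "remote_templates": hits}


def build_sample(template_target: str) -> bytes:
    """Constructed test input: a ZIP holding only the settings relationship part."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "remote": build_sample("https://templates.example.invalid/template.dotm"),
        "local": build_sample("file:///C:/Users/Public/Templates/Report.dotx"),
        "encrypted": OLE_MAGIC + b"\0" * 8,
    }
    for label, blob in samples.items():
        print(label, inspect_docx(blob))
```

An `ole-container` result means the file is an encrypted or legacy Office container whose relationships are not visible to this check, so it should go to a sandbox or be decrypted first.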


### How do TA453’s Campaigns Work, and How have They Evolved?

TA453 took on a new approach when the cybercriminal group masqueraded as Aaron Stein, the **Director of Research at FRPI**. Aaron Stein, the threat actor, initiated conversations by inquiring about the Gulf States, the [Abraham Accords](https://byjus.com/current-affairs/abraham-accords/), and Israel as a pretext, but these were later rumored to be **specific intelligence questions** tasked to the cybercriminal group.

As Aaron Stein, the cybercriminals employed their **signature** Multi-Persona Impersonation and started **CCing (Carbon Copy-ing)** others, namely Richard Wike, the Director of Global Attitudes Research at PEW. Here is a look at one such email shared by Proofpoint.

Following the above email, the threat actor initiated an **email thread**, this time from Richard Wike’s side, soliciting responses from the target. Once the email conversation flows, the threat actors send [phishing links](https://www.financialexpress.com/life/technology-google-takes-down-phishing-links-that-took-advantage-of-twitters-ongoing-blue-tick-overhaul-2768202/) designed to harvest the credentials of victims, who are oblivious to the fact that **they are duped**.


### TA453 Targets Research Specialists

TA453 also targeted **genome research specialists**, masquerading as one Harald Ott, and used **two other accounts** under the names Clair Parry and Dr. Andrew Marshall. The former is the supposed Assistant Director at the Center for Universal Health, and the latter is the Chief Editor of Nature Biotechnology.

Three Multi-Persona Impersonations made this [email threat](https://www.reliaquest.com/blog/email-exotic-lily/?web%5Fview=true) when the threat actor initiated dialogue as Harald, bringing up the topic of organ regeneration as bait. After email conversations, Harald delivered a OneDrive link. The link downloaded a **malicious Word document** named “Ott-Lab 371.docx” to the victim’s system. The document used Remote Template Injection and **downloaded** “Korg,” as reported by Proofpoint and PwC.


### TA453’s Latest Group Attacks

TA453 did not stop there and initiated another attack campaign as **Carroll Doherty**. The threat actor reached out to two academics at the same university who were involved in **nuclear arms control**. This time, the topic of discussion was a possible clash between the US and Russia.

The Multi-Persona approach took another turn as this time it included three additional threat actor-controlled [email accounts](https://www.bleepingcomputer.com/news/security/hacked-corporate-email-accounts-used-to-send-msp-remote-access-tool/) to target both victims, namely “Daniel Krcmaric,” “Aaron Stein,” and “Sharan Grewal.”

After getting an initial response, the **secondary email** did not get the desired response. The threat actor then sent two additional emails with the malicious OneDrive link that downloaded the document, “The possible US-Russia clash.docx.”

The threat actor also sent a third email as Aaron, dropping his previous persona, Carroll, from the [email thread](https://www.techopedia.com/definition/1503/email-thread). The email included an apology and the same OneDrive link with the document that used the **remote template injection**, which downloads Korg.


![Anti phishing software](https://media.mailhop.org/phishprotection/images/2022/09/anti-phishing-software-2319.jpg) 

### Are You a Target of TA453’s Sock Puppet Phishing Campaign?

Researchers at Proofpoint, PwC, and the US Department of Justice have been **assessing all evidence** regarding TA453’s campaign. The threat actor operates in support of the IRGC (Islamic Revolutionary Guard Corps), and its goals resonate with the **IRGC-IO priorities**.

TA453 selects its targets based on three things:

- Victimology
- Techniques
- Infrastructure

The threat actor has turned a simple idea into a **sophisticated approach** to lure victims and harvest their credentials. With its past **targeting of journalists**, academics, and [researchers](https://thehackernews.com/2023/02/researchers-link-sidewinder-group-to.html), you might get a clear idea if you are a target of this campaign. _Regardless, it is always best to stay protected and avoid such emails._


### How to Keep Safe From the TA453 Phishing Campaign?

Subgroups of the TA453 cybercriminal group send **malicious links** in the first email or may send them after an email conversation that includes various personas. There are many indicators of a **possible compromise** that may help identify a suspicious [email conversation](https://www.bleepingcomputer.com/news/security/hackers-hijack-ongoing-email-conversations-to-insert-malicious-documents/), especially one using Multi-Persona Impersonation, such as:

- Presence of Gmail, Outlook, Hotmail, or AOL email addresses as opposed to institutional ones.
- Presence of additional email accounts in the CC.
- Replies to **black emails**.
- Requests to collaborate or inquiries on certain topics relating to Middle Eastern issues.
- Presence of [malicious links](https://www.indiatoday.in/technology/news/story/mumbai-man-clicked-on-malicious-link-and-lost-over-35-lakh-here-is-what-happened-2311669-2022-12-21), often to **Zoom Calls**, OneDrive documents, and draft attachments.
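The header and link indicators in this list can be applied to a raw message for triage. The sketch below is an added example, not tooling from Proofpoint or from this article; it covers only the freemail-sender, freemail-CC, and link indicators. The hostnames in `LURE_HOSTS`, the indicator labels, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Consumer mail domains for the providers named in the list above.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "aol.com"}
# Assumed hostnames for OneDrive and Zoom links; extend for your environment.
LURE_HOSTS = ("1drv.ms", "onedrive.live.com", "zoom.us")
URL_RE = re.compile(r"https?://[^\s<>()]+", re.IGNORECASE)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _text_body(msg) -> str:
    """Concatenate all text/* parts, decoding any transfer encoding."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def indicators(raw_message: str) -> list:
    """Return the list's header and link indicators found in one message."""
    msg = message_from_string(raw_message)
    found = []
    if any(_domain(a) in FREEMAIL for _, a in getaddresses(msg.get_all("From", []))):
        found.append("freemail-sender")
    cc_free = [a for _, a in getaddresses(msg.get_all("Cc", [])) if _domain(a) in FREEMAIL]
    if cc_free:
        found.append("freemail-cc:%d" % len(cc_free))
    hosts = set()
    for url in URL_RE.findall(_text_body(msg)):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in LURE_HOSTS):
            hosts.add(host)
    found.extend("lure-link:" + h for h in sorted(hosts))
    return found


# Constructed sample: several freemail personas on one thread plus a OneDrive link.
SUSPICIOUS = """\
From: "Persona One" <persona.one@gmail.com>
To: target@university.example
Cc: "Persona Two" <persona.two@outlook.com>, persona.three@hotmail.com
Subject: Re: Request to collaborate

The draft is here: https://1drv.ms/w/s!EXAMPLE-CONSTRUCTED
"""

# Constructed sample: institutional addresses and an institutional link.
BENIGN = """\
From: colleague@university.example
To: target@university.example
Cc: admin@university.example
Subject: Seminar room

Details: https://university.example/seminar
"""

if __name__ == "__main__":
    print(indicators(SUSPICIOUS))
    print(indicators(BENIGN))
```

Each indicator also appears in legitimate mail, so the output is a prompt to verify the sender through a known institutional channel, not a verdict.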

### Final Words

Cybercriminals are evolving their tactics **regularly**, and the TA453 sock puppet phishing campaign for delivering payloads is an effective approach whose endpoint is **still questionable**. Thus, email security and [phishing protection](/) should be a top priority for each individual. As a precautionary measure, you should look for the above indicators of compromise and refrain from engaging with malicious [phishing emails](/content/stop-phishing-emails).


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

