FindArticles

Hacking Campaign Targets Middle East Gmail And WhatsApp

Gregory Zuckerman
Last updated: January 19, 2026 9:55 am

A coordinated phishing operation has zeroed in on high-profile Gmail and WhatsApp users across the Middle East, compromising email credentials and hijacking messaging accounts through convincing lures delivered over chat, according to activists and independent researchers who analyzed the attackers’ infrastructure.

Investigators traced the activity to a cluster of deceptive domains sitting behind a dynamic DNS layer, a setup that masked the true destination of links sent to targets. An exposed server-side log captured more than 850 entries from victims moving through the phishing flow, including usernames, passwords, and one-time codes — the kind of detail that turns a fake login page into a full account takeover.


How the Middle East Gmail and WhatsApp Phishing Worked

The campaign began with tailored WhatsApp messages that coaxed recipients to tap a shortened link hosted on a DuckDNS subdomain. Dynamic DNS made the destination look familiar while allowing the operators to rotate underlying servers and routes with little friction. From there, victims were silently redirected to lookalike pages hosted on dedicated infrastructure using domains themed around Google sign-ins and secure meeting rooms.

Depending on the person targeted, the page presented either a Gmail sign-in or a WhatsApp-branded prompt. The Gmail path harvested repeated credential attempts and captured two-factor authentication tokens in real time — including SMS codes in Google’s distinctive format — enabling the attackers to replay those secrets immediately. The logs functioned like a keylogger, recording every step a victim took until the correct password and code were entered.

The WhatsApp path abused the platform’s device-linking feature. Victims were shown a QR code that, once scanned, silently bound their account to an attacker-controlled device. That granted access to messages, contacts, and metadata without needing a password reset — a long-known social engineering technique that remains effective because it mimics a legitimate workflow.

Code embedded on the phishing pages also requested access to the device’s location, camera, and microphone via standard browser APIs. If a user granted permission, the page began sending GPS coordinates at short intervals and triggered burst recordings of audio and photos while the tab stayed open. While researchers did not observe stored media on the attacker’s server, the capability was active, indicating an intent to move beyond credential theft into situational surveillance.

Who Was Targeted in the Cross-Border Phishing Operation

The known victim set is small but sensitive — fewer than 50 individuals — spanning members of the Kurdish community, an academic specializing in national security, a senior Lebanese cabinet official, the head of an Israeli drone manufacturer, and at least one journalist. Several targets used U.S.-based phone numbers, underscoring the campaign’s cross-border reach.

User-agent data recorded by the attackers show the phishing pages tailored to Windows, macOS, iPhone, and Android devices. The breadth of platform coverage suggests the operators built a flexible toolkit rather than a narrow one-off lure.

Attribution Remains Unclear Amid Espionage And Crime Signs

Analysts are divided on motive and sponsorship. Some see hallmarks of an espionage effort aligned with Iran’s Islamic Revolutionary Guard Corps: highly selective targeting, WhatsApp-centric social engineering, and immediate credential and 2FA capture that enables inbox access and lateral movement. Others point to signs that the infrastructure and domain patterns are consistent with financially motivated operations, which often reuse commodity tooling and dynamic DNS to dodge shutdowns.

The truth may lie in the overlap. Iran and its rivals have a documented history of leaning on contractors and criminal groups to provide plausible deniability. That outsourcing blurs lines between intelligence collection and profit-seeking theft, especially when stolen accounts can yield both sensitive communications and access to financial services.

What is certain is the preparation: the domain cluster appeared staged ahead of the outreach wave, and the DuckDNS front acted as a nimble traffic router. Even after takedowns, this modular design makes relaunching the same playbook trivial with fresh domains and subdomains.

Why the Scheme Worked and How High-Risk Users Can Defend

The scheme exploits two predictable behaviors. First, people trust messages that arrive through familiar apps. Second, time-based one-time codes are phishable when a fake page relays them instantly to an active attacker. No malware is required when a victim willingly hands over everything needed to log in.

Defensive steps are straightforward but must be adopted before an incident. For Gmail and other critical accounts, use phishing-resistant multi-factor authentication such as hardware security keys with FIDO2; avoid SMS codes where possible. For WhatsApp, routinely audit and revoke Linked Devices, enable account protection features, and never scan QR codes presented outside the official app flow.
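
The difference between a relayable one-time code and an origin-bound FIDO2 assertion can be shown with a simplified model. This is an added example, not code from the article or from any vendor; the relying-party name, lookalike origin, secrets and challenge are constructed, and an HMAC stands in for the security key's public-key signature so the block needs only the standard library.

```python
import hashlib, hmac, json, struct

RP_ORIGIN = "https://accounts.example"            # assumed relying party origin
LOOKALIKE_ORIGIN = "https://login-accounts.example"  # constructed lookalike origin

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the shared secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def server_accepts_totp(secret, code, at):
    # Nothing in the code records which site the user typed it into.
    return hmac.compare_digest(code, totp(secret, at))

def browser_get_assertion(key, challenge, page_origin):
    """Model of browser + security key: the browser, not the page, fills in origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    # Stand-in: HMAC replaces the authenticator's public-key signature.
    sig = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, sig

def server_accepts_assertion(key, challenge, client_data, sig):
    """Relying-party check: valid signature, fresh challenge, and the expected origin."""
    expected = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    data = json.loads(client_data)
    return (hmac.compare_digest(sig, expected)
            and data["challenge"] == challenge
            and data["origin"] == RP_ORIGIN)

def demo():
    secret, key = b"constructed-totp-secret", b"constructed-key"
    now, challenge = 1_768_000_000, "c2FtcGxl"     # constructed clock and challenge
    code_from_lookalike = totp(secret, now)        # code entered on the lookalike page
    otp_ok = server_accepts_totp(secret, code_from_lookalike, now + 5)  # replayed 5 s later
    genuine = browser_get_assertion(key, challenge, RP_ORIGIN)
    from_lookalike = browser_get_assertion(key, challenge, LOOKALIKE_ORIGIN)
    return (otp_ok,
            server_accepts_assertion(key, challenge, *genuine),
            server_accepts_assertion(key, challenge, *from_lookalike))

if __name__ == "__main__":
    print(demo())
```

In real WebAuthn the authenticator additionally scopes each credential to the relying party ID, so a lookalike origin cannot obtain an assertion for the genuine site at all.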

High-risk users should default-deny location, camera, and microphone prompts from web pages; segment communications in separate browser profiles; and treat unexpected meeting invites or login prompts received over chat as hostile until verified out-of-band. Organizations can block known dynamic DNS domains, alert on unusual device linking events, and monitor for sign-ins from atypical networks.
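
One way an organization could alert on the delivery pattern described above, a tap on a dynamic DNS link followed within seconds by a request to an unfamiliar host, is sketched below. This is an added example, not tooling from the researchers or the article; the log format, client addresses, host names, allowlist and 10-second window are constructed assumptions, and only `duckdns.org` comes from the page.

```python
from datetime import datetime, timedelta

# Dynamic DNS suffixes to watch. duckdns.org is the provider named in the article;
# extend the tuple with providers your organization chooses to block or alert on.
DYNDNS_SUFFIXES = ("duckdns.org",)
# Hosts already familiar to the organization (constructed allowlist).
KNOWN_HOSTS = {"mail.google.com", "accounts.google.com", "web.whatsapp.com"}
REDIRECT_WINDOW = timedelta(seconds=10)   # assumed window for a redirect hop

# Constructed proxy log lines: ISO timestamp, client address, requested host.
SAMPLE_LOG = """\
2026-01-12T08:14:02 10.0.4.17 mail.google.com
2026-01-12T08:15:40 10.0.4.17 constructed-lure.duckdns.org
2026-01-12T08:15:42 10.0.4.17 signin-portal.example
2026-01-12T08:20:11 10.0.4.23 accounts.google.com
2026-01-12T09:02:30 10.0.4.23 notduckdns.org
2026-01-12T09:30:00 10.0.4.31 Constructed-Cam.DuckDNS.org.
2026-01-12T09:45:00 10.0.4.31 unfamiliar-site.example
"""

def is_dyndns(host):
    """Match the suffix on a label boundary so 'notduckdns.org' is not flagged."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)

def find_alerts(log_text):
    """Return (kind, client, host) tuples for dynamic DNS hits and follow-on hops."""
    alerts, last_dyndns = [], {}   # last_dyndns: client -> time of last dynamic DNS hit
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue               # skip lines that do not have the three fields
        ts, client = datetime.fromisoformat(parts[0]), parts[1]
        host = parts[2].lower().rstrip(".")   # normalize case and trailing dot
        if is_dyndns(host):
            alerts.append(("dyndns", client, host))
            last_dyndns[client] = ts
        elif (host not in KNOWN_HOSTS and client in last_dyndns
              and ts - last_dyndns[client] <= REDIRECT_WINDOW):
            alerts.append(("redirect-after-dyndns", client, host))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```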

The takeaway from this campaign is blunt: sophisticated infrastructure is not required to compromise influential people — only convincing timing, realistic branding, and a path to capture that first tap.

Gregory Zuckerman is a veteran investigative journalist and financial writer with decades of experience covering global markets, investment strategies, and the business personalities shaping them. His writing blends deep reporting with narrative storytelling to uncover the hidden forces behind financial trends and innovations. Over the years, Gregory’s work has earned industry recognition for bringing clarity to complex financial topics, and he continues to focus on long-form journalism that explores hedge funds, private equity, and high-stakes investing.