Iranian Hackers Launch Sophisticated Attacks Targeting Israel with PowerLess Backdoor

Abstract: 

An activity cluster tracked as "Educated Manticore," suspected to be of Iranian origin, has been linked to a wave of phishing attacks targeting Israel. The attacks deliver ransomware and other malware, including a Windows backdoor called PowerLess. The cluster shows "strong overlaps" with a hacking crew tracked under several names, including APT35, Charming Kitten, and Cobalt Illusion. The lure is a decoy document, provided in English, Arabic, and Hebrew, that appears to contain academic content about Iraq from a legitimate organization, the Arab Science and Technology Foundation. The PowerLess backdoor lets an adversary log keystrokes, steal data from web browsers and applications, take screenshots, and record audio. Analysis of the attacks also showed that two scripts are downloaded from a remote server and executed, but no concrete information on post-infection activity has been observed yet.

Author: 

Ravie Lakshmanan

Year: 

2023

Domain: 

Dimension: 

Region: 

Data Type: 

Keywords: