Cobalt Dickens (a.k.a. Silent Librarian) is now actively targeting 380 universities, bent on stealing credentials and moving deeper into school networks.

In a sign of a campaign of massive scale, at least 20 new phishing domains targeting more than 60 universities in Australia, Canada, Hong Kong, Switzerland, the United Kingdom and the United States have cropped up, set up to lift credentials from students heading back to school.

The domains are associated with a group of Iranian cyberattackers collectively known as Cobalt Dickens or Silent Librarian. As Threatpost recently reported in a post on the group’s attack tactics, the attackers are looking to use fake, library-themed landing pages to steal students’ credentials, then use those to steal and resell intellectual property, move laterally within organizations, conduct internal phishing and more.

New details from Secureworks Counter Threat Unit (CTU) researchers this week show that in total, Cobalt Dickens is actively targeting at least 380 universities in more than 30 countries. Many universities have been targeted multiple times, the firm said.