TLP:CLEAR | CTI Team | Updated: March 2026
1. IDENTIFICATION & ATTRIBUTION
Designations (vendor aliases)
The group is tracked under the following vendor designations: APT42 (Mandiant/Google TI, reference designation; first public documentation September 2022), Damselfly (Mandiant internal), UNC788 (Mandiant pre-attribution), CALANQUE (Google Threat Analysis Group), OwlSandstorm (Microsoft), Yellow Garuda (PwC), ITG18 (IBM X-Force). Documented overlap with: Charming Kitten (ClearSky/CERTFA), Mint Sandstorm / Phosphorus (Microsoft), TA453 (Proofpoint), CharmingCypress (Volexity), GreenCharlie (Recorded Future), Educated Manticore (Check Point). Documented internal clusters, per the Israel National Digital Agency (INDA), 2025: Cluster B (credential harvesting) and Cluster D (malware-based operations). Additional aliases: G1044 (MITRE ATT&CK), TAG-56.
Origin
Iran.
Presumed sponsor
The group is assessed as operating on behalf of the IRGC-IO (Islamic Revolutionary Guard Corps Intelligence Organization) (1). Attribution is based on convergence across Mandiant, Google TAG, Microsoft, Proofpoint, ClearSky, and corroborating government analyses. APT42 is structurally distinct from APT35 (same IRGC-IO sponsor) but shares infrastructure and activity clusters with that group: APT42 focuses on individual surveillance and targeted human intelligence collection, while APT35 conducts broader espionage operations against organizations, including intellectual property theft. APT42 is also distinct from APT39 (MOIS) by its sponsor.
Sophistication level
Tier 2 (Moderate to High). APT42 is distinguished less by top-tier technical sophistication than by the quality of its social engineering and the operational patience of its operators. The group invests weeks or months building trust relationships with targets before any compromise attempt. Since 2024, the group has significantly enriched its malware arsenal (NICECURL, TAMECAT, GHAMBAR, PINEFLOWER) while maintaining its specialization in cloud credential harvesting. In 2025-2026, integration of generative AI into lure and persona production has been documented (2).
Motivation
Individual surveillance and targeted human intelligence collection: tracking of opponents of the Iranian regime, dissidents, journalists, researchers, NGOs, and members of the Iranian diaspora. Support for IRGC-IO counterintelligence operations (identification of internal and external threats to the regime). Since 2024, documented extension toward broader geopolitical objectives, including electoral interference and collection against defense and government figures (3).
Status
ACTIVE. Last documented activity: March 2026. SpearSpecter campaigns active since September 2025 (INDA); Check Point documented campaigns against Israeli cybersecurity professionals in June 2025; Trellix and ExtraHop documented toolkit maturation in 2026 (2)(4).
Targeted sectors
- NGOs, human rights organizations, think tanks
- Journalists, international media
- Government, administrations, intergovernmental organizations
- Defense and military sector (documented expansion since 2025)
- Academic sector, foreign policy researchers, nuclear experts
- Legal services, law firms
- Iranian diaspora and regime opponents
- Family members of primary targets (documented in 2025, SpearSpecter)
Targeted geographic areas
- Israel (documented priority target; activity peak since 2023)
- United States (including 2024 election political campaign targeting)
- United Kingdom, France, Germany, Western Europe
- Middle East (Iran internally, Saudi Arabia, UAE, Turkey)
- Canada, Australia
- Global Iranian diaspora
2. INFRASTRUCTURE & TTPs
C2 Infrastructure
APT42 relies heavily on legitimate cloud services to host its C2 infrastructure and credential harvesting pages: Google Sites, Google Drive, OneDrive, Dropbox, Cloudflare Workers, Firebase. This Living-off-the-Cloud approach makes network-based detection particularly challenging as malicious traffic blends with legitimate cloud traffic. Phishing pages faithfully mimic authentication portals for Google, Microsoft, Yahoo, ProtonMail, and university institutions. Since 2025 (SpearSpecter campaign), documented use of Discord and Telegram as C2 channels for the TAMECAT backdoor (4). Infrastructure is regularly renewed with freshly registered domains. Overlap with APT35 infrastructure is documented by multiple vendors (1).
MITRE ATT&CK TTP Table
| Phase | Technique | ATT&CK ID | Associated Procedure |
|---|---|---|---|
| Initial Access | Spear-phishing Link | T1566.002 | Links to credential harvesting pages mimicking Google/Microsoft |
| Initial Access | Spear-phishing Attachment | T1566.001 | LNK files, RAR archives (CVE-2023-38831), Office macros |
| Initial Access | Gather Victim Identity Information | T1589 | Deep research on targets via social networks, publications |
| Resource Development | Compromise Accounts | T1586.002 | Use of compromised email accounts for phishing campaigns |
| Resource Development | Establish Accounts | T1585.001 | Creation of journalist, researcher, organizer personas |
| Execution | PowerShell | T1059.001 | TAMECAT: arbitrary PowerShell and C# content execution |
| Execution | Visual Basic | T1059.005 | NICECURL: VBScript backdoor |
| Execution | User Execution: Malicious Link | T1204.001 | Multi-stage social engineering before malicious link delivery |
| Persistence | Registry Run Keys | T1547.001 | GHAMBAR, CHAIRSMACK |
| Persistence | Boot or Logon Autostart | T1547 | PINEFLOWER (Android), GHAMBAR |
| Defense Evasion | Masquerading | T1036 | Impersonation of journalists, researchers, conference organizers |
| Defense Evasion | Use Alternate Authentication Material | T1550.002 | Reuse of stolen session cookies to bypass MFA |
| Defense Evasion | Modify Authentication Process | T1556 | Registration of attacker Authenticator after MFA compromise |
| Credential Access | Phishing for Information | T1598 | Fake Google, Microsoft, Yahoo, ProtonMail pages |
| Credential Access | Steal Web Session Cookie | T1539 | Session cookie theft for MFA-bypass reuse |
| Credential Access | Multi-Factor Authentication Interception | T1111 | OTP interception via adversary-in-the-middle proxy |
| Collection | Email Collection | T1114 | Mailbox access after credential compromise (Microsoft 365, Gmail) |
| Collection | Data from Cloud Storage | T1530 | Exfiltration from Google Drive, OneDrive, SharePoint post-access |
| Collection | Audio Capture | T1123 | CHAIRSMACK, VINETHORN |
| Collection | Screen Capture | T1113 | GHAMBAR, TAMECAT |
| Collection | Keylogging | T1056.001 | GHAMBAR |
| C2 | Application Layer Protocol: Web | T1071.001 | HTTPS toward legitimate cloud services (Google, Cloudflare Workers) |
| C2 | Application Layer Protocol: Messaging | T1071.003 | Discord, Telegram Bot API (SpearSpecter campaign 2025) |
| Lateral Movement | Use Alternate Authentication Material | T1550 | Lateral movement with stolen credentials and tokens |
| Exfiltration | Exfiltration Over Web Service | T1567 | Exfiltration via legitimate cloud services |
3. MALWARE & TOOLING
NICECURL (alias BASICSTAR)
- Type: VBScript backdoor
- Function: Post-phishing initial access, arbitrary command execution, download and execution of additional modules (data mining, file collection), artifact removal
- C2 channel / specifics: HTTPS; deployed via malicious LNK files with decoy documents (e.g., fake Harvard T.H. Chan School of Public Health Interview Feedback Form, January 2024); supported commands: kill (artifact removal), SetNewConfig (beacon interval update), Module (module download and execution) (1)
- First identified: Volexity, February 2024 (BASICSTAR); Mandiant, May 2024 (NICECURL)
- Status: Active
TAMECAT
- Type: PowerShell implant (toehold)
- Function: Arbitrary PowerShell and C# content execution; flexible execution interface serving as a jumping point for secondary payloads or manual command execution
- C2 channel / specifics: HTTP, communication with C2 node; C2 data Base64-encoded; deployed via malicious macro documents; since 2025 (SpearSpecter), use of Discord and Telegram as alternative C2 channels, Cloudflare Workers as serverless C2 edge (4)
- First identified: Mandiant, 2023/2024
- Status: Active
GHAMBAR
- Type: RAT (Remote Access Tool), C#
- Function: Full remote access, file system manipulation, keylogging, screen capture, shell command execution, file upload/download, plugin execution
- C2 channel / specifics: SOAP API requests over HTTP; persistence via registry run keys; deployed post-credential compromise for long-term persistent access (5)
- First identified: SOCRadar, 2022; Mandiant, 2022
- Status: Active
BROKEYOLK
- Type: .NET downloader
- Function: Download and execution of a file from a hardcoded C2; lightweight first-stage implant
- C2 channel / specifics: SOAP API requests over HTTP; used to deploy secondary payloads (GHAMBAR, NICECURL) (5)
- First identified: Mandiant, 2022
- Status: Active
PINEFLOWER
- Type: Android backdoor
- Function: Full mobile surveillance: geolocation, call recording, SMS reading and sending, contact exfiltration, screen capture, full backdoor capabilities
- C2 channel / specifics: Deployed via malicious Android applications; documented in campaigns targeting Iranian dissidents in exile (5)
- First identified: Mandiant / SOCRadar, 2022
- Status: Active
CHAIRSMACK / VINETHORN
- Type: Audio capture tools
- Function: CHAIRSMACK and VINETHORN are documented as audio capture tools (T1123) in Mandiant APT42 reporting, enabling microphone recording on compromised systems
- C2 channel / specifics: Used post-initial access in intensive surveillance contexts against high-value targets (6)
- First identified: Mandiant, 2022
- Status: Active
POWERPOST / MAGICDROP / TABBYCAT / DOSTEALER
- Type: APT42 arsenal ancillary tools
- Function: POWERPOST: PowerShell downloader/stager; MAGICDROP: dropper; TABBYCAT: browser session cookie collection tool; DOSTEALER: data stealer
- C2 channel / specifics: Deployed according to operational context; TABBYCAT specifically targeting session cookies to bypass MFA (5)
- First identified: Mandiant, 2022-2023
- Status: Active (TABBYCAT particularly relevant in MFA bypass context)
Dedicated phishing infrastructure
APT42 maintains a dedicated credential harvesting page infrastructure faithfully mimicking: Google Books, Google Docs, Gmail, Yahoo Mail, ProtonMail, Microsoft 365, university portals. Pages are hosted on Google Sites, Cloudflare Workers, and dedicated VPS. Since 2024, some pages exploit adversary-in-the-middle (AiTM) techniques to capture MFA session cookies in real time (1).
Third-party tools used
Evilginx2 / AiTM variants (MFA interception), GoPhish (phishing infrastructure), Cobalt Strike (documented in some post-access campaigns), native Windows tools (PowerShell, Rundll32, cmd.exe).
4. CAMPAIGN HISTORY
| Period | Campaign | Targets | Vector | Tooling |
|---|---|---|---|---|
| 2015-2021 | Initial operations (pre-public tracking) | Iranian dissidents, journalists, activists, governments | Spear-phishing, credential harvesting | Early-stage custom tools, fake Google/Yahoo pages |
| 2022 | First public documentation (Mandiant) | NGOs, governments, intergovernmental organizations (Middle East, West) | Multi-stage social engineering, cloud credential harvesting | GHAMBAR, BROKEYOLK, PINEFLOWER |
| 2023 | NICECURL/BASICSTAR campaigns (Volexity) | Middle East foreign policy experts, US and Israeli think tanks (7) | Spear-phishing, LNK files, fake OneDrive links | NICECURL (BASICSTAR), TAMECAT |
| 2024 (Q1-Q2) | Mandiant cloud campaigns | NGOs, media, academics, legal services (West and Middle East) (1) | Journalist and event organizer impersonation, cloud phishing | NICECURL, TAMECAT, Microsoft 365/GWorkspace access |
| 2024 (Q2-Q3) | US presidential election targeting | Trump and Biden/Harris campaigns: political personnel, advisors (3)(8) | Credential harvesting spear-phishing, personal account access | Fake Google/Microsoft pages, custom tools |
| 2024-2025 | Israel defense/nuclear campaigns | Defense and nuclear experts, Israeli cybersecurity researchers (Check Point, June 2025) (4) | Email and WhatsApp spear-phishing, tech executive impersonation | TAMECAT, credential harvesting |
| 2025 (Sep.-Nov.) | SpearSpecter (INDA Israel) | Senior Israeli defense and government officials and their family members (4) | Fake conference invitations, WhatsApp lures; TAMECAT with Discord/Telegram/Cloudflare Workers C2 | TAMECAT (Cluster D), fake pages (Cluster B) |
| 2026 | Post-military operations activity | Journalists, NGOs, activists, regime opponents, in the context of the Epic Fury / Roaring Lion operations (2) | Social engineering enhanced by generative AI, personalized lures | Evolved arsenal: GenAI integration in lure production |
5. INDICATORS OF COMPROMISE (IoCs)
EXPIRATION WARNING: The IoCs listed below are derived exclusively from public sources. Their operational validity is subject to expiration. Do not implement them as production blocking rules without validation in your specific context. Maximum estimated validity: 90 days from the source publication date.
Characteristic network patterns
- HTTPS requests toward domains hosted on Google Sites, Cloudflare Workers, Firebase mimicking authentication portals (Google, Microsoft, Yahoo, ProtonMail, university institutions)
- HTTPS traffic toward pages whose domain name combines legitimate terms with typos or suspicious subdomains (drive-file-share[.]site, onedrive-form[.]net, google-docs-verify[.]com)
- POST connections from PowerShell or cmd.exe processes toward legitimate cloud services used as C2 (Cloudflare Workers, Firebase)
- Anomalous traffic from powershell.exe toward Discord or Telegram API endpoints (SpearSpecter 2025 campaign)
- Registration of new MFA methods (Microsoft Authenticator) on accounts without user-initiated action: indicator of MFA takeover post-credential theft
- Creation of automatic forwarding rules in mailboxes after connection from an unregistered IP
Historically documented domains (public sources)
Source: Mandiant, Volexity, Google TAG, IMDA public reports, 2023-2025. Reduced detection value: threat hunting use only.
- drive-file-share[.]site: Mandiant, 2024 (NICECURL LNK delivery)
- onedrive-form[.]net: Google TAG, 2024
- google-recaptcha[.]org: Volexity / BASICSTAR, 2024
- news-download[.]net: Mandiant, 2024
- mail-proton[.]me[.]login[.]page: Google TAG, 2024
Documented public hashes
Refer to source reports for complete values.
| Tool | Hash (partial) | Type | Source | Year |
|---|---|---|---|---|
| NICECURL LNK | d5a05212...a2873642 (MD5) | LNK dropper | Mandiant | 2024 |
| NICECURL VBS | a3f1c2e8...9b4d7a0c | VBScript backdoor | Mandiant | 2024 |
| GHAMBAR | 7c2b9f3a...1e5d8b4f | C# RAT | SOCRadar / Mandiant | 2022 |
| TAMECAT | f4e8a2c1...3b7d9f0e | PowerShell implant | Mandiant | 2024 |
| PINEFLOWER | 2a9c4f7b...8e3d1a5c | Android APK | Mandiant | 2022 |
Post-compromise behavioral indicators
- Automatic forwarding rules added in Microsoft 365 or Gmail toward unknown external addresses
- OAuth tokens granted to unknown applications in the Microsoft 365 or Google Workspace tenant
- Connections from residential IP addresses (non-corporate) toward sensitive cloud resources (SharePoint, Google Drive)
- Access from multiple geolocations within less than 30 minutes (impossible travel)
- Registration of a new MFA token / Authenticator application from a non-corporate IP
Recommended real-time IoC sources
- MITRE ATT&CK APT42: https://attack.mitre.org/groups/G1044/
- Mandiant / Google Cloud Blog: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- OTX AlienVault: https://otx.alienvault.com/browse/global/pulses?q=apt42
- MISP CIRCL (public feed): https://www.misp-project.org/feeds/
- Google TAG Blog: https://blog.google/threat-analysis-group/
6. DETECTION & COUNTERMEASURES
Credential harvesting: anomalous cloud access post-phishing (false positive rate: Medium)
auth.service IN ['Microsoft365', 'Google_Workspace']
AND auth.result = 'success'
AND source.ip NOT IN corporate_ranges
AND source.ip NOT IN known_employee_ips
AND geo.country NOT IN approved_countries
AND (auth.mfa_method = 'none' OR auth.session.reuse_from_different_ip = true)
Recommended tools: Microsoft Sentinel, Azure AD Identity Protection, Google Workspace Admin SDK, Elastic SIEM.
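The rule above as executable detection logic, added here as an illustration and not taken from the report or from any vendor product. Field names, the corporate/employee/country reference sets and the sample sign-in events are constructed assumptions; the final two conditions are grouped explicitly so that the session-reuse clause cannot fire on its own under SQL-style precedence.

```python
# Added example: the anomalous cloud-access rule over constructed sign-in events.
# Reference sets use RFC 5737 documentation address ranges (assumed, not real).
import ipaddress
from dataclasses import dataclass

CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_EMPLOYEE_IPS = {"198.51.100.77"}
APPROVED_COUNTRIES = {"FR", "DE", "GB"}
WATCHED_SERVICES = {"Microsoft365", "Google_Workspace"}


@dataclass
class SignIn:
    user: str
    service: str
    result: str                               # 'success' or 'failure'
    source_ip: str
    country: str                              # ISO 3166-1 alpha-2 from geo enrichment
    mfa_method: str                           # 'none', 'otp', 'push', 'fido2'
    session_reuse_from_different_ip: bool = False


def in_corporate_ranges(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def matches_rule(e: SignIn) -> bool:
    """Evaluate the report's rule with the trailing OR grouped explicitly."""
    if e.service not in WATCHED_SERVICES or e.result != "success":
        return False
    if in_corporate_ranges(e.source_ip) or e.source_ip in KNOWN_EMPLOYEE_IPS:
        return False
    if e.country in APPROVED_COUNTRIES:
        return False
    # Either the sign-in carried no MFA at all, or an existing session was
    # presented from an IP other than the one it was issued to (cookie replay).
    return e.mfa_method == "none" or e.session_reuse_from_different_ip


def flagged_users(events):
    """Users whose sign-ins match the rule, in event order."""
    return [e.user for e in events if matches_rule(e)]


# Constructed sample events
SAMPLE_EVENTS = [
    # password-only success from an unapproved country -> flagged
    SignIn("alice", "Microsoft365", "success", "192.0.2.10", "TR", "none"),
    # same pattern but from the corporate range -> not flagged
    SignIn("bob", "Microsoft365", "success", "203.0.113.5", "TR", "none"),
    # OTP was satisfied, but the session cookie is replayed from a new IP -> flagged
    SignIn("carol", "Google_Workspace", "success", "192.0.2.44", "TR", "otp",
           session_reuse_from_different_ip=True),
    # approved country -> not flagged
    SignIn("dave", "Google_Workspace", "success", "192.0.2.99", "GB", "push"),
    # unapproved country but push MFA and no session replay -> not flagged
    SignIn("frank", "Microsoft365", "success", "192.0.2.120", "TR", "push"),
    # failed attempt is out of scope for this rule -> not flagged
    SignIn("erin", "Microsoft365", "failure", "192.0.2.10", "TR", "none"),
]

if __name__ == "__main__":
    print(flagged_users(SAMPLE_EVENTS))
```

The `carol` case is the one that matters for APT42's AiTM tradecraft: MFA was completed, so a rule keyed only on `mfa_method = 'none'` would miss the replayed session.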
Unsolicited MFA method registration (false positive rate: Low)
event.type = 'MFA_method_registered'
AND event.initiator != 'user_self_service'
AND source.ip NOT IN corporate_ranges
AND prior_event.type NOT IN ['IT_helpdesk_ticket', 'admin_request']
AND time_since_last_password_change < 60_minutes
Recommended tools: Microsoft Sentinel / MCAS, Azure AD UEBA, Okta ThreatInsight.
Suspicious email forwarding rule (false positive rate: Low)
event.type = 'mailbox_rule_created'
AND rule.action CONTAINS 'forward'
AND rule.destination NOT IN approved_internal_domains
AND event.source_ip NOT IN corporate_vpn_ranges
Recommended tools: Microsoft Defender for Office 365, Google Workspace Security Center, Splunk ES.
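The two post-compromise rules above (unsolicited MFA registration and suspicious forwarding rule) as correlation logic over a constructed audit trail. This is an added example, not code from the report or from any SIEM; the event shape, attribute names, the 60-minute window, the corporate range and the approved domain are assumptions. The MFA check is implemented as written in the rule: a helpdesk ticket or admin request for the same user inside the window suppresses the alert.

```python
# Added example: account-takeover indicators over constructed audit events.
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed, covers VPN egress too
APPROVED_INTERNAL_DOMAINS = {"example.org"}                  # assumed tenant domain
HELPDESK_EVENT_TYPES = {"IT_helpdesk_ticket", "admin_request"}


@dataclass
class AuditEvent:
    ts: datetime
    type: str
    user: str
    source_ip: str
    attrs: dict = field(default_factory=dict)


def in_corporate_ranges(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def unsolicited_mfa_registrations(events, window=timedelta(minutes=60)):
    """MFA method registered from outside corporate ranges, not via self-service,
    within `window` of the user's last password change, with no helpdesk ticket or
    admin request for that user in the same window."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, e in enumerate(events):
        if e.type != "MFA_method_registered":
            continue
        if e.attrs.get("initiator") == "user_self_service":
            continue
        if in_corporate_ranges(e.source_ip):
            continue
        recent = [p for p in events[:i] if p.user == e.user and e.ts - p.ts < window]
        if any(p.type in HELPDESK_EVENT_TYPES for p in recent):
            continue
        if any(p.type == "password_changed" for p in recent):
            alerts.append((e.user, e.attrs.get("method", "unknown")))
    return alerts


def suspicious_forwarding_rules(events):
    """Mailbox rule that forwards to a domain outside the approved set, created
    from a source IP outside corporate/VPN ranges."""
    alerts = []
    for e in events:
        if e.type != "mailbox_rule_created":
            continue
        if "forward" not in e.attrs.get("action", "").lower():
            continue
        destination = e.attrs.get("destination", "")
        domain = destination.rsplit("@", 1)[-1].lower()
        if domain in APPROVED_INTERNAL_DOMAINS or in_corporate_ranges(e.source_ip):
            continue
        alerts.append((e.user, destination))
    return alerts


T0 = datetime(2026, 3, 2, 9, 0, 0)  # constructed timestamp
SAMPLE_EVENTS = [
    # alice: password change, then Authenticator enrolled 12 min later from a
    # non-corporate IP with no helpdesk trail -> MFA alert
    AuditEvent(T0, "password_changed", "alice", "192.0.2.10"),
    AuditEvent(T0 + timedelta(minutes=12), "MFA_method_registered", "alice", "192.0.2.10",
               {"initiator": "authenticator_enrollment", "method": "MicrosoftAuthenticator"}),
    # alice: forwarding rule to an external mailbox from the same IP -> forwarding alert
    AuditEvent(T0 + timedelta(minutes=15), "mailbox_rule_created", "alice", "192.0.2.10",
               {"action": "ForwardTo", "destination": "archive@example.net"}),
    # bob: a helpdesk ticket precedes the registration -> suppressed
    AuditEvent(T0, "IT_helpdesk_ticket", "bob", "203.0.113.9"),
    AuditEvent(T0 + timedelta(minutes=5), "password_changed", "bob", "192.0.2.20"),
    AuditEvent(T0 + timedelta(minutes=20), "MFA_method_registered", "bob", "192.0.2.20",
               {"initiator": "authenticator_enrollment", "method": "MicrosoftAuthenticator"}),
    # carol: internal forwarding rule from the corporate range -> not flagged
    AuditEvent(T0 + timedelta(hours=1), "mailbox_rule_created", "carol", "203.0.113.40",
               {"action": "ForwardTo", "destination": "team@example.org"}),
]

if __name__ == "__main__":
    print(unsolicited_mfa_registrations(SAMPLE_EVENTS))
    print(suspicious_forwarding_rules(SAMPLE_EVENTS))
```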
TAMECAT / NICECURL: PowerShell process toward cloud C2 endpoint (false positive rate: Medium)
process.name = 'powershell.exe'
AND network.destination MATCHES /discord\.com|telegram\.org|workers\.dev|firebaseapp\.com/
AND process.parent.name NOT IN ['explorer.exe', 'svchost.exe']
AND process.command_line CONTAINS ANY ['-EncodedCommand', '-enc', 'Invoke-Expression', 'IEX']
Recommended tools: Microsoft Defender for Endpoint, CrowdStrike Falcon, Elastic SIEM, Sysmon (Event IDs 1, 3).
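The rule above needs a join between the process-creation record (image, parent, command line) and the network-connection record (destination), which is what the Sysmon Event ID 1 / Event ID 3 recommendation implies. The following added example, not from the report or from Sysmon itself, performs that join on `ProcessGuid` over constructed Sysmon-style events; the field names follow Sysmon's event data, the sample paths, GUIDs and the base64 string (an encoding of "ABC") are constructed.

```python
# Added example: correlate constructed Sysmon-style Event ID 1 and 3 records to
# implement the PowerShell-to-cloud-C2 rule.
import re
from pathlib import PureWindowsPath

# Destination hosts from the rule, anchored to the registrable domain
C2_HOST_RE = re.compile(
    r"(?:^|\.)(discord\.com|telegram\.org|workers\.dev|firebaseapp\.com)$", re.I)
# Command-line tokens from the rule; word boundaries avoid matching inside paths
SUSPICIOUS_ARGS_RE = re.compile(
    r"(?<![\w-])-enc(?:odedcommand)?\b|\b(?:iex|invoke-expression)\b", re.I)
EXCLUDED_PARENTS = {"explorer.exe", "svchost.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def detect_powershell_c2(events):
    """Return (ProcessGuid, destination host) for powershell.exe processes that were
    not spawned by an excluded parent, carry an encoded/IEX command line, and
    connected to a host on the C2 list."""
    processes = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 3:
            continue
        proc = processes.get(e["ProcessGuid"])
        if proc is None or image_name(proc["Image"]) != "powershell.exe":
            continue
        if image_name(proc["ParentImage"]) in EXCLUDED_PARENTS:
            continue
        if not SUSPICIOUS_ARGS_RE.search(proc["CommandLine"]):
            continue
        host = e.get("DestinationHostname", "")
        if not C2_HOST_RE.search(host):
            continue
        alerts.append((e["ProcessGuid"], host))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # {A}: spawned by Word with an encoded command, connects to Telegram -> alert
    {"EventID": 1, "ProcessGuid": "{A}", "Image": PS,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f'"{PS}" -nop -w hidden -enc QQBCAEMA'},
    {"EventID": 3, "ProcessGuid": "{A}", "DestinationHostname": "api.telegram.org",
     "DestinationPort": 443},
    # {B}: launched from Explorer -> excluded parent, no alert
    {"EventID": 1, "ProcessGuid": "{B}", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{PS}" -File deploy.ps1'},
    {"EventID": 3, "ProcessGuid": "{B}", "DestinationHostname": "my-app.workers.dev",
     "DestinationPort": 443},
    # {C}: scheduled script reaching Discord but with a plain -File invocation -> no alert
    {"EventID": 1, "ProcessGuid": "{C}", "Image": PS,
     "ParentImage": r"C:\Windows\System32\taskeng.exe",
     "CommandLine": f'"{PS}" -File report.ps1'},
    {"EventID": 3, "ProcessGuid": "{C}", "DestinationHostname": "discord.com",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    print(detect_powershell_c2(SAMPLE_EVENTS))
```

Case `{C}` shows why the command-line condition matters: legitimate automation does reach `discord.com` and `workers.dev`, and without the encoded-command test the rule's false-positive rate would be well above Medium.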
Session cookie theft / AiTM interception (false positive rate: Medium)
auth.token.reuse = true
AND auth.token.source_ip != auth.token.original_issue_ip
AND auth.token.age < 300_seconds
AND auth.token.geographic_distance > 500_km
Recommended tools: Microsoft Defender for Cloud Apps / MCAS, Zscaler, Palo Alto Prisma.
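The `geographic_distance` term in the rule above is not a raw log field; it has to be computed from geo-enriched source IPs. The following added example (not from the report or from any vendor) does so with a haversine great-circle distance and applies the rule's three conditions to constructed token issue/reuse records; the record shape, coordinates, IPs and timestamps are assumptions.

```python
# Added example: AiTM session-token replay check with a computed great-circle distance.
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0


@dataclass
class TokenEvent:
    token_id: str
    user: str
    issue_ip: str
    issue_geo: tuple      # (lat, lon) where the token was originally issued
    issue_ts: datetime
    reuse_ip: str
    reuse_geo: tuple      # (lat, lon) where the same token was presented again
    reuse_ts: datetime


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def is_aitm_replay(t, max_age=timedelta(seconds=300), min_distance_km=500.0):
    """The report's rule: token presented from a different IP than it was issued to,
    less than 300 s after issuance, from more than 500 km away. The short age bound is
    what separates a proxied (AiTM) session from ordinary roaming between networks."""
    if t.reuse_ip == t.issue_ip:
        return False
    if t.reuse_ts - t.issue_ts >= max_age:
        return False
    return haversine_km(t.issue_geo, t.reuse_geo) > min_distance_km


def flagged_tokens(events):
    return [t.token_id for t in events if is_aitm_replay(t)]


# Constructed coordinates and records
PARIS, LYON, NEW_YORK = (48.8566, 2.3522), (45.7640, 4.8357), (40.7128, -74.0060)
T0 = datetime(2026, 3, 2, 10, 0, 0)
SAMPLE_EVENTS = [
    # issued in Paris, presented 90 s later from ~5,800 km away -> flagged
    TokenEvent("tok-1", "alice", "192.0.2.10", PARIS, T0,
               "198.51.100.23", NEW_YORK, T0 + timedelta(seconds=90)),
    # network switch Paris -> Lyon (~390 km) inside the window -> under the distance bound
    TokenEvent("tok-2", "bob", "192.0.2.20", PARIS, T0,
               "192.0.2.21", LYON, T0 + timedelta(seconds=60)),
    # far away, but two hours later -> outside the rule's 300 s age bound
    TokenEvent("tok-3", "carol", "192.0.2.30", PARIS, T0,
               "198.51.100.40", NEW_YORK, T0 + timedelta(hours=2)),
]

if __name__ == "__main__":
    for t in SAMPLE_EVENTS:
        print(t.token_id, round(haversine_km(t.issue_geo, t.reuse_geo)), is_aitm_replay(t))
```

`tok-3` is deliberately left unflagged to match the rule as written; a long-lived token presented from far away is still worth a lower-severity impossible-travel alert (see the behavioral indicators in section 5), but that is a separate rule with a different false-positive profile.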
Organizational countermeasures
- Deploy phishing-resistant MFA (FIDO2/passkeys) on all exposed accounts: resistant to AiTM attacks, unlike OTPs and push notifications
- Enable Conditional Access policies in Azure AD / Google Workspace with source IP control, device compliance, and country-of-access enforcement
- Monitor OAuth tokens and third-party applications authorized in Microsoft 365 and Google Workspace tenants: immediately revoke any unrecognized application
- Targeted awareness for at-risk profiles (journalists, researchers, NGO members, diplomats, dissidents) on APT42’s multi-stage approach: trust relationship building over several weeks systematically precedes malicious link delivery
- Training on out-of-band identity verification for any collaboration or interview solicitation, even from an apparently known contact
- Regular audit of forwarding rules and delegations in mailboxes: remove any unauthorized rule
- Enable Microsoft Defender for Cloud Apps or Google Workspace DLP to detect bulk exports from cloud storage spaces
- For personnel of very high intelligence value, isolate personal accounts from professional accounts: APT42 targets personal accounts to bypass corporate protections
- Ensure that close family members of sensitive personnel are also informed of the risks: SpearSpecter (2025) explicitly documents this extension vector
SOURCES
- Mandiant / Google Cloud, "Uncharmed: Untangling Iran’s APT42 Operations" (2024): https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- Trellix Research, "The Iranian Cyber Capability 2026" (2026): https://www.trellix.com/blogs/research/the-iranian-cyber-capability-2026/
- Anvilogic, "APT42 Cyber Tactics: Credential Theft and Election Interference" (2024): https://www.anvilogic.com/threat-reports/apt42-credential-election-interference
- The Hacker News / INDA, "Iranian Hackers Launch SpearSpecter Spy Operation on Defense and Government Targets" (2025): https://thehackernews.com/2025/11/iranian-hackers-launch-spearspecter-spy.html
- SOCRadar, "Dark Web Profile: APT42, Iranian Cyber Espionage Group" (2025): https://socradar.io/blog/dark-web-profile-apt42-iranian-cyber-espionage-group/
- Mandiant, "APT42 Group Profile" (first documentation, 2022): https://www.mandiant.com/resources/apt42-iranian-cyber-espionage
- Volexity, "BASICSTAR (NICECURL): Middle East Policy Experts Campaign" (2024): https://www.volexity.com/blog/2024/02/06/unc788-targets-middle-east-policy-experts/
- Google TAG, "Iranian APT42 targeting accounts associated with US presidential election" (2024): https://blog.google/threat-analysis-group/
- MITRE ATT&CK, "APT42, Group G1044": https://attack.mitre.org/groups/G1044/
- CYFIRMA, "APT Profile: APT42": https://www.cyfirma.com/research/apt-profile-apt42/
- IMDA Singapore, "Advisory for ICM Sectors: APT42’s recent activity": https://www.imda.gov.sg/-/media/imda/files/regulations-and-licensing/regulations/advisories/infocomm-media-cyber-security/apt42s-recent-activity.pdf
- Threat Intel Report, "Threat Actor Profile: APT42 (MITRE G1044)" (2026): https://www.threatintelreport.com/2026/02/23/threat_actor_profiles/threat-actor-profile-apt42-mitre-g1044/
- ExtraHop, "The Digital Front of Iranian Cyber Offensive and Defensive Response" (2026): https://www.extrahop.com/blog/the-digital-front-of-iranian-cyber-offensive-and-defensive-response
- Check Point Research, "What Defenders Need to Know about Iran’s Cyber Capabilities" (2025): https://blog.checkpoint.com/research/what-defenders-need-to-know-about-irans-cyber-capabilities/
- Wiz Academy, "What is APT42?" (2026): https://www.wiz.io/academy/threat-intel/what-is-apt42
This report is produced on the basis of publicly available open sources (vendors, CERTs, independent researchers), consolidated as of March 2026. It does not rely on any classified source. Attribution to the IRGC-IO is assessed with a high confidence level based on multi-vendor convergence (Mandiant, Google TAG, Microsoft, Proofpoint, ClearSky, Check Point). APT42 is distinct from APT35 (same sponsor, different objectives) and from APT39 (MOIS). IoCs have a limited validity period and must be validated before any operational use. This report is unrestricted (TLP:CLEAR).