A state-backed Iranian cyber-espionage group, commonly known as APT42, has been observed conducting a new intelligence collection campaign aimed at individuals and organizations connected to national security. The Israel National Digital Agency (INDA) has named this ongoing operation SpearSpecter after identifying its activity in early September 2025.
Highly Targeted Social Engineering Operations
INDA researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman reported that the group has been specifically targeting senior officials working in defense and government sectors. The attackers use personalized social engineering approaches, such as sending invitations to high-level conferences or arranging seemingly important meetings, to lure their targets.
A notable element of the campaign is its expansion beyond primary individuals to include their family members. By attacking the social circle around the target, the attackers gain broader access points and put added psychological pressure on the intended victim.
APT42 has a long history of carrying out convincing social engineering efforts. Google Mandiant first detailed this cluster in 2022 and highlighted its overlaps with several well-known IRGC-associated groups, including APT35, Charming Kitten, TA453, Mint Sandstorm, and others. Their operations often span several days or weeks, during which the attackers build trust, impersonate familiar contacts, and eventually deliver malicious links or payloads.
As recently as June 2025, Check Point revealed another campaign where APT42 approached Israeli technology and cybersecurity professionals by posing as executives or researchers through email and WhatsApp messages.
According to Goldman, SpearSpecter and the June 2025 incidents were driven by separate sub-groups within APT42. Cluster D focused on malware-centered operations, while Cluster B specialized in credential harvesting.
Campaign Flexibility and Dual Objectives
INDA emphasized that SpearSpecter adapts its strategy depending on the value and purpose of each target. In credential theft scenarios, victims are redirected to fake meeting pages crafted to steal login credentials. When persistent access is the objective, the attackers deploy a PowerShell-based backdoor known as TAMECAT, which APT42 has used repeatedly in prior intrusions.

Attack Chain and Malware Delivery Method
The operation commonly starts with impersonation on WhatsApp, where attackers pose as trusted contacts. They send a link claiming it leads to a necessary document for an upcoming event or meeting. Clicking the link initiates a redirect that ultimately delivers a WebDAV-hosted Windows shortcut file (LNK) disguised as a PDF by using the “search-ms:” protocol handler.
This malicious LNK file connects to a Cloudflare Workers subdomain to download a batch script that serves as a loader for TAMECAT. Once deployed, TAMECAT activates multiple modules designed for remote command execution, data theft, and ongoing surveillance.
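The delivery step above rests on one detail a defender can inspect directly: a search-ms: URI whose crumb=location: parameter points at a UNC path makes Windows Explorer display the contents of that remote (here WebDAV) share, so a shortcut hosted there can be presented as a document. The following parser, added here as an example and not code from INDA's report or from the malware, splits search-ms: URIs into their parameters and flags any whose search location is remote. The sample URIs and hostnames are constructed placeholders, not indicators from the campaign.

```python
"""Parse search-ms: URIs and flag those whose crumb=location: points at a
remote UNC/WebDAV share. Added example for this article; the sample URIs below
are constructed and the hostnames are placeholders."""
import re
from urllib.parse import unquote

# Constructed samples. The first mimics the remote-share pattern described in
# the article; the second is a harmless local search; the third is not a
# search-ms: URI at all.
SAMPLE_URIS = [
    "search-ms:query=Meeting_Agenda.pdf&crumb=location:%5C%5Cwebdav.example.invalid%40SSL%5CDavWWWRoot%5Cshare&displayname=Downloads",
    "search-ms:query=report&crumb=location:C:%5CUsers%5Cme%5CDocuments&displayname=Documents",
    "https://example.invalid/not-a-search-uri",
]

# Matches a UNC location such as \\host\share or \\host@SSL\DavWWWRoot\...
# (the @SSL / @port suffix is the WebDAV mini-redirector naming form).
UNC_LOCATION_RE = re.compile(r"^location:\\\\([^\\@]+)(?:@(?:\d+|SSL))?\\", re.IGNORECASE)


def parse_search_ms(uri):
    """Return the parameters of a search-ms: URI as a dict, or None when the
    scheme does not match. 'crumb' may repeat, so crumbs are kept in a list."""
    if not uri.lower().startswith("search-ms:"):
        return None
    params = {"crumbs": []}
    for part in uri[len("search-ms:"):].split("&"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        key, value = key.strip().lower(), unquote(value)
        if key == "crumb":
            params["crumbs"].append(value)
        else:
            params[key] = value
    return params


def remote_location_host(params):
    """Hostname of the first crumb that points at a UNC path, else None."""
    for crumb in params["crumbs"]:
        m = UNC_LOCATION_RE.match(crumb)
        if m:
            return m.group(1)
    return None


def assess(uri):
    """Classify one URI: is it search-ms:, and does it search a remote share?"""
    params = parse_search_ms(uri)
    if params is None:
        return {"uri": uri, "search_ms": False, "remote_host": None, "suspicious": False}
    host = remote_location_host(params)
    return {
        "uri": uri,
        "search_ms": True,
        "query": params.get("query", ""),
        "remote_host": host,
        # A search-ms: link that opens a remote share is the pattern worth
        # alerting on; a local folder search is ordinary Windows behaviour.
        "suspicious": host is not None,
    }


def suspicious_hosts(uris):
    """Remote hosts referenced by suspicious search-ms: URIs in a batch."""
    return sorted({r["remote_host"] for r in map(assess, uris) if r["suspicious"]})


if __name__ == "__main__":
    for result in map(assess, SAMPLE_URIS):
        print(result)
```

Run against proxy or URL-click telemetry, the interesting signal is the remote host: a search-ms: link whose location is a WebDAV server outside the organisation deserves the same scrutiny as a download of an executable.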
Multi-Channel Command and Control Architecture
TAMECAT communicates over three different channels, which enhances its chances of maintaining control even if one path is blocked. These channels include HTTPS, Telegram, and Discord.
For Telegram-based communication, the malware monitors commands issued by an attacker-controlled bot, then fetches and executes additional PowerShell scripts from various Cloudflare Workers subdomains. On Discord, the malware interacts through webhook URLs to send device information and receive instructions from a dedicated channel.
INDA noted that analysis of recovered Discord accounts showed that APT42 uses messages from specific users to deliver personalized commands to different infected machines, effectively creating a centralized collaborative environment for multiple operations.
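The three channels described above share a property defenders can use: each is a legitimate public service, so the anomaly is not the destination but the process reaching it. The detection below, added here as an example and not code from INDA or from TAMECAT, scans constructed proxy-style log lines for scripting hosts (PowerShell, cmd, wscript and similar) contacting Discord webhooks, the Telegram bot API, or Cloudflare Workers subdomains, and then surfaces machines that use more than one channel. The log format, hostnames, paths and tokens are all constructed; the service endpoint patterns (discord.com/api/webhooks/, api.telegram.org/bot…, *.workers.dev) are the public endpoints of those services, assumed here rather than taken from the report.

```python
"""Flag scripting-host processes talking to the Discord, Telegram and
Cloudflare Workers channels described in the article. Added example; the log
lines and every host, path and token in them are constructed placeholders."""
import re
from urllib.parse import urlparse

# Processes that should rarely talk to chat-platform APIs on their own.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# (channel name, host pattern, path pattern or None). The endpoint shapes are
# the public API forms of these services, assumed for this example.
CHANNEL_RULES = [
    ("discord_webhook", re.compile(r"^(?:discord|discordapp)\.com$"), re.compile(r"^/api/webhooks/")),
    ("telegram_bot", re.compile(r"^api\.telegram\.org$"), re.compile(r"^/bot[^/]+/")),
    ("cloudflare_workers", re.compile(r"\.workers\.dev$"), None),
]

# Constructed sample telemetry: one host using all three channels from
# PowerShell, plus two benign lines from ordinary applications.
SAMPLE_LOG = """\
2025-09-12T10:01:02Z host=WS01 proc=powershell.exe url=https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates
2025-09-12T10:01:09Z host=WS01 proc=powershell.exe url=https://discord.com/api/webhooks/000000/PLACEHOLDER
2025-09-12T10:01:15Z host=WS01 proc=powershell.exe url=https://example-placeholder.workers.dev/stage2
2025-09-12T10:02:00Z host=WS02 proc=chrome.exe url=https://discord.com/channels/@me
2025-09-12T10:02:30Z host=WS02 proc=outlook.exe url=https://outlook.office.com/mail/
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+)$")


def parse_line(line):
    """Split one constructed log line into fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_url(url):
    """Name the C2 channel a URL belongs to, or None for anything else."""
    parsed = urlparse(url)
    hostname = parsed.hostname or ""
    for name, host_re, path_re in CHANNEL_RULES:
        if host_re.search(hostname) and (path_re is None or path_re.match(parsed.path)):
            return name
    return None


def detect(log_text):
    """Return alerts for script hosts contacting any of the three channels."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proc"].lower() not in SCRIPT_HOSTS:
            continue
        channel = classify_url(rec["url"])
        if channel:
            alerts.append({**rec, "channel": channel})
    return alerts


def hosts_with_multiple_channels(alerts, minimum=2):
    """Hosts whose alerts span at least `minimum` distinct channels, the
    redundancy pattern the article attributes to TAMECAT."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["channel"])
    return {h for h, chans in seen.items() if len(chans) >= minimum}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["host"], a["proc"], a["channel"], a["url"])
    print("multi-channel hosts:", hosts_with_multiple_channels(found))
```

The process filter is what keeps this usable: a browser opening discord.com is normal, while PowerShell polling a Telegram bot endpoint and posting to a Discord webhook minutes apart is the multi-channel pattern worth an analyst's time. Webhook and bot tokens embedded in the URL are also worth recording, since the same token reappearing on several machines ties those infections to one operator.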
Data Theft, Reconnaissance, and Surveillance Abilities
TAMECAT is equipped with numerous capabilities designed to support long-term espionage. These include:
• Gathering system information and conducting reconnaissance
• Stealing files based on predefined extensions
• Extracting data from Google Chrome and Microsoft Edge
• Collecting Outlook mailbox content
• Capturing screenshots at 15-second intervals
The stolen data is exfiltrated using HTTPS or FTP channels.
Evasion Techniques and Stealth Framework
To avoid detection, the malware uses deliberate stealth measures. These include encrypted communications, obfuscated code, in-memory execution to reduce forensic traces, and the use of legitimate system binaries (LOLBins) to disguise malicious activity.