Skip to main content
Mallory
Back to threat actors
🇮🇷 IR16 malware familiesExploits CVEs in the wild

APT42

Also known asAPT42educated_manticore

APT42 is an Iranian state-linked cyber espionage threat actor associated with the Islamic Revolutionary Guard Corps, specifically described in the content as IRGC-IO affiliated, and overlapping with APT35 activity. Known aliases in the provided content include APT42, Educated Manticore, Charming Kitten, and Mint Sandstorm. The group is described as highly focused on espionage and identity-centric intrusions, prioritizing social engineering, credential harvesting, adversary-in-the-middle phishing, MFA interception, and session hijacking. The content states that APT42 commonly begins with legitimate contact over email, WhatsApp, or Telegram, builds trust over time, and then delivers phishing links; it has also impersonated services such as WhatsApp, Microsoft Teams, Google Meet, Dropbox, YouTube, and media or think tank brands using typosquatted domains and hosted phishing pages on platforms including Google Sites, OneDrive, and Cloudflare Workers. Reported targets include journalists, researchers, dissidents, political consultants, Israeli journalists and academics, Israeli military, government, and diplomatic organizations, and both Democratic and Republican U.S. presidential campaign personnel. The content states that in 2024 APT42 compromised Trump campaign materials, stole internal documents, and attempted to leak them to journalists, and that Google and Microsoft reported targeting of both U.S. presidential campaigns. Post-compromise, APT42 is described as using built-in Microsoft 365 features and publicly available tools to avoid detection, including registering its own MFA authenticator, reading Outlook mail, and downloading files from OneDrive and SharePoint. Malware and tooling mentioned in the content include NICECURL, VINETHORN, GHAMBAR, and POWERPOST. NICECURL communicated with command and control over HTTPS; APT42 also encoded C2 traffic with Base64, used anonymized infrastructure and VPSs to interact with victim environments, masqueraded the VINETHORN payload as a VPN application, collected system information with malware such as GHAMBAR and POWERPOST, modified Registry keys for persistence, and used scheduled tasks for persistence. The content also notes that APT42 leaves minimal endpoint artifacts and may be more visible in cloud and proxy logs.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration
  • Independent Media
  • Academia & Research

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States

Where they're from

Attributed origin per open-source reporting.

  • IR
MITRE ATT&CK

Tradecraft

57 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics80 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1598×3
Phishing for Information
T1598.003
Spearphishing Link
TA0042
Resource Development
5 techniques
T1583
Acquire Infrastructure
T1583.001
Domains
T1583.003×2
Virtual Private Server
T1585
Establish Accounts
T1585.002
Email Accounts
T1586
Compromise Accounts
T1588
Obtain Capabilities
T1588.002×3
Tool
T1608×2
Stage Capabilities
T1608.001×2
Upload Malware
T1608.002
Upload Tool
TA0001
Initial Access
3 techniques
T1078×2
Valid Accounts
T1078.004
Cloud Accounts
T1190
Exploit Public-Facing Application
T1566×8
Phishing
T1566.001
Spearphishing Attachment
T1566.002×3
Spearphishing Link
T1566.003
Spearphishing via Service
TA0002
Execution
5 techniques
T1047
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1053.005×4
Scheduled Task
T1059
Command and Scripting Interpreter
T1059.001×7
PowerShell
T1059.005
Visual Basic
T1129
Shared Modules
T1574
Hijack Execution Flow
TA0003
Persistence
4 techniques
T1053
Scheduled Task/Job
T1053.005×4
Scheduled Task
T1078×2
Valid Accounts
T1078.004
Cloud Accounts
T1112×6
Modify Registry
T1547
Boot or Logon Autostart Execution
T1547.001×2
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
4 techniques
T1053
Scheduled Task/Job
T1053.005×4
Scheduled Task
T1078×2
Valid Accounts
T1078.004
Cloud Accounts
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1547
Boot or Logon Autostart Execution
T1547.001×2
Registry Run Keys / Startup Folder
TA0005
Stealth
5 techniques
T1036×2
Masquerading
T1036.003
Rename Legitimate Utilities
T1036.005
Match Legitimate Resource Name or Location
T1070
Indicator Removal
T1070.008
Clear Mailbox Data
T1078×2
Valid Accounts
T1078.004
Cloud Accounts
T1574
Hijack Execution Flow
T1620
Reflective Code Loading
TA0112
Defense Impairment
2 techniques
T1112×6
Modify Registry
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
TA0006
Credential Access
5 techniques
T1056
Input Capture
T1056.001
Keylogging
T1111×2
Multi-Factor Authentication Interception
T1539×5
Steal Web Session Cookie
T1555
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
T1621
Multi-Factor Authentication Request Generation
TA0007
Discovery
4 techniques
T1012
Query Registry
T1016
System Network Configuration Discovery
T1082×2
System Information Discovery
T1518
Software Discovery
T1518.001
Security Software Discovery
TA0009
Collection
3 techniques
T1056
Input Capture
T1056.001
Keylogging
T1114
Email Collection
T1114.002
Remote Email Collection
T1530
Data from Cloud Storage
TA0011
Command and Control
4 techniques
T1071
Application Layer Protocol
T1071.001×4
Web Protocols
T1102
Web Service
T1132×2
Data Encoding
T1132.001
Standard Encoding
T1573
Encrypted Channel
T1573.002
Asymmetric Cryptography
TA0010
Exfiltration
1 technique
T1567
Exfiltration Over Web Service
ARSENAL

Associated malware families

16 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
TAMECATTAMECAT’s attack flow is highly automated, proceeding from initial user interaction with a malicious file to complete data exfiltration without perceptible intrusion.5Apr 28, 2026
NICECURLNICECURL has used HTTPS for C2 communications.3May 26, 2026
VINETHORNAPT42 has used its infrastructure for C2 and for staging the VINETHORN payload, which masqueraded as a VPN application.3Mar 18, 2026
BLUELIGHTBLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers.2Mar 18, 2026
ImpacketThe following analytic identifies suspicious command-line parameters associated with the use of Impacket's smbexec.py for lateral movement. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement.2Mar 17, 2026

11 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

IOCS

Observables

64 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

64 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
codebyNews
Jun 1, 2026
APT42 и Seedworm: credential harvesting без малвари

Iranian cyber-espionage group focused on targeting specific individuals such as journalists, researchers, dissidents, and political consultants. The group uses social engineering, credential harvesting, adversary-in-the-middle phishing, MFA interception, session cookie theft, and then operates inside cloud services such as Microsoft 365 for email and document collection without deploying malware on endpoints.

Read more
osint team blogNews
Apr 28, 2026
TAMECAT: APT42’s New PowerShell Backdoor Targeting Military and Government Officials | by Excalibra | Apr, 2026 | OSINT Team

Uses social engineering priming to build trust with victims before delivering malicious files.

Read more
splunk researchNews
Apr 22, 2026
Detection: PowerShell PInvoke Process Injection API Chain | Splunk Security Content

Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.

Read more
splunk researchNews
Apr 20, 2026
Detection: PowerShell Environment Variable Execution | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection analytic.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping57

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal16

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables64

Domains, IPs, and hashes tied to this actor, refreshed continuously.