Iranian Threat Activity: RedKitten NGO Targeting and APT42 TAMECAT Credential Theft
Reporting describes two separate Iran-linked espionage efforts. HarfangLab detailed a campaign dubbed RedKitten targeting human-rights NGOs and individuals documenting abuses, using a lure delivered as a Farsi-named 7z archive containing macro-enabled Excel (.xlsm) files. When victims enable the malicious VBA, it drops a C# implant (AppVStreamingUX_Multi_User.dll) via AppDomainManager injection; the operation uses GitHub and Google Drive for configuration/payload retrieval and Telegram for command-and-control, and researchers noted code characteristics consistent with LLM-assisted development.
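The AppDomainManager injection mentioned above is a defender-visible technique: the .NET runtime will load an arbitrary assembly before a host program's own code runs if an `<app>.exe.config` beside the executable carries `appDomainManagerAssembly` / `appDomainManagerType` entries under `<runtime>`, or if the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables are set. The following audit script is an added example, not code from HarfangLab or from the campaign; the sample config is constructed (the DLL name is the one reported, the type name is a placeholder) and the file layout it scans is assumed.

```python
"""Scan .NET application config files for AppDomainManager injection settings.

Added illustration: the CLR honours <runtime> settings in <app>.exe.config and
the APPDOMAIN_MANAGER_* environment variables, so a dropped config beside a
signed host binary is enough to load an implant DLL. This script flags both.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# <runtime> child elements that redirect AppDomainManager loading.
CONFIG_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")
# Environment variables with the same effect.
ENV_KEYS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed sample: the assembly name is the implant DLL named in the report;
# the type name is a placeholder, not a real artifact.
MALICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PLACEHOLDER_MANAGER_TYPE" />
  </runtime>
</configuration>
"""

# Constructed sample: an ordinary config with no runtime redirection.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def find_manager_settings(xml_text: str) -> dict:
    """Return {element: value} for AppDomainManager settings in one config."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        # An unparseable config beside an executable is itself worth a look.
        return {"parse_error": str(exc)}
    runtime = root.find("runtime")
    if runtime is None:
        return {}
    return {child.tag: child.get("value", "")
            for child in runtime if child.tag in CONFIG_KEYS}


def scan_directory(root: Path) -> list:
    """Walk a tree and return (path, settings) for every flagged *.exe/.dll.config."""
    hits = []
    for path in root.rglob("*.config"):
        if not (path.name.endswith(".exe.config") or path.name.endswith(".dll.config")):
            continue
        settings = find_manager_settings(path.read_text(encoding="utf-8", errors="replace"))
        if settings:
            hits.append((path, settings))
    return hits


def check_environment(env: dict) -> dict:
    """Return any AppDomainManager-related variables present in a process environment."""
    return {k: env[k] for k in ENV_KEYS if k in env}


def main() -> None:
    # Write the constructed samples into a temporary tree and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "SomeSignedHost.exe.config").write_text(MALICIOUS_CONFIG, encoding="utf-8")
        (base / "NormalApp.exe.config").write_text(BENIGN_CONFIG, encoding="utf-8")
        for path, settings in scan_directory(base):
            print(f"[!] {path.name}: {settings}")
    print("[env]", check_environment(dict(os.environ)) or "no AppDomainManager variables set")


if __name__ == "__main__":
    main()
```

Run it against a user's profile or a suspect application directory; a hit is not proof of compromise on its own (some legitimate hosting products use AppDomainManager), so pair the result with who wrote the config file and whether the referenced assembly is signed and expected.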
Separately, Pulsedive research (as summarized) attributed a PowerShell backdoor called TAMECAT to APT42, describing social-engineering via impersonated WhatsApp contacts and links abusing the search-ms URI handler, followed by VBScript-based staging and delivery mechanisms including WebDAV-hosted LNKs disguised as PDFs. TAMECAT was reported to steal credentials from Microsoft Edge and Chrome, establish persistence (e.g., logon scripts and registry run keys), and use multiple C2 channels (including Telegram, Discord, Firebase, and Cloudflare Workers). Other items in the set cover unrelated events: a supply-chain compromise of eScan antivirus update infrastructure distributing a backdoor, and Fortinet’s reporting on Interlock ransomware activity affecting primarily UK/US organizations (not Iran-linked).
Related Stories

Iranian State-Linked Threat Activity and Related Supply-Chain/Developer Targeting Research
Multiple reports detail **Iranian-linked espionage activity** and tooling updates. SafeBreach described follow-on findings on the Iranian state-sponsored actor **“Prince of Persia,”** including at least three active variants of **Foudre** and **Tonnerre** malware, newly identified C2 infrastructure, and a **Telegram-based data exfiltration** channel; after publication, the actor rapidly rotated C2 servers and Telegram accounts, attempted to obscure victim-tracking artifacts, and appeared to attempt a retaliatory action against researchers that resembled prior attacks against open-source Python libraries. Separately, Plone (a Python-based CMS) reported it **prevented a supply-chain compromise** after an attacker used a stolen developer **GitHub personal access token** to force-push whitespace-obfuscated malicious JavaScript into multiple repositories; the changes were detected before any official release, and GitHub assessed the payload was intended to compromise **other developers** (persistence via shell startup scripts, RCE, and theft of credentials/API keys/browser profiles/crypto wallet files). Additional Iranian activity was reported in an espionage campaign attributed to **APT42** (IRGC-linked) using **TAMECAT**, a modular, largely in-memory **PowerShell backdoor** delivered after prolonged social engineering (e.g., WhatsApp rapport-building), with modules for browser data theft, screenshots, and file discovery. Separate research on the **Lazarus** “Contagious Interview” campaign (fake job interviews and AnyDesk RAT backdoors) is unrelated to the Iranian-focused activity described elsewhere.
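The Plone incident above turned on JavaScript whose payload was hidden in whitespace, which ordinary code review tends to skip over. The script below is an added example, not Plone's or GitHub's detection logic: it flags long whitespace-only lines, long runs of trailing spaces/tabs after visible code, and invisible or non-ASCII space characters, and it can run over only the lines a unified diff adds so it fits a CI or pre-receive hook. The thresholds and the sample diff are constructed assumptions.

```python
"""Flag whitespace-obfuscated JavaScript in a file or in the added lines of a diff."""
import re
import unicodedata

# Thresholds are assumptions chosen for illustration; tune them per repository.
MAX_TRAILING_WS = 16      # spaces/tabs tolerated after the last visible character
MIN_WS_ONLY_LINE = 32     # a longer whitespace-only line is almost never intentional
HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")

# Constructed sample diff: one added line carries 200 bytes of trailing tabs and
# spaces, one carries zero-width spaces, and one is whitespace only.
SAMPLE_DIFF = (
    "diff --git a/static/app.js b/static/app.js\n"
    "--- a/static/app.js\n"
    "+++ b/static/app.js\n"
    "@@ -1,3 +1,5 @@\n"
    " function init() {\n"
    "   console.log('hello');\n"
    "-}\n"
    "+}" + " \t\t \t" * 40 + "\n"
    "+var marker = 1;\u200b\u200b\u200b\n"
    "+" + "\t \t" * 30 + "\n"
)


def _invisible_chars(line: str) -> list:
    """Characters that render as nothing or as a space but are not ' ' or TAB."""
    out = []
    for ch in line:
        cat = unicodedata.category(ch)
        if cat == "Cf" or (cat == "Zs" and ch != " "):
            out.append(f"U+{ord(ch):04X}")
    return out


def analyze_js(text: str, offset: int = 0) -> list:
    """Return one finding dict (line, kind, detail) per suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1 + offset):
        line = line.rstrip("\r")
        invis = _invisible_chars(line)
        if invis:
            findings.append({"line": lineno, "kind": "invisible_unicode", "detail": sorted(set(invis))})
        if line and not line.strip() and len(line) >= MIN_WS_ONLY_LINE:
            findings.append({"line": lineno, "kind": "whitespace_only_line", "detail": len(line)})
            continue
        trailing = len(line) - len(line.rstrip(" \t"))
        if trailing >= MAX_TRAILING_WS:
            findings.append({"line": lineno, "kind": "trailing_whitespace_run", "detail": trailing})
    return findings


def analyze_diff(diff_text: str) -> list:
    """Run the checks only over lines a unified diff adds to .js files."""
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].strip()
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))   # new-file line number of the hunk's first line
            continue
        if raw.startswith("-"):
            continue                     # removed lines do not advance the new-file counter
        if raw.startswith("+") and current_file and current_file.endswith(".js"):
            for f in analyze_js(raw[1:], offset=new_line - 1):
                f["file"] = current_file
                findings.append(f)
        new_line += 1                    # context and added lines both advance it
    return findings


if __name__ == "__main__":
    for f in analyze_diff(SAMPLE_DIFF):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['detail']}")
```

A finding is a review prompt, not a verdict: minified bundles and generated files will trip the trailing-whitespace check, so exclude build artifacts by path and treat invisible-Unicode hits in hand-written source as the strongest signal. Pairing this with branch protection that rejects force-pushes addresses the other half of the incident.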
1 month ago
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. 
**Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
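Two of the delivery chains in this digest share the same file-level tells: the APT42 TAMECAT lures used the `search-ms:` URI handler and WebDAV-hosted LNKs named like PDFs, and the Cofense-reported campaigns used URL/LNK shortcuts to pull payloads from WebDAV servers behind Cloudflare Tunnel hosts. The triage script below is an added example, not either vendor's tooling: it parses Windows Internet Shortcut (`.url`) files, classifies link targets, and flags document-looking double extensions. `.lnk` is a binary format, so only the filename check applies to it here; the `trycloudflare.com` quick-tunnel suffix is an assumption and all addresses in the samples are constructed from documentation ranges.

```python
"""Triage .url shortcuts and links for search-ms and WebDAV delivery tricks."""
import configparser
import re
from urllib.parse import unquote

# \\host@SSL\... and \\host@<port>\... are the UNC forms the WebClient service
# maps to WebDAV; DavWWWRoot is the well-known root used in such paths.
WEBDAV_UNC_RE = re.compile(r"\\\\[^\\\s]+@(?:ssl|\d{1,5})\\", re.I)
# A shortcut whose name ends in .pdf.lnk / .docx.url is disguised as a document.
DISGUISED_NAME_RE = re.compile(r"\.(?:pdf|docx?|xlsx?)\.(?:lnk|url)$", re.I)
# Assumption: quick-tunnel hostnames end in .trycloudflare.com.
QUICK_TUNNEL_RE = re.compile(r"\.trycloudflare\.com(?:$|[/\\:])", re.I)

# Constructed samples (RFC 5737 address, placeholder share name).
MALICIOUS_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=search-ms:query=Invoice&crumb=location:\\\\203.0.113.10@SSL\\DavWWWRoot\\share&displayname=Downloads\n"
    "IconIndex=13\n"
)
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://www.example.com/\n"


def parse_url_shortcut(content: str):
    """Return the URL= target of a Windows Internet Shortcut (.url), or None."""
    cfg = configparser.ConfigParser(interpolation=None)
    try:
        cfg.read_string(content)
    except configparser.Error:
        return None
    if not cfg.has_section("InternetShortcut"):
        return None
    return cfg["InternetShortcut"].get("url")


def classify_target(target: str) -> list:
    """Return the reasons a link target looks like a delivery vector (empty if none)."""
    decoded = unquote(target).strip()   # lures often percent-encode the backslashes
    low = decoded.lower()
    reasons = []
    if low.startswith("search-ms:"):
        reasons.append("search-ms URI handler")
        if "crumb=location:" in low and ("\\\\" in decoded or "://" in low):
            reasons.append("search-ms scoped to a remote location")
    if WEBDAV_UNC_RE.search(decoded) or "davwwwroot" in low:
        reasons.append("WebDAV UNC path")
    if QUICK_TUNNEL_RE.search(low):
        reasons.append("Cloudflare quick-tunnel host")
    return reasons


def triage_attachment(filename: str, content: str = "") -> dict:
    """Combine the filename and (for .url files) the target into one verdict."""
    reasons = []
    if DISGUISED_NAME_RE.search(filename):
        reasons.append("shortcut disguised with a document extension")
    target = parse_url_shortcut(content) if filename.lower().endswith(".url") else None
    if target:
        reasons.extend(classify_target(target))
    return {"filename": filename, "target": target, "reasons": reasons,
            "verdict": "suspicious" if reasons else "clean"}


if __name__ == "__main__":
    for name, body in (("Invoice.pdf.url", MALICIOUS_URL_FILE),
                       ("Agenda.url", BENIGN_URL_FILE),
                       ("report.pdf.lnk", "")):
        print(triage_attachment(name, body))
```

Run `classify_target` over URLs extracted from mail bodies as well as over attachments; on the endpoint side, the same indicators map to blocking the WebClient service where it is unused and monitoring `explorer.exe` launches with `search-ms:` arguments.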
1 week ago
Iranian APT42 SpearSpecter Campaign Targets Defense Sector with TAMECAT Backdoor
Iranian state-backed threat group APT42, also known as Charming Kitten and Educated Manticore, has launched a sophisticated cyberespionage campaign dubbed SpearSpecter, targeting high-profile defense and government organizations as well as their officials and family members. The campaign leverages weeks-long social engineering lures via WhatsApp to gain initial access, followed by credential theft through redirection to fake meeting pages. For long-term persistence, the attackers deploy a fileless PowerShell-based backdoor named TAMECAT, which enables command execution, reconnaissance, file harvesting, and browser data exfiltration. The campaign demonstrates advanced operational security and agility, with infrastructure designed for prolonged espionage against high-value targets. Researchers note that TAMECAT's capabilities allow attackers to maintain stealth and flexibility, executing further PowerShell code and adapting their operations based on their objectives. The Israel National Digital Agency highlighted that these attacks are distinct from previous APT42 campaigns, reflecting a continuous evolution in tactics. The campaign's focus on defense and government entities underscores the persistent threat posed by Iranian cyber operations to critical infrastructure and sensitive sectors worldwide.
3 months ago