A sophisticated PowerShell-based malware named TAMECAT has emerged as a critical threat to enterprise security, targeting login credentials stored in Microsoft Edge and Chrome browsers.
This malware operates as part of espionage campaigns conducted by APT42, an Iranian state-sponsored cyber-espionage group that has been actively targeting high-value senior defense and government officials worldwide.
The threat demonstrates advanced capabilities in credential theft, data exfiltration, and persistent access to compromised systems.
TAMECAT employs a multi-stage infection process that begins with social engineering tactics.
The attackers impersonate trusted WhatsApp contacts and send victims malicious links that abuse the search-ms URI protocol handler.
Once activated, the malware downloads a VBScript that performs antivirus detection on the target system to determine the appropriate execution path.
.webp)
This initial reconnaissance allows the malware to adapt its deployment strategy based on the security environment it encounters.
Pulsedive Threat Research analysts identified TAMECAT as leveraging multiple command-and-control channels, including Telegram bots, Discord, Firebase, and Cloudflare Workers infrastructure.
The malware’s modular architecture enables it to download additional PowerShell scripts and execute various commands remotely.
Each module serves a specific purpose, ranging from browser credential extraction to screen capture and file system crawling, making it a comprehensive surveillance tool.
The threat actors behind TAMECAT utilize WebDAV servers to deliver malicious LNK files disguised as PDF documents.
.webp)
When executed, these files trigger a chain of events that establish persistence through logon scripts and registry run keys.
The malware communicates with its command-and-control infrastructure using encrypted channels, employing AES encryption with predefined keys to protect stolen data during transit.
This layered approach to obfuscation makes detection significantly more challenging for traditional security tools.
TAMECAT implements sophisticated techniques to extract login credentials from both Microsoft Edge and Chrome browsers.
The malware utilizes Microsoft Edge’s remote debugging feature to access browser data while the application is running.
For Chrome, TAMECAT suspends the browser process temporarily to gain unrestricted access to stored credential databases.
.webp)
This dual-capability approach ensures the malware can harvest sensitive authentication information regardless of which browser the victim prefers.
The credential extraction module operates entirely in memory, leaving minimal forensic traces on the infected system.
.webp)
Once credentials are collected, TAMECAT employs its Download Module and a specialized DLL component called Runs.dll to chunk the stolen data into smaller segments before exfiltration.
This segmentation strategy helps the malware evade network monitoring tools that might flag large data transfers.
The exfiltration process uses multiple channels simultaneously, including FTP and HTTPS protocols, providing redundancy in case one communication path becomes blocked or monitored.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
