Iranian state-backed threat actor APT42 has been employing sophisticated social engineering attacks to breach corporate networks and cloud environments. Disguising themselves as journalists, NGO representatives, or event organizers, APT42 uses spear-phishing techniques to trick their targets into clicking malicious links. These links direct victims to fake login pages that mimic legitimate services like Google and Microsoft, harvesting their account credentials and multi-factor authentication tokens.
Once APT42 gains access, they deploy custom backdoors named Nicecurl and Tamecat. Nicecurl, a VBScript-based backdoor, enables command execution, payload downloading, and data mining, while Tamecat, a PowerShell backdoor, offers extensive system manipulation capabilities. These tools allow APT42 to execute commands, exfiltrate data, and maintain a persistent presence in the victim’s environment. The attackers carefully use built-in cloud tool features and clear browsing histories to evade detection, making their actions blend seamlessly with normal operations.
APT42 has been active since at least 2015, targeting a range of organizations, including NGOs, media outlets, educational institutes, activists, and legal services, primarily in Western and Middle Eastern regions. Their tactics include using typosquatted domains to pose as reputable media organizations such as the Washington Post and The Economist. Once trust is established with the victim, they send links to decoy documents, leading to credential harvesting and malware deployment.
Security researchers from Google and other firms have been tracking APT42’s activities, highlighting the need for robust cybersecurity measures. Organizations are advised to stay vigilant, educate their employees about social engineering tactics, and ensure their systems are up-to-date with the latest security patches. Detailed indicators of compromise (IoCs) and YARA rules for detecting Nicecurl and Tamecat are available in Google’s comprehensive report on APT42’s recent campaigns.
