The Iranian state-sponsored threat actor known as APT42 has initiated a focused espionage campaign, dubbed SpearSpecter by the Israel National Digital Agency (INDA), targeting individuals and organizations of specific interest to the Islamic Revolutionary Guard Corps (IRGC). This activity, which began in early September 2025 and is currently assessed to be ongoing, has primarily focused on high-value senior defense and government officials. The attackers employ highly customized and effective social engineering tactics, often posing as known contacts, to lure victims into interacting with them. What is particularly noteworthy about this campaign is its expanded scope, which includes the family members of primary targets, thereby creating a broader attack surface and applying additional psychological pressure.
A key characteristic of APT42 is its mastery of convincing social engineering, with campaigns often running for extended periods—sometimes days or weeks—to meticulously build trust and an illusion of authenticity with the targets. These ruses frequently involve inviting targets to prestigious conferences or arranging significant meetings to lower their guard before delivering a malicious payload or tricking them into clicking on booby-trapped links. APT42 was first publicly documented in 2022 by Google Mandiant and shares operational overlaps with several other IRGC-affiliated threat clusters, including APT35, Mint Sandstorm (formerly Phosphorus), and Magic Hound, highlighting its place within a larger state-backed cyber apparatus.
The flexibility of the SpearSpecter campaign allows the adversary to tailor its approach based on the specific value and objectives associated with each target. In some cases, the attack chain is designed for immediate credential harvesting, redirecting victims to bogus meeting pages built solely to capture their login information. Other, higher-value targets see attacks that prioritize persistent long-term access, leading instead to the deployment of a known PowerShell backdoor called TAMECAT, which has been consistently utilized by the group in recent years.
Experts have identified a distinction between the current SpearSpecter operation and a separate attack wave detailed by Check Point in June 2025, where the threat actors impersonated technology executives to approach Israeli cyber security professionals via email and WhatsApp. According to INDA researchers, both campaigns fall under the APT42 umbrella but are executed by different internal sub-groups or clusters. Specifically, the SpearSpecter campaign is attributed to Cluster D of APT42, which generally focuses on malware-based operations, whereas the June 2025 campaign was carried out by Cluster B, whose focus is primarily on credential harvesting.
This campaign underscores the persistent and evolving nature of state-sponsored Iranian cyber espionage, demonstrating APT42’s advanced capability to conduct sophisticated, multi-phased attacks. By leveraging personalized trust-building alongside technical malice—and crucially, expanding the target profile to include family members—the group maximizes its chances of compromising sensitive accounts and networks. The INDA’s tracking of SpearSpecter provides critical insight into the current methods and operational flexibility of the IRGC-backed threat actor.
Reference:
