
This threat group, tracked as APT42 (also known as Mint Sandstorm and CharmingCypress), is aligned with Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and has become notorious for its stealthy, persistent espionage against high-profile individuals and organizations of national interest.
Sophisticated Social Engineering Tactics
Unlike typical phishing campaigns that target many victims at once, SpearSpecter meticulously researches its targets and invests weeks in building trustful, tailored relationships.
Attackers often pose as organizers of exclusive conferences or high-level meetings, personally contacting their targets via platforms like WhatsApp, which adds a layer of credibility and familiarity.

In some cases, they even reach out to family members to broaden their influence and increase psychological pressure on the primary victims.
This patient, intelligence-driven approach helps them bypass traditional email security and human suspicion. Only after trust is established do the attackers deploy their technical traps, such as luring targets to malicious websites that impersonate meeting pages.
These decoy sites are designed to trick users into entering their login credentials, which are captured in real time and used to support further espionage and data theft.
Behind the Scenes: TAMECAT and Stealthy Attacks
At the technical core of this campaign is a custom, advanced backdoor called TAMECAT. This modular malware is hidden within PowerShell scripts and is loaded directly into system memory, making detection especially challenging. Once installed, TAMECAT maintains continued access by registering itself in obscure system directories and registry keys.
TAMECAT’s modular design enables continuous updates and the addition of new capabilities without writing additional files to disk, a method known as “fileless” persistence.
Communication with attackers occurs across multiple, redundant channels, including HTTPS, Telegram, and Discord, all of which use strong AES-256 encryption. This flexible command-and-control mechanism not only improves resilience but also makes traffic analysis and blocking far more difficult.
Once inside, TAMECAT can quietly harvest browser credentials, files, and even the full contents of the mailbox, prioritizing sensitive documents and emails as well as data stored by both Edge and Chrome.
Special emphasis is placed on stealth: for instance, the attacker uses legitimate tools such as PsSuspend to temporarily suspend browser processes, enabling unimpeded access to locked data.
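The three host-side behaviours described above (PowerShell payloads decoded and run in memory, persistence through registry autorun keys, and PsSuspend used to freeze browser processes) each leave traces in standard Windows telemetry. The following is an added example, not code from the article or from any published TAMECAT analysis: a small triage script that runs three detection rules over constructed event records shaped like PowerShell script-block logs (Event ID 4104) and Sysmon registry (13) and process-creation (1) events. The field names, registry paths, file paths and command lines are assumptions made for the example, not indicators from the reported campaign.

```python
"""
Added example (not part of the original article): triage constructed Windows
event records for three behaviours the article attributes to TAMECAT.
All sample events, paths and field names below are constructed for this
example; they are not indicators from the reported campaign.
"""
import re
from dataclasses import dataclass

# Tells of "fileless" PowerShell: the payload is decoded and executed in
# memory instead of being written to disk as a script file.
FILELESS_PATTERNS = [
    re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I),
    re.compile(r"FromBase64String", re.I),
    re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    re.compile(r"DownloadString|DownloadData", re.I),
    re.compile(r"\[Reflection\.Assembly\]::Load", re.I),
]

# Autorun locations commonly abused for persistence (assumed set for the example).
AUTORUN_KEYS = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I
)

BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "chrome", "msedge"}


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def check_script_block(event):
    """Event 4104: flag a script block showing at least two in-memory execution tells."""
    text = event.get("ScriptBlockText", "")
    hits = [p.pattern for p in FILELESS_PATTERNS if p.search(text)]
    if len(hits) >= 2:  # two independent tells keeps admin one-liners from firing
        return Finding("fileless_powershell", 4104, ", ".join(hits))
    return None


def check_registry(event):
    """Sysmon 13 (registry value set): autorun value whose data launches PowerShell."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if AUTORUN_KEYS.search(target) and re.search(r"powershell|pwsh", details, re.I):
        return Finding("autorun_powershell_persistence", 13, target)
    return None


def check_process(event):
    """Sysmon 1 (process create): PsSuspend aimed at a browser process."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if image.endswith(("pssuspend.exe", "pssuspend64.exe")):
        tokens = cmdline.replace('"', "").split()
        if any(t in BROWSER_PROCESSES for t in tokens):
            return Finding("browser_suspended_by_pssuspend", 1, cmdline)
    return None


CHECKS = {4104: check_script_block, 13: check_registry, 1: check_process}


def triage(events):
    """Run the rule matching each event's ID and collect the findings in order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check:
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events: three malicious, three benign.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-Service | Where-Object Status -eq Running"},
    {"EventID": 4104, "ScriptBlockText":
        "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)))"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -w hidden -ep bypass -f C:\Users\Public\Libraries\u.ps1"},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Example\Setting", "Details": "1"},
    {"EventID": 1, "Image": r"C:\Tools\pssuspend64.exe",
     "CommandLine": "pssuspend64.exe chrome.exe"},
    {"EventID": 1, "Image": r"C:\Tools\pssuspend.exe",
     "CommandLine": "pssuspend.exe notepad.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

The script-block rule deliberately requires two independent tells before alerting; a single `IEX` or base64 call is common in legitimate administration, while decode-then-execute chains are the shape of an in-memory loader. The registry and PsSuspend rules are narrow on purpose: an autorun value that launches PowerShell, or a Sysinternals suspend aimed at a browser, is rare enough on a workstation to be worth an analyst's attention.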
They also capture screenshots at short intervals and exfiltrate all findings in encrypted chunks, minimizing the risk of detection. The SpearSpecter campaign represents the evolving nature of state-sponsored cyber-espionage.
The group's meticulous relationship-building, living-off-the-land techniques, and modular, fileless malware enable persistent, large-scale intelligence collection, particularly against those with access to sensitive national or organizational data.
To counter such threats, organizations must combine regular employee vigilance training, robust endpoint detection, and network controls with proactive monitoring for these novel tools and techniques.
