
New APT42 cyberespionage campaign sets sights on defense, government officials


The Israel National Digital Agency (INDA) has noted that the Iranian state-backed threat operation APT42, also known as Charming Kitten and Educated Manticore, targeted high-profile defense and government organizations and officials, as well as their family members, as part of the SpearSpecter campaign, according to The Hacker News.

INDA noted that intrusions under SpearSpecter could be modified based on APT42's intent: credential theft operations involved redirections to fake meeting pages, while long-term persistence involved delivery of the PowerShell-based TAMECAT backdoor.

Besides listening for commands that allow further PowerShell code execution, TAMECAT also permits reconnaissance, file harvesting, and browser data exfiltration. INDA researcher Yaniv Goldman regarded these attacks as different from a June campaign observed by Check Point, which was performed by two APT42 subgroups.

"The SpearSpecter campaign's infrastructure reflects a sophisticated blend of agility, stealth, and operational security designed to sustain prolonged espionage against high-value targets," said INDA.
