APT42 was first formally documented by Mandiant (now part of Google Cloud) in September 2022, though the group's operations trace back to at least 2015 under the same institutional umbrella. It is assessed to operate on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), specifically its counterintelligence division. Its formal designation within Iran's intelligence apparatus, revealed by internal documents leaked in 2025, is Department 40 of Unit 1500 — a structured cyber espionage unit with a defined hierarchy, specialized teams, operational codenames, and a chain of command that reports directly to IRGC-IO Division 1500 leadership.
The group operates under an extensive alias ecosystem. In public threat intelligence, it is tracked as APT42, Charming Kitten, Mint Sandstorm (Microsoft), TA453 (Proofpoint), Educated Manticore (CrowdStrike and Check Point), Yellow Garuda (PwC), ITG18 (IBM X-Force), CALANQUE (Google TAG), CharmingCypress, GreenCharlie, and Cobalt Illusion. It overlaps significantly with APT35, which is often treated as a sibling unit within the same IRGC-IO apparatus focusing on more malware-intensive, longer-dwell operations, while APT42 specializes in the social engineering and credential harvesting that creates the initial access APT35 may then exploit further.
Department 40: What the KittenBusters Leak Exposed
In September and October 2025, an anonymous collective calling itself KittenBusters began publishing internal documents from APT42's operations to GitHub in serialized episodes. The leak was described by British-Iranian activist Nariman Gharib, who analyzed and amplified the materials, as exposing a system designed to locate and ultimately facilitate the targeted killing of individuals deemed threats to Iran — going well beyond espionage into a chain that feeds lethal intelligence to IRGC physical operations.
The materials included attack reports, daily operational logs, internal communications, malware samples — including the source code of BellaCiao — photographs of personnel, and an infrastructure management spreadsheet documenting every server the group used. The documents confirmed the identity of Department 40's operational leader: Abbas Rahrovi, known internally by the codename ACS and operating externally under aliases including Abbas Hosseini and Mekhaeel Hosseini, with a separately registered national ID for each alias. His wife, Niloofar Bagheri, leads the group's women's division — a twenty-person team codenamed Aqiq, responsible for translation, social engineering, and psychological warfare operations.
The leaked documents include "email compromise reports" — internal records documenting successful account takeovers and the intelligence extracted from victims' communications. Among the documented targets is Olli Heinonen, the former IAEA Deputy Director-General who oversaw inspections of Iran's nuclear program. Department 40 maintains files not just on organizations but on specific individuals, with intelligence products documenting what was exfiltrated from compromised accounts and its assessed value to IRGC counterintelligence objectives.
The organizational structure revealed by KittenBusters is that of a formal intelligence unit, not a hacker collective. Rahrovi commands over sixty operatives working across five facilities in Iran. Below him, the structure divides into specialized hacking teams and operational support bases, each with designated leaders, codenames, and defined responsibilities. A leaked salary request document places the unit's active operational history back to at least 2017. The financial records published in later KittenBusters episodes documented a 19-month operational ledger from April 2023 through November 2024, recording approximately 50 to 60 Bitcoin transactions for infrastructure procurement — domain registrations through Namecheap and Namesilo using ProtonMail-registered accounts, European VPS hosting, and cryptocurrency payments routed through Bitcoin wallets and Cryptomus. Infrastructure ledgers named two personnel responsible for maintaining the server spreadsheets: Mohammad Najafloo (since departed) and Mohammad Erfan Hamidi Aref, who took over management.
Crucially, the infrastructure spreadsheet confirmed direct overlap with the Moses Staff operation — a group that had sometimes been treated as a distinct entity from Charming Kitten. The leaked data formally connected what had been analyzed as separate personas into a single, coordinated state-directed effort managed under the same administrative and technical infrastructure. The KittenBusters leak also exposed the front company structure used to provide operational cover: Zharf Andishaan Tafakkor Sefid (Deep White Thinking Institute) as the primary registered entity, with board members using aliases and dual national ID numbers mirroring the practice used by the leadership.
The Targeting Doctrine: Human Intelligence Through Cyber Means
APT42's targeting logic is unlike most APT groups and reflects its institutional mandate. The group selects targets not primarily for what organizations they belong to but for who they are, what they know, and who they communicate with. This human intelligence framing produces a target list that is simultaneously more diverse and more precisely curated than typical espionage operations: journalists and editors covering Iran, the Middle East, nuclear issues, or human rights; academic researchers and think tank analysts focused on Iran policy or nuclear non-proliferation; NGO personnel working on issues related to Iran; government officials in the United States, Israel, Gulf states, and Europe; legal professionals representing Iranian dissidents or individuals in conflict with the regime; and Iranian diaspora community members and activists whom the regime classifies as opponents.
The 2024 Mandiant report assessed that roughly 60% of APT42's known geographic targeting in the six months prior to publication fell on the United States and Israel combined — a ratio that reflects both the group's political mandate and the concentration of Iran-related policy expertise in those two countries. Gulf state targets have grown significantly more prominent since the Abraham Accords, with APT42 documented impersonating UAE media outlets including Khaleej Times to target regional policy experts and government officials whose correspondence has intelligence value regarding Abraham Accords-adjacent decision-making.
What makes the targeting doctrine distinctive is the deliberate elevation of access through human proximity. APT42 does not just target principals — it targets people adjacent to principals, family members of primary targets, administrative staff with shared drive access, and colleagues whose email accounts contain forwarded communications from the actual target. This network-effect targeting maximizes the intelligence yield of each successful compromise while making the ultimate intelligence objective less visible at the access point.
The Social Engineering Methodology
APT42's social engineering is its most consistently documented and most consequential capability. The group invests time and operational resource in pre-targeting research and persona construction that most threat actors would not sustain. Documented campaigns show operators spending weeks or months in correspondence with a target before attempting any technical action — building credibility through multiple exchanges, demonstrating domain knowledge relevant to the target's field, and creating the kind of relationship familiarity that causes security instincts to relax.
Personas are constructed to be credible within the target's professional world. Documented impersonation targets include journalists at major publications, senior fellows at named think tanks, conference organizers for events the target would plausibly want to attend, and even known professional contacts whose identities are spoofed through typo-squatted domains. The choice of impersonation is never random — it is designed to be someone the target has reason to trust and engage with, using knowledge gathered from the target's public professional profile and, in many cases, from prior intelligence on the target's network.
APT42 routinely uses messaging platforms — WhatsApp, Signal, Telegram — as outreach channels rather than email alone. This approach bypasses many corporate email security controls and creates a more personal, less formal interaction dynamic that reduces a target's guard. Spear-phishing via WhatsApp from what appears to be a professional contact is significantly harder for an individual to identify as malicious than a suspicious email. The SpearSpecter campaign in September 2025 used WhatsApp as the primary initial contact channel for high-value government and defense officials.
The attack chain typically unfolds across three phases. In the first, the persona engages the target in substantive, professionally relevant conversation — asking for expert opinions, sharing papers or articles of interest, inviting the target to review a document or participate in a project. In the second, a link or attachment is introduced in the context of the established conversation — a document for review, a meeting invitation, a conference registration link, a Google Drive share. The target clicks because they are in the middle of what feels like a professional interaction. In the third phase, the link resolves to a credential harvesting page or the attachment executes a malware payload, depending on the target's assessed value and the operation's objectives.
For credential harvesting, APT42 operates multiple infrastructure clusters running different phishing kits. Documented configurations include fake Google login pages hosted on malicious domains, Google Sites pages with embedded credential harvesting (exploiting Google's reputation to bypass link filtering), and fake meeting pages — Google Meet lookalikes — that capture credentials as part of an apparent video meeting setup. After credentials are captured, APT42 uses them to access cloud environments directly: Microsoft 365, Google Workspace, and associated cloud storage services are primary targets, with operators searching for documents, emails, and contacts that extend the intelligence value beyond the initial compromise. MFA bypass through push notification fatigue — the same technique documented in Scattered Spider operations — has been observed when push-based MFA is in use on target accounts.
The Two-Cluster Structure: Credential Harvesting vs. Malware Operations
Mandiant's 2024 analysis, confirmed and extended by Israel's National Digital Agency (INDA) in its November 2025 SpearSpecter campaign report, identified at least two distinct operational clusters within APT42 with different specializations and different operational footprints.
Cluster B focuses on credential harvesting. This cluster operates the sophisticated phishing infrastructure — the fake login pages, the Google Sites credential capturing, the persona-based social engineering campaigns — and prioritizes cloud account access over persistent device compromise. The campaign that Check Point documented in June 2025 targeting Israeli cybersecurity and technology professionals via WhatsApp and email was attributed to Cluster B.
Cluster D deploys malware when persistent device access is the goal — when credential theft alone is insufficient for the required intelligence collection, or when the target warrants the operational investment of a full implant. Cluster D operates the TAMECAT and NICECURL backdoor families and delivers them through social engineering lures that mirror Cluster B's persona approach but lead to malware execution rather than credential harvesting pages. The SpearSpecter campaign disclosed by INDA in November 2025 — targeting senior Gulf defense and government officials — was attributed to Cluster D.
The two-cluster structure explains an otherwise puzzling pattern in APT42 reporting: how the same threat actor can simultaneously run campaigns that look like pure phishing operations and campaigns that deploy sophisticated PowerShell backdoors. They are separate, parallel capabilities within the same organization, applied based on target value and intelligence objective rather than operator preference.
The Malware Arsenal: NICECURL, TAMECAT, and the Evolving Toolkit
Mandiant's May 2024 report documented two custom backdoors as APT42's primary malware deployments at that time — NICECURL and TAMECAT. Both are designed for initial access and flexible post-exploitation rather than heavy-footprint persistence, consistent with APT42's preference for targeted, deniable operations.
NICECURL is a backdoor written in VBScript, communicating over HTTPS. It accepts commands including arbitrary command execution, module download and execution (including a dedicated data mining module), configuration updates via the SetNewConfig command, and artifact removal via a kill command. The delivery mechanism documented in 2024 involved LNK files downloading the VBScript payload from attacker-controlled infrastructure, with decoy documents — conference materials, academic papers, forms from legitimate organizations — displayed to the user to support the social engineering pretext. NICECURL was first publicly analyzed by Volexity in February 2024 under the alternate designation BASICSTAR, linked to campaigns against Middle East policy experts in late 2023.
TAMECAT is a PowerShell backdoor capable of executing arbitrary PowerShell or C# content, providing a flexible execution interface for operators who want to run commands manually or deploy additional payloads on demand. TAMECAT communicates with its C2 via HTTP, with data AES-encrypted using a hardcoded key. Its execution chain begins with a VBScript downloader that uses Windows Management Instrumentation (WMI) to check whether Windows Defender is running, then selects download and execution paths accordingly — using conhost.exe and Wget if Defender is active, or Cmd.exe and Curl otherwise. The SpearSpecter campaign updated TAMECAT's C2 infrastructure to include Discord and Telegram API endpoints alongside HTTP, and introduced Cloudflare Workers as a serverless C2 edge — making TAMECAT's traffic significantly harder to distinguish from legitimate cloud service communications.
The SpearSpecter variant of TAMECAT documented in November 2025 also expanded post-compromise capabilities. Operators used PsSuspend to temporarily suspend browser processes, enabling unimpeded access to credential stores otherwise protected by running browser processes. Screenshots were captured at short intervals and exfiltrated in AES-encrypted chunks. Browser credential extraction targeted both Chrome and Edge. Full mailbox contents were prioritized for collection. A search-ms URI handler exploit delivered an LNK file from a WebDAV server to execute the payload filelessly in memory, reducing on-disk artifacts.
APT35 — the sibling unit sharing institutional roots with APT42 — separately developed BellaCPP in late 2024, a C++ reimplementation of the .NET-based BellaCiao implant previously associated with the cluster. The KittenBusters leak included BellaCiao source code, confirming infrastructure overlap between the two units and demonstrating deliberate tooling evolution toward more performant, harder-to-detect languages. Both BellaCiao and its C++ successor use webshell-tunneling hybrid approaches and Plink-based reverse proxies for C2 communications.
High-Profile Operations: Elections, Officials, and the 2024–2025 Campaign Record
2024 US Presidential Election
In August 2024, Google Threat Analysis Group (TAG) disclosed that APT42 had compromised the email accounts of campaign advisers associated with both the Biden campaign and the Trump campaign. The group accessed internal documents and communications, and leaked some of what it obtained to media outlets — making this the most consequential APT42 operation on public record in terms of direct political impact. The FBI, CISA, and ODNI issued a joint advisory confirming Iranian state interference in the election cycle. The U.S. Department of Justice subsequently indicted Iranian nationals linked to the operations.
NGO and Think Tank Targeting (2023–2024)
From late 2023 through mid-2024, APT42 ran sustained campaigns against NGOs, think tanks, legal services, and media organizations in the United States and United Kingdom. Documented impersonations included a senior fellow at the Harvard T.H. Chan School of Public Health (used to deliver a NICECURL payload via a fake Interview Feedback Form decoy), staff at a Middle East-focused U.S. think tank, and organizers of events related to Iranian and Middle Eastern policy. A campaign specifically targeting women's rights activists used a fake login page mimicking Gmail, delivered via a domain designed to resemble a women's rights organization — with a persona spoofing a known Iranian activist filmmaker.
Targeting Israeli Cybersecurity Professionals (June 2025)
Following Israel's Operation Rising Lion in June 2025, Cluster B of APT42 (operating as Educated Manticore) launched a campaign targeting Israeli cybersecurity professionals, academics, and technology sector employees. Operators posed as technology executives or researchers and contacted targets through WhatsApp and email, directing them to phishing pages mimicking Google Login and Google Meet. The pages were meticulously constructed and in many cases hosted on legitimate Google Sites infrastructure to leverage Google's reputation. Check Point Research attributed this campaign to APT42 Cluster B based on consistent infrastructure patterns and domain registration techniques.
SpearSpecter (September 2025–ongoing)
The campaign designated SpearSpecter by Israel's National Digital Agency was detected beginning in early September 2025 and assessed as ongoing at the time of disclosure in November 2025. Attributed to APT42 Cluster D, the operation targeted high-value senior defense and government officials in the Gulf region and beyond, with a notable extension to the family members of primary targets — a deliberate expansion of the attack surface that applies psychological pressure through proximity rather than direct compromise.
Operators posed as organizers of exclusive professional conferences and high-level meetings, contacting targets initially via WhatsApp before transitioning to other channels. For targets where the objective was credential harvesting, victims were redirected to fake meeting pages designed to capture Google or Microsoft credentials. For targets requiring persistent long-term access — those whose intelligence value justified the operational investment — the attack chain led to TAMECAT deployment through the fileless LNK-over-WebDAV technique. The infrastructure supporting SpearSpecter combined legitimate cloud services (Cloudflare Workers, Discord API, Telegram API) with attacker-controlled domains, creating a C2 architecture that generated minimal distinctive network signatures.
How APT42 Differs From Other Iranian APT Groups
A comparison with other Iranian APT groups clarifies APT42's distinct strategic role. While OilRig (APT34) conducts espionage against organizations — energy companies, governments, financial institutions — APT42 primarily targets individuals who happen to work at or around those organizations. The access APT42 seeks is personal: email accounts, cloud storage, communication histories, contact lists. An OilRig operation against an energy company is trying to map the network and exfiltrate operational data. An APT42 operation against an energy sector analyst is trying to read their emails and understand who they talk to about what.
Crucially, while other Iranian APT groups adapted to increasingly conduct destructive, disruptive, and hack-and-leak operations alongside their espionage mandates — particularly during the periods of kinetic escalation in 2025 — APT42 remained focused on intelligence collection throughout. Mandiant's May 2024 report specifically noted that APT42 had maintained its victimology and mission focus despite the Israel-Hamas war driving other Iran-linked actors toward disruptive operations. This discipline reflects an institutional mandate that has not changed: APT42 collects intelligence on individuals of interest to the IRGC's counterintelligence function, and it does so continuously regardless of geopolitical context.
The connection between APT42's intelligence collection and physical harm is the most alarming dimension of the group's activity. The KittenBusters leak analysis by Nariman Gharib documented how compromised email accounts and identity information feed into a system that the IRGC uses to locate, monitor, and in some cases arrange physical action against individuals the regime classifies as threats. This transforms what would otherwise be classified as a cyber espionage operation into something with potential physical consequences for targets — a dimension that rarely applies to most APT group activity and fundamentally changes the risk calculus for the individuals APT42 is targeting.
Defensive Guidance for At-Risk Individuals and Organizations
APT42 presents a fundamentally different defensive challenge from infrastructure-targeting APTs. The group attacks individuals on personal devices and personal cloud accounts, outside corporate security perimeters, through social engineering that unfolds over days or weeks. Standard endpoint and network security controls provide limited protection against an attack that begins with a WhatsApp conversation from a plausible professional contact and ends with a credential-harvesting click on what appears to be a Google login page.
- Treat unsolicited professional outreach via messaging platforms with heightened skepticism. APT42 uses WhatsApp, Telegram, and Signal as first-contact channels because they bypass corporate email security and create a more personal dynamic. An unexpected message from someone claiming professional affiliation — even on a platform where that person is already a contact — should trigger verification through a separate, established channel before any link is clicked or attachment opened.
- Verify all conference invitations and document share requests out-of-band. APT42's most effective lures are conference invitations and document collaboration requests delivered in the context of an established professional relationship. Before clicking any link to register for an event, access a shared document, or join a meeting, verify the invitation directly with the purported sender through a previously established communication channel — not by replying to the current message.
- Use phishing-resistant MFA on all personal and professional cloud accounts. APT42 bypasses push notification-based MFA through fatigue attacks. FIDO2 hardware keys and passkeys are cryptographically bound to legitimate domains and cannot be relayed through phishing pages or AiTM proxies. For individuals who are high-value APT42 targets — journalists, policy researchers, NGO staff, government officials, diaspora activists — hardware key enrollment on Gmail and Microsoft accounts is the single most impactful individual action available.
- Enroll in advanced protection programs. Google's Advanced Protection Program and Microsoft's equivalent substantially harden account security for individuals at elevated risk of state-sponsored targeting. These programs impose stricter authentication requirements, limit third-party application access, and provide enhanced monitoring and recovery capabilities. They are specifically designed for journalists, activists, campaign personnel, and others at high risk of targeted account compromise.
- Monitor for anomalous cloud access indicators. APT42 commonly uses compromised credentials to access cloud environments from unexpected IP addresses and geographic locations. Reviewing account activity logs for unexpected sign-ins, checking for newly enrolled MFA devices the account owner did not add, and auditing OAuth application grants in Microsoft 365 and Google Workspace can surface post-compromise access that is otherwise invisible. Automatic email forwarding rules set to external addresses are a documented APT42 post-access persistence technique — auditing mail forwarding rules should be a regular practice for at-risk accounts.
- Treat family members of high-value targets as part of the attack surface. SpearSpecter explicitly extended targeting to the family members of primary targets. Individuals who are themselves low-profile but closely related to policy officials, defense personnel, or activists should apply the same protective measures and receive the same briefings on APT42 social engineering patterns.
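The account-monitoring item above (unexpected sign-ins, newly enrolled MFA methods, external mail forwarding rules) as a small triage script. This is an added example, not code from the article or from any vendor; the event records are constructed and use a simplified hypothetical schema rather than the real Microsoft 365 or Google Workspace audit log format, and example.org is assumed to be the monitored organization's domain.

```python
"""Triage of cloud audit events for APT42-style post-compromise signs.

Added example, not code from the original article. Events are constructed
and use a simplified hypothetical schema, not the real Microsoft 365 or
Google Workspace audit log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.org"}            # assumption: the monitored org's domain
REVIEW_WINDOW_START = "2025-09-05T00:00:00Z"  # earlier events only build the baseline

# Constructed sample events, oldest first (ISO-8601 UTC, so the strings sort by time).
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T08:02:11Z", "user": "analyst@example.org", "op": "SignIn",
     "country": "US", "ip": "203.0.113.10", "result": "Success"},
    {"ts": "2025-09-02T09:15:40Z", "user": "analyst@example.org", "op": "SignIn",
     "country": "US", "ip": "203.0.113.10", "result": "Success"},
    {"ts": "2025-09-09T22:41:03Z", "user": "analyst@example.org", "op": "SignIn",
     "country": "DE", "ip": "198.51.100.77", "result": "Success"},
    {"ts": "2025-09-09T22:43:27Z", "user": "analyst@example.org", "op": "MfaMethodRegistered",
     "country": "DE", "ip": "198.51.100.77", "method": "Authenticator App"},
    {"ts": "2025-09-09T22:46:58Z", "user": "analyst@example.org", "op": "InboxRuleCreated",
     "country": "DE", "ip": "198.51.100.77",
     "rule": {"name": ".", "forward_to": "archive.sync@mailbox.test", "delete_after_forward": True}},
    {"ts": "2025-09-10T07:30:12Z", "user": "analyst@example.org", "op": "SignIn",
     "country": "US", "ip": "203.0.113.10", "result": "Success"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _finding(e, kind, detail):
    return {"ts": e["ts"], "user": e["user"], "kind": kind, "detail": detail}

def build_geo_baseline(events, window_start=REVIEW_WINDOW_START):
    """Countries each user successfully signed in from before the review window."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < window_start and e["op"] == "SignIn" and e.get("result") == "Success":
            baseline[e["user"]].add(e["country"])
    return baseline

def triage(events, window_start=REVIEW_WINDOW_START, internal=INTERNAL_DOMAINS):
    """One finding per suspicious event inside the review window."""
    baseline = build_geo_baseline(events, window_start)
    findings = []
    for e in events:
        if e["ts"] < window_start:
            continue
        off_baseline = e["country"] not in baseline.get(e["user"], set())
        if e["op"] == "SignIn" and e.get("result") == "Success" and off_baseline:
            findings.append(_finding(e, "new_country_signin", f"{e['country']} via {e['ip']}"))
        elif e["op"] == "MfaMethodRegistered":
            # Every enrollment needs owner confirmation; one from an off-baseline
            # country is the stronger takeover signal.
            findings.append(_finding(e, "mfa_enrolled",
                                     f"{e['method']} (off-baseline={off_baseline})"))
        elif e["op"] == "InboxRuleCreated":
            rule, target = e["rule"], e["rule"].get("forward_to", "")
            if target and target.rsplit("@", 1)[-1].lower() not in internal:
                note = f"forwards to {target}"
                if rule.get("delete_after_forward"):
                    note += ", deletes after forwarding"  # the owner never sees the copy
                if len(rule.get("name", "").strip()) <= 1:
                    note += ", near-empty rule name"      # easy to overlook in the mailbox UI
                findings.append(_finding(e, "external_forwarding_rule", note))
    return findings

def takeover_candidates(findings, window_hours=24):
    """Users showing two or more distinct finding kinds within window_hours."""
    by_user = defaultdict(list)
    for f in findings:
        by_user[f["user"]].append(f)
    flagged = set()
    for user, items in by_user.items():
        items.sort(key=lambda f: f["ts"])
        for i, first in enumerate(items):
            limit = _ts(first["ts"]) + timedelta(hours=window_hours)
            kinds = {g["kind"] for g in items[i:] if _ts(g["ts"]) <= limit}
            if len(kinds) >= 2:
                flagged.add(user)
                break
    return flagged
```

Running triage(SAMPLE_EVENTS) yields three findings for the constructed sequence (off-baseline sign-in, MFA enrollment, external forwarding rule) and leaves the later sign-in from the baseline country alone; takeover_candidates then flags the account because all three occur within a day.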
Key Takeaways
- APT42 is Department 40 of IRGC-IO Unit 1500 — a formal structured intelligence unit, not a hacker collective. The KittenBusters leak confirmed what researchers had long assessed: the group operates with a defined hierarchy, specialized teams, performance metrics, and a chain of command reporting to IRGC-IO Division 1500. Its operations are institutionally directed espionage, not independent criminal activity.
- The group's primary weapon is trust, not malware. APT42 invests more in persona construction and relationship development than in technical exploit development. Many of its operations never deploy malware at all — credential harvesting through trusted-seeming links is sufficient to access cloud environments containing the intelligence the IRGC requires. Technical controls that do not account for social engineering are insufficient defenses against this threat.
- Two internal clusters handle different collection objectives. Cluster B harvests credentials through sophisticated phishing infrastructure. Cluster D deploys TAMECAT and NICECURL for persistent device access when credentials alone are insufficient. The same social engineering approach delivers both, but the payloads and objectives differ based on target value assessment.
- Intelligence collected by APT42 may feed physical threat operations against individuals. The KittenBusters leak documents the connection between Department 40's credential collection and the IRGC's use of that intelligence to locate and act against regime opponents. This dimension makes APT42 targeting categorically different from most corporate espionage — it carries direct physical risk implications for the individuals targeted.
- The group's focus on individuals rather than organizations means standard enterprise security controls provide limited protection. APT42 attacks people on their personal devices and personal accounts, outside corporate perimeters, through channels (WhatsApp, personal Gmail, personal cloud storage) that corporate endpoint security and network monitoring typically do not cover. Defensive guidance for APT42 must address individual behavior, personal account security, and out-of-band verification practices — not just enterprise security architecture.
APT42 has been conducting operations for over a decade, and the pace has increased rather than diminished as geopolitical tensions have escalated. The SpearSpecter campaign, the 2024 US election compromise, and the sustained targeting of NGOs and policy researchers all reflect a continuous intelligence collection mandate that operates regardless of ceasefire status, diplomatic negotiation, or public exposure. Individuals within the group's targeting envelope — which is defined by professional proximity to Iran-relevant policy, research, or civil society work — should treat APT42 as a persistent structural risk rather than an episodic threat.