Active threat profile
Type: nation-state
Threat level: critical
Status: active
Origin: Iran — IRGC-IO
Last updated: 2026-03-26

APT42 / Charming Kitten

Also known as: Charming Kitten; Mint Sandstorm (Microsoft); TA453 (Proofpoint); CALANQUE (Google TAG); Damselfly (Mandiant internal); UNC788 (Mandiant pre-attribution); Yellow Garuda (PwC); ITG18 (IBM X-Force); Educated Manticore (Check Point).

APT42 is an Iranian state-sponsored cyber espionage group assessed with moderate confidence to operate on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). Unlike destructive threat actors that encrypt or wipe systems, APT42's mission is surveillance — identifying, monitoring, and locating individuals the Iranian regime views as threats. It invests weeks or months cultivating trust with targets through believable personas before attempting credential theft, and its operations have intensified significantly following the February 2026 US-Israeli airstrikes on Iran.

Attributed origin: Iran — assessed with moderate confidence (Mandiant/Google); corroborated by Microsoft, Proofpoint, and Check Point
Suspected sponsor: Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO)
First observed: At least 2015; formally documented by Mandiant in September 2022
Primary motivation: Surveillance — locating dissidents, collecting political intelligence, monitoring perceived threats to the Iranian regime
Primary targets: Journalists, dissidents, NGOs, government officials, academics, political campaigns, ISPs, telecoms
Known campaigns: 30+ confirmed operations across 15+ countries (2015–2026)
MITRE ATT&CK group: G1044
Target regions: Middle East, United States, Israel, United Kingdom, Europe, Gulf states
Threat level: CRITICAL — elevated tempo since Feb 28, 2026

Overview

APT42 has been active since at least 2015, though it was not formally documented as a distinct threat cluster until Mandiant published a comprehensive report in September 2022. The group's assessed affiliation with the IRGC-IO — the intelligence arm of Iran's most powerful military-political institution — shapes every aspect of its targeting. The IRGC-IO's mandate is to monitor and suppress foreign threats to the Islamic Republic and domestic dissent. APT42's victim list reads like a directory of that mandate: Iranian exiles, human rights lawyers, foreign journalists covering Iranian affairs, nuclear policy researchers, defense officials in adversarial nations, and individuals with access to sensitive government communications.

What distinguishes APT42 from many nation-state actors is its deliberate avoidance of technical exploitation as a primary access method. Rather than hunting zero-days or attacking perimeter infrastructure, APT42 operators invest in people — researching targets thoroughly, constructing credible fake personas, and building genuine trust through sustained correspondence before any malicious link is sent. A target may receive weeks of benign, professionally relevant emails from what appears to be a journalist, conference organizer, or NGO researcher before being directed to a credential-harvesting page. This patience makes APT42 extraordinarily difficult to detect through traditional indicators.

The group operates in documented sub-clusters with distinct operational focuses. Cluster B is primarily credential-focused, using phishing infrastructure to harvest account credentials and access cloud-hosted email and documents. Cluster D focuses on malware-based operations, deploying custom backdoors such as NICECURL and TAMECAT for persistent access and deeper surveillance. The two clusters operate against overlapping but distinct target sets, and both have been active in 2025 and into 2026.

Following the February 28, 2026 US-Israeli airstrikes on Iranian military sites (Operation Epic Fury), APT42 operations entered what researchers describe as elevated operational tempo. The SpearSpecter campaign — active since at least September 2025 and attributed to Cluster D — expanded to targeting family members of primary targets, creating a broader attack surface and applying additional pressure on senior defense and government officials in the Gulf region. AI-assisted phishing lure generation has been documented in recent campaigns, increasing the believability and production speed of social engineering materials.

APT42's relationship to the overlapping APT35 / Magic Hound cluster is a persistent source of confusion in vendor reporting. Microsoft's Mint Sandstorm designation historically encompassed both groups. Mandiant and Google TAG track them as distinct entities based on differences in targeting patterns and tooling, and this profile follows that convention. APT42 focuses on surveillance of specific high-value individuals; APT35 has a broader network intrusion and data theft mandate.

Target Profile

APT42 targets individuals and institutions the Iranian government perceives as threats — a definition that has expanded considerably as Iran's geopolitical confrontations have intensified. Targeting is narrowly scoped and highly personalized; this is not mass-scale phishing but precision surveillance.

  • Iranian dissidents and diaspora: The group's original and most consistent target set. Activists, human rights defenders, journalists covering Iranian domestic affairs, reformist political figures, and members of the Iranian diaspora who maintain public profiles criticizing the regime are persistently targeted. Android spyware (PINEFLOWER) has been deployed against individuals inside Iran itself — collecting calls, SMS messages, audio recordings, and location data.
  • Journalists and media organizations: APT42 impersonates journalists to target journalists — a deliberate double-layered approach. Researchers at major Western publications receive fake interview requests from convincing personas, while the group simultaneously uses journalist identities (Washington Post, The Economist, Jerusalem Post, Khaleej Times) to approach government officials and policy experts. In June 2025, the group targeted Israeli cybersecurity professionals via email and WhatsApp, posing as technology executives and researchers.
  • Government officials and political figures: Google TAG confirmed APT42 targeted email accounts affiliated with both the Biden administration and the Trump presidential campaign during the 2024 US election cycle — one of the few documented cases of APT42 directly targeting a sitting US president's inner circle and a major party campaign. The SpearSpecter campaign (September 2025 onward) systematically targets senior defense and government officials across Gulf Cooperation Council states.
  • Think tanks, NGOs, and academia: Policy researchers, nuclear analysts, Middle East scholars, and NGO leadership are consistently targeted. APT42 has impersonated conference organizers and academic institutions — including the Harvard T.H. Chan School of Public Health in one documented NICECURL delivery — to create realistic pretexts for initial engagement.
  • ISPs, telecoms, and medical systems (population-scale): A documented 2025–2026 escalation in APT42's mission involves targeting entities that hold large individual-level datasets. ISPs, telecommunications providers, and medical record systems are assessed to be targeted with the intent of obtaining data that enables the IRGC-IO to locate, identify, and track specific individuals — including dissidents who may be using pseudonyms or attempting to conceal their location from Iranian intelligence.

Physical safety implication

APT42's population-scale data collection from ISPs, telecoms, and medical systems is assessed to serve a physical surveillance mission — not purely cyber-espionage. Credential theft from these organizations gives IRGC-IO analysts access to data that can be used to identify, locate, and potentially detain Iranian dissidents, dual nationals, and individuals of intelligence interest. The downstream consequence of an APT42 compromise of a telecom is not data loss — it is the potential physical endangerment of the individuals whose data is held.

Tactics, Techniques & Procedures

APT42's TTPs are defined by patience, personalization, and a preference for legitimate infrastructure. The group avoids leaving malware on disk wherever possible, preferring to access cloud-hosted data with legitimately obtained credentials. MITRE ATT&CK Group G1044.

Techniques (MITRE ATT&CK ID, technique, description):

  • T1598.003 (Phishing for Information: Spearphishing Link): Primary initial access method. After building rapport through days or weeks of benign correspondence, operators introduce a malicious link disguised as a document share, conference registration, or meeting invitation. Links redirect to fake Google, Microsoft, or Yahoo login pages hosted on typosquatted domains (e.g., washinqtonpost[.]press). AI-assisted lure generation, documented in 2025–2026 campaigns, increases throughput and believability.
  • T1566.001 (Phishing: Spearphishing Attachment): Malicious macro-enabled documents used to deploy the NICECURL and TAMECAT backdoors. Trust built through prior correspondence leads targets to bypass macro security warnings. LNK files masquerading as interview feedback forms or legitimate documents (e.g., a Harvard T.H. Chan School of Public Health decoy) download NICECURL from attacker-controlled infrastructure.
  • T1078.004 (Valid Accounts: Cloud Accounts): Harvested credentials are used to authenticate directly to Microsoft 365, Google Workspace, and cloud provider consoles. This provides access to years of email, attached documents, contact lists, calendar data, and shared drives without deploying any endpoint malware. Operators follow up by creating mailbox forwarding rules to retain access even after password resets.
  • T1539 (Steal Web Session Cookie): Adversary-in-the-middle phishing infrastructure (EvilGinx-style proxy pages) captures both credentials and session cookies in real time during the authentication flow. This bypasses TOTP-based MFA: the user completes the MFA prompt through the proxy, and the session cookie issued afterwards is valid on its own, so the attacker never needs the one-time code.
  • T1114.002 (Email Collection: Remote Email Collection): After gaining cloud account access, operators silently collect email, attachments, and contacts. Mailbox forwarding rules automatically forward future messages to attacker-controlled addresses, maintaining access even after the compromised session expires.
  • T1059.001 (Command and Scripting Interpreter: PowerShell): TAMECAT is a PowerShell-based backdoor capable of executing arbitrary PowerShell or C# content. Deployed via macro-enabled documents. Communicates with C2 over HTTP with Base64-encoded data exchange. Assesses the target environment for security tools before full execution, adapting its deployment approach to avoid detection.
  • T1059.005 (Command and Scripting Interpreter: Visual Basic): NICECURL is a VBScript-based backdoor providing command execution, module download-and-execute capability (including a datamining module), and data exfiltration over HTTPS. Delivered via LNK files that download the payload from attacker-controlled servers alongside a decoy document.
  • T1036 (Masquerading): Operators construct elaborate fake personas with active social media presence, academic profiles, and professional history before initiating contact. Spoofed domains impersonate major news outlets and institutions. Payloads masquerade as legitimate documents — interview forms, conference invitations, PDF attachments from known organizations — to avoid user suspicion.
  • T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys): Persistence for malware-based operations is maintained via Windows registry run keys, combined with anti-forensic techniques including log clearing and browser history deletion to reduce the forensic footprint between operations.
  • T1421 (System Network Connections Discovery, mobile): PINEFLOWER Android spyware is deployed against mobile targets — primarily individuals inside or connected to Iran. Capabilities include call recording, SMS collection, audio capture, photo exfiltration, keylogging, and real-time location tracking. Distributed disguised as legitimate applications, including VPN clients (VINETHORN).
  • T1102 (Web Service): Legitimate cloud platforms — Cloudflare Workers, Firebase, OneDrive, Google Sites — are used as C2 infrastructure and payload delivery hosts to blend malicious traffic with normal web activity. Attacker-controlled pages hosted on Google Sites have been documented presenting fake Google Meet credential-harvesting pages, exploiting user trust in Google domains.
  • T1070 (Indicator Removal): Documented anti-forensic behavior includes clearing Windows event logs and browser history after access. NICECURL accepts a "kill" command that removes artifacts and ends execution on demand, letting operators clean traces from compromised systems remotely.

Detection gap

Traditional IOC-based detection is poorly suited to APT42. When the group accesses cloud accounts with legitimately harvested credentials, there is no malware, no unusual process, and no anomalous binary on disk. The only signals are behavioral — anomalous login geolocation, unexpected mailbox forwarding rule creation, access from new devices or IP ranges, and unusual bulk mail access patterns. Cloud identity and access management (IAM) anomaly detection is essential; endpoint detection alone will miss the majority of APT42 operations.

Known Campaigns

Selected confirmed and highly attributed operations. APT42's campaigns are frequently not publicly attributed in real time — many are only disclosed months or years after the fact through vendor retrospective analysis or accidental exposure.

SpearSpecter — Gulf Defense Officials (September 2025 — ongoing)

Documented by the Israel National Digital Agency (INDA) and attributed to APT42 Cluster D. The campaign systematically targeted senior defense and government officials across the Gulf Cooperation Council using highly personalized social engineering — including fake invitations to prestigious conferences and offers of high-level meetings. A notable escalation was the deliberate extension of targeting to family members of primary targets, widening the attack surface and applying personal pressure beyond the professional sphere. Victims were redirected to credential-harvesting pages mimicking conference registration, or — when the operational objective required persistent access — infected with the TAMECAT PowerShell backdoor. The campaign intensified following the February 28, 2026 US-Israeli airstrikes on Iran.

US Presidential Campaign Targeting (2024)

Google TAG confirmed APT42 attempted to access personal email accounts of approximately a dozen individuals affiliated with both the Biden administration and the Trump presidential campaign. The activity was described as attempted phishing and social engineering against campaign staff and close associates. Google blocked the attempts and shared information with the FBI. This made APT42 the first Iranian threat actor publicly confirmed to have directly targeted a US presidential campaign's inner circle. No campaign systems were confirmed breached, though the breadth of targeting indicated both campaigns were simultaneously in scope.

Israeli Cybersecurity Professional Campaign (June 2025)

Documented by Check Point Research and attributed to APT42 Cluster B. Operators approached prominent Israeli academics and experts in cybersecurity and computer science via email and WhatsApp, posing as technology executives or researchers from credible firms. Initial messages contained no malicious content — purely relationship-building outreach. After establishing engagement, victims were directed to phishing kits harvesting Google credentials and two-factor authentication codes. AI-assisted generation of phishing lures was observed, producing highly convincing and grammatically polished messages. The campaign ran concurrently with SpearSpecter but was conducted by a distinct sub-cluster with different tooling.

UNK_SmudgedSerpent — US Iran Policy Academics (June–August 2025)

A campaign targeting US-based academics and policy experts specializing in Iran. Operators initiated benign email conversations impersonating think tank personnel, then directed targets to credential-harvesting pages spoofing legitimate productivity platforms. Successful credential theft was followed by deployment of commercial remote management tools for persistent access. The group's TTPs overlap with Charming Kitten and MuddyWater, suggesting shared infrastructure or technique-borrowing across the Iranian cyber ecosystem.

NGO and Government Credential Harvesting (2023–2024)

Documented by Mandiant in the May 2024 "Crooked Charms" report. APT42 Cluster B ran credential-harvesting infrastructure against NGOs, government bodies, and intergovernmental organizations focused on Iran and the Middle East, using three documented infrastructure clusters with distinct targeting themes. One cluster impersonated major Western media outlets (Washington Post, The Economist) to target policy experts and government officials. Another targeted dissidents and activists with fake file hosting and YouTube pages. A third targeted policy and government sectors with fake Google Meet invitations and conference registration forms, some hosted on legitimate Google Sites domains to evade detection. Harvested credentials provided silent access to years of cloud-hosted email and documentation.

NICECURL / TAMECAT Backdoor Deployments (2024 — ongoing)

APT42 Cluster D deployed custom backdoors NICECURL and TAMECAT against NGOs, government bodies, and intergovernmental organizations globally. NICECURL delivered via LNK files masquerading as Harvard T.H. Chan School of Public Health interview forms; TAMECAT delivered via macro-enabled Office documents. Both provide persistent access and command execution capability, serving as a platform for deploying additional surveillance tooling or manually extracting target data over extended dwell periods.

RedKitten — Human Rights NGO Targeting (January 2026)

An APT42-linked campaign documented in January 2026, concurrent with the Iranian government's violent suppression of mass protests that killed thousands of demonstrators. Operators targeted human rights NGOs and activists using macro-laced Office documents disguised as records of protesters killed during the January crackdown — exploiting the emotional urgency of the documentation to lower targets' guard. Malware C2 ran through GitHub, Google Drive, and Telegram bots, blending malicious traffic with legitimate platform use. The campaign's timing and targeting reflect APT42's pattern of intensifying operations against human rights networks during periods of domestic Iranian political crisis — when the IRGC-IO's need to monitor and suppress information about internal unrest increases.

Tools & Malware

  • NICECURL: VBScript-based backdoor. Accepts commands via HTTPS including "kill" (artifact removal and self-termination), "SetNewConfig" (update sleep interval), and "Module" (download and execute additional payloads, including a dedicated datamining module). Delivered via malicious LNK files. Documented in January 2024 delivery impersonating a Harvard institution feedback form.
  • TAMECAT: PowerShell-based backdoor capable of executing arbitrary PowerShell or C# content. Assesses the target environment for antivirus and security tooling before full execution, adapting its deployment method. Communicates with C2 over HTTP with Base64-encoded data. Dropped by macro-enabled Office documents. Documented in use against NGOs and government organizations through 2024–2025, and in the SpearSpecter campaign against Gulf defense officials.
  • PINEFLOWER: Android spyware deployed against mobile targets, primarily individuals inside Iran or within the Iranian diaspora. Capabilities include: intercepting and recording phone calls, collecting SMS messages, taking photos, capturing audio recordings, exfiltrating files and documents, keylogging, and transmitting real-time location data to APT42-controlled infrastructure. Disguised as legitimate applications.
  • VINETHORN: Masquerades as a VPN application to gain installation trust. Serves as a delivery vehicle for mobile surveillance capabilities. The choice of a VPN as a disguise is deliberate — targets who are privacy-conscious or seeking to evade surveillance are more likely to install a VPN, delivering exactly the surveillance capability APT42 requires.
  • POWERPOST: Custom PowerShell reconnaissance tool used to collect system information, enumerate local account names, and identify the environment before deploying heavier tooling.
  • GHAMBAR / BROKEYOLK / DOSTEALER / MAGICDROP: Additional malware families documented by Mandiant as part of the APT42 toolset. Capabilities span credential theft, data staging, and download-execute functionality across different infection chains.
  • Phishing infrastructure: Typosquatted domains mimicking major news outlets, government portals, and cloud services. Adversary-in-the-middle proxy pages (similar to EvilGinx) that capture credentials and session cookies simultaneously. Legitimate cloud services — Cloudflare Workers, Firebase, OneDrive, Google Sites — abused as C2 hosts and payload delivery points to blend with normal traffic.

Indicators of Compromise

APT42 rotates infrastructure frequently and avoids leaving persistent IOCs. Domain and IP indicators published in vendor reports become stale within days. Behavioral detection is significantly more durable than IOC-based blocking for this actor.

Warning

APT42 infrastructure is short-lived and deliberately hosted on legitimate cloud platforms to avoid blocklist detection. Current domain and IP IOCs are available in the Mandiant "Crooked Charms" report (May 2024), Google TAG advisories, the INDA advisory, and the ThreatIntelReport.com APT42 profile (February 2026). YARA rules for NICECURL are referenced in the Google Cloud blog post. Cross-reference all network IOCs against live threat intel feeds before using them as blocks.

Indicators of compromise — APT42 (behavioral and structural)

  • Domain pattern: Typosquatted news/institution domains with single-character substitutions (washinqtonpost[.]press, ksview[.]top); TLDs .top, .online, .site, .live with hyphenated multi-word labels (panel-live-check[.]online).
  • Infrastructure pattern: Google Sites (sites.google.com) hosting credential-harvesting pages — exploits trust in the google.com domain to bypass URL filtering.
  • File type: Malicious LNK files masquerading as PDF documents (e.g., onedrive-form.pdf.lnk) hosted on attacker-controlled file-sharing domains.
  • Behavior: Unexpected mailbox forwarding rule creation following a new-device sign-in — persistent access mechanism after successful credential theft.
  • Behavior: New MFA device registration (Microsoft Authenticator) following an anomalous sign-in — used to maintain persistent cloud account access.
  • Behavior: Bulk mail access or email export via OWA or the Graph API following a first login from a new geography or device.
  • Malware: NICECURL — VBScript; TAMECAT — PowerShell; PINEFLOWER — Android APK. YARA rules for NICECURL are available in the Mandiant/Google Cloud "Crooked Charms" blog post (May 2024).
  • Hash (MD5): d5a05212f5931d50bb024567a2873642 — NICECURL LNK file (onedrive-form.pdf.lnk), documented January 2024 delivery.
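The domain pattern above (single-character substitutions of outlet names, throwaway TLDs, hyphenated multi-word labels) can be scored rather than blocklisted, which survives the infrastructure rotation this section warns about. The following Python scorer is an added example written for this profile, not tooling from any of the cited vendors; the brand list and TLD list are assumptions built from the names that appear in this profile and should be replaced with your own watch list.

```python
# Assumptions for this example: the brands and TLDs below are constructed from
# the outlets and services named in this profile, not a vendor-supplied list.
WATCHED_BRANDS = {"washingtonpost", "economist", "jpost", "khaleejtimes",
                  "google", "microsoft", "yahoo", "onedrive"}
SUSPICIOUS_TLDS = {"top", "online", "site", "live"}


def refang(domain):
    """Turn a defanged indicator such as washinqtonpost[.]press back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def edit_distance(a, b):
    """Levenshtein distance; 1 means one substitution, insertion or deletion."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain):
    """Return (score, reasons) for one domain. Score >= 2 is worth analyst review;
    an exact brand label scores 0 so the real washingtonpost.com is not flagged."""
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return 0, ["not a dotted hostname"]
    tld, label = labels[-1], labels[-2]
    compact = label.replace("-", "")     # compare the brand part without hyphens
    if compact in WATCHED_BRANDS:
        return 0, [f"exact brand label '{label}'"]
    score, reasons = 0, []
    for brand in WATCHED_BRANDS:
        d = edit_distance(compact, brand)
        if d <= 2:                       # washinqtonpost -> washingtonpost is distance 1
            score += 3 - d               # distance 1 adds 2, distance 2 adds 1
            reasons.append(f"{d} edit(s) from '{brand}'")
        elif brand in compact:           # brand embedded in a longer label
            score += 1
            reasons.append(f"contains '{brand}'")
    if tld in SUSPICIOUS_TLDS:
        score += 1
        reasons.append(f"suspicious tld .{tld}")
    if label.count("-") >= 2:            # panel-live-check style labels
        score += 1
        reasons.append("hyphenated multi-word label")
    return score, reasons


def triage(domains):
    """Score a batch of indicators and return only those worth review, highest first."""
    scored = [(d, *score_domain(d)) for d in domains]
    return sorted((s for s in scored if s[1] >= 2), key=lambda s: -s[1])
```

Feed it the defanged domains from a vendor report as-is; `refang` handles the bracket notation.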

Mitigation & Defense

Because APT42 accesses systems through legitimately obtained credentials rather than exploits, technical perimeter controls provide minimal protection. The most effective defenses address identity, cloud account posture, and user awareness among high-risk individuals.

  • Deploy phishing-resistant MFA universally: One-time-code MFA (TOTP apps such as Google Authenticator, SMS codes) is defeated by APT42's adversary-in-the-middle infrastructure, which captures both the password and the OTP in the same phishing session. Phishing-resistant MFA — FIDO2 hardware keys, passkeys bound to registered devices — cannot be relayed through a proxy page, because the credential is bound to the legitimate origin. This is the single highest-impact control against APT42's primary access technique.
  • Alert on anomalous cloud account behavior: Since APT42 accesses cloud accounts with valid credentials, endpoint detection produces no signal. SIEM rules must detect behavioral anomalies: new country or city login, new device registration, bulk email access via API, mailbox forwarding rule creation, and calendar data access from previously unseen applications. Cloud CASB or Microsoft Defender for Cloud Apps / Google Workspace alerting should be configured to notify security teams on these events within minutes.
  • Educate high-risk individuals specifically: Generic security awareness training is insufficient for journalists, policy researchers, government officials, academics studying Iran, and NGO staff — the primary APT42 target population. These individuals need scenario-specific training on APT42's rapport-building approach: that the attacker may have corresponded with them for weeks before delivering a malicious link, that a believable persona with a LinkedIn profile and publication history can still be a front, and that any credential prompt following an unexpected link — even from a trusted contact — should trigger verification through a separate channel.
  • Verify unexpected credential prompts out of band: When receiving any link requesting credentials — even from a known contact — verify the request is legitimate via phone or a separate messaging platform before entering any login information. APT42 specifically impersonates known contacts and builds credibility before introducing a phishing link.
  • Audit and restrict mailbox forwarding rules: Mailbox forwarding rules to external addresses are a documented APT42 persistence mechanism. Microsoft 365 and Google Workspace should block external forwarding by default, require admin approval for any forwarding rule creation, and alert on new rules immediately. Audit existing mailbox forwarding rules across all accounts quarterly.
  • Treat mobile devices as high-risk for targeted individuals: PINEFLOWER Android spyware requires installation. For individuals in high-risk categories — dissidents, journalists covering Iran, dual nationals, NGO workers operating in Iran — mobile device hygiene is critical: install applications only from official app stores, review permissions before installation, and treat unsolicited VPN app recommendations with extreme caution (VINETHORN is disguised as a VPN).
  • Monitor for ISP and telecom-level APT42 indicators: Organizations holding large individual-level datasets — particularly ISPs, telecommunications providers, and healthcare systems serving populations with Iranian diaspora members — should treat APT42 as an in-scope threat. Standard controls apply (MFA on all admin accounts, cloud account anomaly detection), but these organizations should also consider their data as a collection target for IRGC-IO intelligence operations, not merely a financial extortion target.
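The detection gap note, the three behavioral indicators in the IOC list and the cloud-anomaly alerting bullet above all describe one correlation: a sign-in from an unseen country or device, followed within hours by an external forwarding rule, a bulk mailbox read or a new MFA registration. The following Python correlator is an added example written for this profile, not a vendor or Microsoft detection; the event shape and operation names (modelled loosely on Microsoft 365 and Entra ID audit operations), the organisation's domains, the 24-hour window and the bulk threshold are assumptions, and the audit events are constructed.

```python
from datetime import datetime, timedelta

# Assumptions for this example: the tenant's own mail domains, the window in
# which later actions are tied back to an anomalous sign-in, and how many mail
# items in one MailItemsAccessed event count as "bulk".
ORG_DOMAINS = {"example-ngo.org"}
WINDOW = timedelta(hours=24)
BULK_THRESHOLD = 200

# Constructed per-user baseline of previously seen sign-in countries and
# device ids (in practice derived from the prior weeks of sign-in logs).
BASELINE = {
    "reporter@example-ngo.org": {"countries": {"GB"}, "devices": {"dev-laptop-01"}},
}

# Constructed audit events; operation names are modelled loosely on
# Microsoft 365 / Entra ID audit operations, all values are invented.
SAMPLE_EVENTS = [
    {"time": "2026-03-02T08:15:00", "user": "reporter@example-ngo.org",
     "op": "UserLoggedIn", "country": "GB", "device": "dev-laptop-01"},
    {"time": "2026-03-02T22:41:00", "user": "reporter@example-ngo.org",
     "op": "UserLoggedIn", "country": "TR", "device": "dev-unknown-7f3a"},
    {"time": "2026-03-02T22:44:00", "user": "reporter@example-ngo.org",
     "op": "New-InboxRule", "params": {"Name": "archive", "DeleteMessage": True,
                                       "ForwardTo": ["backup.mail@example-webmail.test"]}},
    {"time": "2026-03-02T22:50:00", "user": "reporter@example-ngo.org",
     "op": "MailItemsAccessed", "count": 1450},
    {"time": "2026-03-03T01:05:00", "user": "reporter@example-ngo.org",
     "op": "User registered security info"},
    # Internal forwarding by another user with no anomalous sign-in: must not alert.
    {"time": "2026-03-03T09:00:00", "user": "analyst@example-ngo.org",
     "op": "New-InboxRule", "params": {"Name": "team", "ForwardTo": ["lead@example-ngo.org"]}},
]


def is_external(address):
    return address.split("@")[-1].lower() not in ORG_DOMAINS


def forwarding_targets(params):
    """Every address an inbox rule sends mail to, whichever rule parameter carries it."""
    targets = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        targets.extend(params.get(key, []))
    return targets


def correlate(events, baseline):
    """Return alerts as (severity, user, reason, time) in event order."""
    alerts, last_anomaly = [], {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        user, op, t = e["user"], e["op"], datetime.fromisoformat(e["time"])
        known = baseline.get(user, {"countries": set(), "devices": set()})
        if op == "UserLoggedIn":
            new_country = e["country"] not in known["countries"]
            new_device = e["device"] not in known["devices"]
            if new_country or new_device:
                last_anomaly[user] = t          # later actions by this user are now suspect
                what = "country" if new_country else "device"
                alerts.append(("medium", user,
                               f"sign-in from new {what} ({e['country']}, {e['device']})", e["time"]))
            continue
        # Did this action follow an anomalous sign-in by the same user within the window?
        recent = user in last_anomaly and t - last_anomaly[user] <= WINDOW
        if op in ("New-InboxRule", "Set-InboxRule"):
            external = [a for a in forwarding_targets(e.get("params", {})) if is_external(a)]
            if external:                         # external forwarding is notable on its own
                alerts.append(("high" if recent else "medium", user,
                               "external forwarding rule to " + ", ".join(external), e["time"]))
        elif op == "MailItemsAccessed" and recent and e.get("count", 0) >= BULK_THRESHOLD:
            alerts.append(("high", user, f"bulk mail access ({e['count']} items)", e["time"]))
        elif op == "User registered security info" and recent:
            alerts.append(("high", user, "new MFA method registered after anomalous sign-in", e["time"]))
    return alerts


def run_sample():
    return correlate(SAMPLE_EVENTS, BASELINE)
```

The sample run yields one medium alert for the sign-in and three high alerts for the actions that follow it, while the analyst's internal forwarding rule stays silent.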

Sources & Further Reading

— end of profile — last updated 2026-03-26