APT42: Iranian Cyber Espionage Campaign Targets Global NGO and Media Sectors
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Compromised Credentials, Backdoor, Downloader, Dropper, Malicious Macro, Pretexting, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
APT42 has been actively targeting NGOs, media, academia, legal services, and activists in Western and Middle Eastern countries. Using sophisticated social engineering tactics, APT42 poses as journalists and event organizers to deliver malware through spear phishing, harvesting credentials to access cloud environments. They deploy custom backdoors like NICECURL and TAMECAT for initial access and data exfiltration, utilizing built-in tools and open-source resources to remain undetected. The group employs masquerading techniques and typo-squatted domains to facilitate their campaigns.
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | Defense | Verified |
Sector | Human Rights | Verified |
Sector | Professional Service | Verified |
Sector | Education | Verified |
Sector | Media | Verified |
Sector | Researchers | Verified |
Region | Azerbaijan | High |
Region | Israel | Verified |
Region | United Arab Emirates | High |
Region | United Kingdom | High |
Region | United States | Verified |
Region | Middle East Countries | Verified |
Region | European Countries | Verified |
Extracted IOCs
- acconut-signin[.]com
- account-signin[.]com
- accounts-mails[.]com
- accredit-validity[.]online
- activity-permission[.]online
- admin-stable-right[.]top
- admiscion[.]online
- admit-roar-frame[.]top
- advission[.]online
- affect-fist-ton[.]online
- aspenlnstitute[.]org
- avid-striking-eagerness[.]online
- azadlliq[.]info
- beaviews[.]online
- besvision[.]top
- bitly.org[.]il
- bloom-flatter-affably[.]top
- book-download[.]shop
- bq-ledmagic[.]online
- briview[.]online
- businesslnsider[.]org
- chat-services[.]online
- check-online-panel[.]live
- check-pabnel-status[.]live
- check-panel-status[.]live
- check-short-panel[.]live
- confirmation-process[.]top
- connection-view[.]online
- continue-meeting[.]site
- continue-recognized[.]online
- coordinate[.]icu
- cvisiion[.]online
- d75[.]site
- daemon-mailer[.]co
- daemon-mailer[.]info
- dloffice[.]buzz
- dloffice[.]top
- drive-access[.]site
- drive-file-share[.]site
- ecomonist[.]org
- email-daemon[.]biz
- email-daemon[.]online
- email-daemon[.]site
- endorsement-services[.]online
- eocnomist[.]com
- foreiqnaffairs[.]com
- foreiqnaffairs[.]org
- forieqnaffairs[.]com
- fortune-retire-home[.]top
- geaviews[.]site
- glory-uplift-vouch[.]online
- go-conversation[.]lol
- go-forward[.]quest
- g-online[.]org
- gview[.]site
- home-continue[.]online
- home-proceed[.]online
- identifier-direction[.]site
- indication-service[.]online
- israelhayum[.]com
- join-paneling[.]online
- jpost[.]press
- jpostpress[.]com
- khaleejtimes[.]org
- khalejtimes[.]org
- ksview[.]top
- last-check-leave[.]buzz
- litby[.]us
- live-project-online[.]live
- live-projects-online[.]top
- loriginal[.]online
- m85[.]online
- maariv[.]net
- mailer-daemon[.]info
- mailerdaemon[.]online
- mailer-daemon[.]us
- mail-roundcube[.]site
- mccainlnstitute[.]org
- meeting-online[.]site
- mterview[.]site
- myaccount-signin[.]com
- nterview[.]site
- online-access[.]live
- online-processing[.]online
- online-video-services[.]site
- ovcloud[.]online
- panelchecking[.]live
- panel-check-short[.]live
- paneling-viewing[.]live
- panel-live-check[.]online
- panel-short-check[.]live
- panels-views-ckeck[.]live
- panel-view[.]live
- panel-view[.]online
- panel-views-cheking[.]live
- panel-view-short[.]online
- pannel-get-data[.]us
- quomodocunquize[.]site
- recognize-validation[.]online
- reconsider[.]site
- revive-project-live[.]online
- s20[.]site
- s51[.]online
- s59[.]site
- shortenurl[.]online
- shorting-ce[.]live
- shortingurling[.]live
- shortlinkview[.]live
- shortulonline[.]live
- short-url[.]live
- short-view[.]online
- shoting-urls[.]live
- signin-acconut[.]com
- signin-accounts[.]com
- signin-mail[.]com
- signin-mails[.]com
- signin-myaccounts[.]com
- simple-process-static[.]top
- status-short[.]live
- stellar-roar-right[.]buzz
- support-account[.]xyz
- sweet-pinnacle-readily[.]online
- tcvision[.]online
- themedealine[.]org
- timesfisrael[.]com
- title-flow-store[.]online
- twision[.]top
- ushrt[.]us
- vanityfaire[.]org
- verify-person-entry[.]top
- view-cope-flow[.]online
- view-panel[.]live
- view-pool-cope[.]online
- viewstand[.]online
- viewtop[.]online
- view-total-step[.]online
- virtue-regular-ready[.]online
- washingtonlnstitute[.]org
- washinqtonpost[.]press
- we-transfer[.]shop
- ynetnews[.]press
- youronlineregister[.]com
- youtransfer[.]live
- email-daemon.biz.tinurls[.]com
- email-daemon.online.tinurls[.]com
- prism-west-candy.glitch[.]me
- review.modification-check[.]online
- 081419a484bbf99f278ce636d445b9d8
- 13aa118181ac6a202f0a64c0c7a61ce7
- 2f6bf8586ed0a87ef3d156124de32757
- 347b273df245f5e1fcbef32f5b836f1d
- 853687659483d215309941dae391a68f
- c23663ebdfbc340457201dbec7469386
- c3b9191f3a3c139ae886c0840709865e
- d5a05212f5931d50bb024567a2873642
- d7bf138d1aa2b70d6204a2f3c3bc72a7
- dd2653a2543fa44eaeeff3ca82fe3513
Tip: 157 IOCs related to this threat have been found (0 IP, 147 domain, 0 URL, 0 email, 10 file hash).
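The overview above notes that APT42 relies on typo-squatted domains, and the IOC list shows the pattern: lookalikes such as aspenlnstitute (l for i) and foreiqnaffairs (q for g). The following is an added example written for this page; it is not code from the report or from any vendor tooling. It refangs a subset of the listed domains, matches url= and from= values from constructed proxy/SMTP log lines against them, and additionally flags near-misses of a few brand domains after homoglyph normalisation and a one-edit (including adjacent transposition) distance check. The brand list (economist.com, foreignaffairs.com, aspeninstitute.org, google.com) is this example's assumption about which brands the IOC strings imitate; the report itself does not name them. The homoglyph table, the distance threshold and the naive second-level-label extraction are also choices made here.

```python
"""Added example: match log domains against the report's defanged IOCs and
flag homoglyph / transposition lookalikes of protected brand domains."""
import re
from urllib.parse import urlparse

# A small subset of the domain IOCs listed above, kept in the report's defanged form.
DEFANGED_IOCS = [
    "acconut-signin[.]com",
    "aspenlnstitute[.]org",
    "eocnomist[.]com",
    "foreiqnaffairs[.]com",
    "email-daemon.biz.tinurls[.]com",
]

# Brand domains the IOC strings appear to imitate. This mapping is an assumption
# of the example; the report does not name the impersonated brands.
PROTECTED = ["economist.com", "foreignaffairs.com", "aspeninstitute.org", "google.com"]

# Visually confusable substitutions seen in the IOC list (l for i, q for g) plus
# a few common ones; applied to both sides before comparing.
HOMOGLYPHS = {"l": "i", "1": "i", "q": "g", "0": "o", "rn": "m", "vv": "w"}


def refang(ioc: str) -> str:
    """Turn the report's 'example[.]com' notation back into a matchable hostname."""
    return ioc.replace("[.]", ".").strip().lower()


IOC_SET = {refang(d) for d in DEFANGED_IOCS}


def extract_domain(value: str) -> str:
    """Hostname from a URL or an e-mail address, lower-cased."""
    value = value.strip().lower().strip('"')
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1]
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""


def second_level(domain: str) -> str:
    """Label left of the TLD. Naive: real use needs a public-suffix list (co.uk, org.il)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def normalise(label: str) -> str:
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str):
    """'ioc' for a listed domain or a subdomain of one, 'lookalike' for a
    near-miss of a protected brand, None otherwise."""
    if domain in IOC_SET or any(domain.endswith("." + ioc) for ioc in IOC_SET):
        return "ioc"
    for brand in PROTECTED:
        if domain == brand or domain.endswith("." + brand):
            return None  # the genuine brand domain itself
    sld = normalise(second_level(domain))
    for brand in PROTECTED:
        brand_sld = second_level(brand)
        # short labels produce too many false positives at distance 1
        if len(brand_sld) >= 6 and osa_distance(sld, normalise(brand_sld)) <= 1:
            return "lookalike"
    return None


TOKEN_RE = re.compile(r"\b(?:url|from)=(\S+)")

# Constructed proxy / SMTP log lines for the demonstration (not real traffic).
LOG_LINES = [
    "2024-05-01T09:12:03Z proxy src=10.0.0.5 url=https://login.acconut-signin.com/auth",
    "2024-05-01T09:14:41Z smtp from=events@eocnomist.com subject=Interview_request",
    "2024-05-01T09:20:10Z smtp from=press@economist.com subject=Newsletter",
    "2024-05-01T09:25:55Z proxy src=10.0.0.9 url=https://foreiqnaffairs.org/briefing",
    "2024-05-01T09:30:00Z proxy src=10.0.0.9 url=https://www.google.com/",
]


def scan_log(lines):
    """Return (domain, verdict) for every flagged url= or from= value."""
    findings = []
    for line in lines:
        for raw in TOKEN_RE.findall(line):
            domain = extract_domain(raw)
            verdict = classify(domain)
            if verdict:
                findings.append((domain, verdict))
    return findings


if __name__ == "__main__":
    for domain, verdict in scan_log(LOG_LINES):
        print(f"{verdict:9s} {domain}")
```

Run as a script it prints three findings: the subdomain of a listed IOC, the listed sender domain, and foreiqnaffairs.org, which is on the report's IOC list but deliberately left out of the subset above so that the lookalike check, not the exact match, catches it. That is the practical value of the second check: the actor registers many variants of the same brand, and a normalised-distance rule keeps detecting new ones between feed updates. To deploy, replace DEFANGED_IOCS with the full list from this page and swap second_level for a public-suffix-aware parser, since entries such as bitly.org[.]il would otherwise yield "org" as the label.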
FAQs
Understanding APT42’s Cyber Espionage Campaign
A cyber espionage group linked to the Iranian government, known as APT42, has been targeting civil society organizations, academics, journalists, and activists by stealing credentials and infiltrating their cloud accounts and devices.
The group responsible is APT42, which is believed to be working on behalf of Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), a major intelligence agency in the country.
APT42 aims to gather sensitive information relevant to Iran’s strategic interests, including foreign policy, human rights advocacy, and internal dissent monitoring.
Targets include NGOs, journalists, legal professionals, researchers, and activists, primarily in the U.S., Europe, Israel, and Middle Eastern countries.
APT42 tricked individuals into sharing their login details through fake emails and websites that looked like legitimate services (like Google or Microsoft). In some cases, they installed custom malware via email attachments to gain deeper access.
These targets often work on issues related to Iran, such as human rights, academic research, or international policy, which makes them of interest to Iranian intelligence services.
Use strong authentication methods (such as hardware keys), stay cautious of unexpected emails or links, and regularly monitor login activity and permissions in cloud platforms.
While the campaign is targeted, it spans across several countries and sectors, indicating a broad and persistent effort by APT42 to infiltrate high-value individuals and organizations.