APT42: Iranian Cyber Espionage Campaign Targets Global NGO and Media Sectors
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Compromised Credentials, Backdoor, Downloader, Dropper, Malicious Macro, Pretexting, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
APT42 has been actively targeting NGOs, media, academia, legal services, and activists in Western and Middle Eastern countries. Using social engineering, APT42 poses as journalists and event organizers to deliver malware through spear phishing and to harvest credentials that give it access to victims' cloud environments. The group deploys custom backdoors such as NICECURL and TAMECAT for initial access and data exfiltration, and relies on built-in tools and open-source resources to stay undetected. It also uses masquerading techniques and typo-squatted domains to support its campaigns.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Defense | Verified |
| Sector | Human Rights | Verified |
| Sector | Professional Service | Verified |
| Sector | Education | Verified |
| Sector | Media | Verified |
| Sector | Researchers | Verified |
| Region | Azerbaijan | High |
| Region | Israel | Verified |
| Region | United Arab Emirates | High |
| Region | United Kingdom | High |
| Region | United States | Verified |
| Region | Middle East Countries | Verified |
| Region | European Countries | Verified |
Extracted IOCs
- acconut-signin[.]com
- account-signin[.]com
- accounts-mails[.]com
- accredit-validity[.]online
- activity-permission[.]online
- admin-stable-right[.]top
- admiscion[.]online
- admit-roar-frame[.]top
- advission[.]online
- affect-fist-ton[.]online
- aspenlnstitute[.]org
- avid-striking-eagerness[.]online
- azadlliq[.]info
- beaviews[.]online
- besvision[.]top
- bitly.org[.]il
- bloom-flatter-affably[.]top
- book-download[.]shop
- bq-ledmagic[.]online
- briview[.]online
- businesslnsider[.]org
- chat-services[.]online
- check-online-panel[.]live
- check-pabnel-status[.]live
- check-panel-status[.]live
- check-short-panel[.]live
- confirmation-process[.]top
- connection-view[.]online
- continue-meeting[.]site
- continue-recognized[.]online
- coordinate[.]icu
- cvisiion[.]online
- d75[.]site
- daemon-mailer[.]co
- daemon-mailer[.]info
- dloffice[.]buzz
- dloffice[.]top
- drive-access[.]site
- drive-file-share[.]site
- ecomonist[.]org
- email-daemon[.]biz
- email-daemon[.]online
- email-daemon[.]site
- endorsement-services[.]online
- eocnomist[.]com
- foreiqnaffairs[.]com
- foreiqnaffairs[.]org
- forieqnaffairs[.]com
- fortune-retire-home[.]top
- geaviews[.]site
- glory-uplift-vouch[.]online
- go-conversation[.]lol
- go-forward[.]quest
- g-online[.]org
- gview[.]site
- home-continue[.]online
- home-proceed[.]online
- identifier-direction[.]site
- indication-service[.]online
- israelhayum[.]com
- join-paneling[.]online
- jpost[.]press
- jpostpress[.]com
- khaleejtimes[.]org
- khalejtimes[.]org
- ksview[.]top
- last-check-leave[.]buzz
- litby[.]us
- live-project-online[.]live
- live-projects-online[.]top
- loriginal[.]online
- m85[.]online
- maariv[.]net
- mailer-daemon[.]info
- mailerdaemon[.]online
- mailer-daemon[.]us
- mail-roundcube[.]site
- mccainlnstitute[.]org
- meeting-online[.]site
- mterview[.]site
- myaccount-signin[.]com
- nterview[.]site
- online-access[.]live
- online-processing[.]online
- online-video-services[.]site
- ovcloud[.]online
- panelchecking[.]live
- panel-check-short[.]live
- paneling-viewing[.]live
- panel-live-check[.]online
- panel-short-check[.]live
- panels-views-ckeck[.]live
- panel-view[.]live
- panel-view[.]online
- panel-views-cheking[.]live
- panel-view-short[.]online
- pannel-get-data[.]us
- quomodocunquize[.]site
- recognize-validation[.]online
- reconsider[.]site
- revive-project-live[.]online
- s20[.]site
- s51[.]online
- s59[.]site
- shortenurl[.]online
- shorting-ce[.]live
- shortingurling[.]live
- shortlinkview[.]live
- shortulonline[.]live
- short-url[.]live
- short-view[.]online
- shoting-urls[.]live
- signin-acconut[.]com
- signin-accounts[.]com
- signin-mail[.]com
- signin-mails[.]com
- signin-myaccounts[.]com
- simple-process-static[.]top
- status-short[.]live
- stellar-roar-right[.]buzz
- support-account[.]xyz
- sweet-pinnacle-readily[.]online
- tcvision[.]online
- themedealine[.]org
- timesfisrael[.]com
- title-flow-store[.]online
- twision[.]top
- ushrt[.]us
- vanityfaire[.]org
- verify-person-entry[.]top
- view-cope-flow[.]online
- view-panel[.]live
- view-pool-cope[.]online
- viewstand[.]online
- viewtop[.]online
- view-total-step[.]online
- virtue-regular-ready[.]online
- washingtonlnstitute[.]org
- washinqtonpost[.]press
- we-transfer[.]shop
- ynetnews[.]press
- youronlineregister[.]com
- youtransfer[.]live
- email-daemon.biz.tinurls[.]com
- email-daemon.online.tinurls[.]com
- prism-west-candy.glitch[.]me
- review.modification-check[.]online
- 081419a484bbf99f278ce636d445b9d8
- 13aa118181ac6a202f0a64c0c7a61ce7
- 2f6bf8586ed0a87ef3d156124de32757
- 347b273df245f5e1fcbef32f5b836f1d
- 853687659483d215309941dae391a68f
- c23663ebdfbc340457201dbec7469386
- c3b9191f3a3c139ae886c0840709865e
- d5a05212f5931d50bb024567a2873642
- d7bf138d1aa2b70d6204a2f3c3bc72a7
- dd2653a2543fa44eaeeff3ca82fe3513
Tip: 157 IOCs related to this threat have been found (0 IPs, 147 domains, 0 URLs, 0 emails, 10 file hashes).
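As an added example (not code from the page or from any vendor named in it), the following Python screens constructed DNS/proxy log lines against a subset of the domain IOCs above: it refangs the `[.]` notation, matches a host or any of its parent domains against the list, and separately flags lookalike hostnames of a watched-brand list, which is the typo-squatting pattern the overview describes (an `l` for the `i` in aspenlnstitute[.]org, a `q` for the `g` in washinqtonpost[.]press). The brand list, the log lines and the edit-distance threshold are assumptions made for the example.

```python
"""Added example (not from the page): screen log lines against the report's defanged
domain IOCs and flag lookalike hostnames of watched brands."""
import re

# Subset of the page's domain IOCs, kept in the defanged form the report publishes.
DEFANGED_IOCS = [
    "aspenlnstitute[.]org",
    "washinqtonpost[.]press",
    "signin-accounts[.]com",
    "timesfisrael[.]com",
    "review.modification-check[.]online",
    "email-daemon.biz.tinurls[.]com",
]

# Legitimate domains the typo-squats above imitate: an assumed watch list, not from the page.
WATCHED_BRANDS = ["aspeninstitute.org", "washingtonpost.com", "timesofisrael.com"]

# Constructed DNS- and proxy-style log lines for the demonstration.
SAMPLE_LOG = [
    "2024-08-01T10:01:02Z dns 10.0.0.5 query login.signin-accounts.com A",
    "2024-08-01T10:01:09Z proxy 10.0.0.5 GET https://www.aspeninstitute.org/events 200",
    "2024-08-01T10:02:31Z proxy 10.0.0.7 GET https://aspenlnstitute.org/invite.docx 200",
    "2024-08-01T10:03:00Z dns 10.0.0.9 query review.modification-check.online A",
    "2024-08-01T10:03:15Z proxy 10.0.0.9 GET https://washingtonpost.press/login 200",
    "2024-08-01T10:04:44Z proxy 10.0.0.3 GET https://mail.example.com/inbox 200",
]

HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (foo[.]com, hxxp://) back into a matchable form."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(defanged) -> set:
    return {refang(i) for i in defanged}


def host_matches(host: str, iocs: set):
    """Return the IOC that matches the host exactly or as a parent domain, else None.
    login.signin-accounts.com is caught by signin-accounts.com; notsignin-accounts.com is not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) by row-wise dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, brands, max_distance: int = 2):
    """Return the watched brand whose registrable label is within max_distance edits of the
    host's label (different TLDs count), unless the host is that brand or a subdomain of it.
    The label before the TLD is used; multi-part suffixes (co.uk) would need a public-suffix list."""
    host = host.lower()
    label = host.split(".")[-2] if "." in host else host
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            continue
        if levenshtein(label, brand.split(".")[-2]) <= max_distance:
            return brand
    return None


def hosts_in(line: str):
    """Yield hostnames found in a log line, stripping scheme, path and port; skip IPv4."""
    for token in line.split():
        token = re.sub(r"^[a-z]+://", "", token, flags=re.I).split("/")[0].split(":")[0]
        if HOST_RE.fullmatch(token) and not token.split(".")[-1].isdigit():
            yield token.lower()


def scan_logs(lines, iocs: set, brands):
    """Return (line_no, host, reason) hits; an IOC match takes precedence over a lookalike."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in hosts_in(line):
            ioc = host_matches(host, iocs)
            if ioc:
                hits.append((n, host, "ioc:" + ioc))
                continue
            brand = lookalike_of(host, brands)
            if brand:
                hits.append((n, host, "lookalike:" + brand))
    return hits


if __name__ == "__main__":
    for n, host, reason in scan_logs(SAMPLE_LOG, load_iocs(DEFANGED_IOCS), WATCHED_BRANDS):
        print(f"line {n}: {host} -> {reason}")
```

The lookalike check is deliberately separate from the IOC match: a threat report only lists the squats already seen, while the brand-distance rule also surfaces new registrations that imitate the same publications, at the cost of tuning the threshold and exempting the brands' own subdomains (www.aspeninstitute.org above is not flagged).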
Overlaps
Source: Pulsedive - January 2026
Detection (two cases): 081419a484bbf99f278ce636d445b9d8, d7bf138d1aa2b70d6204a2f3c3bc72a7
Source: Internet Crime Complaint Center - September 2024
Detection (six cases): bitly.org[.]il, email-daemon[.]site, litby[.]us, mailer-daemon[.]us, washingtonlnstitute[.]org, youtransfer[.]live
Source: Proofpoint - August 2024
Detection (one case): d75[.]site
Source: Google - August 2024
Detection (two cases): check-pabnel-status[.]live, panel-short-check[.]live
Source: Volexity - February 2024
Detection (two cases): 853687659483d215309941dae391a68f, prism-west-candy.glitch[.]me
Source: German Federal Office for the Protection of the Constitution - August 2023
Detection (one case): ksview[.]top
Source: Check Point - June 2022
Detection (one case): litby[.]us
Source: Hyas - July 2020
Detection (one case): signin-accounts[.]com
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
FAQs
Understanding APT42’s Cyber Espionage Campaign
A cyber espionage group linked to the Iranian government, known as APT42, has been targeting civil society organizations, academics, journalists, and activists by stealing credentials and infiltrating their cloud accounts and devices.
The group responsible is APT42, which is believed to be working on behalf of Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), a major intelligence agency in the country.
APT42 aims to gather sensitive information relevant to Iran’s strategic interests, including foreign policy, human rights advocacy, and internal dissent monitoring.
Targets include NGOs, journalists, legal professionals, researchers, and activists, primarily in the U.S., Europe, Israel, and Middle Eastern countries.
APT42 tricked individuals into sharing their login details through fake emails and websites that looked like legitimate services (like Google or Microsoft). In some cases, they installed custom malware via email attachments to gain deeper access.
These targets often work on issues related to Iran, such as human rights, academic research, or international policy, which makes them of interest to Iranian intelligence services.
Use strong authentication methods (such as hardware security keys), be cautious of unexpected emails or links, and regularly review login activity and application permissions in cloud platforms.
While the campaign is targeted, it spans across several countries and sectors, indicating a broad and persistent effort by APT42 to infiltrate high-value individuals and organizations.