APT42 Escalation: ‘SpearSpecter’ Targets Officials and Relatives with Custom Malware
In several countries, recent months have brought a new wave of covert surveillance operations targeting defense institutions and high-level government structures. According to the Israel National Digital Agency (INDA), the activity represents a prolonged campaign conducted by APT42, a group linked to the Islamic Revolutionary Guard Corps. The scope of the operation extends far beyond the group’s typical patterns: the attackers are attempting to reach not only officials and agency personnel, but also their relatives, applying additional psychological pressure to the primary targets.
The September incidents have been designated SpearSpecter. Analysts note that the operators deliberately cultivate trust, gradually shifting conversations into a more personal, informal style. Their repertoire includes invitations to fictitious conferences, proposals for in-person meetings, and correspondence sent under the guise of acquaintances. Identity impersonation can continue for weeks until a convenient moment arises to deliver a malicious link.
APT42 has been known since 2022, when Mandiant documented its overlap with units tracked as APT35, Charming Kitten, TA453, and Mint Sandstorm. The group has long relied on sophisticated social-engineering techniques, and the latest cases only reinforce that reputation.
In the summer of 2025, Check Point specialists recorded a separate wave of outreach attempts to employees of Israeli technology firms, where attackers posed as company executives or researchers. According to INDA, that cluster and SpearSpecter were conducted by different internal teams within APT42.
The SpearSpecter campaign adapts fluidly to each individual target. In some cases, victims are redirected to counterfeit websites designed to harvest credentials. In others, the attacks result in the deployment of TAMECAT, a long-used PowerShell-based malware engineered for prolonged stealth. Its delivery relies on fraudulent WhatsApp messages: the victim receives a link to what appears to be a necessary document, after which a chain of redirects begins.
Ultimately, the victim’s device retrieves a WebDAV-hosted LNK shortcut disguised as a PDF and executed via the search-ms protocol handler. This file connects to a Cloudflare Workers subdomain, receives a batch script, and downloads TAMECAT.
The malware employs multiple command-and-control channels, including HTTPS, Telegram, and Discord. Telegram-based control uses an operator-managed bot that delivers commands fetched from various Cloudflare Workers subdomains. On Discord, webhook URLs transmit system information and receive tasking instructions for the infected host. Analysis of accounts on the Discord server shows that command logic is driven by messages from a specific user, enabling the operators to issue unique instructions to each compromised device while maintaining a unified workspace.
TAMECAT’s capabilities include system reconnaissance, exfiltration of files based on extension lists, theft of data from Google Chrome and Microsoft Edge, extraction of Outlook mailboxes, and automatic screenshots every fifteen seconds. Exfiltration occurs over HTTPS or FTP. Its stealth is supported by encrypted metadata, code obfuscation, the use of native Windows tooling, and predominantly in-memory execution.
According to INDA’s assessment, the SpearSpecter infrastructure blends components of well-known cloud platforms with custom operator-controlled resources. This architecture allows the attackers to easily tailor the initial infection stages, maintain persistent control, and discreetly transmit collected intelligence — making the campaign particularly dangerous for high-level government entities.