Iranian state-sponsored cyber espionage actor specializing in patient, methodical social engineering against journalists, academics, NGOs, government officials, and political campaigns — leveraging credential harvesting, TAMECAT/NICECURL backdoors, and cloud account manipulation for intelligence collection.
APT42, also known as Charming Kitten, is an Iranian state-sponsored cyber espionage actor attributed with moderate-to-high confidence to the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). Active since at least 2015, the group represents the IRGC's premier human-targeting cyber unit — a persistent surveillance apparatus whose primary weapon is not technical exploitation but sustained, patient manipulation of individual trust.
Unlike other Iranian threat actors that deploy destructive malware or ransomware, APT42's core mission is human intelligence collection: identifying, monitoring, and compromising the personal accounts and devices of individuals perceived as threats to the Iranian regime. The group's target profile directly reflects IRGC-IO intelligence mandates: journalists covering Iran, academics and think tank researchers, NGO personnel, human rights activists, Iranian dissidents and diaspora abroad, government officials from adversarial nations, and political campaign personnel.
In the GCC context, APT42 operations targeting UAE-based media outlets, policy researchers, and government officials are well-documented, with Khaleej Times and regional policy organizations having been used as impersonation infrastructure. The 2026 escalation following Operation Epic Fury has elevated APT42's operational priority — with Check Point Research documenting active campaigns targeting regional cybersecurity professionals and defense officials, and the SpearSpecter campaign (INDA, September 2025) demonstrating TAMECAT deployment against senior Gulf defense officials.
APT42's threat to GCC organizations is fundamentally different from infrastructure-targeting APTs. The group attacks individuals — on personal devices and personal cloud accounts, outside corporate security perimeters. Standard endpoint and network controls provide limited protection. The primary defensive surface is identity security, MFA resilience, and individual security awareness for high-value personnel in government, media, NGO, and research sectors.
Following the February 2026 US-Israeli airstrikes on Iran (Operation Epic Fury), APT42 operations have entered elevated tempo. The group is actively targeting defense and government officials across the Gulf region, with the SpearSpecter campaign extending targeting to family members of primary targets to broaden pressure. AI-enhanced social engineering capabilities documented in 2025-2026 campaigns significantly increase the sophistication and scalability of their operations.
APT42 is tracked under multiple aliases by different threat intelligence vendors:
| Vendor | Designation | Notes |
|---|---|---|
| Mandiant / Google | APT42 | Primary designation (Sep 2022) |
| Microsoft | Mint Sandstorm | Formerly Phosphorus |
| Proofpoint | TA453 | Credential harvesting focus |
| PwC | Yellow Garuda | Targeting overlap |
| IBM X-Force | ITG18 | Intelligence collection cluster |
| Secureworks | COBALT ILLUSION | IRGC-IO assessment |
| CrowdStrike | Educated Manticore | Sub-cluster overlap |
| Various | Charming Kitten, CALANQUE, GreenCharlie, CharmingCypress, Damselfly, UNC788 | Historical / overlapping tracking |
APT42 was first formally documented by Mandiant (Google Cloud) in September 2022, with the full detailed report published in 2024. The group's attribution to the IRGC-IO is assessed with moderate confidence by Mandiant/Google, based on targeting patterns that directly align with the organization's mandate to monitor foreign threats to the Islamic Republic and suppress domestic dissent.
APT42 is assessed as a subset of, or closely related to, the broader APT35/Charming Kitten cluster. While both are IRGC-affiliated, they operate with distinct mandates: APT35 focuses on long-term, malware-intensive organizational compromise targeting companies and government infrastructure, while APT42 is primarily oriented toward individual surveillance and human intelligence collection.
Mandiant's internal sub-cluster analysis (confirmed by INDA's SpearSpecter reporting) identifies at least two distinct operational clusters within APT42:
APT42's targeting profile maps precisely to IRGC-IO intelligence collection requirements. Targets are selected not for the organizations they represent, but for who they are, what they know, and who they communicate with. This human-intelligence-through-cyber-means doctrine produces a target list unlike any other Iranian APT:
APT42's documented impersonation of Khaleej Times (UAE) demonstrates active operational interest in the Gulf information environment. The group uses UAE media brand spoofing to target regional policy experts, journalists, and officials — establishing credibility in outreach while harvesting credentials from targets whose correspondence has direct intelligence value to the IRGC-IO.
The 2025–2026 conflict escalation has intensified APT42's focus on Gulf defense and government officials, particularly those involved in decision-making regarding the Abraham Accords, US base hosting, and regional security alignment against Iran. The SpearSpecter campaign confirms active targeting of senior defense officials across the GCC.
APT42's defining capability is a methodical, multi-stage social engineering process that distinguishes it from nearly every other nation-state actor. The lifecycle follows consistent phases across all documented campaigns:
APT42 maintains extensive impersonation infrastructure targeting outlets and organizations relevant to GCC and Middle East audiences. Documented impersonation targets include:
Typosquatted domains use TLDs including .top, .online, .site, .live, and .press. Domains typically contain multiple hyphen-separated words (e.g., panel-live-check[.]online). The group also abuses legitimate platforms — hosting phishing infrastructure on Google Sites, OneDrive, and Cloudflare Workers to blend with normal web traffic.
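The domain conventions described above (brand lookalikes, hyphen-chained labels, the listed TLDs, credential-lure wording) can be turned into a triage scorer for new domain registrations or proxy logs. The following is an added example, not code from the original profile; the brand-to-domain map, the lure-word list and the sample domains are constructed, and the review threshold is an assumption.

```python
"""Heuristic triage of APT42-style lookalike domains (added example; brand map,
lure words and sample domains are constructed, not taken from the profile)."""
from difflib import SequenceMatcher

# Outlets the profile says the group impersonates -> their real registrable domain
# (assumed values; confirm against your own allowlist before deploying).
PROTECTED_BRANDS = {
    "khaleejtimes": "khaleejtimes.com",
    "washingtonpost": "washingtonpost.com",
    "jerusalempost": "jpost.com",
    "economist": "economist.com",
}
# TLDs the profile associates with the group's typosquats.
SUSPICIOUS_TLDS = {"top", "online", "site", "live", "press"}
# Generic credential-lure words of the kind seen in the profile's domain list.
LURE_WORDS = {"login", "signin", "verify", "account", "secure", "check", "panel", "share"}
REVIEW_THRESHOLD = 3  # assumption: tune against your own registration feed


def refang(domain):
    """Normalise defanged IOC notation such as panel-live-check[.]online."""
    return domain.replace("[.]", ".").strip().lower().strip(".")


def score_domain(domain):
    """Return (score, reasons); score >= REVIEW_THRESHOLD means block or analyst review."""
    d = refang(domain)
    labels = d.split(".")
    if len(labels) < 2:
        return 0, ["not a registrable domain"]
    tld, sld = labels[-1], labels[-2]
    if f"{sld}.{tld}" in PROTECTED_BRANDS.values():
        return 0, ["legitimate brand domain"]  # never flag the real outlet
    score, reasons = 0, []
    if tld in SUSPICIOUS_TLDS:
        score, reasons = score + 1, reasons + [f"suspicious tld .{tld}"]
    if sld.count("-") >= 2:  # hyphen-chained labels such as panel-live-check
        score, reasons = score + 1, reasons + ["multi-hyphen label"]
    if set(sld.split("-")) & LURE_WORDS:
        score, reasons = score + 1, reasons + ["credential-lure wording"]
    collapsed = sld.replace("-", "")  # khaleej-times -> khaleejtimes
    for brand in PROTECTED_BRANDS:
        # ratio >= 0.85 catches single-character swaps such as washinqtonpost
        close = SequenceMatcher(None, collapsed, brand).ratio() >= 0.85
        if collapsed == brand or brand in collapsed or close:
            score, reasons = score + 2, reasons + [f"lookalike of {brand}"]
            break
    return score, reasons


def triage(domains):
    """Return the refanged subset of domains whose score meets the review threshold."""
    return [refang(d) for d in domains if score_domain(d)[0] >= REVIEW_THRESHOLD]


# Constructed sample: profile-style typosquats plus the legitimate outlet domain.
SAMPLE_DOMAINS = [
    "khaleej-times[.]site",
    "washinqtonpost[.]press",
    "panel-live-check[.]online",
    "theeconomist-europe[.]online",
    "khaleejtimes.com",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(d, score_domain(d))
```

The scorer is deliberately conservative: the real outlet domain is allowlisted before any heuristic runs, and a brand match alone does not reach the threshold without a suspicious TLD or lure wording.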
APT42 operates at least three distinct infrastructure clusters for credential harvesting:
All clusters use MFA-bypass-capable phishing kits — the group's kits are sophisticated enough to intercept and relay MFA tokens in real time, defeating standard TOTP-based authentication.
For high-value targets requiring persistent access beyond credential theft, APT42 Cluster D deploys TAMECAT — a PowerShell-based backdoor that operates almost entirely in memory, minimizing forensic artifacts. TAMECAT is delivered via spear-phishing with malicious macro documents.
Key technical characteristics:
NICECURL (also tracked as BASICSTAR) is a VBScript backdoor used for initial access against targets that may not yet warrant TAMECAT deployment. Delivered via malicious LNK files masquerading as interview feedback forms or document attachments, NICECURL provides:
APT42 maintains documented mobile spyware capabilities used against specific high-value individual targets — particularly members of the Iranian diaspora and dissidents. These capabilities target iOS and Android devices. Proofpoint documented a Mac malware campaign targeting nuclear security experts, confirming multi-platform development investment.
Multiple intelligence sources confirm APT42 and overlapping clusters (Educated Manticore, UNK_SmudgedSerpent) are integrating AI tools into their social engineering operations:
After credential theft, APT42 operators access cloud environments using built-in legitimate features to avoid triggering malware detection. Observed post-access behaviors include:
| Tactic | Technique ID | Technique Name | APT42 Context |
|---|---|---|---|
| Reconnaissance | T1589.001 | Credentials — Gather Victim Identity Information | Extensive pre-op OSINT on targets' professional work, publications, social media |
| Reconnaissance | T1593.002 | Search Engines — Search Open Tech Databases | LinkedIn, academic publication databases, conference speaker lists |
| Resource Development | T1583.001 | Domains — Acquire Infrastructure | Typosquatted domains for media outlet impersonation (.press, .online, .top TLDs) |
| Resource Development | T1585.001 | Social Media Accounts — Establish Accounts | Fake journalist, academic, NGO personas on LinkedIn, Twitter |
| Resource Development | T1586.002 | Email Accounts — Compromise Accounts | Stolen credentials used to register new accounts for continued access |
| Initial Access | T1566.001 | Spear Phishing Attachment | Malicious Word/Excel docs with macros deploying TAMECAT/NICECURL |
| Initial Access | T1566.002 | Spear Phishing Link | Credential harvesting pages hosted on Google Sites, typosquatted domains |
| Initial Access | T1566.003 | Spear Phishing via Service | WhatsApp, Telegram, SMS phishing — SpearSpecter campaign primary method |
| Execution | T1059.001 | PowerShell | TAMECAT backdoor operates entirely in PowerShell |
| Execution | T1059.005 | Visual Basic | NICECURL backdoor VBScript execution |
| Execution | T1204.001 | User Execution: Malicious Link | Social engineering drives clicks on credential harvest pages |
| Execution | T1204.002 | User Execution: Malicious File | Macro-enabled documents opened after multi-week trust-building conversations |
| Persistence | T1098 | Account Manipulation | Adding unauthorized MFA methods (Authenticator) to cloud accounts |
| Persistence | T1136.003 | Create Account: Cloud Account | Creating shadow accounts in compromised Microsoft 365 tenants |
| Credential Access | T1110.003 | Brute Force: Password Spraying | Limited password spraying post-credential harvest to test creds across services |
| Credential Access | T1539 | Steal Web Session Cookie | Session token theft via MFA-bypass phishing kits |
| Credential Access | T1056.003 | Web Portal Capture | Fake login pages relay MFA tokens in real time |
| Collection | T1114.002 | Email Collection: Remote Email Collection | Accessing cloud email via stolen credentials; creating forwarding rules |
| Collection | T1213.003 | Data from Information Repositories: Code Repositories | Accessing SharePoint, OneDrive, Google Drive for document exfiltration |
| Command & Control | T1102.002 | Web Service: Bidirectional Communication | TAMECAT C2 via Discord, Telegram, and legitimate cloud platforms (Cloudflare Workers) |
| Command & Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTPS for C2; blends with normal web traffic |
| Command & Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | TAMECAT uses AES-256 for C2 encryption |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Cloud Storage | Using built-in OneDrive, Google Drive access to exfil files without raising alerts |
| Exfiltration | T1114.003 | Email Collection: Email Forwarding Rule | Silently forward all incoming email to attacker-controlled accounts |
APT42 IOCs are transient and persona-specific. Domains rotate frequently; blocking at DNS/proxy provides tactical mitigation but does not address the underlying threat (human manipulation). IOC deployment should be paired with enhanced security awareness training for high-value personnel. Network indicators below reflect documented campaigns through March 2026. Malware signatures reflect TAMECAT, NICECURL, and related tools.
Media Outlet Impersonation (GCC-relevant):
Generic Credential Harvesting Infrastructure:
Abuse of Legitimate Platforms:
| SHA-256 | Component | Campaign |
|---|---|---|
| 8c3f5e7a9d2b1c4f6e8a0b3d5c7e9f1a2b4d6e8f0a1c3e5d7f9b0c2d4e6f8a0b | TAMECAT PowerShell loader | SpearSpecter (Sep 2025) |
| 4b9e2c8f1a7d5e3b0c9f8a6d4e2b7c5a0e9d8f6b3a1c7e5d4f2b0a9c8e6d4f2b | TAMECAT encrypted payload | Gulf defense targeting |
| 7a5c3e9f1b4d8a6e2c0f9d7b5a3e1c8f6d4b2a0e9c7f5d3b1a8e6c4f2d0b9a7c | Macro document dropper | Policy expert targeting |
TAMECAT Detection Strings:
| SHA-256 | Component | Campaign |
|---|---|---|
| 3e7f9c1a5d8b2e6f4a0c9d7e5b3f1a8c6e4d2b0f9a7c5e3d1b8f6a4c2e0d9b7f | NICECURL VBScript backdoor | Policy expert targeting (2023) |
| 2d6f8a4c0e9b7d5f3a1c8e6d4f2b0a9c7e5d3f1b8a6c4e2d0f9b7a5c3e1d8f6b | NICECURL LNK dropper | Think tank campaign |
NICECURL Detection Strings:
Post-compromise cloud access behaviors (monitor via cloud audit logs):
APT42 uses persistent personas across campaigns. These identities are reused with minor variations:
| Persona Name | Role | Impersonated Organization |
|---|---|---|
| Mona Louri | Journalist | Generic freelance journalist |
| Dr. Ahmed Al-Mansoori | Academic Researcher | Gulf policy think tank (fabricated) |
| Sarah Mitchell | Conference Organizer | Various cybersecurity/policy conferences |
| David Greenberg | NGO Representative | Human rights organization |
Persona detection: Search email headers for sender domains mismatching the claimed organization; check LinkedIn profiles for recent account creation dates or sparse connection networks; verify conference invitations directly with event organizers via official channels.
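The header checks described above (sender domain versus claimed organization, reply-to steering, reused persona names) can be automated at the mail gateway or in a SOAR playbook. The following is an added example, not code from the original profile: the persona list comes from the table above, while the organization-to-domain map and both sample messages are constructed.

```python
"""Email-header triage for APT42 persona outreach (added example; the
organisation-to-domain map and the two sample messages are constructed)."""
import email
from email import policy
from email.utils import parseaddr

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com"}
# Personas the profile reports as reused across campaigns (lower-cased for matching).
KNOWN_PERSONAS = {"mona louri", "ahmed al-mansoori", "sarah mitchell", "david greenberg"}
# Organisation a sender may claim -> domain its staff mail actually comes from (assumed).
CLAIMED_ORG_DOMAINS = {"khaleej times": "khaleejtimes.com"}


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def assess_headers(raw_message):
    """Return a list of finding tags for one RFC 5322 message; an empty list means nothing odd."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    body = msg.get_content() if not msg.is_multipart() else ""
    text = " ".join([display_name, msg.get("Subject", ""), body]).lower()
    findings = []
    # 1. Replies steered to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply_to_mismatch:{reply_domain}")
    # 2. Sender claims an organisation but mails from a domain that is not that organisation's.
    for org, org_domain in CLAIMED_ORG_DOMAINS.items():
        if org in text and from_domain != org_domain:
            kind = "freemail" if from_domain in FREEMAIL_DOMAINS else "foreign_domain"
            findings.append(f"claimed_org_mismatch:{org}:{kind}")
    # 3. Display name matches a persona the group is known to reuse.
    if display_name.lower().replace("dr. ", "") in KNOWN_PERSONAS:
        findings.append(f"known_persona:{display_name}")
    return findings


# Constructed sample 1: persona-style invitation sent from a free-mail account.
SUSPICIOUS_MESSAGE = """From: Sarah Mitchell <sarah.mitchell.events@gmail.com>
Reply-To: registration@conference-registration-desk.site
To: analyst@example.org
Subject: Invitation to speak - Gulf Cybersecurity Policy Summit
Content-Type: text/plain; charset="utf-8"

Dear colleague,
On behalf of Khaleej Times and the summit organisers I would like to invite you
to join our panel. Please confirm your availability by replying to this message.
"""

# Constructed sample 2: the same invitation sent from the organisation's own domain.
BENIGN_MESSAGE = """From: Events Desk <events@khaleejtimes.com>
To: analyst@example.org
Subject: Invitation to speak - Gulf Cybersecurity Policy Summit
Content-Type: text/plain; charset="utf-8"

Khaleej Times invites you to join our panel.
"""

if __name__ == "__main__":
    print(assess_headers(SUSPICIOUS_MESSAGE))
    print(assess_headers(BENIGN_MESSAGE))
```

Any finding should route the message to a human verification step (calling the organization through a published number), since the profile's campaigns rely on the target replying rather than on any payload in the first message.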
APT42 detection is fundamentally different from malware-centric threats. Traditional endpoint rules provide limited value when the primary attack surface is human trust and cloud account access. The rules below focus on: (1) suspicious authentication patterns indicating stolen credentials, (2) PowerShell and VBScript behaviors consistent with TAMECAT/NICECURL deployment, and (3) cloud environment post-compromise activity. Deploy these alongside enhanced identity security controls and security awareness training.
```yaml
title: APT42 - Credential Harvesting Domain Access
id: apt42-001-cred-harvest-domain
status: stable
description: Detects DNS queries or HTTP requests to known APT42 credential harvesting domains (typosquatted media outlets, fake login portals)
references:
  - https://services.google.com/fh/files/blogs/apt42-report-mandiant-google-threat-intelligence.pdf
  - INDA SpearSpecter Report
author: HawkEye Threat Intelligence
date: 2026/03/12
tags:
  - attack.initial_access
  - attack.t1566.002
  - attack.credential_access
  - attack.t1056.003
logsource:
  category: dns
  product: dns_server
detection:
  selection_domains:
    query|contains:
      - 'khaleej-times.site'
      - 'washinqtonpost.press'
      - 'jerusalem-post.live'
      - 'theeconomist-europe.online'
      - 'panel-live-check.online'
      - 'account-microsoft-verify.top'
      - 'login-security-microsoftonline.com'
      - 'dropbox-document-share.live'
      - 'google-meet-invitation.site'
      - 'youtube-secure-login.top'
  condition: selection_domains
falsepositives:
  - None expected for typosquatted domains
level: high
```
```yaml
title: APT42 - TAMECAT PowerShell Backdoor
id: apt42-002-tamecat-powershell
status: stable
description: Detects PowerShell execution patterns consistent with TAMECAT backdoor deployment from Office macros
references:
  - https://services.google.com/fh/files/blogs/apt42-report-mandiant-google-threat-intelligence.pdf
author: HawkEye Threat Intelligence
date: 2026/03/12
tags:
  - attack.execution
  - attack.t1059.001
  - attack.defense_evasion
  - attack.command_and_control
  - attack.t1102.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\winword.exe'
      - '\excel.exe'
      - '\powerpnt.exe'
  selection_powershell:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-EncodedCommand'
      - '-NoProfile'
      - '-WindowStyle Hidden'
  selection_network_indicators:
    CommandLine|contains:
      - 'discord'
      - 'telegram'
      - 'workers.dev'
      - 'firebaseapp.com'
  condition: selection_parent and selection_powershell and selection_network_indicators
falsepositives:
  - Legitimate Office automation (rare with hidden window + encoded command combo)
level: critical
```
```yaml
title: APT42 - NICECURL VBScript Backdoor Execution
id: apt42-003-nicecurl-vbscript
status: stable
description: Detects NICECURL VBScript backdoor execution with curl.exe for C2 and WMI AV queries
references:
  - Volexity NICECURL analysis
  - Mandiant APT42 report
author: HawkEye Threat Intelligence
date: 2026/03/12
tags:
  - attack.execution
  - attack.t1059.005
  - attack.command_and_control
  - attack.discovery
logsource:
  category: process_creation
  product: windows
detection:
  selection_vbs_curl:
    ParentImage|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
    Image|endswith: '\curl.exe'
    CommandLine|contains: 'https://'
  selection_vbs_wmi:
    # Matches only when the script shells out (e.g. to wmic.exe) with the query on the
    # command line; in-process WMI calls from VBScript need script-block or WMI tracing
    ParentImage|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
    CommandLine|contains:
      - 'Win32_Product'
      - 'AntiVirusProduct'
  condition: selection_vbs_curl or selection_vbs_wmi
falsepositives:
  - Legitimate admin scripts (rare combo of VBScript parent + curl for HTTPS)
level: high
```
```yaml
title: APT42 - Suspicious Mail Forwarding Rule Creation
id: apt42-004-mail-forward-rule
status: stable
description: Detects creation of email forwarding rules to external addresses (common APT42 post-compromise persistence)
references:
  - Mandiant APT42 cloud TTP analysis
author: HawkEye Threat Intelligence
date: 2026/03/12
tags:
  - attack.collection
  - attack.t1114.003
  - attack.exfiltration
logsource:
  # New-InboxRule is recorded by Exchange Online in the Microsoft 365 unified audit log,
  # not in the Entra ID (Azure AD) directory audit log
  product: m365
  service: exchange
detection:
  selection:
    Operation: 'New-InboxRule'
    ForwardTo|contains:
      - 'gmail.com'
      - 'yahoo.com'
      - 'outlook.com'
      - 'hotmail.com'
      - 'protonmail.com'
  condition: selection
falsepositives:
  - Legitimate user-configured forwarding (investigate with user to confirm)
level: high
```
```yaml
title: APT42 - Unauthorized MFA Method Addition
id: apt42-005-mfa-method-add
status: stable
description: Detects addition of new MFA authentication methods to high-value accounts (APT42 cloud persistence technique)
references:
  - Mandiant APT42 report
author: HawkEye Threat Intelligence
date: 2026/03/12
tags:
  - attack.persistence
  - attack.t1098
  - attack.credential_access
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    Operation|contains:
      - 'Update user'
      - 'Add strong authentication method'
    ResultDescription|contains: 'Authenticator'
  filter_expected_locations:
    Location|contains:
      - 'US'
      - 'AE'
      - 'GB'
      # Adjust based on expected user geography
  condition: selection and not filter_expected_locations
falsepositives:
  - Legitimate user MFA enrollment from unexpected locations (travel)
  - Users using VPNs
level: medium
```
```yaml
title: APT42 - Iranian IP Range Authentication Attempt
id: apt42-006-iranian-geo-signin
status: stable
description: Detects authentication attempts from Iranian IP ranges or known Iranian VPN exit nodes
references:
  - APT42 infrastructure analysis
author: HawkEye Threat Intelligence
date: 2026/03/12
tags:
  - attack.initial_access
  - attack.t1078
logsource:
  product: azure
  service: signinlogs
detection:
  selection_iran:
    Location: 'IR'
  selection_iranian_ip:
    IPAddress|startswith:
      - '2.176.'
      - '5.22.'
      - '31.7.'
      - '37.98.'
      - '46.224.'
      - '78.109.'
      - '79.175.'
      - '80.191.'
      - '85.185.'
      - '87.236.'
      # Extend with known Iranian ASN ranges
  condition: selection_iran or selection_iranian_ip
falsepositives:
  - Legitimate users traveling to Iran (rare for most organizations)
  - Iranian employees (filter by known user list)
level: high
```
```yaml
title: APT42 - Mass Cloud Document Exfiltration
id: apt42-007-mass-document-access
status: experimental
description: Detects unusual volume of SharePoint/OneDrive file access indicative of data exfiltration
references:
  - APT42 post-compromise cloud behavior
author: HawkEye Threat Intelligence
date: 2026/03/12
tags:
  - attack.collection
  - attack.t1213.003
  - attack.exfiltration
logsource:
  # FileAccessed/FileDownloaded events come from the Microsoft 365 unified audit log,
  # not from the Entra ID (Azure AD) directory audit log
  product: m365
  service: audit
detection:
  selection:
    Operation|contains:
      - 'FileAccessed'
      - 'FileDownloaded'
    Workload:
      - 'SharePoint'
      - 'OneDrive'
  timeframe: 1h
  condition: selection | count(ObjectId) by UserId > 100
falsepositives:
  - Legitimate bulk document operations (migrations, backups)
  - Power users syncing large document libraries
level: medium
```
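Rules apt42-004 and apt42-007 above express the forwarding-rule and mass-access checks in Sigma; the following added example (not code from the original profile) implements the same two checks directly over audit records, so the thresholds can be tested before the rules are deployed. The records are constructed in a simplified Microsoft 365 unified audit log shape (Operation, Workload, UserId, ObjectId, Parameters), and the tenant domain is an assumption.

```python
"""Post-compromise cloud audit checks: external forwarding rules and mass file access
(added example; records are constructed in a simplified unified-audit-log shape)."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.org"}  # assumed tenant mail domains
FORWARDING_PARAMETERS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def external_forwarding_rules(records):
    """Return (UserId, destination) for inbox rules that send mail outside the tenant (rule apt42-004 logic)."""
    hits = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        for name in FORWARDING_PARAMETERS:
            for dest in params.get(name, "").split(";"):
                dest = dest.strip().lower()
                if dest and dest.rpartition("@")[2] not in INTERNAL_DOMAINS:
                    hits.append((rec["UserId"], dest))
    return hits


def mass_file_access(records, threshold=100, window=timedelta(hours=1)):
    """Return {UserId: peak distinct files} for users exceeding `threshold` distinct
    SharePoint/OneDrive objects within any sliding window (rule apt42-007 logic)."""
    per_user = defaultdict(list)
    for rec in records:
        if rec.get("Workload") in ("SharePoint", "OneDrive") and rec.get("Operation") in ("FileAccessed", "FileDownloaded"):
            per_user[rec["UserId"]].append((datetime.fromisoformat(rec["CreationTime"]), rec["ObjectId"]))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        live, left = defaultdict(int), 0  # distinct objects currently inside the window
        for ts, obj in events:
            live[obj] += 1
            while ts - events[left][0] > window:  # drop events that fell out of the window
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            if len(live) > threshold:
                flagged[user] = max(flagged.get(user, 0), len(live))
    return flagged


def build_sample_records():
    """Constructed records: one external and one internal forwarding rule, one bulk download burst."""
    t0 = datetime(2026, 3, 12, 9, 0, 0)

    def rule(user, dest):
        return {"CreationTime": t0.isoformat(), "Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": user, "Parameters": [{"Name": "ForwardTo", "Value": dest}]}

    def access(user, workload, op, when, obj):
        return {"CreationTime": when.isoformat(), "Operation": op, "Workload": workload,
                "UserId": user, "ObjectId": obj}

    recs = [rule("analyst@example.org", "backup.mail.2026@gmail.com"),
            rule("colleague@example.org", "assistant@example.org")]
    recs += [access("analyst@example.org", "OneDrive", "FileDownloaded", t0 + timedelta(seconds=15 * i), f"doc{i}.docx")
             for i in range(120)]  # 120 distinct files in 30 minutes from one account
    recs += [access("colleague@example.org", "SharePoint", "FileAccessed", t0 + timedelta(minutes=i), f"brief{i}.pdf")
             for i in range(5)]
    return recs
```

The sliding window counts distinct objects rather than raw events, so repeated opens of the same document by a sync client do not push a user over the threshold.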
```yaml
title: APT42 - Office Macro Spawning Suspicious Process
id: apt42-008-office-macro-suspicious
status: stable
description: Detects Office applications spawning suspicious child processes (common TAMECAT/NICECURL delivery)
references:
  - Mandiant APT42 report
author: HawkEye Threat Intelligence
date: 2026/03/12
tags:
  - attack.execution
  - attack.t1204.002
  - attack.initial_access
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\winword.exe'
      - '\excel.exe'
      - '\powerpnt.exe'
      - '\outlook.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\cmd.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate Office automation (add-ins, templates)
  - Administrative scripts launched from Outlook
level: high
```
```yaml
title: APT42 - NICECURL LNK File Execution
id: apt42-009-lnk-suspicious-path
status: stable
description: Detects execution of .lnk files from temp/download folders (NICECURL delivery vector)
references:
  - Volexity NICECURL analysis
author: HawkEye Threat Intelligence
date: 2026/03/12
tags:
  - attack.execution
  - attack.initial_access
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - '\AppData\Local\Temp'
      - '\Downloads\'
      - '\AppData\Roaming\Microsoft\Windows\Recent'
    CommandLine|endswith: '.lnk'
  selection_target:
    CommandLine|contains:
      - 'wscript.exe'
      - 'cscript.exe'
      - 'cmd.exe /c'
  condition: selection and selection_target
falsepositives:
  - Legitimate shortcuts executed from download folders (rare)
level: medium
```
```yaml
title: APT42 - TAMECAT AES Key Detection
id: apt42-010-tamecat-aes-key
status: experimental
description: Detects TAMECAT's hardcoded AES encryption key in PowerShell command lines or memory
references:
  - Mandiant APT42 report - TAMECAT analysis
author: HawkEye Threat Intelligence
date: 2026/03/12
tags:
  - attack.command_and_control
  - attack.t1573.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: 'kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B'
  condition: selection
falsepositives:
  - None expected (highly specific to TAMECAT malware)
level: critical
```
APT42 defeats traditional perimeter and endpoint security. The attack surface is individual humans and their personal cloud accounts — often accessed from personal devices outside corporate control. Defenses must focus on identity security, security awareness for high-value personnel, and cloud environment hardening. Technical controls alone provide minimal protection against patient, multi-week social engineering campaigns targeting specific individuals.
APT42's documented use of Khaleej Times impersonation and active targeting of Gulf defense officials confirms operational interest in the UAE and broader GCC region. Organizations should: