SpearSpecter - Unmasking Iran’s IRGC Cyber Operations Targeting High-Profile Individuals
Researchers at the Israel National Digital Agency have uncovered an ongoing, sophisticated espionage campaign, tracked as SpearSpecter, conducted by Iranian threat actors aligned with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). The group is tracked by the wider security industry under multiple aliases, including APT42, Mint Sandstorm, Educated Manticore, and CharmingCypress.
The group's main objective is espionage against individuals and organizations of interest to the IRGC. Its operations show the stealth and persistence typical of nation-state actors, and it rapidly adapts its tactics, techniques, and procedures (TTPs).
The campaign has systematically targeted high-value senior defense and government officials with personalized social engineering, such as invitations to prestigious conferences or offers to arrange significant meetings. It also targets the family members of its primary targets, which widens the attack surface and increases the pressure on those primary targets.
This article highlights the threat actor's recently observed TTPs. Specifically, it examines new TAMECAT modules, multi-channel command and control (C2) using Telegram and Discord, payload staging on WebDAV infrastructure, and creative abuse of native Windows features.
These infrastructure components routinely support payload delivery, C2 communication, and data exfiltration across APT42's arsenal and campaigns. The detailed analysis of tools, techniques, and network infrastructure provides strong corroborating evidence linking SpearSpecter's operational footprint to APT42, and highlights the adversary's use of obfuscation, cloud platforms, and familiar modular implants for stealthy persistence and data theft in support of Iranian state-sponsored espionage.
To read the complete article see: SpearSpecter Article.