Executive Summary
APT42 is one of the most operationally sophisticated espionage actors currently active. Unlike most Chinese or Russian APT groups, which rely primarily on software exploitation, APT42 achieves initial access almost exclusively through human manipulation: targeted social engineering campaigns against individuals whose access to sensitive information makes them worthwhile investments even when intrusion requires weeks of relationship building.
The group operates on behalf of the Iranian Islamic Revolutionary Guard Corps Intelligence Organisation (IRGC-IO), targeting foreign policy officials, journalists covering Iran and the Middle East, nuclear and national security researchers, defence sector personnel, and, increasingly, personnel at technology companies with significant government contracts. The 2024 breach and data theft operation targeting the Trump presidential campaign — verified by US intelligence agencies — demonstrated the group’s willingness to conduct politically consequential operations and the operational capability to execute them.
With the NCSC’s current elevated threat advisory citing Iranian state-affiliated actors as an active risk to UK organisations, understanding APT42’s tradecraft in detail is a practical necessity for security teams protecting high-value individuals.
Threat Actor Profile
Attribution: APT42 is assessed with high confidence by Google Threat Intelligence, Mandiant, and Microsoft as operating under the authority of the IRGC-IO, a directorate of the Islamic Revolutionary Guard Corps responsible for intelligence gathering and counterintelligence functions. The group is distinct from MuddyWater (MOIS, Ministry of Intelligence) and from IRGC-sponsored destructive actors like Sandstorm/APT33.
Aliases: Charming Kitten (ClearSky), Phosphorus (Microsoft, prior to adoption of MSTIC naming convention), Mint Sandstorm (current Microsoft name), TA453 (Proofpoint), Yellow Garuda (PricewaterhouseCoopers), UNC788 (Mandiant early-stage tracking).
Operational tempo: APT42 runs a high volume of concurrent operations. Unlike typical APT groups that run a small number of targeted campaigns, APT42 maintains dozens of simultaneous targeting efforts, each tailored to a specific individual with bespoke social engineering content. Google Threat Intelligence notes that APT42 has sent over 250 phishing emails to 35+ identified targets within a two-week campaign window.
Strategic objective: Intelligence collection focused on the foreign policy priorities of the IRGC-IO: Western government positions on Iran sanctions and the nuclear programme, Israeli intelligence and military activities, internal discussions within the Iranian diaspora community and opposition groups, and the views of academic and policy figures who influence Western policy toward Iran.
Tactics, Techniques, and Procedures
Initial Contact and Relationship Building
APT42’s most distinctive characteristic is patience. The group routinely invests weeks or months building a credible relationship with a target before attempting credential theft. Initial contact is typically made via a persona designed to appeal to the target’s professional identity: a journalist seeking comment for an article, a think tank researcher inviting the target to participate in a conference, a fellow academic interested in collaborative publication.
Contact methods include:
- Gmail and Outlook for initial email engagement, using domains that impersonate legitimate publications, research institutions, or international organisations
- WhatsApp and Signal for relationship development, creating the impression of a personal rather than professional contact
- LinkedIn for professional persona establishment and target identification
- Phone and video calls in more advanced operations, where voice or video contact is used to overcome scepticism about email-only contacts
The “Conference Call Lure” pattern is one of APT42’s most documented techniques. The actor sends a targeted individual an invitation to participate in a panel or expert roundtable, attaches a conference agenda (PDF) containing malicious links or a credential-harvesting document, and schedules a follow-up video call. The video call may involve multiple APT42 operators maintaining different personas.
Credential Harvesting Infrastructure
The primary initial access objective in most APT42 operations is credential theft rather than malware deployment. The group operates an extensive network of fake login pages impersonating Google, Microsoft, Yahoo, ProtonMail, and organisation-specific webmail portals.
Credential harvesting domains are registered with significant attention to plausibility: using legitimate domain registrars, valid TLS certificates, and domains that are visually similar to the impersonated service (e.g., accounts-google-confirm[.]com, microsoft-account-verify[.]net). Infrastructure is typically short-lived and rotated frequently to evade blocklists.
When a target enters credentials on a harvesting page, the group checks whether the account has MFA enabled. For accounts protected by SMS-based OTP, APT42 operates real-time phishing frameworks (functionally similar to Evilginx2) that proxy the authentication flow and capture session tokens as they are issued, allowing MFA to be bypassed.
Malware Deployment
For targets where persistent access is required beyond credential theft, APT42 deploys a limited toolset of custom implants:
TAMECAT: A PowerShell-based backdoor that provides a full command-execution capability on Windows systems. TAMECAT is delivered via malicious documents or via legitimate cloud storage services (Google Drive, OneDrive) as a second-stage payload after initial access is established. It communicates over HTTPS using traffic patterns that mimic legitimate services.
NICECURL: A VBScript-based backdoor discovered by Mandiant and assessed as a lighter-weight alternative to TAMECAT for initial persistence. It is executed via wscript.exe and uses a simple task-based command execution model.
GADGETEER: A document weaponisation utility observed in operations targeting Iranian diaspora and opposition groups. It generates weaponised Office documents that execute shellcode or deploy other implants when macros are enabled or a document vulnerability is triggered.
POWERSTARR: A PowerShell-based credential-scraping implant that harvests credentials from browser stores, Windows Credential Manager, and email clients before exfiltrating them to attacker-controlled infrastructure.
APT42 has also been observed deploying commercial surveillance software against mobile device targets, particularly when the intelligence value of a target justifies the operational cost.
Living Off the Cloud
A consistent feature of APT42 operations is the use of legitimate cloud services to blend in with normal traffic and complicate detection:
- Google Drive and OneDrive are used as C2 channels and exfiltration staging areas, making outbound traffic to these services appear legitimate
- Google Sites has been used to host credential-harvesting pages that pass URL reputation checks
- Google Forms has been deployed as an exfiltration mechanism for harvested credentials
- Telegram has been observed as a C2 notification channel for simpler implants
Targeting and Victim Sectors
Western Government and Foreign Policy
APT42’s most consistent targeting is directed at individuals involved in foreign policy toward Iran and the Middle East. This includes government officials at the State Department, FCO/FCDO, and equivalent foreign ministries; think tank researchers publishing on Iran sanctions, nuclear policy, and regional stability; former government officials who retain access to sensitive networks; and diplomats and envoys involved in nuclear negotiations.
Academic and Research Sector
Nuclear policy researchers, conflict studies academics, and journalists covering Iran are persistent targets. The group has been documented targeting faculty at leading US and European research universities, analysts at policy institutes including the Brookings Institution, Carnegie Endowment, and European equivalents, and journalists at major international publications with Iran desks.
Defence Sector
Personnel at defence contractors, particularly those working on missile defence, unmanned systems, or Middle East-region operations, are targeted for the technical and strategic intelligence value of their access and communications.
Diaspora Communities and Civil Society
APT42 maintains a consistent focus on Iranian diaspora communities, opposition groups, human rights organisations, and activists. These targets serve the IRGC-IO’s domestic intelligence function of monitoring and potentially suppressing opposition activity outside Iranian borders.
Technology and AI Research
More recent APT42 targeting has extended to technology companies and AI research organisations, reflecting the IRGC-IO’s interest in understanding Western AI capabilities and development trajectories.
Historical Operations
2020 US Presidential Election Targeting: APT42 conducted credential harvesting operations against staff associated with both the Trump and Biden presidential campaigns. The operations were disclosed by US intelligence services and confirmed by Google Project Zero and Microsoft MSTIC.
2024 US Presidential Election: The most significant APT42 operation in recent years. US intelligence agencies confirmed that APT42 successfully breached the Trump campaign and obtained campaign-related documents, which were then passed to media outlets. The operation combined credential theft against campaign staff with data exfiltration of internal campaign strategy documents. Multiple campaign officials received social engineering attempts via WhatsApp.
Operation GhostWriter / Targeted Researcher Operations: APT42 conducted a multi-year campaign targeting nuclear policy researchers, using fake conference invitations to establish contact with academics at US and European research institutions. The operation collected communications about Western positions on the JCPOA and Iranian nuclear programme.
Israeli Sector Operations: Following October 2023, APT42 significantly increased targeting of Israeli and Israel-adjacent organisations, including individuals in the US and UK with Israeli business or personal connections, Jewish community organisations, and personnel at organisations with Israeli partnerships. This included targeting of Israeli defence sector personnel and news media.
Think Tank and NGO Operations: APT42 has run persistent operations against major US and European think tanks, including obtaining access to internal communications and draft publications on Iran policy.
Defensive Implications
FIDO2 hardware keys are the only form of MFA that defeats APT42’s real-time phishing capability. SMS OTP and authenticator app TOTP are both susceptible to the adversary-in-the-middle techniques the group deploys. For individuals at elevated risk, account protection must be treated as equivalent to physical access control. Physical FIDO2 tokens should be considered mandatory for government officials, journalists in sensitive beats, and researchers working on Iran-adjacent policy topics.
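Why the proxying described in the Credential Harvesting section defeats OTP but not FIDO2 comes down to origin binding, and the simulation below makes that concrete. It is an added example written for this article, not code from Google, Mandiant or any APT42 tooling: a real RFC 6238 TOTP implementation next to a simplified WebAuthn-style assertion in which the authenticator signs over a clientDataJSON carrying the origin the browser actually connected to. All secrets, origins and the challenge are constructed, and HMAC stands in for the authenticator's ECDSA private key so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json
import struct
import time

# Constructed sample values: a fake TOTP seed and a fake authenticator credential key.
TOTP_SEED = b"constructed-shared-secret-for-demo"
CREDENTIAL_KEY = b"constructed-authenticator-private-key"  # stand-in for the FIDO2 private key

LEGIT_ORIGIN = "https://accounts.example-legit.test"    # the real identity provider (constructed)
PHISH_ORIGIN = "https://accounts-example-confirm.test"  # the AitM proxy's lookalike (constructed)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step). Nothing in the code binds it to the site it is typed into."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def idp_verify_totp(seed: bytes, submitted_code: str, unix_time: int, typed_on_origin: str) -> bool:
    """The real IdP can only check the code; typed_on_origin is unknowable to it and so is ignored."""
    return hmac.compare_digest(totp(seed, unix_time), submitted_code)


def authenticator_sign(cred_key: bytes, challenge: str, origin: str) -> dict:
    """WebAuthn-style assertion: the browser builds clientDataJSON from the origin it is really on,
    and the authenticator signs its hash. (HMAC stands in for the ECDSA signature.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def rp_verify_assertion(cred_key: bytes, assertion: dict, expected_challenge: str, expected_origin: str) -> bool:
    """Relying-party checks: type, fresh challenge, and that the signed origin is the RP's own origin."""
    data = json.loads(assertion["client_data"])
    if data.get("type") != "webauthn.get" or data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != expected_origin:  # this is the check an AitM proxy cannot satisfy
        return False
    expected_sig = hmac.new(cred_key, hashlib.sha256(assertion["client_data"]).digest(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def simulate_aitm_relay(now: int = None) -> dict:
    """Replay both factors through a lookalike origin and report which the real service accepts."""
    now = int(time.time()) if now is None else now
    # TOTP: the victim types the code into the lookalike page; the proxy relays it within the 30 s window.
    code_typed_on_phish = totp(TOTP_SEED, now)
    totp_relay = idp_verify_totp(TOTP_SEED, code_typed_on_phish, now, PHISH_ORIGIN)
    # FIDO2: even if the browser produced an assertion on the lookalike origin (real browsers refuse, since the
    # RP ID does not match), clientDataJSON would record PHISH_ORIGIN and the real RP rejects it.
    challenge = "constructed-challenge-123"
    relayed = authenticator_sign(CREDENTIAL_KEY, challenge, PHISH_ORIGIN)
    fido_relay = rp_verify_assertion(CREDENTIAL_KEY, relayed, challenge, LEGIT_ORIGIN)
    # Control: the same flow performed directly on the legitimate origin succeeds.
    direct = authenticator_sign(CREDENTIAL_KEY, challenge, LEGIT_ORIGIN)
    fido_direct = rp_verify_assertion(CREDENTIAL_KEY, direct, challenge, LEGIT_ORIGIN)
    return {"totp_relay_succeeds": totp_relay, "fido_relay_succeeds": fido_relay, "fido_direct_succeeds": fido_direct}


if __name__ == "__main__":
    print(simulate_aitm_relay())
```

The TOTP path succeeds because a six-digit code carries no information about where it was entered; the proxy simply forwards it to the real service inside the validity window, exactly the session-token capture the Credential Harvesting section describes. The FIDO2 path fails at the origin check because the signed client data names the lookalike, and in practice the browser never gets that far: it refuses to exercise a credential whose RP ID does not match the page's origin.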
Verify conference and meeting invitations through independent channels. APT42’s conference lure works because targets don’t verify that the inviting organisation sent the invitation. A brief check via the organisation’s official website or a known email address for that organisation defeats most initial contact attempts. Any invitation that creates time pressure (register by tomorrow, confirm attendance this week) should be treated with additional scepticism.
Treat WhatsApp and Signal contacts from unknown numbers with the same caution as email from unknown senders. APT42 uses messaging platforms specifically because targets apply less scrutiny there than to professional email. Receiving a WhatsApp message from someone claiming to be a journalist or researcher is not inherently more trustworthy than an unsolicited email.
Audit cloud service usage. For organisations where APT42 intrusion would be a material risk, unusual use of Google Drive or OneDrive as exfiltration channels should be included in DLP monitoring scope. An unusual volume of documents accessed or downloaded through cloud storage interfaces is a detection opportunity.
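One way to turn that detection opportunity into a check is a per-user download baseline over cloud-storage audit events. The block below is an added example written for this article, not a vendor rule or anything from the APT42 reporting it cites. The audit log format (timestamp, user, service, action, item) and every record in it are constructed, and the thresholds (an absolute floor of 20 downloads and four times the user's median daily count) are illustrative starting points to tune against your own telemetry.

```python
import statistics
from collections import defaultdict


def constructed_audit_log() -> str:
    """Constructed cloud-storage audit records (not real telemetry): timestamp,user,service,action,item."""
    lines = [
        "2024-03-04T09:12:03Z,a.researcher,GoogleDrive,download,iran-sanctions-brief-v3.docx",
        "2024-03-04T11:40:51Z,a.researcher,GoogleDrive,download,jcpoa-timeline.xlsx",
        "2024-03-05T08:02:19Z,a.researcher,GoogleDrive,download,panel-agenda.pdf",
        "2024-03-05T14:15:00Z,a.researcher,GoogleDrive,view,panel-agenda.pdf",
        "2024-03-05T16:33:27Z,a.researcher,OneDrive,download,notes-march.docx",
        "2024-03-05T17:01:44Z,a.researcher,OneDrive,download,contacts.csv",
        "2024-03-06T10:10:10Z,a.researcher,GoogleDrive,download,draft-op-ed.docx",
        "2024-03-06T12:45:09Z,a.researcher,GoogleDrive,download,sources.docx",
    ]
    # b.analyst: a steady five downloads a day, which should not alert.
    for day in ("04", "05", "06", "07"):
        for i in range(5):
            lines.append(f"2024-03-{day}T09:{i:02d}:00Z,b.analyst,OneDrive,download,report-{day}-{i}.pdf")
    # a.researcher on 2024-03-07: thirty downloads late in the evening, the constructed spike.
    for i in range(30):
        lines.append(f"2024-03-07T22:{i:02d}:00Z,a.researcher,GoogleDrive,download,archive-{i:02d}.docx")
    return "\n".join(lines)


def parse_events(text: str) -> list:
    """Split CSV-style audit lines into dicts; the day is the first ten characters of the ISO timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, service, action, item = line.split(",", 4)
        events.append({"day": ts[:10], "user": user, "service": service, "action": action, "item": item})
    return events


def downloads_per_user_day(events: list) -> dict:
    """Count only download actions; views and edits are left out of the exfiltration signal."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            counts[e["user"]][e["day"]] += 1
    return counts


def flag_download_spikes(events: list, review_day: str, min_count: int = 20, factor: float = 4.0) -> dict:
    """Flag users whose downloads on review_day clear an absolute floor and exceed
    factor x their median daily download count over earlier days in the log."""
    counts = downloads_per_user_day(events)
    alerts = {}
    for user, per_day in counts.items():
        today = per_day.get(review_day, 0)
        history = [n for d, n in per_day.items() if d < review_day]
        baseline = statistics.median(history) if history else 0
        if today >= min_count and today >= factor * max(baseline, 1):
            alerts[user] = {"today": today, "baseline": baseline}
    return alerts


if __name__ == "__main__":
    events = parse_events(constructed_audit_log())
    for user, detail in flag_download_spikes(events, "2024-03-07").items():
        print(f"ALERT {user}: {detail['today']} downloads today vs median {detail['baseline']}")
```

The median rather than the mean keeps one earlier busy day from masking a later spike, and the absolute floor stops a user with a near-zero baseline from alerting on a handful of downloads. In a real deployment the same counts can be scoped to the high-risk population the article describes and broken down by hour, since bulk collection outside the user's working pattern is a stronger signal than volume alone.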
Security training for targeted populations requires a different approach. Generic phishing awareness training is largely ineffective against APT42 because the attacks don’t look like generic phishing. Targeted individuals need scenario-specific training that reproduces the authentic-looking nature of APT42 approaches: plausible personas, relevant topics, professional-quality communication, and multi-channel engagement.
Google’s published APT42 report contains Indicators of Compromise for TAMECAT, NICECURL, and associated infrastructure. Threat intelligence teams should match these against mail gateway, endpoint, and cloud access logs, with particular attention to any APT42 domain patterns in DNS query logs for users in high-risk roles.
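The two ideas above, matching ingested IoCs against DNS query logs for high-risk users and catching the lookalike pattern described in the Credential Harvesting Infrastructure section (brand name plus an account or verification word, or a brand name buried in the subdomain of an unrelated apex), can be combined in one triage pass. The block below is an added example written for this article rather than Google's or Mandiant's tooling. The only IoC entries are the two lookalike examples the article itself quotes, kept defanged as written there; the resolver log lines, the high-risk user list and the brand allowlist are constructed, and the apex-domain split is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
import re

# Brand and action tokens typical of the identity-provider lookalikes described in the article.
BRAND_TOKENS = ("google", "gmail", "microsoft", "outlook", "office", "live", "yahoo", "proton", "protonmail")
ACTION_TOKENS = ("account", "accounts", "confirm", "verify", "verification", "login", "signin",
                 "secure", "auth", "recovery", "mfa")
# Apex domains that legitimately carry those brand names (constructed allowlist; extend for real use).
LEGIT_APEX = {"google.com", "gmail.com", "microsoft.com", "outlook.com", "office.com", "live.com",
              "yahoo.com", "proton.me", "protonmail.com"}

# Constructed IoC list: the two lookalike examples quoted in the article, defanged as given there.
IOC_DOMAINS = {"accounts-google-confirm[.]com", "microsoft-account-verify[.]net"}

# Users in high-risk roles (constructed); hits for them are escalated one level.
HIGH_RISK_USERS = {"j.policy", "r.journalist"}

# Constructed DNS resolver log lines (not real telemetry).
DNS_LOG = """\
2024-03-07T10:01:02Z client=10.20.0.14 user=j.policy qname=accounts-google-confirm.com. qtype=A
2024-03-07T10:01:09Z client=10.20.0.14 user=j.policy qname=drive.google.com. qtype=A
2024-03-07T10:03:41Z client=10.20.0.77 user=s.admin qname=login.microsoft.com.evil-host.test. qtype=A
2024-03-07T10:05:12Z client=10.20.0.31 user=r.journalist qname=microsoft-account-verify.net. qtype=AAAA
2024-03-07T10:06:00Z client=10.20.0.31 user=r.journalist qname=outlook.office.com. qtype=A
2024-03-07T10:07:30Z client=10.20.0.52 user=m.finance qname=secure-login-portal.test. qtype=A
2024-03-07T10:08:05Z client=10.20.0.52 user=m.finance qname=yahoo-mail-recovery.test. qtype=A
"""

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+qname=(?P<qname>\S+)")


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com into a comparable lowercase name."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def registrable(qname: str) -> str:
    parts = refang(qname).split(".")
    return ".".join(parts[-2:])  # simplification: multi-label suffixes such as co.uk are not handled


def matches_ioc(qname: str, iocs) -> bool:
    """Exact or subdomain match against the IoC set."""
    q = refang(qname)
    return any(q == ioc or q.endswith("." + ioc) for ioc in (refang(i) for i in iocs))


def lookalike_reasons(qname: str) -> list:
    """Heuristic reasons a name resembles an identity-provider lookalike; an empty list means no concern."""
    q = refang(qname)
    apex = registrable(q)
    if apex in LEGIT_APEX:
        return []
    reasons = []
    apex_tokens = apex.split(".")[0].split("-")
    brands = [b for b in BRAND_TOKENS if b in apex_tokens]
    actions = [a for a in ACTION_TOKENS if a in apex_tokens]
    if brands and actions:
        reasons.append(f"brand {brands[0]!r} combined with action word {actions[0]!r} in apex label")
    sub = q[: -len(apex) - 1] if len(q) > len(apex) else ""
    sub_labels = sub.split(".") if sub else []
    if any(b in sub_labels for b in BRAND_TOKENS):
        reasons.append("brand name used as a subdomain label of an unrelated apex")
    return reasons


def triage_dns_log(log_text: str, iocs=IOC_DOMAINS, high_risk=HIGH_RISK_USERS) -> list:
    """Return one alert per suspicious query; IoC hits outrank heuristic hits, high-risk users escalate."""
    alerts = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, qname = m.group("user"), refang(m.group("qname"))
        if matches_ioc(qname, iocs):
            severity, why = "high", "match against ingested IoC list"
        else:
            reasons = lookalike_reasons(qname)
            if not reasons:
                continue
            severity, why = "medium", "; ".join(reasons)
        if user in high_risk:
            severity = "critical" if severity == "high" else "high"
        alerts.append({"user": user, "qname": qname, "severity": severity, "reason": why})
    return alerts


if __name__ == "__main__":
    for a in triage_dns_log(DNS_LOG):
        print(f"{a['severity']:8} {a['user']:14} {a['qname']:40} {a['reason']}")
```

Two of the seven constructed queries hit the IoC list and two more trip the heuristics, while the legitimate Google and Office queries pass because their apex is allowlisted rather than because they lack brand words. The heuristic deliberately looks only at apex labels and subdomain labels, not substrings, so a hosting provider with "live" in its name is not flagged; the trade-off is that typo-squats such as a doubled letter in the brand need a separate edit-distance check.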