>samit_hota
Back to adversary profiles
G1044HighActive

APT42: Iran's Premier Human-Targeting Cyber Espionage Unit

Samit Hota·
Suspected Origin
Iran
Motivation
Espionage, Threat-based Surveillance, Suppressing Perceived Threats to the Iranian Regime, Intelligence Gathering
Aliases
None documented
Target Sectors
Government & Diplomacy, NGOs & Civil Society, Academia & Think Tanks, Journalists & Media, Healthcare, Legal Services, Iranian Dissidents & Diaspora, Manufacturing, Finance, Technology, Aerospace, Defense Contractors, National Military Organizations
Associated Malware
PINEFLOWER, TAMECAT, NICECURL, GHAMBAR, POWERPOST, VINETHORN, GCollection, LCollection, YCollection, MuddyLocker, Zerocleare
#threat-actor#g1044

Overview

APT42 (G1044), also known by aliases such as UNC788, CALANQUE, and Mint Sandstorm, is a sophisticated and persistent cyber espionage group sponsored by the Iranian state. They are confidently attributed to the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and have been actively conducting operations since at least 2015, with a notable increase in activity post-2018. Unlike financially motivated threat actors, APT42’s primary mission revolves around intelligence gathering, surveillance, and suppressing perceived threats to the Iranian regime, aligning with Iran’s broader geopolitical and security objectives.

The group distinguishes itself through highly targeted, patient, and methodical social engineering, often cultivating trust with victims over weeks or months before attempting to compromise accounts or devices. Their focus is predominantly on human intelligence collection, identifying, monitoring, and compromising the personal accounts and devices of individuals perceived as threats to the Iranian government. This includes Iranian dissidents and diaspora abroad, journalists, academics, human rights activists, government officials from adversarial nations, and political campaign personnel. While their regional focus includes the Middle East, their operations extend globally to Europe, North America, and occasionally Africa, with significant recent targeting of entities in the U.S. and Israel.

Tactics & Techniques

APT42’s operational model heavily relies on sophisticated social engineering and spear-phishing campaigns. They excel at building trust with their targets by impersonating legitimate entities such as journalists, researchers, academics, think tank personnel, or NGO representatives. Initial contact often involves benign email conversations, event invitations, or requests for collaboration, followed by the delivery of malicious links designed to harvest credentials or deploy malware.

A primary access method involves credential harvesting, often bypassing multi-factor authentication (MFA). They frequently abuse legitimate cloud services like Google Sites, Google Drive, Microsoft 365, Dropbox, and OneDrive to host phishing pages or redirects. Typosquatting domains that closely mimic legitimate organizations are a common tactic. Once credentials are stolen, APT42 directly targets cloud identity and infrastructure to access email, documents, and cloud storage, allowing for long-term surveillance and data exfiltration without necessarily deploying endpoint malware.

For persistence, APT42 establishes multiple mechanisms, often leveraging legitimate cloud features to evade detection, as OAuth grants and access credentials can persist even after password changes. They also utilize PowerShell scripts (e.g., POWERPOST) for privilege escalation and accessing sensitive account information. Anti-forensic techniques, such as clearing logs and browser history, along with registry modifications and scheduled tasks, are employed to maintain stealth. In mobile targeting, they often use Android spyware that exploits Accessibility Services for comprehensive surveillance, including location tracking and communication monitoring.

Notable Campaigns

APT42 has demonstrated adaptability, shifting its operational focus in response to evolving Iranian priorities.

  • 2017–2019: Targeted Western think tanks and academics researching Middle East policy.
  • 2020–2021: Leveraged the COVID-19 pandemic to target liberal arts institutions, healthcare organizations, and pharmaceutical research for vaccine data.
  • 2022: Showed an increase in harassment campaigns targeting journalists and dissidents, alongside heavy use of Android malware for personal surveillance.
  • 2023: Conducted spear-phishing campaigns against government agencies in the Middle East and Europe. Mandiant also observed a campaign targeting media and non-profit sectors with shortened URLs redirecting to fake Google Drive credential harvesting pages.
  • 2024: Continued intense targeting of Israel and the U.S., including Israeli defense/diplomatic personnel and individuals affiliated with U.S. presidential campaigns. Google Threat Analysis Group (TAG) reported dismantling APT42-created Google Sites phishing pages masquerading as petitions. A campaign in July 2024, dubbed “BlackSmith,” used fake podcast and webinar invitations to deliver malware.
  • 2025: Engaged in “benign” email conversations while impersonating think tank personnel, leading to credential harvesting pages and subsequent deployment of commercial remote management tools for persistence.
  • 2026: Following US-Israeli airstrikes on Iran (Operation Epic Fury), APT42 operations reportedly entered an elevated tempo, with active campaigns targeting the GCC region, specifically UAE-based media outlets and policy researchers.

Associated Malware & Tools

APT42 employs a mix of custom-developed malware, legitimate cloud services, and open-source tools to achieve its objectives.

  • PINEFLOWER: A notable Android malware used for mobile surveillance, enabling location tracking, communication monitoring, and data exfiltration from compromised devices.
  • TAMECAT: A PowerShell toehold backdoor delivered via malicious macro documents, capable of executing arbitrary PowerShell or C# content and communicating with its C2 over HTTP, with Base64 encoded data. Mandiant observed its use in a large-scale spear-phishing campaign against NGOs, government, and intergovernmental organizations.
  • NICECURL: A VBScript backdoor that communicates over HTTPS, designed to download additional modules for data mining and arbitrary command execution. It includes commands to remove artifacts and set new configurations.
  • GHAMBAR and POWERPOST: Malware families used for collecting system and network information, and taking screenshots. POWERPOST also functions as a PowerShell script for privilege escalation.
  • VINETHORN: An Android payload observed masquerading as a VPN application, used for C2.
  • Credential Harvesting Kits: The group utilizes sophisticated phishing kits like GCollection, LCollection, and YCollection, specifically designed to target Google, Hotmail, and Yahoo credentials. They also use the DWP browser-in-the-browser kit.
  • Other Tools: They rely on native features of operating systems and cloud environments, open-source tools, and legitimate remote management tools for persistence and exfiltration. The group has also been known to use Mimikatz for credential theft and HyperShell.

Current Status

APT42 remains an active and highly adaptive threat actor. Intelligence indicates they are continuously upgrading their operational technologies, incorporating enhanced credential phishing, mobile exploitation, surveillance malware, and cloud exploitation to maintain effectiveness against global defensive upgrades. Recent developments include increased use of Android malware for mobile-first surveillance, deployment of reverse tunnels for persistence, and leveraging cloud-based services for exfiltration and command-and-control to complicate detection. There is also evidence of cooperation with other Iranian units, such as MuddyWater and Lyceum (sub-groups of OilRig), in joint efforts against targets in Israel and Central Asia.

The group’s operational tempo has been elevated, particularly in early 2026, following geopolitical events like the US-Israeli airstrikes on Iran, suggesting a responsive and strategically driven posture. They continue to pose a significant and long-standing threat, demanding vigilance and intelligence-based defenses, especially for individuals and organizations identified as targets of Iranian intelligence. Organizations in the targeted sectors and regions, particularly those with personnel conducting research or advocacy related to Iran or the Middle East, should maintain robust identity security, phishing-resistant MFA, and comprehensive security awareness training.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call