Israel agency says Iran-linked APT42 ran espionage campaign targeting officials and family members

Israel’s National Digital Agency (INDA) has attributed a new espionage campaign to the Iranian state-linked threat actor APT42, saying the operation was detected in early September 2025 and remains active. The agency has codenamed the activity SpearSpecter and said it focuses on individuals and organisations of interest to the Islamic Revolutionary Guard Corps.

Researchers at the agency, identified as Shimi Cohen, Adi Pick, Idan Beit-Yosef, Hila David and Yaniv Goldman, said the campaign uses personalised social engineering to target high-value senior defence and government officials and, notably, their family members to expand the attack surface.

The investigators said SpearSpecter uses long-running trust-building techniques, at times impersonating known contacts or posing as organisers of prestigious conferences and meetings. Analysts noted the group can vary its approach based on a target’s value and operational objectives.

When the objective is credential harvesting, victims are redirected to counterfeit meeting pages designed to capture logins. For persistent access, the attacks can deploy a PowerShell backdoor known as TAMECAT after delivering a WebDAV-hosted Windows shortcut (LNK) that abuses the “search-ms:” protocol handler and retrieves a batch loader from a Cloudflare Workers endpoint, researchers said.
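For defenders, the "search-ms:" step in that chain is observable in command-line or URL telemetry. The following is an added example, not code from the agency's report: it flags "search-ms:" URIs whose `crumb=location:` value points at a remote UNC or WebDAV path. The event format and host names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches a search-ms: URI embedded in a log line (not "research-ms:" etc.).
URI_RE = re.compile(r"(?<![\w-])search-ms:[^\s\"'<>]+", re.IGNORECASE)
PREFIX = "crumb=location:"

# Constructed sample events (process name + command line); hosts are placeholders.
SAMPLE_EVENTS = [
    'explorer.exe "search-ms:query=budget&crumb=location:C%3A%5CUsers%5Calice%5CDocuments"',
    'explorer.exe "search-ms:displayname=Meeting%20Files&crumb=location:'
    '%5C%5Cfiles.example.invalid%40SSL%5CDavWWWRoot%5Cshare"',
    'explorer.exe "search-ms:query=*.pdf&crumb=location:\\\\fileserver01\\projects"',
    'explorer.exe "search-ms:crumb=location:%255C%255Cfiles.example.invalid%2540SSL%255Cshare"',
    'notepad.exe C:\\notes\\research-ms.txt',
]

def _decode(value, rounds=3):
    """Undo nested percent-encoding, bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def remote_search_locations(event):
    """Return (kind, host) for each search-ms URI in `event` that names a remote location."""
    findings = []
    for uri in URI_RE.findall(event):
        for param in uri.split(":", 1)[1].split("&"):
            param = _decode(param)
            if not param.lower().startswith(PREFIX):
                continue
            location = param[len(PREFIX):].replace("/", "\\")
            if not location.startswith("\\\\"):
                continue  # local drive path: not a remote location
            parts = [p for p in location.split("\\") if p]
            if not parts:
                continue
            # WebDAV UNC forms look like \\host@SSL\... or \\host@8080\DavWWWRoot\...
            host, _, suffix = parts[0].partition("@")
            is_dav = bool(suffix) or (len(parts) > 1 and parts[1].lower() == "davwwwroot")
            findings.append(("webdav" if is_dav else "unc", host.lower()))
    return findings

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(remote_search_locations(event), "<-", event)
```

Hits of kind `unc` on internal file servers are expected in some environments and can be allowlisted by host; `webdav` hits to external hosts are the ones worth triaging first.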

INDA’s analysis concluded TAMECAT uses multiple command-and-control channels, including HTTPS, Discord and Telegram, with Telegram bots and Discord webhooks used to deliver per-host commands. The backdoor is reported to support reconnaissance, targeted file collection, browser and Outlook data theft, frequent screenshots, and exfiltration over HTTPS or FTP, while employing encryption, obfuscation, living-off-the-land binaries and in-memory operation to evade detection.

The report describes the SpearSpecter infrastructure as a mix of legitimate cloud services and attacker-controlled resources.