APT42
APT42 is an Iranian state-sponsored cyber espionage group active since at least 2015, known for targeting individuals and organizations worldwide through spearphishing, mobile surveillance, and credential theft.

The origin of APT42
APT42 is an Iranian state-sponsored cyber espionage group that has been active since at least 2015. It is primarily tasked with conducting intelligence-gathering operations on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC), focusing on surveillance of individuals and entities of strategic interest. While APT42’s operations have been associated by some vendors with “Magic Hound,” the two groups are considered distinct based on behavioral and software differences. APT42 is known for its use of tailored spearphishing campaigns, mobile surveillance malware, and credential harvesting infrastructure to support long-term espionage efforts.
Countries targeted by APT42
APT42’s operations extend beyond the Middle East, with notable targeting of entities in the United States, United Kingdom, Israel, Iraq, Saudi Arabia, Germany, Australia, Albania, and Iran itself. The group’s activities reflect a strategic focus on both foreign adversaries and internal dissident populations.
Industries targeted by APT42
APT42 targets a broad spectrum of sectors including academic institutions, oil and gas, defense contractors, national military organizations, NGOs, think tanks, financial services, government agencies, the technology sector, media, aerospace, healthcare, energy, and pharmaceutical industries. Their focus is generally aligned with Iran’s geopolitical and domestic intelligence priorities.
APT42's victims
Victim profiles frequently include government officials, journalists, human rights activists, academics, and political dissidents. APT42 often crafts tailored lures impersonating journalists or legitimate institutions in phishing emails. Operations have included credential theft from Microsoft 365 environments and mobile device surveillance using Android malware like PINEFLOWER.
APT42's attack method

APT42 begins attacks with spearphishing emails containing malicious links, or delivers Android malware such as PINEFLOWER to mobile targets. These emails often impersonate known contacts or reputable institutions.

APT42 uses PowerShell scripts (e.g., POWERPOST) to escalate privileges and access sensitive account information.

They use registry modifications, anti-forensic techniques such as clearing logs and browser history, and masqueraded payloads (for example, VINETHORN posing as VPN software) to avoid detection.

APT42 steals credentials through web browser extraction, keylogging, and by intercepting multi-factor authentication (MFA) tokens using fake login pages.

The group uses Windows Management Instrumentation (WMI) and malware tools (GHAMBAR, POWERPOST) to survey security software, system configurations, and network settings.

While lateral movement specifics are less well documented, infrastructure acquisition and command-and-control setup imply efforts to pivot within networks once access is gained.

APT42 collects system screenshots, browser session cookies, Microsoft 365 documents, and keylogs, focusing on politically or strategically sensitive material.

The group executes scripts and malware using PowerShell, VBScript, scheduled tasks, and malicious web links.

Data exfiltration is performed over encrypted HTTPS channels using tools like NICECURL. They also use Base64 encoding and anonymized infrastructure to conceal traffic.

APT42’s operations are focused on long-term intelligence collection rather than disruption or sabotage. Their impact lies in surveillance, data theft, and geopolitical intelligence gathering.
FAQs
Who sponsors APT42?
APT42 is believed to be sponsored by the Iranian government, specifically the Islamic Revolutionary Guard Corps (IRGC).
What makes APT42 different from Magic Hound?
Although there are overlaps in malware and behavior, they are tracked separately based on differences in targeting, tools, and techniques.
How does APT42 gain initial access?
They rely on spearphishing emails containing malicious links or Android malware to compromise devices and steal credentials.
What malware does APT42 use?
Common malware includes PINEFLOWER (Android), POWERPOST, GHAMBAR, and VINETHORN (disguised as VPN apps).
How do they maintain persistence on infected systems?
APT42 uses registry changes, scheduled tasks, and malware autostart techniques.
Do they use stolen credentials for cloud platforms?
Yes, APT42 specifically targets Microsoft 365 environments, collecting documents and session tokens.
How do they avoid detection?
They use encrypted HTTPS traffic (NICECURL), masquerade their tools, and clear forensic traces like browser history.
What detection techniques are effective against APT42?
Behavioral monitoring (e.g., script execution via PowerShell/VBScript), DNS and TLS traffic inspection, and MFA token analysis can help detect APT42 activity.
Is APT42 destructive?
No, APT42 primarily focuses on espionage, information gathering, and surveillance. It does not typically deploy ransomware or wipers.
How can organizations defend against APT42?
Implement phishing-resistant MFA, monitor for abnormal Microsoft 365 activity, restrict PowerShell use, and deploy NDR solutions that can detect script-based attacks and keylogging activity.
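The behavioral monitoring recommended above (script execution via PowerShell/VBScript, scheduled-task persistence, log clearing) can be prototyped as a small triage pass over Windows event records. The following is an added example, not Vectra AI's code and not derived from APT42 samples; the events are constructed, and the assumption that encoded command lines appear as a `-EncodedCommand` argument (UTF-16LE text in Base64, the standard PowerShell convention) is the author's, since the page only states that Base64 encoding is used.

```python
import base64
import re

# Constructed sample telemetry (synthetic, not real APT42 artefacts): PowerShell
# script-block records (Event ID 4104), a scheduled-task creation (4698) and an
# audit-log-clear (1102), all attributed to one workstation.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws01", "script": "Get-Process | Sort-Object CPU"},
    {"id": 4104, "host": "ws01", "script": "powershell.exe -nop -w hidden -EncodedCommand "
        + base64.b64encode("Get-ChildItem Env:".encode("utf-16le")).decode()},
    {"id": 4698, "host": "ws01", "task": "Updater", "command": "wscript.exe C:\\Users\\Public\\u.vbs"},
    {"id": 1102, "host": "ws01"},
]

# Assumption: encoded payloads arrive via PowerShell's -EncodedCommand switch (or its
# short forms); the blob is Base64 over UTF-16LE text, so it can be decoded for review.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta")


def decode_encoded_command(script):
    """Return the plaintext behind an -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_RE.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Map raw events to (tag, host, detail) findings worth an analyst's attention."""
    findings = []
    for ev in events:
        if ev["id"] == 4104:
            decoded = decode_encoded_command(ev["script"])
            if decoded is not None:  # Base64-obscured script execution, shown decoded
                findings.append(("encoded_powershell", ev["host"], decoded))
            if HIDDEN_RE.search(ev["script"]):  # interactive window suppressed
                findings.append(("hidden_window", ev["host"], ev["script"][:40]))
        elif ev["id"] == 4698 and any(h in ev["command"].lower() for h in SCRIPT_HOSTS):
            # Scheduled task whose action is a script host: persistence via tasks
            findings.append(("script_scheduled_task", ev["host"], ev["task"]))
        elif ev["id"] == 1102:  # audit log cleared: anti-forensic activity
            findings.append(("audit_log_cleared", ev["host"], ""))
    return findings
```

The benign `Get-Process` record produces no finding, while the other three each surface with the decoded command, task name or cleared-log tag attached, which is what an analyst needs to correlate them into one incident.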