APT42
APT42 is known to be linked to the IRGC
APT42 is a highly targeted and sophisticated advanced persistent threat (APT) group that has been active since at least 2015. Believed to be linked to the Iranian government, APT42 is primarily engaged in cyber espionage operations aimed at acquiring sensitive information on individuals and organizations of strategic interest to Iran. Unlike many other state-backed APT groups that target critical infrastructure or conduct destructive attacks, APT42 focuses on surveillance, data theft, and access operations, often aimed at dissidents, academics, journalists, and NGOs.
APT42 is frequently associated with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO).
Key Characteristics
Targeting Profile
APT42 operations are highly personalized and target:
Iranian dissidents abroad
Academics and think tanks
Human rights activists
Journalists
Medical and healthcare professionals
Western foreign policy institutions
Targets are selected based on geopolitical objectives, including surveillance of perceived enemies of the regime and intelligence gathering on regional adversaries.
Tactics, Techniques, and Procedures (TTPs)
APT42 is known for its resourceful and deceptive tradecraft, including:
Social engineering: APT42 operators frequently impersonate journalists, researchers, or human rights activists via email and social media to initiate contact.
Credential harvesting: Often achieved via fake login pages (phishing), malicious links, and login prompt overlays.
Mobile surveillance: Unusually among APT groups, APT42 has demonstrated the capability to compromise Android devices, likely via sideloaded apps or zero-click spyware, in order to monitor communications and location data.
Custom malware: Occasionally used, but the group often relies on cloud-based infrastructure, Google Workspace abuse, or legitimate services to avoid detection.
Notable Campaigns
1. Phishing Against Academic Institutions (2020–2022)
APT42 spoofed real university domains and academics to lure targets into clicking phishing links for Office 365 and Gmail credential theft.
2. Healthcare Sector Intrusions
The group impersonated World Health Organization (WHO) personnel during the COVID-19 pandemic to target researchers and medical professionals; this activity is believed to relate to tracking Iranians abroad or exploiting geopolitical instability.
3. Mobile Targeting of Dissidents
APT42 has deployed Android surveillance tools, often distributed under the guise of secure communication apps or VPNs, to monitor Iranian opposition figures and journalists based overseas.
Tooling and Infrastructure
APT42 is notable for leveraging cloud services and open-source tools, including:
Google Firebase, Gmail, and Google Drive
Telegram APIs for exfiltration
Phishing frameworks like Modlishka
Custom credential capture websites mimicking Microsoft, Gmail, and VPN providers
Android APKs embedded with spyware
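As an added, defender-side example (not from the original profile), the following Python flags two of the behaviours described in the TTPs and tooling sections above when run over constructed proxy log lines: Telegram Bot API uploads used as an exfiltration channel, and login hosts that imitate Microsoft or Google sign-in pages. The log format, the allowlist of legitimate domains and the 0.8 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample proxy log lines (not real telemetry), one request per line:
# timestamp  client_ip  process  destination_host  url_path
SAMPLE_PROXY_LOGS = """\
2024-05-01T08:12:03Z 10.0.0.21 chrome.exe login.microsoftonline.com /common/oauth2/authorize
2024-05-01T08:12:40Z 10.0.0.21 chrome.exe login.rnicrosoft-online.com /common/oauth2/authorize
2024-05-01T08:15:11Z 10.0.0.33 svchost.exe api.telegram.org /bot<REDACTED>/sendDocument
2024-05-01T08:17:05Z 10.0.0.50 firefox.exe accounts.google.com /signin
2024-05-01T08:18:30Z 10.0.0.50 firefox.exe accounts-google.com-secure-login.net /signin
"""
# Hypothetical allowlist of the real domains behind the brands the lookalike sites imitate.
LEGIT_SUFFIXES = ("microsoftonline.com", "microsoft.com", "google.com")
BRAND_TOKENS = ("microsoft", "google")
PROTECTED_HOSTS = ("login.microsoftonline.com", "accounts.google.com", "mail.google.com")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
# Telegram Bot API upload methods (sendDocument, sendMessage, ...) abused as an exfil channel.
BOT_API_UPLOAD_RE = re.compile(r"^/bot[^/]+/send", re.IGNORECASE)


def lookalike_of(host):
    """Return the protected login host that `host` imitates, or None if it is legitimate."""
    host = host.lower()
    if any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return None
    stripped = re.sub(r"[^a-z0-9]", "", host)
    for protected in PROTECTED_HOSTS:
        # Brand token present on a domain we do not own (e.g. google.com-secure-login.net).
        if any(tok in stripped for tok in BRAND_TOKENS if tok in protected):
            return protected
        # High similarity catches homoglyph swaps such as "rn" standing in for "m".
        if SequenceMatcher(None, host, protected).ratio() >= 0.8:
            return protected
    return None


def detect(log_text):
    """Return (client_ip, host, reason) for each request matching one of the TTPs above."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, process, host, path = m.groups()
        if host == "api.telegram.org" and BOT_API_UPLOAD_RE.match(path):
            findings.append((client, host, f"telegram-bot-api-upload from {process}"))
        target = lookalike_of(host)
        if target:
            findings.append((client, host, f"lookalike of {target}"))
    return findings
```

Legitimate bot automation and brand-owned domains outside the allowlist (for example Google's own secondary domains) will need tuning before this is used in production.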
Attribution and Links to Other Groups
APT42 is considered to be a subset or operational branch of the broader Charming Kitten (TA453) cluster. While Charming Kitten includes multiple operators and units, APT42 appears to specialize in:
Credential harvesting
Human intelligence augmentation
Digital surveillance
Analysts believe APT42 is aligned with the IRGC Intelligence Organization and focuses on domestic and international operations where plausible deniability is crucial.
Threat Assessment
APT42 represents a significant threat to:
Iranian diaspora communities
Organizations supporting human rights or democracy movements
Academics and researchers involved in Middle Eastern policy
Health sector actors during times of geopolitical upheaval
Its technically unsophisticated but highly efficient tactics make APT42 particularly dangerous: because its operations rely on social engineering and legitimate services, they often evade traditional enterprise detection systems.