Severity
High
Analysis Summary
A highly sophisticated espionage operation known as SpearSpecter is actively targeting senior government and defense officials worldwide. The campaign, attributed to Iran's Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), a group also tracked as APT42, Mint Sandstorm, Educated Manticore, and CharmingCypress, relies heavily on deception and social engineering. The attackers patiently build trust over weeks, often initiating contact through WhatsApp or fake conference invitations to appear credible. Their primary goal is to steal sensitive information from individuals with access to government secrets, and they extend their reach by targeting family members of officials as additional entry vectors.
The infection chain begins with a malicious link disguised as an urgent meeting document. Once the link is clicked, the victim is redirected to a file hosted on OneDrive, where the attackers exploit the Windows search-ms protocol to present a popup prompting the user to open Windows Explorer. Accepting the prompt points Explorer at an attacker-controlled WebDAV server, which displays a fake PDF that is actually a malicious LNK shortcut. When opened, the shortcut silently executes commands that download a disguised batch script through Cloudflare Workers, allowing the attackers to bypass traditional detection mechanisms.
This batch script deploys TAMECAT, a highly advanced PowerShell-based backdoor that runs entirely in memory, avoiding disk-based detection. TAMECAT uses AES-256 encryption and communicates over multiple command-and-control channels, including web traffic, Telegram, and Discord, which increases its resilience. The malware has extensive espionage capabilities, such as collecting browser passwords by abusing Edge debugging and killing Chrome processes, capturing screenshots every 15 seconds, and searching for sensitive documents. All exfiltrated data is split into 5 MB chunks before upload to avoid drawing suspicion.
To maintain persistence, TAMECAT creates registry entries that execute batch files at login and uses trusted Windows binaries to reduce the chance of detection. The researcher identified both the malware and the full scope of the operation, confirming that the campaign has been ongoing for months with no signs of slowing. The combination of Cloudflare Workers, WebDAV abuse, memory-resident malware, and adaptive social engineering shows a highly capable APT focused on long-term intelligence gathering, making SpearSpecter a serious threat to government and defense sectors worldwide.
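A defender-side triage example added here (not from the advisory or from the researchers who reported SpearSpecter): it scans process command-line records for the two early stages of the chain described above, a search-ms: URI whose search root is a remote UNC or WebDAV location, and a .lnk shortcut named to look like a document. The sample events, hosts, IPs and paths are constructed placeholders, not indicators from the campaign.

```python
import re
from urllib.parse import unquote

# Constructed sample process-creation records (not from the advisory);
# each mimics the command line an EDR or Sysmon event would capture.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": r'explorer.exe "search-ms:query=agenda&crumb=location:\\203.0.113.10@80\DavWWWRoot\meeting"'},
    {"id": 2, "cmdline": r'explorer.exe "search-ms:query=budget&crumb=location:C:\Users\alice\Documents"'},
    {"id": 3, "cmdline": r'cmd.exe /c start "" "\\203.0.113.10@80\DavWWWRoot\meeting\Agenda.pdf.lnk"'},
    {"id": 4, "cmdline": r'powershell.exe -NoProfile -File C:\Scripts\backup.ps1'},
    {"id": 5, "cmdline": 'explorer.exe search-ms:query=x&crumb=location%3A%5C%5Cfiles.example.invalid%40SSL%5CDavWWWRoot'},
]

SEARCH_MS = re.compile(r'''search-ms:(?P<params>[^\s"']+)''', re.IGNORECASE)
LOCATION = re.compile(r"crumb=location:(?P<loc>[^&]+)", re.IGNORECASE)
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")

def remote_search_ms_location(cmdline):
    """Return the search root if cmdline carries a search-ms: URI whose
    crumb=location points at a remote UNC path or WebDAV URL, else None."""
    m = SEARCH_MS.search(cmdline)
    if not m:
        return None
    params = unquote(m.group("params"))   # percent-encoded URIs are common
    loc = LOCATION.search(params)
    if not loc:
        return None
    location = loc.group("loc").strip()
    if location.startswith("\\\\") or location.lower().startswith(("http://", "https://")):
        return location
    return None

def disguised_lnk_paths(cmdline):
    """Return .lnk paths whose name mimics a document, e.g. Agenda.pdf.lnk."""
    hits = []
    for path in re.findall(r'''[^\s"']+\.lnk\b''', cmdline, flags=re.IGNORECASE):
        if path[:-4].lower().endswith(DOC_EXTS):   # extension before .lnk
            hits.append(path)
    return hits

def triage(events):
    """Map event id -> reasons, for the events that deserve analyst attention."""
    findings = {}
    for ev in events:
        reasons = []
        loc = remote_search_ms_location(ev["cmdline"])
        if loc:
            reasons.append(f"search-ms root is remote: {loc}")
        for p in disguised_lnk_paths(ev["cmdline"]):
            reasons.append(f"document-lookalike shortcut: {p}")
        if reasons:
            findings[ev["id"]] = reasons
    return findings
```

Run against real telemetry, a hit on the first check is a strong signal even before any payload lands, because Explorer has no legitimate reason to search a freshly introduced external WebDAV share.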
Impact
- Sensitive Data Theft
- Security Bypass
- Gain Access
Remediation
- Verify all meeting requests and links from unknown or unexpected sources before clicking.
- Disable or restrict the Windows search-ms protocol if not required, to prevent automatic execution prompts.
- Avoid opening files from untrusted WebDAV servers or unexpected OneDrive links.
- Deploy endpoint protection capable of detecting in-memory malware and PowerShell-based attacks.
- Monitor browser debugging and unusual process activity, particularly Edge and Chrome processes.
- Enable multi-factor authentication (MFA) on all accounts to reduce the impact of credential theft.
- Regularly update operating systems and applications to patch vulnerabilities exploited by attackers.
- Monitor network traffic for unusual encrypted communications, including connections to Telegram, Discord, or Cloudflare Workers.
- Implement strict data access controls to minimize exposure of sensitive documents.
- Conduct periodic threat-hunting exercises to detect persistent malware or backdoor activity.
- Back up important files securely to reduce risk from potential data theft or manipulation.