APT42
Overview
APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance. The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015. APT42 initiates operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices. Finally, APT42 exfiltrates data using native features and open-source tools. APT42 activity has been linked to Magic Hound by other commercial vendors. While there are behavioral and software overlaps between Magic Hound and APT42, the two appear to be distinct and are tracked separately by their originating vendor.
Targets
Civil society · Defense · Education · Energy · Finance · Government · Healthcare · Legal · Manufacturing · Media · Military · NGOs · Pharmaceuticals
Regions
Australia · Europe · Israel · Middle East · United States
TTPs — 32 techniques across 11 tactics
Reconnaissance
- T1682 Query Public AI Services
Resource Development
- T1583.001 Domains
- T1583.003 Virtual Private Server
- T1585.002 Email Accounts
- T1588.002 Tool
- T1608.001 Upload Malware
Initial Access
- T1566.002 Spearphishing Link
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.005 Visual Basic
Persistence
Stealth
- T1036.005 Match Legitimate Resource Name or Location
- T1070 Indicator Removal
- T1070.008 Clear Mailbox Data
- T1684.001 Impersonation
Defense Impairment
- T1112 Modify Registry
Credential Access
- T1111 Multi-Factor Authentication Interception
- T1539 Steal Web Session Cookie
- T1555.003 Credentials from Web Browsers
Discovery
- T1016 System Network Configuration Discovery
- T1082 System Information Discovery
- T1087.001 Local Account
- T1518.001 Security Software Discovery
Collection
- T1056 Input Capture
- T1056.001 Keylogging
- T1113 Screen Capture
- T1530 Data from Cloud Storage
Command and Control
- T1071.001 Web Protocols
- T1102 Web Service
- T1132.001 Standard Encoding
- T1573.002 Asymmetric Cryptography
Tools & malware (2)
NICECURL · TAMECAT
Reporting (1)
- Uncharmed: Untangling Iran's APT42 Operations — Rozmann, O., et al.