Search Again
APT42
Summary of Actor:APT42 is an Iranian cyber espionage group known for its advanced persistent threat (APT) activities, targeting organizations primarily in the Middle East and beyond. The group is known for conducting cyber-espionage campaigns that focus on gathering intelligence and sensitive information.
General Features:APT42 is notable for its sophisticated spear-phishing tactics and use of bespoke malware. The group's operations are closely linked to the interests of the Iranian government, and they often target entities that pose a strategic interest to Iran.
Related Other Groups: APT34,OilRig,Charming Kitten
Indicators of Attack (IoA):
- Spear-phishing emails
- Use of custom malware such as MALLARD and SHAPESHIFT
- C2 communication with domains masquerading as legitimate services
Recent Activities and Trends:
- Latest Campaigns : In recent years, APT42 has launched numerous spear-phishing campaigns, leveraging pandemic-related lures to compromise targets. Additionally, they have been linked with attempts to infiltrate Middle Eastern nation's critical infrastructure.
- Emerging Trends : APT42 has been increasingly observed using multi-stage attacks, employing initial compromise with spear-phishing followed by sophisticated lateral movement techniques. There is also an uptick in targeting educational institutions to gather cutting-edge research data.
APT 42
GreenBravo
Target Countries
Norway
Italy
Malaysia
USA
Australia
+5
Target Sectors
Manufacturing
Educational Services
HealthCare & Social Assistance
Public Administration
Chemical&Pharmaceutical Manufacturing
️Related CVEs
ATT&CK IDs:
T1530
T1078
T1543
T1068
T1218
+74
| Tactic | Id | Technique | |||
|---|---|---|---|---|---|
| Collection | T1056 | Input Capture |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1113 | Screen Capture |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1114 | Email Collection |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1123 | Audio Capture |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1530 | Data from Cloud Storage |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1001 | Data Obfuscation |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1573 | Encrypted Channel |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1090 | Proxy |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1102 | Web Service |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1219 | Remote Access Software |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1071 | Application Layer Protocol |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1095 | Non-Application Layer Protocol |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1568 | Dynamic Resolution |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1105 | Ingress Tool Transfer |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1104 | Multi-Stage Channels |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1056 | Input Capture |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1555 | Credentials from Password Stores |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1003 | OS Credential Dumping |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1040 | Network Sniffing |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1127 | Trusted Developer Utilities Proxy Execution |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1134 | Access Token Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1218 | System Binary Proxy Execution |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1009 | Binary Padding |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1610 | Deploy Container |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1070 | Indicator Removal |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1055 | Process Injection |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1036 | Masquerading |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1027 | Obfuscated Files or Information |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1049 | System Network Connections Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1082 | System Information Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1018 | Remote System Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1083 | File and Directory Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1040 | Network Sniffing |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1047 | Windows Management Instrumentation |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1610 | Deploy Container |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1204 | User Execution |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1569 | System Services |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1059 | Command and Scripting Interpreter |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1086 | PowerShell |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1496 | Resource Hijacking |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1495 | Firmware Corruption |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1190 | Exploit Public-Facing Application |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1566 | Phishing |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1195 | Supply Chain Compromise |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1021 | Remote Services |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1543 | Create or Modify System Process |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1136 | Create Account |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1543 | Create or Modify System Process |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1134 | Access Token Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1055 | Process Injection |
Sub Techniques |
Detections |
Mitigations |
| Reconnaissance | T1598 | Phishing for Information |
Sub Techniques |
Detections |
Mitigations |
| Reconnaissance | T1591 | Gather Victim Org Information |
Sub Techniques |
Detections |
Mitigations |
| Reconnaissance | T1595 | Active Scanning |
Sub Techniques |
Detections |
Mitigations |
| Reconnaissance | T1589 | Gather Victim Identity Information |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1588 | Obtain Capabilities |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1587 | Develop Capabilities |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1583 | Acquire Infrastructure |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1586 | Compromise Accounts |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1608 | Stage Capabilities |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1585 | Establish Accounts |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1584 | Compromise Infrastructure |
Sub Techniques |
Detections |
Mitigations |
Total Count : 5
https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/https://apt.etda.or.th/cgi-bin/showcard.cgi?u=fa55484b-2760-4ac1-9105-96199054d1df
https://www.mandiant.com/media/17826
https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians
https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
Copyright © 2025 SOCRadar Cyber Intelligence Inc.
All rights
reserved.
