Threat Actor Profile: APT42 (MITRE G1044)

1) Executive overview

APT42 is an Iran-aligned cyber espionage and surveillance actor assessed by multiple vendors as state-sponsored. Mandiant assesses with high confidence that APT42 conducts information collection and surveillance aligned to Iranian strategic priorities, and estimates with moderate confidence that the group operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organisation (IRGC-IO).
Across reporting, APT42 is most closely associated with highly targeted social engineering, credential harvesting, and follow-on access to email and cloud environments, with periodic use of custom malware for host access and Android surveillance. (Google Cloud)

2) Attribution and confidence

  • Sponsor: Iran (state-sponsored / government-backed). (MITRE ATT&CK)
  • Assessed tasking relationship:
    • IRGC-IO: Mandiant estimates moderate confidence that APT42 operates on behalf of the IRGC-IO, based on targeting patterns and alignment to IRGC-IO mandates.
  • Confidence statement:
    • Confirmed: Iran-sponsored espionage and surveillance (MITRE and Mandiant). (MITRE ATT&CK)
    • Likely: Operating on behalf of IRGC-IO (Mandiant moderate confidence).

3) Tracking, aliases, and naming notes

APT42 sits in a crowded Iran actor ecosystem where vendors use overlapping cluster names. Public reporting commonly links or overlaps APT42 with the following identifiers (relationships vary by vendor):

  • APT42 (Mandiant; also appears in MITRE as G1044) (MITRE ATT&CK)
  • UNC788 (Mandiant previous tracking)
  • TA453 (Proofpoint)
  • Mint Sandstorm / PHOSPHORUS (Microsoft). Microsoft explicitly states that Mandiant refers to “modern day” Mint Sandstorm as APT42, while also listing broader Mint Sandstorm associations such as Charming Kitten and APT35. Treat this as a vendor-specific mapping rather than a universal equivalence. (Microsoft)
  • CALANQUE (Google TAG naming referenced by Mandiant) (Google Cloud)
  • Yellow Garuda (PwC) and ITG18 (IBM X-Force), as overlaps referenced by Mandiant (Google Cloud)

MITRE notes that some vendors have linked APT42 activity to “Magic Hound”, but also highlights that these appear to be distinct entities from MITRE’s perspective. (MITRE ATT&CK)

4) Targeting profile

4.1 Priority victim sets

Across Mandiant, Google, UK NCSC and Microsoft reporting, APT42 (and closely overlapping clusters) prioritise individuals and organisations tied to Iran-related policy, regional security, domestic dissent, and diaspora activity, including:

  • Government and diplomatic stakeholders, current and former officials, and policy communities
  • NGOs, activists, and diaspora or opposition-linked individuals (Google Cloud)
  • Media and journalism (including impersonation of journalists and news outlets as a tradecraft theme) (Google Cloud)
  • Academia and subject matter experts on Iran and the Middle East (Google Cloud)
  • Legal services and related civil society ecosystems (Google Cloud)

4.2 Geographic focus

  • Primary focus: Middle East region, with broader global targeting observed since at least 2015. (MITRE ATT&CK)
  • Recent examples: Google TAG publicly discussed APT42 phishing against Israel and Israeli targets, and also confirmed reporting around targeting accounts associated with the US presidential election. (blog.google)

5) Operational playbook and tradecraft

5.1 Initial access: patient, persona-driven spear phishing

APT42 is characterised by high-touch social engineering that often involves:

  • Researching targets and establishing believable personas (often journalists, researchers, event organisers) before delivering a malicious link or attachment. (Google Cloud)
  • Preference for approaching personal email addresses to bypass enterprise controls, as highlighted in UK NCSC guidance on TA453 spear phishing tradecraft that overlaps with this cluster.
  • Use of cloud and consumer services for delivery and staging (examples in public reporting include Google Drive and Dropbox-delivered lures).

5.2 Credential theft and MFA bypass

Mandiant and Google describe APT42 credential harvesting as a core competency:

  • Use of cloned login pages to harvest credentials for major providers (Microsoft, Google, Yahoo are explicitly referenced by Google). (Google Cloud)
  • Attempts to capture MFA information. Mandiant describes credential harvesting operations that include components designed to steal MFA codes.
  • Post-compromise persistence in identity systems. Mandiant reports that after successfully authenticating to a victim’s email account, APT42 registers its own Microsoft Authenticator application as a new MFA method.

5.3 Cloud and email-centric collection

Mandiant’s 2024 reporting emphasises APT42 access to victim cloud environments after credential theft, followed by discreet exfiltration:

  • Credential-driven access into cloud environments. (Google Cloud)
  • Reliance on built-in features and open-source tooling to reduce detection footprint during collection and exfiltration. (Google Cloud)

5.4 Surveillance operations: Android malware and monitoring

A distinct pillar of APT42 activity is mobile surveillance:

  • Mandiant assesses that APT42 uses Android malware to track locations, monitor communications, and exfiltrate content such as SMS inboxes and recordings.
  • Mandiant reports use of earlier versions of PINEFLOWER as early as 2015, and notes other Android-related activity such as infrastructure serving as C2 for a payload masquerading as a VPN app.

5.5 Malware use: selective and mission-driven

While APT42 often prioritises credential harvesting over endpoint malware, both Mandiant and downstream government advisories document custom implants used when needed:

  • Google (Mandiant) describes malware-based operations using custom backdoors NICECURL and TAMECAT delivered via spear phishing. (Google Cloud)
  • IMDA summarises NICECURL as a VBScript backdoor over HTTPS and TAMECAT as a PowerShell foothold capable of executing PowerShell or C# content.

6) Tooling and malware catalogue (publicly documented)

6.1 Notable families referenced by Mandiant

Mandiant’s APT42 reporting lists multiple families used across credential theft support, host tooling, and mobile surveillance, including:
BROKEYOLK, CHAIRSMACK, DOSTEALER, GHAMBAR, MAGICDROP, PINEFLOWER, POWERPOST (and additional families in Mandiant’s annexes).

6.2 NICECURL and TAMECAT

  • NICECURL: documented as a custom backdoor delivered via spear phishing, with IMDA describing command support for module download and execution, plus artefact removal behaviour.
  • TAMECAT: documented as a PowerShell toehold, with IMDA noting macro-delivered deployment patterns and HTTP-based C2 expectations.
  • Defensive note: Google’s May 2024 reporting includes defensive content such as YARA references for NICECURL within the blog’s technical sections. (Google Cloud)

7) Notable activity and timeline (selected)

  • Since at least 2015: sustained operations combining spear phishing and mobile surveillance, with Android tooling observed from early in the group’s lifecycle.
  • 2020 to 2022: Mandiant describes multiple targeted credential harvesting operations, including long rapport-building engagement before link delivery, and themed impersonation activity.
  • 2024: Google (Mandiant) reports enhanced social engineering to access victim networks including cloud environments, plus NICECURL and TAMECAT malware operations. (Google Cloud)
  • Mid 2024: Google TAG publicly discussed APT42 phishing against Israeli targets and confirmed reporting regarding targeting accounts associated with the US presidential election. (blog.google)

8) Indicators of Compromise (selected, publicly released)

The following IOCs are sourced from government advisory and vendor reporting. They are not exhaustive and should be used alongside the full source documents.

8.1 Malware hashes (examples)

Type   | Value                                                            | Context/Notes | Source
-------|------------------------------------------------------------------|---------------|-------
SHA256 | e0ba0cedd8a8624c75af29965e5fa7ab754fc0fcddbb330bb548dab4f2be333f | NICECURL      | IMDA advisory: APT42’s recent activity
MD5    | 9c5337e0b1aef2657948fd5e82bdb4c3                                 | TAMECAT       | IMDA advisory: APT42’s recent activity
SHA256 | 9410963ede9702e7b74b4057fee952250ded09f85a4bb477d45a64f2352ec811 | POWERPOST     | Mandiant report: Crooked Charms, Cons and Compromises
SHA256 | 90e5fa3f382c5b15a85484c17c15338a6c8dbc2b0ca4fb73c521892bd835f226 | PINEFLOWER    | Mandiant report: Crooked Charms, Cons and Compromises

8.2 Domains (examples, defanged)

Type   | Value                    | Context/Notes                     | Source
-------|--------------------------|-----------------------------------|-------
Domain | azadlliq[.]info          | Posing as news outlets            | IMDA advisory: APT42’s recent activity
Domain | businesslnsider[.]org    | Posing as news outlets            | IMDA advisory: APT42’s recent activity
Domain | washinqtonpost[.]press   | Posing as news outlets            | IMDA advisory: APT42’s recent activity
Domain | account-signin[.]com     | Posing as legitimate services     | IMDA advisory: APT42’s recent activity
Domain | myaccount-signin[.]com   | Posing as legitimate services     | IMDA advisory: APT42’s recent activity
Domain | admin-stable-right[.]top | Posing as generic login services  | IMDA advisory: APT42’s recent activity
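The news-outlet domains above rely on single-character homoglyph swaps (l for i, q for g). The following lookalike check, added here as an illustration and not part of the IMDA advisory or any vendor tooling, collapses such swaps on both the observed label and the brand before comparing them; the brand watchlist, the homoglyph table and the allowlist parameter are assumptions, and the sample inputs are the defanged domains from this profile.

```python
import re
from typing import Iterable, Optional

# Visual swaps used in typosquats (l/i, q/g, rn/m ...). Applied to BOTH the
# observed label and the brand, so comparison is on a homoglyph-collapsed form.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"),
              ("0", "o"), ("q", "g"), ("5", "s"), ("3", "e")]

# Assumed watchlist: brands the lures above impersonate. An operator would
# populate this from their own brand plus key media and partner names.
WATCHLIST = ["washingtonpost", "businessinsider", "azadliq"]

def refang(domain: str) -> str:
    """Turn a defanged indicator like example[.]org back into example.org."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()

def registrable_label(domain: str) -> str:
    """Label left of the TLD; sufficient for the single-level TLDs used here."""
    return refang(domain).split(".")[0]

def normalise(label: str) -> str:
    """Collapse homoglyphs, drop non-letters: 'washinqtonpost' -> 'washingtonpost'."""
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return re.sub(r"[^a-z]", "", label)

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (O(len(a) * len(b)) table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, allowlist: Iterable[str] = (),
                 max_distance: int = 1) -> Optional[str]:
    """Return the impersonated brand, or None. Domains in `allowlist` (the
    brand's own registrable domains, supplied by the operator) are skipped."""
    if refang(domain) in {refang(d) for d in allowlist}:
        return None
    label = normalise(registrable_label(domain))
    for brand in WATCHLIST:
        if levenshtein(label, normalise(brand)) <= max_distance:
            return brand
    return None
```

Without an allowlist the brand's own domain also matches, so feed the check newly registered or newly observed domains rather than a full passive-DNS dump.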

9) Detection and response considerations

9.1 High-signal detections for APT42 tradecraft

Prioritise detections that reflect APT42’s identity-first posture:

  • New MFA methods on user accounts, especially unexpected Microsoft Authenticator registrations following anomalous sign-ins.
  • Mailbox rule manipulation and suspicious forwarding, particularly after successful credential capture. UK NCSC notes mail-forwarding rules as a known follow-on behaviour in overlapping spear phishing activity (TA453). (NCSC)
  • Lookalike domains and newly registered infrastructure used for credential harvesting and impersonation.
  • Unusual cloud data access patterns, bulk downloads, and access from atypical geolocations or hosting providers consistent with credential replay. (Google Cloud)
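The first two detections above, together with the authenticator-registration behaviour described in 5.2, are essentially a sequence: an anomalous sign-in followed by a new MFA method or a forwarding rule on the same account. The correlation below is an added example and not from any of the cited reporting; its event names, per-user country baseline, 24-hour window and the JSON-lines log are all constructed for the demo and do not mirror a vendor's audit-log schema.

```python
import json
from datetime import datetime, timedelta

# Follow-on actions that turn a captured credential into persistence (new MFA
# method) or collection (mail forwarding). Event names are this demo's own.
FOLLOW_ON = {"mfa_method_added", "inbox_forwarding_rule_created"}

# Constructed per-user baseline of countries each account normally signs in from.
# Users with no baseline are treated as anomalous on every sign-in.
BASELINE = {"analyst@example.org": {"GB"}, "editor@example.org": {"IL"}}

# Constructed sample events as JSON lines (UTC timestamps); not a vendor schema.
SAMPLE_LOG = """
{"ts": "2024-06-01T08:02:10Z", "user": "analyst@example.org", "event": "signin", "country": "GB"}
{"ts": "2024-06-01T08:40:00Z", "user": "analyst@example.org", "event": "mfa_method_added", "detail": "Microsoft Authenticator"}
{"ts": "2024-06-02T22:15:44Z", "user": "editor@example.org", "event": "signin", "country": "NL"}
{"ts": "2024-06-02T22:21:03Z", "user": "editor@example.org", "event": "mfa_method_added", "detail": "Microsoft Authenticator"}
{"ts": "2024-06-02T22:25:30Z", "user": "editor@example.org", "event": "inbox_forwarding_rule_created", "detail": "forward to external address"}
{"ts": "2024-06-03T09:00:00Z", "user": "editor@example.org", "event": "signin", "country": "IL"}
"""

def parse(log: str) -> list:
    """Parse JSON lines into dicts with an aware datetime, sorted by time."""
    events = [json.loads(line) for line in log.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def correlate(events: list, window_minutes: int = 24 * 60) -> list:
    """Alert when a follow-on action happens within the window after an
    anomalous sign-in (country outside the user's baseline) by the same user."""
    last_anomalous = {}  # user -> time of the most recent anomalous sign-in
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == "signin":
            if e["country"] not in BASELINE.get(user, set()):
                last_anomalous[user] = e["ts"]
            continue
        if e["event"] in FOLLOW_ON and user in last_anomalous:
            gap = e["ts"] - last_anomalous[user]
            if gap <= timedelta(minutes=window_minutes):
                alerts.append({"user": user, "action": e["event"], "detail": e.get("detail", ""),
                               "minutes_after_signin": int(gap.total_seconds() // 60)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

The analyst's own authenticator change after an in-baseline sign-in is deliberately not alerted, which keeps the rule focused on the post-phish sequence rather than on every MFA enrolment.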

9.2 Practical hardening steps aligned to public reporting

  • Enforce phishing-resistant MFA where feasible, and restrict addition of new MFA methods through conditional access and identity governance controls.
  • Implement strict external sender and link controls for personal webmail and enterprise mail, recognising APT42’s tendency to target personal email.
  • Monitor and alert on OAuth app consent, new authenticator registrations, and sign-in risk events in identity providers.
  • Maintain domain monitoring for typosquats of your brand and key media or partner entities used as lures.

10) MITRE ATT&CK mapping (publicly observed)

The following mapping is based on Mandiant’s published ATT&CK appendix for APT42 and related government guidance. Technique IDs are MITRE ATT&CK identifiers.

Tactic               | Technique ID | Technique Name                                              | Observed behaviour (public reporting)
---------------------|--------------|-------------------------------------------------------------|--------------------------------------
Resource Development | T1583.003    | Acquire Infrastructure: Virtual Private Server              | Infrastructure acquisition for phishing and C2.
Resource Development | T1584        | Compromise Infrastructure                                   | Use of compromised infrastructure to support operations.
Resource Development | T1587.003    | Develop Capabilities: Digital Certificates                  | Capability development for operations.
Resource Development | T1588.004    | Obtain Capabilities: Digital Certificates                   | Acquisition of digital certificates.
Initial Access       | T1133        | External Remote Services                                    | Use of external services as an access vector.
Initial Access       | T1566.001    | Spearphishing Attachment                                    | PDF and document-based lures observed.
Initial Access       | T1566.002    | Spearphishing Link                                          | Link-based credential harvesting is central. (Google Cloud)
Execution            | T1047        | Windows Management Instrumentation                          | Execution and system interaction.
Execution            | T1059.001    | PowerShell                                                  | PowerShell tooling and implants including TAMECAT/POWERPOST.
Execution            | T1059.005    | Visual Basic                                                | VBScript usage aligns with NICECURL descriptions.
Execution            | T1059.007    | JavaScript/JScript                                          | Scripting execution observed.
Execution            | T1569.002    | Service Execution                                           | Service-based execution.
Execution            | T1204.001    | User Execution: Malicious Link                              | User interaction to trigger access.
Execution            | T1204.002    | User Execution: Malicious File                              | User execution via files/attachments.
Persistence          | T1098.002    | Account Manipulation: Exchange Email Delegate Permissions   | Mailbox and permission manipulation post-compromise.
Persistence          | T1547.001    | Registry Run Keys / Startup Folder                          | Host persistence methods.
Credential Access    | T1111        | Two-Factor Authentication Interception                      | MFA capture via phishing forms.
Collection           | T1114.002    | Email Collection: Remote Email Collection                   | Follow-on mailbox access and theft (overlapping TA453 guidance). (NCSC)
Command and Control  | T1071.001    | Web Protocols                                               | Web-based C2 and blending into normal traffic.

11) Further reading (primary sources)