APT42
APT42 is an Iran-nexus threat actor suspected to operate on behalf of Iran's Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). Aliases cited in the underlying reporting include Educated Manticore, Charming Kitten, and Microsoft's Mint Sandstorm. Reporting describes APT42 as one of the primary Iranian espionage actors, historically focused on intelligence collection and surveillance operations against individuals and organizations of interest to the Iranian government. Reported targets include journalists, researchers, dissidents, political consultants, civil society and non-profit organizations, government entities throughout Europe, both U.S. presidential campaigns in 2024, and Israeli military, government, diplomatic, journalist, and academic targets. APT42 has targeted both Democratic and Republican campaign personnel and previously targeted both sides in U.S. elections for intelligence collection. The group relies heavily on social engineering, impersonation, and credential harvesting: it has impersonated legitimate people in phishing emails to obtain credentials, and commonly begins with seemingly legitimate contact over email, WhatsApp, or Telegram, builds trust over time, and only then sends phishing links. Reported lures and impersonation themes include media outlets and think tanks, as well as services such as Dropbox, Google Meet, YouTube, WhatsApp, and Microsoft Teams. Reporting specifically describes adversary-in-the-middle phishing to intercept MFA, capturing usernames, passwords, TOTP codes, and session cookies, and in some cases a shift to MFA push bombing when token interception failed.
Post-compromise, APT42 has used built-in Microsoft 365 and cloud features and publicly available tools to avoid detection, including registering its own MFA authenticator, reading Outlook mail, and downloading files from OneDrive and SharePoint. It leaves minimal endpoint artifacts and is often more visible in cloud and proxy logs than on hosts. Additional TTPs cited in the reporting include PowerShell execution, Base64-encoded C2 traffic, NICECURL command-and-control over HTTPS, use of anonymized infrastructure and VPSs, scheduled tasks and registry modification for persistence, the GHAMBAR and POWERPOST malware for collecting system information, and masquerading the VINETHORN payload as a VPN application. Reporting also notes a weak overlap between APT42 and a separate Iran-linked counterintelligence campaign, while observing no relationship between that activity and previously reported U.S. election-related targeting.
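Because the post-compromise activity described above (a new MFA method registered from unfamiliar infrastructure, mailbox reads, then bulk OneDrive/SharePoint downloads) shows up in cloud audit logs rather than on endpoints, a defender can correlate those records per user. The following is an added example, not code from the page or from Mallory; it runs over constructed audit records whose field and operation names are assumptions loosely modelled on Microsoft 365 / Entra audit exports, and the per-user baseline of known IPs is assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data), loosely modelled on Microsoft
# 365 / Entra audit exports. "op" holds the Operation / activity name.
SAMPLE_EVENTS = [
    {"time": "2024-06-01T08:00:00", "user": "alice@example.org", "ip": "203.0.113.10", "op": "UserLoggedIn"},
    {"time": "2024-06-01T08:03:00", "user": "alice@example.org", "ip": "203.0.113.10", "op": "User registered security info"},
    {"time": "2024-06-01T08:05:00", "user": "alice@example.org", "ip": "203.0.113.10", "op": "MailItemsAccessed"},
    {"time": "2024-06-01T09:00:00", "user": "bob@example.org", "ip": "198.51.100.5", "op": "UserLoggedIn"},
    {"time": "2024-06-01T09:02:00", "user": "bob@example.org", "ip": "198.51.100.5", "op": "User registered security info"},
    {"time": "2024-06-01T09:10:00", "user": "bob@example.org", "ip": "198.51.100.5", "op": "FileDownloaded"},
]
# Six rapid SharePoint downloads by alice from the same unfamiliar IP.
SAMPLE_EVENTS += [
    {"time": f"2024-06-01T08:{6 + i:02d}:00", "user": "alice@example.org", "ip": "203.0.113.10", "op": "FileDownloaded"}
    for i in range(6)
]
# Assumed baseline of IPs each user normally signs in from. bob's IP is in
# his baseline, so his legitimate MFA re-enrolment should not fire.
KNOWN_IPS = {"alice@example.org": {"192.0.2.20"}, "bob@example.org": {"198.51.100.5"}}

DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}

def find_cloud_takeover(events, known_ips, window=timedelta(hours=2), min_downloads=5):
    """Return {user: details} where an MFA method was registered from an IP outside
    the user's baseline and, within `window` from that same IP, at least
    `min_downloads` OneDrive/SharePoint downloads followed."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "t": datetime.fromisoformat(e["time"])})
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["t"])
        baseline = known_ips.get(user, set())
        for i, e in enumerate(evs):
            if e["op"] != "User registered security info" or e["ip"] in baseline:
                continue
            later = [x for x in evs[i + 1:] if x["ip"] == e["ip"] and x["t"] - e["t"] <= window]
            downloads = sum(1 for x in later if x["op"] in DOWNLOAD_OPS)
            if downloads >= min_downloads:
                hits[user] = {"ip": e["ip"], "mfa_registered_at": e["time"],
                              "downloads": downloads,
                              "mail_read": any(x["op"] == "MailItemsAccessed" for x in later)}
    return hits

if __name__ == "__main__":
    for user, info in find_cloud_takeover(SAMPLE_EVENTS, KNOWN_IPS).items():
        print(f"ALERT {user}: {info}")
```

In a real deployment the baseline would come from historical sign-in data and the window and download threshold tuned per tenant; a session-cookie replay from an adversary-in-the-middle proxy looks the same in these logs as a password login, which is why the correlation keys on the IP rather than the authentication method.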
Tradecraft
58 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
17 malware families attributed to this actor across reporting.
12 additional families tracked in Mallory.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
66 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Iranian cyber-espionage group focused on targeting specific individuals such as journalists, researchers, dissidents, and political consultants. The group uses social engineering, credential harvesting, adversary-in-the-middle phishing, MFA interception, session cookie theft, and then operates inside cloud services such as Microsoft 365 for email and document collection without deploying malware on endpoints.
Listed as a threat actor associated with PowerShell execution behavior relevant to this detection.
Uses social engineering priming to build trust with victims before delivering malicious files.
Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.