Verticals Targeted: Government, Military, Education, Aerospace
Key Takeaways
The Campaign
APT42 has been targeting high-profile individuals in the US and Israel. Targeted entities include government officials, political campaigns, diplomats, think tanks, and NGOs. The group has also targeted academic institutions associated with foreign policy and individuals formerly affiliated with the Israeli military. Since April 2024, APT42 has stepped up its targeting of entities in Israel, focusing on individuals associated with the government, military, aerospace, and academia.
APT42 was observed attempting to interfere with the 2020 elections and has reportedly attempted to target accounts associated with both major candidates in the 2024 US Presidential election as well. In May and June 2024, individuals in both the Trump and Biden campaigns were targeted by APT42’s phishing, in an attempt to harvest login credentials. More recently, the group has continued to target individuals affiliated with the Trump and Harris campaigns.
In the campaign, APT42 has used a variety of tactics, including malware, phishing pages, and malicious redirects. They often abuse Google services, including Sites, Drive, and Gmail, as well as Dropbox and OneDrive. Google TAG noted the threat actors created multiple Google Sites pages masquerading as a petition from the Jewish Agency for Israel in favor of a cease-fire. The threat actors have used social engineering, masquerading as a journalist to engage with potential targets via email. In June 2024, the threat actors used a PDF attachment with the subject “Project Aladdin” as a lure. The PDF contained a shortened URL that redirected victims to a phishing page, in an attempt to steal Google login credentials.
APT42 is known to use GCollection/LCollection/YCollection to harvest Google, Hotmail, and Yahoo credentials. The group first used this phishing toolkit in January 2023. They have also used DWP, a browser-in-the-browser phishing toolkit. Other tools recently used by APT42 include NewsTerminal, OfficeFuel, FuelDump, and Gorble.
Who is APT42?
Iran-nexus threat actor group APT42, also known as CALANQUE and UNC788, has been linked to Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 has been active since at least 2015 and is known to engage in spearphishing and surveillance operations, as well as credential harvesting. Their activities align with Iran’s intelligence collection requirements.
Verticals targeted by APT42 in the past have included nonprofits, education, government, healthcare, pharmaceuticals, legal and professional services, and media and entertainment. Most of the group’s targets are located in the US, Australia, Europe, and the Middle East. APT42’s custom backdoors include NiceCurl and TameCat. Some of APT42’s activities overlap with another Iran-nexus threat actor, Charming Kitten.
IOCs
PolySwarm has multiple samples associated with APT42 activity.
82ae2eb470a5a16ca39ec84b387294eaa3ae82e5ada4b252470c1281e1f31c0a
89c1d1b61d7f863f8a651726e29f2ae3de7958f36b49a756069021817947d06c
You can use the following CLI command to search for all APT42 samples in our portal:
$ polyswarm link list -t APT42