APT42 SpearSpecter espionage campaign
Campaign
Summary
The APT42 SpearSpecter campaign is ongoing, and it is targeting senior defense and government officials with personalized social engineering that also reaches family members. The operation uses WhatsApp lures, malicious links, and a WebDAV-hosted LNK file disguised as a PDF to start the attack chain. If the payload lands, TAMECAT can enable persistent access, credential theft, and data exfiltration.
Related Happenings
AgingFly malware attacks local governments and hospitals in Ukraine
Malware Activity
First: 16.04.2026 00:57
Last: 16.04.2026 00:57
Sources 1
About this happening:
The **AgingFly** malware is now being deployed against **local governments and hospitals** in **Ukraine**, where it steals browser and WhatsApp authentication data and enables dee...
Handala multi-stage malware with Telegram C2 and exfiltration
Malware Activity
First: 24.03.2026 11:30
Last: 24.03.2026 11:30
Sources 1
About this happening:
The **Handala** malware package uses a **multi-stage payload** to give operators **remote access** to infected **Windows** devices, increasing the risk of stealthy data theft. The...
Transparent Tribe AI-assisted implant campaign targeting India
Campaign
First: 06.03.2026 17:11
Last: 06.03.2026 17:11
Sources 1
About this happening:
**Transparent Tribe (APT36)** is using **AI-powered coding tools** to mass-produce disposable implants in an active **campaign** targeting the **Indian government**, its embassies...
RedAlert app impersonation mobile surveillance malware delivery
Malware Activity
First: 04.03.2026 19:21
Last: 04.03.2026 19:21
Sources 1
About this happening:
An **active SMS phishing** operation is using a **rogue RedAlert app** to distribute **mobile surveillance** and **data-exfiltrating malware**, putting conflict-time mobile users...
RedAlert SMS phishing espionage campaign
Campaign
First: 03.03.2026 18:15
Last: 03.03.2026 18:15
Sources 1
About this happening:
A **RedAlert** mobile espionage campaign is using **SMS phishing** and a trojanized emergency app to target **civilians** during the **ongoing Israel-Iran conflict**. The operatio...
Timeline
14.11.2025 16:40 2 articles · 6mo ago
INDA discloses APT42 SpearSpecter espionage campaign
Initial Disclosure
Israel National Digital Agency (INDA) disclosed SpearSpecter as an ongoing APT42 espionage campaign targeting high-value senior defense and government officials, as well as other individuals and organizations of interest to the IRGC. The operation uses personalized social engineering through trusted WhatsApp contacts, meeting and conference lures, a malicious link chain, a WebDAV-hosted LNK disguised as a PDF, and a batch-script loader that can deploy TAMECAT for persistent access, credential capture, reconnaissance, and data exfiltration. TAMECAT can use HTTPS, Discord, and Telegram for command-and-control and can steal data from Google Chrome, Microsoft Edge, and Outlook while operating mostly in memory.
- Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense & Government Targets — thehackernews.com — 14.11.2025 16:40
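The disclosure above turns on one delivery detail: a Windows shortcut (.lnk) hosted on WebDAV and passed off as a PDF. The following Python triage routine is an added defender-side example, not code from INDA, from the cited article, or from this site. It checks a file for the Shell Link header regardless of its name, flags document-style double extensions, and pulls UNC or WebDAV-looking targets out of the link body so an analyst can see where a lure points before anything runs. The sample bytes, the file name, and the documentation-range host are constructed for the example; the name and path patterns are assumed heuristics, not indicators from the campaign.

```python
import re
import struct

# Shell Link header constants (MS-SHLLINK): a fixed 0x4C-byte header whose second field is
# the LinkCLSID {00021401-0000-0000-C000-000000000046}, stored on disk as the bytes below.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Heuristics (assumptions for this example, not campaign indicators):
# a document extension immediately followed by the real .lnk extension ...
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.IGNORECASE)
# ... a UNC path, optionally with the WebDAV redirector's @SSL / @port host suffix ...
UNC_PATH = re.compile(rb"\\\\[A-Za-z0-9.\-_]+(?:@ssl|@\d+)?\\[ -~]*", re.IGNORECASE)
WEBDAV_HINT = re.compile(rb"@ssl|@\d+\\|davwwwroot", re.IGNORECASE)
# ... and any plain URL embedded in the link.
URL = re.compile(rb"https?://[^\s\x00\"]+", re.IGNORECASE)


def is_lnk(data: bytes) -> bool:
    """True when the bytes start with a Shell Link header, whatever the file is called."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def triage_shortcut(name: str, data: bytes) -> dict:
    """Collect indicators for one file and return them with a suspicious/clean verdict."""
    findings = []
    if DOUBLE_EXT.search(name):
        findings.append(f"double extension in name: {name}")
    lnk = is_lnk(data)
    if lnk and not name.lower().endswith(".lnk"):
        findings.append("Shell Link header under a non-.lnk name")
    if lnk:
        # Drop NUL bytes so UTF-16LE strings inside the link match the same ASCII patterns.
        narrow = data.replace(b"\x00", b"")
        for m in UNC_PATH.finditer(narrow):
            kind = "WebDAV" if WEBDAV_HINT.search(m.group(0)) else "UNC"
            findings.append(f"{kind} target: {m.group(0).decode('latin-1')}")
        for m in URL.finditer(narrow):
            findings.append(f"URL in link body: {m.group(0).decode('latin-1')}")
    return {"is_lnk": lnk, "findings": findings, "suspicious": bool(findings)}


def build_sample() -> bytes:
    """Constructed stand-in for a WebDAV-hosted shortcut: a valid header followed by a
    UTF-16LE target string. The host is a documentation address, not a real indicator."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    target = "\\\\203.0.113.10@SSL\\davwwwroot\\invite.bat"
    return header + target.encode("utf-16-le")


if __name__ == "__main__":
    # A lure-style name on shortcut content, and a genuine PDF for comparison.
    print(triage_shortcut("conference_agenda.pdf.lnk", build_sample()))
    print(triage_shortcut("agenda.pdf", b"%PDF-1.7\n" + b"\x00" * 100))
```

The header check is the part worth keeping in any mail or chat attachment pipeline: Windows chooses the handler from the extension, but the content check does not care what the sender named the file. The string scan is only a triage aid; a full MS-SHLLINK parser would read the LinkInfo and StringData structures instead of pattern-matching the raw bytes.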