APT42 SpearSpecter espionage campaign
Campaign
Summary
Hide ▲
Show ▼
The APT42 SpearSpecter campaign is ongoing, and it is targeting senior defense and government officials with personalized social engineering that also reaches family members. The operation uses WhatsApp lures, malicious links, and a WebDAV-hosted LNK file disguised as a PDF to start the attack chain. If the payload lands, TAMECAT can enable persistent access, credential theft, and data exfiltration.
Related Happenings
WhatsApp VBScript phishing campaign targeting users in multiple countries
Campaign
H score43
First: 23.06.2026 01:42
Last: 23.06.2026 01:42
Sources 1
About this happening:
An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
WhatsApp VBScript phishing campaign targeting users in multiple countries
CampaignAbout this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
CL-CRI-1089 Operation FlutterBridge macOS malvertising campaign
Campaign
H score33
First: 04.06.2026 14:19
Last: 04.06.2026 14:19
Sources 1
About this happening:
A **macOS malvertising campaign** is delivering **FlutterShell** through malicious ads and trojanized apps, expanding browser-hijacking and backdoor risk across **the U.S., Canada...
CL-CRI-1089 Operation FlutterBridge macOS malvertising campaign
CampaignAbout this happening: A **macOS malvertising campaign** is delivering **FlutterShell** through malicious ads and trojanized apps, expanding browser-hijacking and backdoor risk across **the U.S., Canada...
TA4922 expanded European phishing-and-malware campaign
Campaign
H score40
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
TA4922 expanded European phishing-and-malware campaign
CampaignAbout this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
AgingFly malware attacks local governments and hospitals in Ukraine
Malware Activity
H score28
First: 16.04.2026 00:57
Last: 16.04.2026 00:57
Sources 1
About this happening:
The **AgingFly** malware is now being deployed against **local governments and hospitals** in **Ukraine**, where it steals browser and WhatsApp authentication data and enables dee...
AgingFly malware attacks local governments and hospitals in Ukraine
Malware ActivityAbout this happening: The **AgingFly** malware is now being deployed against **local governments and hospitals** in **Ukraine**, where it steals browser and WhatsApp authentication data and enables dee...
Handala multi-stage malware with Telegram C2 and exfiltration
Malware Activity
H score22
First: 24.03.2026 11:30
Last: 24.03.2026 11:30
Sources 1
About this happening:
The **Handala** malware package uses a **multi-stage payload** to give operators **remote access** to infected **Windows** devices, increasing the risk of stealthy data theft. The...
Handala multi-stage malware with Telegram C2 and exfiltration
Malware ActivityAbout this happening: The **Handala** malware package uses a **multi-stage payload** to give operators **remote access** to infected **Windows** devices, increasing the risk of stealthy data theft. The...
Timeline
-
14.11.2025 16:40 2 articles · 7mo ago
INDA discloses APT42 SpearSpecter espionage campaign
Initial DisclosureIsrael National Digital Agency (INDA) disclosed SpearSpecter as an ongoing APT42 espionage campaign targeting high-value senior defense and government officials, as well as other individuals and organizations of interest to the IRGC. The operation uses personalized social engineering through trusted WhatsApp contacts, meeting and conference lures, a malicious link chain, a WebDAV-hosted LNK disguised as a PDF, and a batch-script loader that can deploy TAMECAT for persistent access, credential capture, reconnaissance, and data exfiltration. TAMECAT can use HTTPS, Discord, and Telegram for command-and-control and can steal data from Google Chrome, Microsoft Edge, and Outlook while operating mostly in memory.
Show sources
- Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense & Government Targets — thehackernews.com — 14.11.2025 16:40
- Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense & Government Targets — thehackernews.com — 14.11.2025 16:40