APT42

🔴 High
Also known as: APT42, CALANQUE, UNC788

APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance [2]. The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015 [2]. APT42 starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices [2]. Finally, APT42 exfiltrates data using native features and open-source tools [3].

APT42 activities have been linked to Magic Hound by other commercial vendors. While there are behavior and software overlaps between Magic Hound and APT42, they appear to be distinct entities and are tracked as separate entities by their originating vendor.

๐ŸŒ Country Iran
โšก Risk Level High
๐ŸŽฏ Incident Type Espionage
๐Ÿงญ ATT&CK G1044
Education Government Military Defense Energy Finance Healthcare Pharmaceuticals Civil Society Legal Manufacturing Media NGOs

Activities and Tactics

Targeted Sectors: Education, Government, Military, Defense, Energy, Finance, Healthcare, Pharmaceuticals, Civil Society, Legal, Manufacturing, Media, NGOs

Country of Origin: 🇮🇷 Iran

Risk Level: High

Incident Type: Espionage

Suspected Victims: Australia, Europe, Israel, Middle East, United States

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • CyberGate
  • Cyber Eye RAT

Attribution and Evidence

Country of Origin: Iran

Additional attribution information pending cataloguing.

References

[1] MITRE ATT&CK. Group G1044 (APT42).
[2] Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
[3] Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Mandiant. Retrieved October 9, 2024.
[4] MITRE ATT&CK.
[5] Agranovich, D., et al. (2022, April). Adversarial Threat Report. Meta. Retrieved April 2, 2024.