Introduction
We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: “APT42” (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object. APT42 is an Iranian state-sponsored espionage group believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO). APT42 primarily focuses on collecting information on and surveilling its targets, mainly individuals and organizations with strategic significance to Iran’s government. The group’s operations are characterized by targeted spear-phishing attacks and surveillance activity. Mandiant researchers acknowledged overlaps between APT42 and APT35, which both likely operate on behalf of the IRGC, but noted that the groups display “substantial differences” in targeting patterns and TTPs.[Mandiant Crooked Charms August 12 2022]
Activities and Tactics
Country of Origin: 🇮🇷 Iran
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- SHIPSHAPE:
- Archelaus Beta:
Attribution and Evidence
Country of Origin: Iran Additional attribution information pending cataloguing.