APT42: Crooked Charms, Cons and Compromises

Active since at least 2015, APT42 is characterized by highly targeted spear phishing and surveillance operations against individuals and organizations of strategic interest to Iran. The group’s operations, which are designed to build trust and rapport with their victims, have included accessing the personal and corporate email accounts of government officials, former Iranian policymakers or political figures, members of the Iranian diaspora and opposition groups, journalists, and academics who are involved in research on Iran. After gaining access, the group has deployed mobile malware capable of tracking victim locations, recording phone conversations, accessing videos and images, and extracting entire SMS inboxes.

MALWARE FAMILIES: VineThorn, Pineflower

ATT&CK IDS: T1003 - OS Credential Dumping, T1012 - Query Registry, T1016 - System Network Configuration Discovery, T1021 - Remote Services, T1027 - Obfuscated Files or Information, T1047 - Windows Management Instrumentation, T1055 - Process Injection, T1056 - Input Capture, T1056.001 - Keylogging, T1059 - Command and Scripting Interpreter, T1059.001 - PowerShell, T1070 - Indicator Removal on Host, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1087 - Account Discovery, T1098 - Account Manipulation, T1111 - Two-Factor Authentication Interception, T1112 - Modify Registry, T1133 - External Remote Services, T1134 - Access Token Manipulation, T1140 - Deobfuscate/Decode Files or Information, T1193 - Spearphishing Attachment, T1204 - User Execution, T1221 - Template Injection, T1497 - Virtualization/Sandbox Evasion, T1518 - Software Discovery, T1543 - Create or Modify System Process, T1547 - Boot or Logon Autostart Execution, T1564 - Hide Artifacts, T1566 - Phishing, T1569 - System Services, T1583 - Acquire Infrastructure, T1584 - Compromise Infrastructure, T1587 - Develop Capabilities, T1587.001 - Malware, T1588 - Obtain Capabilities
