G1044: APT42
APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.[1] The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015.[1] APT42 starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices.[1] Finally, APT42 exfiltrates data using native features and open-source tools.[2]
APT42 activities have been linked to Magic Hound by other commercial vendors. While there are behavior and software overlaps between Magic Hound and APT42, they appear to be distinct and are tracked as separate entities by their originating vendor.
Analyst context for executives and security teams
APT42 matters because ATT&CK describes it as an Iranian-sponsored espionage and surveillance group that begins operations through spearphishing emails and/or PINEFLOWER Android malware, then monitors, collects, and exfiltrates information using native features and open-source tools. For leaders, the decision value is not a single malware name; it is whether the organization can detect and investigate phishing-led compromise, credential and MFA interception, endpoint persistence, cloud/SaaS data access, mailbox artifact removal, and web-based command-and-control before sensitive information leaves the environment.
Executive priority
Prioritize this as an intelligence-led readiness scenario for organizations with exposure to Middle East-related operations, sensitive personal or political information, cloud document repositories, executive communications, or high-value identities. Ask whether security programs can produce evidence for: phishing investigation, identity compromise response, MFA/session cookie abuse, endpoint execution using PowerShell/VBScript/WMI/scheduled tasks, and cloud or mailbox data access. This object supports budget and control discussions around managed detection, incident response playbooks, identity and access management, cloud/SaaS logging, and compliance evidence for data access and exfiltration review.
Technical view
ATT&CK provides no standalone detection guidance for APT42, so defenders should validate coverage through the related software and techniques. NICECURL is described as a VBScript-based backdoor used to download additional modules, and TAMECAT is described as malware used to execute PowerShell or C# content. The relationship set points SOC teams toward Windows execution and persistence behaviors such as PowerShell, Visual Basic, WMI, scheduled tasks, registry modification, and boot/logon autostart, plus discovery of system, network, local account, and security software information. It also points to collection and credential-access behaviors including keylogging, screen capture, MFA interception, session cookie theft, cloud storage access, mailbox data clearing, and web-protocol or web-service C2 using standard encoding.
Likely telemetry
- Email security and mailbox audit logs for spearphishing investigation and mailbox data deletion or export activity
- Endpoint process, command-line, script, and PowerShell telemetry, especially for VBScript, PowerShell, C# execution patterns, WMI, scheduled tasks, and registry changes
- Windows event logs and EDR records covering persistence, execution, discovery commands, and security software discovery
- Identity provider and MFA logs for unusual authentication flows, MFA interception indicators, session reuse, and anomalous access
- Browser, SaaS, and Office Suite logs for session cookie-related access patterns and cloud storage data access
Detection direction
- Because ATT&CK does not provide official detection text for this group, build detections from the related techniques rather than from the group name alone.
- Tune for suspicious combinations: phishing or mailbox activity followed by script execution, discovery commands, persistence creation, credential/MFA anomalies, cloud storage access, and web-based outbound traffic.
- Validate Windows coverage for PowerShell, VBScript, WMI, scheduled tasks, registry modification, and boot/logon autostart because the related software NICECURL and TAMECAT are Windows-associated.
- Review cloud and SaaS visibility for Data from Cloud Storage and Steal Web Session Cookie scenarios; endpoint-only monitoring will miss important parts of the described behavior.
- Include false-positive handling for legitimate administration tools and web services. WMI, scheduled tasks, PowerShell, registry changes, and common web protocols are normal in many environments, so detections should use context such as user role, host baseline, parent process, timing, and follow-on activity.
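As an added illustration of the correlation approach described above (this code is not part of the ATT&CK object or Glexia's analysis), the following Python scores constructed endpoint and mailbox events per host so that WMI anti-virus discovery, script execution, persistence creation and mailbox deletion only alert in combination, with a user-facing parent process adding phishing-led context and a lone inventory query on a management host staying silent. The event tuple format, stage weights, threshold and USER_PARENTS list are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telemetry, not real APT42 data: (timestamp, host, kind, parent process, command line or mailbox operation).
EVENTS = [
    ("2024-05-01T09:00:00", "wks-17", "process", "outlook.exe",
     "wscript.exe C:\\Users\\j.doe\\AppData\\Local\\Temp\\invite.vbs"),
    ("2024-05-01T09:01:05", "wks-17", "process", "wscript.exe",
     "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"),
    ("2024-05-01T09:03:00", "wks-17", "process", "wscript.exe",
     "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\j.doe\\AppData\\Roaming\\u.exe"),
    ("2024-05-01T09:10:00", "wks-17", "mailbox", "", "HardDelete"),
    # Baseline: an inventory agent on a management host runs the same AV query alone.
    ("2024-05-01T10:00:00", "mgmt-01", "process", "inventory-agent.exe",
     "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"),
]
# Stages drawn from the page's related techniques: script execution (T1059.001/.005), AV discovery via WMI (T1047/T1518.001), persistence (T1053.005/T1547/T1112). Weights are assumed.
STAGES = {
    "script_exec":  (r"^(wscript|cscript|powershell)\.exe", 1),
    "av_discovery": (r"securitycenter2.*antivirusproduct", 2),
    "persistence":  (r"schtasks.*/create|reg(\.exe)? add .*\\run", 2),
}
USER_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "winword.exe"}  # assumed list
WINDOW = timedelta(minutes=15)
def score_hosts(events, threshold=5):
    """Correlate stages per host inside WINDOW; return {host: score} for hosts that alert."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e[1]].append(e)
    alerts = {}
    for host, evs in per_host.items():
        evs.sort()
        start = datetime.fromisoformat(evs[0][0])  # first event anchors the window
        seen, score = set(), 0
        for ts, _, kind, parent, detail in evs:
            if datetime.fromisoformat(ts) - start > WINDOW:
                break
            if kind == "mailbox":  # T1070.008: mailbox clearing only adds weight
                if detail in ("HardDelete", "SoftDelete") and "mailbox_clear" not in seen:
                    seen.add("mailbox_clear"); score += 1
                continue
            for name, (pat, weight) in STAGES.items():
                if name not in seen and re.search(pat, detail, re.I):
                    seen.add(name); score += weight
                    if parent.lower() in USER_PARENTS:
                        score += 1  # launched from mail/browser/Office: phishing-led context
        if len(seen) >= 2 and score >= threshold:  # one stage alone never alerts
            alerts[host] = score
    return alerts
```

A production rule would use a sliding window and per-host baselines instead of anchoring on the first event, but the shape is the same: weight stages, require at least two, and let parent-process context raise the score.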
Mitigation priorities
- Start with identity and email controls: phishing-resistant processes where feasible, strong MFA governance, conditional access, rapid account revocation workflows, and alertable mailbox audit coverage.
- Harden and monitor script and administrative execution paths, including PowerShell, VBScript, WMI, scheduled tasks, registry persistence, and boot/logon autostart locations.
- Ensure cloud and SaaS repositories have auditable access, download, sharing, and export controls, with retention sufficient for incident response and compliance evidence.
- Prepare IR playbooks for suspected espionage-style intrusions: preserve endpoint, mailbox, identity, SaaS, and network evidence before artifacts can be removed or mailbox data cleared.
- Reduce impact of credential and session theft through session management, device trust policies, least privilege, and review of high-value account access to cloud storage and sensitive communications.
Analyst notes and limits
The most useful defensive framing is a cross-domain intrusion scenario: phishing-led access, endpoint script execution, persistence and discovery, credential/session/MFA targeting, collection from endpoints and cloud storage, and exfiltration through native features or open-source tooling. The relationship context is richer than the group object itself and should drive validation priorities for SOC, IR, IAM, and cloud security teams.
The supplied ATT&CK group object has no platforms, tactics, labels, or official detection text. Platform and tactic guidance here is derived only from the listed related techniques and software. Local exposure, targeting relevance, active activity, and detection coverage cannot be inferred from this object alone and require organization-specific telemetry and threat intelligence validation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.001 | PowerShell (sub-technique) | APT42 has downloaded and executed PowerShell payloads. (Citation: Mandiant APT42-charms) |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | APT42 has used Windows Management Instrumentation (WMI) to check for anti-virus products. (Citation: Mandiant APT42-untangling) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | APT42 has masqueraded the VINETHORN payload as a VPN application. (Citation: Mandiant APT42-charms) |
| Enterprise | T1070 | Indicator Removal | APT42 has cleared Chrome browser history. (Citation: Mandiant APT42-untangling) |
| Enterprise | T1056 | Input Capture | APT42 has used credential harvesting websites. (Citation: Mandiant APT42-untangling) |
| Enterprise | T1583.001 | Domains (sub-technique) | APT42 has registered domains, several of which masqueraded as news outlets and login services, for use in operations. (Citation: Mandiant APT42-charms) (Citation: TAG APT42) |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | APT42 has encoded C2 traffic with Base64. (Citation: Mandiant APT42-untangling) |
| Enterprise | T1530 | Data from Cloud Storage | APT42 has collected data from Microsoft 365 environments. (Citation: Mandiant APT42-untangling) (Citation: Mandiant APT42-charms) |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | APT42 has used a VBScript to query anti-virus products. (Citation: Mandiant APT42-untangling) |
| Enterprise | T1113 | Screen Capture | APT42 has used malware, such as GHAMBAR and POWERPOST, to take screenshots. (Citation: Mandiant APT42-charms) |
| Enterprise | T1684.001 | Impersonation (sub-technique) | APT42 has impersonated legitimate people in phishing emails to gain credentials. (Citation: Mandiant APT42-charms) (Citation: TAG APT42) |
| Enterprise | T1016 | System Network Configuration Discovery | APT42 has used malware, such as GHAMBAR and POWERPOST, to collect network information. (Citation: Mandiant APT42-charms) |
| Enterprise | T1087.001 | Local Account (sub-technique) | APT42 has used the PowerShell-based POWERPOST script to collect local account names from the victim machine. (Citation: Mandiant APT42-charms) |
| Enterprise | T1585.002 | Email Accounts (sub-technique) | APT42 has created email accounts to use in spearphishing operations. (Citation: TAG APT42) |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | APT42 has used scheduled tasks for persistence. (Citation: Mandiant APT42-charms) |
| Enterprise | T1682 | Query Public AI Services | APT42 has leveraged LLMs to search for official emails to build target lists and to conduct reconnaissance on potential business partners. (Citation: GTIG AI Threat Tracker) |
| Enterprise | T1070.008 | Clear Mailbox Data (sub-technique) | APT42 has deleted login notification emails and has cleared the Sent folder to cover their tracks. (Citation: Mandiant APT42-charms) |
| Enterprise | T1056.001 | Keylogging (sub-technique) | APT42 has used custom malware to log keystrokes. (Citation: Mandiant APT42-charms) |
| Enterprise | T1102 | Web Service | APT42 has used various links, such as links with typo-squatted domains, links to Dropbox files and links to fake Google sites, in spearphishing operations. (Citation: Mandiant APT42-untangling) (Citation: Mandiant APT42-charms) (Citation: TAG APT42) |
| Enterprise | T1082 | System Information Discovery | APT42 has used malware, such as GHAMBAR and POWERPOST, to collect system information. (Citation: Mandiant APT42-charms) |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | |
| Enterprise | T1583.003 | Virtual Private Server (sub-technique) | APT42 has used anonymized infrastructure and Virtual Private Servers (VPSs) to interact with the victim's environment. (Citation: Mandiant APT42-charms) (Citation: Mandiant APT42-untangling) |
| Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | |
| Enterprise | T1047 | Windows Management Instrumentation | APT42 has used Windows Management Instrumentation (WMI) to query anti-virus products. (Citation: Mandiant APT42-untangling) |
| Enterprise | T1539 | Steal Web Session Cookie | APT42 has used custom malware to steal login and cookie data from common browsers. (Citation: Mandiant APT42-charms) |
| Enterprise | T1608.001 | Upload Malware (sub-technique) | APT42 has used its infrastructure for C2 and for staging the VINETHORN payload, which masqueraded as a VPN application. (Citation: Mandiant APT42-charms) |
| Enterprise | T1588.002 | Tool (sub-technique) | APT42 has used built-in features in the Microsoft 365 environment and publicly available tools to avoid detection. (Citation: Mandiant APT42-untangling) |
| Enterprise | T1111 | Multi-Factor Authentication Interception | |
| Enterprise | T1547 | Boot or Logon Autostart Execution | APT42 has modified the Registry to maintain persistence. (Citation: Mandiant APT42-charms) |
| Enterprise | T1112 | Modify Registry | APT42 has modified Registry keys to maintain persistence. (Citation: Mandiant APT42-charms) |
| Enterprise | T1566.002 | Spearphishing Link (sub-technique) | APT42 has sent spearphishing emails containing malicious links. (Citation: Mandiant APT42-charms) (Citation: Mandiant APT42-untangling) (Citation: TAG APT42) |
| Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | APT42 has used custom malware to steal credentials. (Citation: Mandiant APT42-charms) |
Groups, software, and campaigns
S1192: NICECURL
S1193: TAMECAT
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8a29531317f4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant APT42-charms: Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
[2] Mandiant APT42-untangling: Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
[3] mitre-attack G1044: MITRE ATT&CK source record for G1044.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.