G1044: APT42
APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.[1] The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015.[1] APT42 starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices.[1] Finally, APT42 exfiltrates data using native features and open-source tools.[2]
APT42 activities have been linked to Magic Hound by other commercial vendors. While there are behavior and software overlaps between Magic Hound and APT42, they appear to be distinct entities and are tracked as separate entities by their originating vendor.
Analyst context for executives and security teams
APT42 matters because ATT&CK describes it as an Iranian-sponsored espionage and surveillance group that begins operations through spearphishing emails and/or PINEFLOWER Android malware, then monitors, collects, and exfiltrates information using native features and open-source tools. For leaders, the decision value is not a single malware name; it is whether the organization can detect and investigate phishing-led compromise, credential and MFA interception, endpoint persistence, cloud/SaaS data access, mailbox artifact removal, and web-based command-and-control before sensitive information leaves the environment.
Executive priority
Prioritize this as an intelligence-led readiness scenario for organizations with exposure to Middle East-related operations, sensitive personal or political information, cloud document repositories, executive communications, or high-value identities. Ask whether security programs can produce evidence for: phishing investigation, identity compromise response, MFA/session cookie abuse, endpoint execution using PowerShell/VBScript/WMI/scheduled tasks, and cloud or mailbox data access. This object supports budget and control discussions around managed detection, incident response playbooks, identity and access management, cloud/SaaS logging, and compliance evidence for data access and exfiltration review.
Technical view
ATT&CK provides no standalone detection guidance for APT42, so defenders should validate coverage through the related software and techniques. NICECURL is described as a VBScript-based backdoor used to download additional modules, and TAMECAT as malware used to execute PowerShell or C# content. The relationship set points SOC teams toward Windows execution and persistence behaviors such as PowerShell, Visual Basic, WMI, scheduled tasks, registry modification, and boot/logon autostart, plus discovery of system, network configuration, local account, and security software information. It also points to credential-access, collection, and command-and-control behaviors: keylogging, screen capture, MFA interception, session cookie theft, credentials from web browsers, cloud storage access, mailbox data clearing and other indicator removal, masquerading under legitimate resource names, and web-protocol or web-service C2 that uses standard encoding and asymmetric cryptography.
Likely telemetry
- Email security and mailbox audit logs for spearphishing investigation and mailbox data deletion or export activity
- Endpoint process, command-line, script, and PowerShell telemetry, especially for VBScript, PowerShell, C# execution patterns, WMI, scheduled tasks, and registry changes
- Windows event logs and EDR records covering persistence, execution, discovery commands, and security software discovery
- Identity provider and MFA logs for unusual authentication flows, MFA interception indicators, session reuse, and anomalous access
- Browser, SaaS, and Office Suite logs for session cookie-related access patterns and cloud storage data access
Detection direction
- Because ATT&CK does not provide official detection text for this group, build detections from the related techniques rather than from the group name alone.
- Tune for suspicious combinations: phishing or mailbox activity followed by script execution, discovery commands, persistence creation, credential/MFA anomalies, cloud storage access, and web-based outbound traffic.
- Validate Windows coverage for PowerShell, VBScript, WMI, scheduled tasks, registry modification, and boot/logon autostart because the related software NICECURL and TAMECAT are Windows-associated.
- Review cloud and SaaS visibility for Data from Cloud Storage and Steal Web Session Cookie scenarios; endpoint-only monitoring will miss important parts of the described behavior.
- Include false-positive handling for legitimate administration tools and web services. WMI, scheduled tasks, PowerShell, registry changes, and common web protocols are normal in many environments, so detections should use context such as user role, host baseline, parent process, timing, and follow-on activity.
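The detection direction above (phishing or mailbox activity followed by script execution, discovery, persistence, credential/MFA anomalies and cloud access, with routine administrative use of the same tools kept below threshold) as runnable correlation logic. This is an added example and not code from the ATT&CK page, MITRE, or Glexia; the normalized event schema (source, user, parent, cmdline, operation, signal), the command-line patterns, the stage names and thresholds, and the sample events are all assumptions constructed for the example.

```python
"""Cross-domain correlation for an APT42-style intrusion chain (added example).
Field names, technique mappings, patterns, thresholds and the sample events are
assumptions, not an ATT&CK or vendor specification."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line markers mapped to technique IDs from this page's table. They are
# deliberately coarse: the cross-domain chain, not one pattern, raises the alert.
CMDLINE_SIGNATURES = [
    ("T1059.001", re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("T1059.005", re.compile(r"\b[wc]script(\.exe)?\b.*\.vbs\b", re.I)),
    ("T1047",     re.compile(r"\bwmic(\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    ("T1053.005", re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)),
    ("T1547",     re.compile(r"\breg(\.exe)?\s+add\b.*\\currentversion\\run(once)?\b", re.I)),
    ("T1082",     re.compile(r"\b(systeminfo|hostname)(\.exe)?\b", re.I)),
    ("T1016",     re.compile(r"\bipconfig(\.exe)?\b", re.I)),
    ("T1087.001", re.compile(r"\bnet1?(\.exe)?\s+user\b", re.I)),
    ("T1518.001", re.compile(r"\btasklist(\.exe)?\b|antivirusproduct", re.I)),
]
MAILBOX_OPS = {"HardDelete": "T1070.008", "New-InboxRule": "T1070.008"}   # Clear Mailbox Data
IDENTITY_SIGNALS = {"mfa_prompt_flood": "T1111", "token_replay": "T1539"}  # MFA / session abuse

STAGE_OF = {
    "T1566.002": "phishing",
    "T1059.001": "execution", "T1059.005": "execution", "T1047": "execution",
    "T1053.005": "persistence", "T1547": "persistence",
    "T1082": "discovery", "T1016": "discovery", "T1087.001": "discovery", "T1518.001": "discovery",
    "T1111": "credential", "T1539": "credential",
    "T1070.008": "mailbox", "T1530": "cloud",
}
# A script spawned by mail, Office or a browser is the context that separates a
# phishing chain from an administrator running the same tool from a shell.
RISKY_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "msedge.exe", "chrome.exe"}


def classify(event):
    """Return the set of technique IDs a single normalized event evidences."""
    src = event["source"]
    if src == "endpoint":
        return {tid for tid, rx in CMDLINE_SIGNATURES if rx.search(event["cmdline"])}
    if src == "email" and event.get("url_clicked"):
        return {"T1566.002"}
    if src == "mailbox" and event.get("operation") in MAILBOX_OPS:
        return {MAILBOX_OPS[event["operation"]]}
    if src == "identity" and event.get("signal") in IDENTITY_SIGNALS:
        return {IDENTITY_SIGNALS[event["signal"]]}
    if src == "cloud" and event.get("operation") == "FileDownloaded" and event.get("count", 0) >= 50:
        return {"T1530"}  # bulk download from cloud storage; the threshold is an assumption
    return set()


def correlate(events, window=timedelta(hours=24), min_stages=3):
    """Join evidence per user inside a sliding window and alert only on chains.
    An alert needs `min_stages` distinct stages plus either a risky-parent execution
    or a credential/mailbox/cloud stage, so two stages of admin noise stay quiet."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tid in classify(ev):
            by_user[ev["user"]].append((ev["ts"], tid, ev))
    alerts = []
    for user, hits in by_user.items():
        for t0, _, _ in hits:
            chain = [h for h in hits if t0 <= h[0] <= t0 + window]
            stages = {STAGE_OF[tid] for _, tid, _ in chain}
            risky_exec = any(STAGE_OF[tid] == "execution"
                             and ev.get("parent", "").lower() in RISKY_PARENTS
                             for _, tid, ev in chain)
            if len(stages) >= min_stages and (risky_exec or stages & {"credential", "mailbox", "cloud"}):
                alerts.append({"user": user, "start": t0, "end": chain[-1][0],
                               "stages": sorted(stages),
                               "techniques": sorted({tid for _, tid, _ in chain})})
                break  # one alert per user is enough for triage; the chain carries the detail
    return alerts


T0 = datetime(2024, 10, 9, 8, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"ts": T0, "source": "email", "user": "a.rahimi", "url_clicked": True},
    {"ts": T0 + timedelta(minutes=3), "source": "endpoint", "user": "a.rahimi", "parent": "outlook.exe",
     "cmdline": r"wscript.exe C:\Users\a.rahimi\AppData\Local\Temp\invite.vbs"},
    {"ts": T0 + timedelta(minutes=4), "source": "endpoint", "user": "a.rahimi", "parent": "wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ts": T0 + timedelta(minutes=6), "source": "endpoint", "user": "a.rahimi", "parent": "powershell.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 30 /tn "OneDrive Sync" /tr C:\Users\Public\sync.vbs'},
    {"ts": T0 + timedelta(minutes=7), "source": "endpoint", "user": "a.rahimi", "parent": "powershell.exe",
     "cmdline": "ipconfig.exe /all"},
    {"ts": T0 + timedelta(minutes=7), "source": "endpoint", "user": "a.rahimi", "parent": "powershell.exe",
     "cmdline": "tasklist.exe /svc"},
    {"ts": T0 + timedelta(hours=5), "source": "mailbox", "user": "a.rahimi", "operation": "HardDelete"},
    # Administrator baseline: the same tools from an interactive shell, no other stages.
    {"ts": T0, "source": "endpoint", "user": "svc-patch", "parent": "cmd.exe",
     "cmdline": r"schtasks.exe /create /tn Patch /tr C:\tools\patch.cmd /sc daily"},
    {"ts": T0 + timedelta(minutes=1), "source": "endpoint", "user": "svc-patch", "parent": "cmd.exe",
     "cmdline": "ipconfig.exe /all"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run directly, it prints one alert for a.rahimi (phishing, execution, persistence, discovery, mailbox) and nothing for svc-patch, whose schtasks and ipconfig from cmd.exe never reach three stages. The split is the point for a SIEM as well: coarse per-technique markers, then a per-identity window that demands several stages and risky context before paging anyone. Command-line regexes are a placeholder for real coverage, which should come from EDR script-block and process-tree telemetry, mailbox audit logs, and identity-provider signals.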
Mitigation priorities
- Start with identity and email controls: phishing-resistant processes where feasible, strong MFA governance, conditional access, rapid account revocation workflows, and alertable mailbox audit coverage.
- Harden and monitor script and administrative execution paths, including PowerShell, VBScript, WMI, scheduled tasks, registry persistence, and boot/logon autostart locations.
- Ensure cloud and SaaS repositories have auditable access, download, sharing, and export controls, with retention sufficient for incident response and compliance evidence.
- Prepare IR playbooks for suspected espionage-style intrusions: preserve endpoint, mailbox, identity, SaaS, and network evidence before artifacts can be removed or mailbox data cleared.
- Reduce impact of credential and session theft through session management, device trust policies, least privilege, and review of high-value account access to cloud storage and sensitive communications.
Analyst notes and limits
The most useful defensive framing is a cross-domain intrusion scenario: phishing-led access, endpoint script execution, persistence and discovery, credential/session/MFA targeting, collection from endpoints and cloud storage, and exfiltration through native features or open-source tooling. The relationship context is richer than the group object itself and should drive validation priorities for SOC, IR, IAM, and cloud security teams.
The supplied ATT&CK group object has no platforms, tactics, labels, or official detection text. Platform and tactic guidance here is derived only from the listed related techniques and software. Local exposure, targeting relevance, active activity, and detection coverage cannot be inferred from this object alone and require organization-specific telemetry and threat intelligence validation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.001 | PowerShell | |
| Enterprise | T1518.001 | Security Software Discovery | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | |
| Enterprise | T1070 | Indicator Removal | |
| Enterprise | T1056 | Input Capture | |
| Enterprise | T1583.001 | Domains | |
| Enterprise | T1132.001 | Standard Encoding | |
| Enterprise | T1530 | Data from Cloud Storage | |
| Enterprise | T1059.005 | Visual Basic | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1684.001 | Impersonation | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1087.001 | Local Account | |
| Enterprise | T1585.002 | Email Accounts | APT42 has created email accounts to use in spearphishing operations. (Citation: TAG APT42) |
| Enterprise | T1053.005 | Scheduled Task | |
| Enterprise | T1682 | Query Public AI Services | APT42 has leveraged LLMs to search for official emails to build target lists, and to conduct reconnaissance on potential business partners. (Citation: GTIG AI Threat Tracker) |
| Enterprise | T1070.008 | Clear Mailbox Data | |
| Enterprise | T1056.001 | Keylogging | |
| Enterprise | T1102 | Web Service | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1071.001 | Web Protocols | |
| Enterprise | T1583.003 | Virtual Private Server | |
| Enterprise | T1573.002 | Asymmetric Cryptography | |
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1539 | Steal Web Session Cookie | |
| Enterprise | T1608.001 | Upload Malware | |
| Enterprise | T1588.002 | Tool | |
| Enterprise | T1111 | Multi-Factor Authentication Interception | |
| Enterprise | T1547 | Boot or Logon Autostart Execution | |
| Enterprise | T1112 | Modify Registry | |
| Enterprise | T1566.002 | Spearphishing Link | |
| Enterprise | T1555.003 | Credentials from Web Browsers | |
Groups, software, and campaigns
S1192: NICECURL
S1193: TAMECAT
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8a29531317f4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mandiant APT42-charms: Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024. (open source URL)
- [2] Mandiant APT42-untangling: Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024. (open source URL)
- [3] mitre-attack G1044: MITRE ATT&CK group entry G1044. (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.