An Iranian state-sponsored threat actor, APT42, has been linked to over 30 confirmed cyberespionage attacks, targeting individuals and organizations with strategic importance to the country, since 2015. Among its targets are countries in Australia, Europe, the Middle East, and the U.S.
According to the researchers, the threat group operates as an intelligence gathering arm of Iran's Islamic Revolutionary Guard Corps (IRGC) and shares partial overlaps with APT35.

Targeted entities

The APT group has demonstrated a tendency for targeting non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals.

APT35's attack campaign details

The threat actor distributes malware by building fraudulent trust with former government officials, journalists, policymakers, and the Iranian diaspora abroad. The gang impersonates journalists and other professionals to engage with the victims for several days/weeks.
  • The attackers use spear-phishing messages and social engineering techniques to gain initial access to a targeted network. 
  • They aim to compromise the personal or official email addresses of the employees or, drop the malware on their mobile phones.
  • Hackers use stolen credentials to carry out follow-on compromises of networks to collect confidential data. Furthermore, they use the breached accounts to exploit additional victims.

Links with APT35

Both APT42 and APT35 have links to an uncategorized threat cluster tracked as UNC2448.
  • Microsoft (DEV-0270) and Secureworks (Cobalt Mirage) have disclosed the threat cluster as a Phosphorus subgroup carrying out ransomware attacks for financial gain using BitLocker.
  • The tech giant adds that both DEV-0270 and UNC2448 are operated by a company that uses two public aliases—Secnerd and Lifeweb—which are connected to Najee Technology Hooshmand.
  • While APT35 targets different industry verticals in the U.S. and the Middle East, APT42 activities focus on entities for domestic politics, foreign policy, and regime stability purposes.


The most recent developments confirm that phishing attacks on Iranian entities have been going on for seven years and have a global reach. The APT42 group continues to be a major threat as it continues to expand with new goals. Organizations should stay abreast of all key developments in the threat landscape, and their security analysts should use operationalize threat intelligence to proactively identify and mitigate the risks.
Cyware Publisher