Iranian Hackers Launch ‘spearspecter’ Spy Operation On Defense &...

The Iranian state-sponsored threat actor known as APT42 has been observed targeting individuals and organizations that are of interest to the Islamic Revolutionary Guard Corps (IRGC) as part of a new espionage-focused campaign.

The activity, detected in early September 2025 and assessed to be ongoing, has been codenamed SpearSpecter by the Israel National Digital Agency (INDA).

"The campaign has systematically targeted high-value senior defense and government officials using personalized social engineering tactics," INDA researchers Shimi Cohen, Adi Pick, Idan Beit-Yosef, Hila David, and Yaniv Goldman said. "These include inviting targets to prestigious conferences or arranging significant meetings."

What's notable about the effort is that it also extends to the targets' family members, creating a broader attack surface that exerts more pressure on the primary targets.

APT42 was first publicly documented in late 2022 by Google Mandiant, detailing its overlaps with another IRGC threat cluster tracked as APT35, CALANQUE, Charming Kitten, CharmingCypress, Cobalt Illusion, Educated Manticore, GreenCharlie, ITG18, Magic Hound, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda.

One of the group's hallmarks is its ability to mount convincing social engineering campaigns that can run for days or weeks in an effort build trust with the targets, in some cases masquerading as known contacts to create an illusion of authenticity, before sending a malicious payload or tricking them into clicking on booby-trapped links.

As recently as June 2025, Check Point detailed an attack wave in which the threat actors approached Israeli technology and cyber security professionals by posing as technology executives or researchers in emails and WhatsApp messages.

Goldman told The Hacker News that SpearSpecter and the June 2025 campaign are distinct and have been undertaken by two different sub-groups within APT42.

"While our campaign was carried out by cluster D of APT42 (which focuses more on malware-based operations), the campaign detailed by Check Point was carried out by cluster B of the same group (which focuses more on credential harvesting)," Goldman added.

INDA said SpearSpecter is flexible in that the adversary tweaks its approach based on the value of the target and operational objectives. In one set of attacks, victims are redirected to bogus meeting pages that are designed to capture their credentials. On the other hand, if the end goal is persisten

Source: The Hacker News