Iranian state-sponsored hackers, tracked by Mandiant as APT42, are using sophisticated social engineering to infiltrate victims' cloud environments by impersonating journalists and event organizers. Their targets include Western and Middle Eastern NGOs, media organizations, academia, legal services, and activists. The group also harvests credentials through trust-building correspondence that eventually steers the target to a fake login page, a technique that can bypass multi-factor authentication: when the phishing page also prompts for the one-time code and the attacker uses the captured password and code before the code expires, code-based MFA offers no protection, and only phishing-resistant factors such as FIDO2 security keys or passkeys defeat this class of attack.

Iranian hackers use advanced social engineering to steal credentials

Alongside the cloud-focused campaigns, the group operates custom backdoors, NICECURL and TAMECAT, which it delivers through spear-phishing. The chain typically begins with a lure on a foreign-affairs topic: the victim clicks a link, is redirected to a fake website, and lands on a fake login page where credentials are harvested. To make the campaigns credible, the actor uses decoy material and hosts the malicious content on attacker-controlled platforms, and it applies defense-evasion techniques once inside. Mandiant has published indicators of compromise associated with the activity.
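The detection side of the chain above, as an added example that is not code from the article or from Mandiant: a small Python check that scans constructed URL-click records for the signs of a fake login page (a lookalike or homoglyph domain, a brand name on an untrusted host, a sign-in path on a host that is not allow-listed, or a brand placed in the userinfo part of the URL). The allow-list, brand tokens, homoglyph table and sample log lines are assumptions made up for illustration; the real indicators are in Mandiant's published list, not here.

```python
"""Flag links that look like credential-harvesting login pages.

Added example, not from the article or from Mandiant. The allow-list,
brand tokens, homoglyph table and sample click records are constructed
assumptions for illustration only.
"""
import re
from urllib.parse import urlparse

# Assumed allow-list: hosts where a sign-in page is expected.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Registrable domains of those brands, used for lookalike comparison.
LEGIT_DOMAINS = {"microsoftonline.com", "microsoft.com", "google.com"}

# Tokens a phishing host often embeds to borrow a brand's credibility.
BRAND_TOKENS = ("microsoft", "office365", "outlook", "google", "gmail")

# Path or query fragments that suggest a sign-in or second-factor prompt.
LOGIN_HINTS = ("login", "signin", "sign-in", "auth", "verify", "mfa", "otp")

# Common homoglyph tricks seen in lookalike hostnames.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def normalize(label):
    """Collapse homoglyph tricks so 'rnicr0soft' compares as 'microsoft'."""
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); real code should use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return the reasons a URL looks like a fake login page ([] if nothing fires)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    domain = registrable_domain(host)
    if host in LEGIT_LOGIN_HOSTS or domain in LEGIT_DOMAINS:
        return []
    reasons = []
    # 'https://login.microsoftonline.com@evil.example/' shows the brand in the
    # userinfo part while the browser actually connects to evil.example.
    if p.username:
        reasons.append("userinfo_in_url")
    name = normalize(domain.split(".")[0])
    for legit in LEGIT_DOMAINS:
        legit_name = normalize(legit.split(".")[0])
        if name == legit_name or levenshtein(name, legit_name) <= 1:
            reasons.append("lookalike_domain")
            break
    if any(tok in host for tok in BRAND_TOKENS):
        reasons.append("brand_in_untrusted_host")
    path = (p.path + "?" + p.query).lower()
    if any(hint in path for hint in LOGIN_HINTS):
        reasons.append("login_path_on_untrusted_host")
    return reasons


# Constructed sample click records (not real telemetry).
SAMPLE_CLICKS = [
    "2024-05-02T09:14:03Z user=analyst1 url=https://login.microsoftonline.com/common/oauth2/authorize",
    "2024-05-02T09:20:41Z user=analyst1 url=https://rnicrosoft-online.example/auth/verify?otp=1",
    "2024-05-02T10:02:17Z user=editor2 url=https://accounts.google.com/signin/v2/identifier",
    "2024-05-02T10:05:55Z user=editor2 url=https://docs-share.example/foreign-affairs-brief.pdf",
    "2024-05-02T10:06:30Z user=editor2 url=https://login.microsoftonline.com@secure-docs.example/login",
    "2024-05-02T11:41:09Z user=fellow3 url=http://outlook-webmail.example/owa/auth.owa",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) url=(?P<url>\S+)$")


def scan_clicks(lines):
    """Return (timestamp, user, url, reasons) for each click that looks like a fake login page."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable record; a real pipeline would count these
        reasons = classify_url(m["url"])
        if reasons:
            hits.append((m["ts"], m["user"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for ts, user, url, reasons in scan_clicks(SAMPLE_CLICKS):
        print(ts, user, url, ",".join(reasons))
```

Note that the foreign-affairs PDF lure itself is not flagged; the lure is only the bait, and the detectable step is the credential prompt it leads to. In production, the allow-list should come from the tenant's real identity providers and the eTLD+1 logic from the public suffix list.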
https://www.csoonline.com/article/2097509/iranian-hackers-harvest-credentials-through-advanced-social-engineering-campaigns.html