> threat_actor APT42 —— origin: Iran (IRGC-IO) —— method: social engineering —— objective: surveillance of individuals
APT42 — also tracked as Charming Kitten, Mint Sandstorm, TA453, Yellow Garuda, ITG18, and Educated Manticore — is an Iranian state-sponsored cyber espionage group that has been conducting operations since at least 2015. Mandiant assesses with moderate confidence that the group operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), the branch of Iran's intelligence apparatus responsible for monitoring and preventing foreign threats to the Islamic Republic and suppressing domestic unrest.
What makes APT42 distinct from every other Iranian threat group — and from most nation-state actors globally — is their target selection and methodology. Where APT33 targets aerospace companies for intellectual property and APT39 targets telecoms for surveillance data, APT42 targets people. Specifically: journalists, academics, think tank researchers, human rights activists, political campaign staff, diplomats, former government officials, members of the Iranian diaspora, and anyone deemed an opponent or critic of the Iranian regime. Their weapon is not malware — it is trust.
APT42's operators are among the most skilled social engineers in the state-sponsored threat landscape. They build relationships over weeks — sometimes months — before ever sending a malicious link. They impersonate journalists, fellow academics, conference organisers, and recruiters. They communicate via email, WhatsApp, and Telegram. They research their targets extensively and craft approaches so convincing that even security-aware individuals have been compromised. In 2024, they successfully hacked the Trump presidential campaign, stole internal documents including a 271-page vice-presidential vetting dossier, and leaked the material to journalists — demonstrating capabilities that echo Russia's 2016 election interference playbook.
| Attribute | Detail |
|---|---|
| Tracked Names | APT42 (Mandiant/Google), Charming Kitten (ClearSky/CERTFA), Mint Sandstorm (Microsoft, current), Phosphorus (Microsoft, legacy), TA453 (Proofpoint), Yellow Garuda (PwC), ITG18 (IBM X-Force), Educated Manticore (Check Point), CALANQUE (Google TAG) |
| State Sponsor | Islamic Republic of Iran — Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). The IRGC-IO's mandate includes monitoring foreign threats to the regime and domestic unrest. This directly explains APT42's targeting of dissidents, journalists, and political opponents of the Iranian government. |
| Active Since | At least 2015, with over 30 confirmed espionage operations documented by Mandiant. Continuous activity through 2024, including the US presidential campaign hack. |
| Primary Objective | Surveillance and intelligence collection against individuals — their personal communications, political activities, travel plans, contacts, and associations. Supports the IRGC-IO's mission to monitor threats to the regime, track dissidents, and collect intelligence on foreign policy decision-makers. |
| Relationship to APT35 | Historically overlapping with APT35 (Cobalt Illusion), but Mandiant separated them as distinct groups in 2022. APT35 focuses on long-term, resource-intensive operations against military, diplomatic, and government targets. APT42 focuses on individuals and operates with different TTPs and infrastructure. Both are assessed as IRGC-affiliated but serve different operational mandates. |
| Legal Actions | In September 2024, the US Department of Justice indicted three IRGC-linked individuals for the Trump campaign hack. Microsoft, Google, and Meta have all publicly attributed operations to the group and taken action to disrupt their infrastructure — Microsoft seized 99 domains in 2019, Meta blocked WhatsApp accounts in August 2024, and Google secured compromised accounts and referred activity to law enforcement. |
APT42's target selection maps directly to the IRGC-IO's intelligence requirements. Their targets are not chosen for the organisations they work for, but for who they are, what they know, and who they communicate with. This makes APT42 fundamentally different from most state-sponsored groups — they conduct human intelligence collection through cyber means.
| Target Category | Why They Are Targeted | Observed Campaigns |
|---|---|---|
| Journalists and Media | Journalists covering Iran, Middle Eastern politics, and nuclear policy shape public narrative and may have confidential sources within Iran. Compromising their accounts reveals sources, unpublished reporting, and contacts with dissidents. | Impersonation of journalists from Wall Street Journal, CNN, Deutsche Welle, and other outlets to build trust with targets. Fake interview requests used to harvest credentials. Ongoing campaigns against journalists covering Israeli-Iranian tensions. |
| Academics and Think Tanks | Researchers in Middle Eastern affairs, nuclear security, and foreign policy directly influence Western government decision-making. Their analysis, contacts, and unpublished research are intelligence gold. | Impersonation of fellow academics and think tank researchers. Fake conference invitations. Typosquatted domains mimicking the Brookings Institution, Washington Institute for Near East Policy, and other policy organisations. Targeted Israeli cybersecurity academics in 2025. |
| Political Campaigns and Government Officials | Access to campaign communications reveals political strategy, policy positions, and vulnerability assessments. Government officials hold classified or sensitive policy information. | 2024 US presidential election: targeted approximately 12 individuals associated with both Trump and Biden/Harris campaigns. Successfully compromised Trump campaign adviser Roger Stone's accounts. Stole and leaked internal campaign documents including JD Vance vetting dossier. |
| Iranian Diaspora and Dissidents | Exiled opposition figures, activists, and former government officials who criticise the regime are primary surveillance targets for the IRGC-IO. Monitoring their communications, contacts, and activities supports both intelligence and potential physical operations. | Targeted members of Iranian opposition groups in Europe and North America. Credential harvesting against diaspora activists. Mobile surveillance malware deployed against individuals inside Iran. Germany's domestic intelligence agency (BfV) issued public warnings in 2023. |
| Human Rights and NGOs | Human rights organisations documenting Iranian government abuses, advocacy groups, and legal services working on Iran-related cases. Compromising their communications reveals witness identities, case strategies, and evidence. | Targeted Western and Middle Eastern NGOs. Credential harvesting against legal services firms working on Iran-related matters. Cloud-based exfiltration of documents from US and UK organisations. |
| Adaptive Targeting | APT42 shifts targets based on evolving Iranian priorities. COVID-19 triggered targeting of pharmaceutical researchers. Israeli-Iranian tensions triggered targeting of Israeli military and defence sector personnel. Proofpoint observed new targeting of aerospace engineers, medical researchers, and travel agencies — suggesting new IRGC intelligence requirements. | Pharmaceutical sector targeting from March 2020 (COVID onset). Intensified Israeli targeting from April 2024. New sectors suggest possible collaboration with other IRGC branches including Quds Force. |
APT42's defining capability is social engineering. Their operators do not simply send phishing emails — they conduct sustained, personalised manipulation campaigns that exploit human trust. The approach is methodical: identify the target, research their work and contacts, create a credible persona, initiate contact through a plausible pretext, build rapport over days to weeks, and only then deliver the credential harvesting link or malicious payload.
A critical detail: APT42's phishing kits are sophisticated enough to capture MFA tokens in real time. When the victim enters their password and MFA code on the cloned login page, APT42's infrastructure immediately relays those credentials to the real service, establishing a session before the MFA code expires. This defeats standard time-based one-time passwords (TOTP) and SMS-based MFA; only phishing-resistant MFA methods (FIDO2 security keys, passkeys) withstand this technique, because the credential is bound to the legitimate site's origin and cannot be relayed from a cloned domain.
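To show why FIDO2 and passkeys survive the real-time relay described above, the following Python is an added example (not code from the original page): it applies the relying-party checks a WebAuthn server performs on an assertion. The RP ID, origin, typosquatted domain and sample data are constructed, and signature verification is left out.

```python
import base64
import hashlib
import json
import secrets

# Relying-party configuration; constructed values for this example.
RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"

def b64url_decode(data: str) -> bytes:
    # WebAuthn uses unpadded base64url in clientDataJSON; restore padding first.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def check_assertion_binding(client_data_b64: str, auth_data: bytes,
                            expected_challenge: bytes) -> tuple[bool, str]:
    """Origin, challenge and RP ID checks from the WebAuthn assertion ceremony.
    The browser writes the page origin into clientDataJSON and the authenticator
    hashes the RP ID into authData; the user never types either, so an assertion
    collected on a look-alike domain fails even when relayed within seconds.
    Signature verification (authData || SHA-256(clientDataJSON)) is omitted."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid base64url JSON"
    if not isinstance(client_data, dict) or client_data.get("type") != "webauthn.get":
        return False, "malformed or unexpected ceremony type"
    # Challenge binding: a captured assertion cannot answer a later session.
    challenge = b64url_decode(client_data.get("challenge", ""))
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch"
    # Origin binding: the check that defeats a real-time relay on another domain.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    # RP ID binding: authData starts with SHA-256(rpId), then a flags byte.
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP flag: authenticator confirmed user presence
        return False, "user presence flag not set"
    return True, "assertion bound to expected origin and RP"

def make_client_data(origin: str, challenge: bytes) -> str:
    """Build clientDataJSON as a browser on `origin` would (constructed input)."""
    body = {"type": "webauthn.get", "origin": origin,
            "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}
    return base64.urlsafe_b64encode(json.dumps(body).encode()).rstrip(b"=").decode()

def demo() -> dict:
    challenge = secrets.token_bytes(32)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00" * 4
    genuine = make_client_data(EXPECTED_ORIGIN, challenge)
    # A relay forwards the assertion unchanged, but the browser stamped the
    # typosquatted origin (constructed) into it, so the real service rejects it.
    relayed = make_client_data("https://accounts-example.com", challenge)
    ok_g, _ = check_assertion_binding(genuine, auth_data, challenge)
    ok_r, why = check_assertion_binding(relayed, auth_data, challenge)
    return {"genuine": ok_g, "relayed": ok_r, "relayed_reason": why}
```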
In May and June 2024, APT42 targeted approximately twelve individuals associated with both the Trump and Biden/Harris presidential campaigns, including current and former government officials, political consultants, and campaign workers. Google's Threat Analysis Group (TAG) detected and publicly attributed the activity to APT42 in August 2024.
| Date | Event |
|---|---|
| May–June 2024 | APT42 sends spear-phishing emails to ~12 individuals associated with both campaigns. Targets include current and former government officials and campaign workers. The personal Gmail account of a high-profile political consultant is compromised. |
| June 2024 | APT42 compromises the email account of Trump campaign adviser Roger Stone. Microsoft alerts Stone that his Hotmail account was breached, attributed to Iranian actors. The FBI subsequently alerts Stone that his Gmail was also compromised. |
| July 2024 | Using the pseudonym 'Robert', the hackers begin contacting journalists at Politico, Washington Post, and New York Times with stolen Trump campaign documents — including a 271-page vetting dossier on JD Vance and another on Marco Rubio. |
| 10 August 2024 | Politico publicly reports receiving the leaked documents. The Trump campaign confirms it was hacked, attributing the breach to Iran. The Biden/Harris campaign acknowledges being targeted but states the phishing attempt was unsuccessful. |
| 14 August 2024 | Google TAG publishes detailed attribution to APT42. Reports a 'small but steady cadence' of ongoing phishing attempts. Google secures compromised accounts and refers activity to law enforcement. |
| 19 August 2024 | FBI, ODNI, and CISA issue joint statement: Iran seeks to 'stoke discord and undermine confidence in democratic institutions.' Intelligence agencies confirm Iran was behind the hack. |
| 23 August 2024 | Meta blocks WhatsApp accounts linked to APT42 used to contact US political and diplomatic officials. |
| 27 September 2024 | US Department of Justice unseals indictment charging three IRGC-linked individuals with conspiracy, computer intrusion, and aggravated identity theft for hacking the Trump campaign. |
The operation drew immediate comparisons to Russia's 2016 hack of the Democratic National Committee and the Clinton campaign. The methodology was different — APT42 used social engineering and credential harvesting rather than malware-based exploitation — but the strategic objective was analogous: steal sensitive campaign materials and leak them to influence the election. US intelligence agencies assessed that Iran's efforts were motivated in part by the desire to retaliate for the January 2020 assassination of IRGC General Qasem Soleimani.
APT42's primary tool is not malware — it is the phishing kit. Their credential harvesting infrastructure is purpose-built, regularly updated, and sophisticated enough to bypass MFA. However, the group also maintains malware capabilities for deeper operations when credential access alone is insufficient.
| Capability | Implementation | Target |
|---|---|---|
| Credential Harvesting Kits | Custom phishing pages mimicking Google, Microsoft, and Yahoo login portals. Pages pre-fill the victim's email address. Kits capture password and MFA token simultaneously and relay them in real-time to authenticate to the real service. Hosted on typosquatted domains and cloud infrastructure. Multiple infrastructure clusters maintained for different target sectors. | All target categories. Credential access to personal email is the primary objective in the majority of APT42 operations. |
| GhostEcho / CharmPower | PowerShell-based backdoor used to deliver follow-on espionage capabilities after initial access. Provides persistent command execution, file exfiltration, and the ability to deploy additional tooling on compromised systems. | Targets where persistent system access is required beyond email compromise. Observed in more aggressive campaigns that Proofpoint assesses may represent collaboration with other IRGC branches. |
| NICECURL / TAMECAT | Custom backdoors observed in recent campaigns. NICECURL is a VBScript-based backdoor; TAMECAT is a PowerShell-based implant. Both provide command execution, reconnaissance, and data exfiltration capabilities. | Post-compromise operations against high-value targets where email access alone is insufficient. |
| Mobile Surveillance (Android) | Android malware including VINETHORN and PINEFLOWER distributed via SMS. Capabilities include: audio and call recording, multimedia extraction, SMS interception, and GPS geolocation tracking. One observed payload masqueraded as SaferVPN, a legitimate VPN application. | Iranian diaspora, dissidents, and activists — particularly those inside Iran. Mobile surveillance supports the IRGC-IO's domestic security and counter-dissident mandate. |
| Cloud Exploitation | Post-credential-harvest, APT42 accesses victims' cloud environments (Google Workspace, Microsoft 365, OneDrive, SharePoint). Uses built-in features — mail forwarding rules, OAuth app permissions, delegated access — to maintain persistence and exfiltrate data without deploying malware. Avoids detection by using legitimate cloud platform functionality. | Western NGOs, legal services, academic researchers. Cloud-native operations observed exfiltrating documents from US and UK organisations. |
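The cloud-native persistence in the last row (forwarding rules, OAuth consents) leaves audit-log traces a defender can hunt for. The following Python is an added example, not from the original page: it scans constructed records modelled on Microsoft 365 unified audit log entries (the schema is approximated and every value is invented) for external forwarding, notification-hiding rules and broad mail/file consents.

```python
import json

# Mail domains owned by the organisation (constructed for this example).
INTERNAL_DOMAINS = {"example.org"}
# Rule parameters that send copies of mail elsewhere.
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
# Subject filters that divert security and MFA notices away from the mailbox owner.
ALERT_WORDS = ("password", "security alert", "verification", "sign-in")
# OAuth scopes that give a third-party app standing access to mail and files.
SENSITIVE_SCOPES = ("Mail.Read", "Mail.ReadWrite", "Files.Read.All", "offline_access")

# Constructed records in the shape of Microsoft 365 unified audit log entries;
# every value below is invented for this example.
SAMPLE_LOG = """\
{"CreationTime":"2024-06-03T09:12:44","UserId":"analyst@example.org","Operation":"New-InboxRule","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"archive.mailbox@outlook-mail.example"},{"Name":"DeleteMessage","Value":"True"},{"Name":"SubjectContainsWords","Value":"password;security alert;verification"}]}
{"CreationTime":"2024-06-03T09:15:02","UserId":"analyst@example.org","Operation":"Set-Mailbox","ClientIP":"203.0.113.7","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:archive.mailbox@outlook-mail.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-06-03T09:20:31","UserId":"analyst@example.org","Operation":"Consent to application.","ClientIP":"203.0.113.7","ModifiedProperties":[{"Name":"ConsentAction.Permissions","NewValue":"[[Scope: Mail.Read Mail.ReadWrite Files.Read.All offline_access]]"}]}
{"CreationTime":"2024-06-03T11:02:10","UserId":"editor@example.org","Operation":"New-InboxRule","ClientIP":"198.51.100.20","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"},{"Name":"From","Value":"news@example.org"}]}
"""

def is_external(addr: str) -> bool:
    """True when the address (optionally 'smtp:'-prefixed) is outside our domains."""
    addr = addr.lower().removeprefix("smtp:")
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def findings_for(rec: dict) -> list[str]:
    """Persistence and exfiltration indicators present in one audit record."""
    op = rec.get("Operation", "")
    p = {x["Name"]: str(x.get("Value", "")) for x in rec.get("Parameters", [])}
    out = []
    if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        if any(is_external(p[k]) for k in FORWARD_KEYS if k in p):
            out.append("mail forwarded to an external address")
        if p.get("DeleteMessage", "").lower() == "true":
            out.append("rule deletes the messages it forwards")
        subject = p.get("SubjectContainsWords", "").lower()
        if any(w in subject for w in ALERT_WORDS):
            out.append("rule filters security/MFA notifications")
    if op == "Consent to application.":
        granted = " ".join(str(m.get("NewValue", "")) for m in rec.get("ModifiedProperties", []))
        hits = [s for s in SENSITIVE_SCOPES if s in granted]
        if hits:
            out.append("OAuth consent granting " + ", ".join(hits))
    return out

def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Parse newline-delimited JSON and return (user, operation, finding) triples."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            results.extend((rec.get("UserId", "?"), rec.get("Operation", "?"), f)
                           for f in findings_for(rec))
    return results
```

Several findings for one user from one client IP within minutes, as in the constructed sample, is the pattern worth escalating; a single benign rule like the editor's is not.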
Defending against APT42 is fundamentally different from defending against infrastructure-targeting groups. APT42 attacks individuals — often on their personal devices and accounts, outside the protective boundary of corporate security controls. The defences must therefore be individual-centric: hardening personal accounts, building awareness of social engineering, and providing institutional support for high-risk individuals.
APT42 operates alongside several other Iranian state-sponsored groups, each serving different strategic objectives. Understanding where APT42 fits helps organisations assess which Iranian threats are relevant to their specific risk profile.
| Group | Sponsor | Focus | Relationship to APT42 |
|---|---|---|---|
| APT42 | IRGC-IO | Surveillance of individuals: journalists, academics, dissidents, political figures. Social engineering and credential harvesting. | — |
| APT35 | IRGC | Military, diplomatic, and government targets. Long-term, resource-intensive operations. Defence industrial base and critical infrastructure. | Historically overlapping activity. Mandiant separated APT42 from APT35 in 2022. Different missions, TTPs, and operational mandates despite shared IRGC affiliation. |
| APT33 | IRGC | Aerospace, defence, and energy sector espionage. Intellectual property theft. Potential destructive capability. | Distinct group. APT33 targets organisations for IP; APT42 targets individuals for intelligence. Different tradecraft — APT33 uses password spraying and malware, APT42 uses social engineering. |
| APT39 | MOIS | Telecommunications and travel sector targeting for surveillance data (CDRs, PNRs). Tracking individuals through data held by third parties. | Complementary rather than overlapping. APT39 acquires surveillance data from telecoms; APT42 acquires it directly from the target's accounts. Different sponsors (MOIS vs IRGC-IO). |
| APT34 (OilRig) | MOIS | Government, financial, energy, and telecom sectors across the Middle East. Infrastructure-focused espionage. | Distinct group with different sponsor and targets. Some occasional infrastructure overlap, likely reflecting shared national resources. |
| MuddyWater | MOIS | Telecommunications, energy, government, and academia. Middle East and South Asia focus. Espionage and disruption. | Distinct group. Different sponsor, targeting, and TTPs. MuddyWater favours administrative tools and RATs; APT42 favours social engineering. |
APT42 is the IRGC Intelligence Organization's human-targeting specialist — a cyber espionage group whose primary weapon is not malware but trust. They invest weeks building relationships with targets, impersonate trusted contacts with remarkable skill, and deploy credential harvesting infrastructure sophisticated enough to bypass standard MFA. Their target list — journalists, academics, dissidents, political campaign staff, and human rights workers — reflects the IRGC-IO's mandate to monitor threats to the Iranian regime and collect intelligence on foreign policy decision-makers.
The 2024 US presidential election hack demonstrated APT42's capabilities at their most consequential. They compromised campaign advisers, stole internal documents, and leaked them to the media — an operation that drew direct comparisons to Russia's 2016 election interference. Three IRGC-linked individuals were indicted by the US Department of Justice. Despite the indictments, the group continues to operate.
For individuals in APT42's target categories, the defensive imperative is clear: deploy phishing-resistant MFA (security keys, not SMS codes), enrol in advanced protection programmes, verify all unsolicited professional contact through independent channels, and treat government-backed attacker warnings as genuine emergencies. APT42 does not target networks — they target the people whose accounts hold the intelligence the IRGC needs. If you work in Middle Eastern policy, nuclear security, journalism covering Iran, human rights advocacy, or political campaigns, you are a potential target, and your personal account security is a national security matter.
Our security awareness and phishing simulation services can be tailored to replicate APT42's specific tactics — multi-stage social engineering, trust-building approaches, and MFA-bypassing credential harvesting — to test whether your people and processes can identify and resist the most sophisticated social engineering threats in the state-sponsored landscape.