Iranian Hackers Launch ‘SpearSpecter’ Spy Operation (APT42)

Iran-linked APT42 is running “SpearSpecter,” a spear-phishing and social-engineering campaign against high-value defence and government officials, sometimes extending to family members. Lures include conference invites and meeting requests. The operation uses personalised pretexts and custom tooling (e.g., TAMECAT) to gather credentials and maintain access. The Israel National Digital Agency says activity began in early September 2025 and continues.

The playbook
1. Hand-crafted messages with accurate biographical details.
2. Links to “registration” or “itinerary” portals that collect credentials.
3. Follow-on tooling to persist, observe and exfiltrate.

Why it works
The invites look legitimate, time-boxed and flattering. Senior targets are busy; assistants and relatives sometimes click first. Once a single account is in hand, lateral movement to mail and cloud files follows.

Practical mitigations
• Enforce phishing-resistant MFA for senior staff and family-linked accounts.
• Pre-approve conference domains; validate invites out-of-band.
• Log and alert on suspicious OAuth consents and inbox rule changes.
• Train EAs and chiefs of staff — they’re the first line.

Diplomacy may require RSVP; security should require verification.
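
One way to implement the "log and alert on suspicious OAuth consents and inbox rule changes" mitigation above, as an added example that is not from the original article or any agency's tooling. The event schema, domain, app IDs and account names are constructed assumptions; map your mail and identity platform's audit fields onto them.

```python
# Added example: triage of normalised audit events (hypothetical schema).
ORG_DOMAINS = {"example.gov"}              # assumption: the organisation's own mail domains
APPROVED_APPS = {"app-calendar-sync"}      # assumption: vetted OAuth client IDs
WATCHLIST = {"minister@example.gov", "ea@example.gov"}  # senior staff, EAs, family-linked accounts
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "offline_access"}

def _external(addr):
    # Anything not clearly on an organisation domain is treated as external (fail closed).
    return addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS

def findings(event):
    """Return the reasons this event deserves an alert (empty list = benign)."""
    out = []
    if event["action"] == "inbox_rule":
        ext = [a for a in event.get("forward_to", []) if _external(a)]
        if ext:
            out.append("rule forwards mail externally: " + ", ".join(ext))
        if event.get("delete") or event.get("mark_read"):
            out.append("rule hides incoming mail from the mailbox owner")
    elif event["action"] == "oauth_consent":
        risky = sorted(RISKY_SCOPES & set(event["scopes"]))
        if risky and event["app_id"] not in APPROVED_APPS:
            out.append(f"unapproved app {event['app_id']} granted {', '.join(risky)}")
    return out

def triage(events):
    """Return (severity, user, reasons) tuples; watchlisted accounts escalate to high."""
    alerts = []
    for ev in events:
        reasons = findings(ev)
        if reasons:
            sev = "high" if ev["user"].lower() in WATCHLIST else "medium"
            alerts.append((sev, ev["user"], reasons))
    return alerts

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"user": "minister@example.gov", "action": "inbox_rule", "forward_to": ["box@mail.example.net"], "mark_read": True},
    {"user": "analyst@example.gov", "action": "inbox_rule", "forward_to": ["team@example.gov"]},
    {"user": "clerk@example.gov", "action": "inbox_rule", "forward_to": ["me@personal.example.org"]},
    {"user": "ea@example.gov", "action": "oauth_consent", "app_id": "app-itinerary-viewer", "scopes": ["offline_access", "Mail.Read"]},
    {"user": "clerk@example.gov", "action": "oauth_consent", "app_id": "app-calendar-sync", "scopes": ["Mail.Read"]},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Internal forwarding and consent to an approved app pass silently; only external forwarding, mail-hiding rules and risky scopes granted to unvetted apps raise alerts.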