Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ APT42

🌐APT42

🌐 APT42 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 32 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1044) ↗
14Use cases
0Articles
32Techniques
0IOCs

About this actor (MITRE)

[APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015.(Citation: Mandiant APT42-charms) [APT42](https://attack.mitre.org/groups/G1044) starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices.(Citation: Mandiant APT42-charms) Finally

Known aliases

APT42

Top techniques

T1016 · System Network Configuration DiscoveryT1036.005 · Match Legitimate Resource Name or LocationT1047 · Windows Management Instrumentation

All other tracked techniques

T1053.005 · Scheduled TaskT1056 · Input CaptureT1056.001 · KeyloggingT1059.001 · PowerShellT1059.005 · Visual BasicT1070 · Indicator RemovalT1070.008 · Clear Mailbox DataT1071.001 · Web ProtocolsT1082 · System Information DiscoveryT1087.001 · Local AccountT1102 · Web ServiceT1111 · Multi-Factor Authentication InterceptionT1112 · Modify RegistryT1113 · Screen CaptureT1132.001 · Standard EncodingT1518.001 · Security Software DiscoveryT1530 · Data from Cloud StorageT1539 · Steal Web Session CookieT1547 · Boot or Logon Autostart ExecutionT1555.003 · Credentials from Web BrowsersT1566.002 · Spearphishing LinkT1573.002 · Asymmetric CryptographyT1583.001 · DomainsT1583.003 · Virtual Private ServerT1585.002 · Email AccountsT1588.002 · ToolT1608.001 · Upload MalwareT1682 · Query Public AI ServicesT1684.001 · Impersonation

Detection use cases (14)

APT42 (Charming Kitten / Mint Sandstorm) credential-harvest click followed by token-replay sign-in to M365 AI · profile S APT42 NICECURL / TAMECAT VBS-to-PowerShell loader spawning from Office or wscript AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Supply-chain repo credential theft → outbound exfil to attacker infra MITRE match Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read MITRE match Beaconing — periodic outbound to small set of destinations MITRE match