What is APT42?
APT42 is an Iranian state-sponsored cyber espionage group attributed to the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization. The IRGC is a major branch of Iran's military with its own Intelligence Organization (IRGC-IO), and APT42 is assessed by threat intelligence researchers to support cyber-enabled surveillance against perceived enemies of the Iranian government. This means APT42 operates with nation-state resources, objectives, and patience that set it apart from typical cybercriminal groups.
Tracking names and aliases: APT42 is the designation used by Mandiant and Google Threat Analysis Group. Microsoft tracks overlapping activity under the composite name Mint Sandstorm (formerly Phosphorus), which encompasses activity attributed by other researchers to both APT42 and the related but distinct APT35/Charming Kitten cluster.
APT42 conducts long-term surveillance and intelligence collection operations against individuals and organizations the Iranian government views as threats. Targets include Iranian dissidents, journalists covering Middle East policy, academics researching Iran, policy analysts at think tanks, and government officials from countries with adversarial relationships to Iran. The group's mission centers on gathering intelligence rather than causing immediate disruption or extracting ransom payments.
Unlike financially motivated threat actors who deploy ransomware or steal data for quick profit, APT42 operates as an advanced persistent threat prioritizing sustained access and long-term data collection. The group is willing to invest weeks or months cultivating relationships with targets before attempting to steal credentials. Operators build trust through impersonation, often posing as journalists seeking interviews or researchers requesting collaboration, before introducing malicious links designed to harvest login credentials.
How APT42 operates: attack lifecycle
APT42 campaigns follow a consistent pattern that emphasizes social engineering over technical exploitation. Rather than searching for software vulnerabilities to exploit, the group invests heavily in researching targets and crafting believable personas to trick individuals into surrendering their credentials. Understanding this lifecycle helps defenders anticipate where detection opportunities exist and where traditional security controls fall short.
Initial access through tailored spear phishing
APT42 operators invest significant effort researching targets before making initial contact. They study a target's professional background, publications, social media presence, and professional network to craft believable outreach. This research allows operators to impersonate credible personas such as journalists from well-known publications, organizers of academic conferences, researchers at respected institutions, or representatives from NGOs aligned with the target's interests.
Initial contact typically occurs through legitimate channels like email or LinkedIn. Operators engage targets in benign conversations that may continue for days or weeks, discussing topics relevant to the target's work without introducing anything malicious. This extended engagement builds familiarity and trust, making the target more likely to comply when the operator eventually makes a request.
Once trust is established, the operator introduces a credential harvesting link disguised as something the target would expect to receive. Common pretexts include sharing a document for review, scheduling an interview, or completing a conference registration form. The phishing infrastructure mimics legitimate services such as Google, Microsoft, or Yahoo login pages, typically hosted on look-alike domains that differ from the real domain by only a character or two. When the target enters credentials on these pages, APT42 captures them for immediate use. Kits of this kind can also prompt for and relay a one-time code in the same session, so OTP-based MFA on its own does not stop the technique.
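The look-alike domains described above are the one artifact of this phase that shows up in mail and proxy logs before any credential is lost. The following is an added example, not code from the original article or from any vendor: it pulls URLs out of a message body and flags hosts that are edit-distance neighbours of a protected sign-in domain, fold to one after common confusable substitutions (rn for m, 0 for o), embed a protected brand as a subdomain of an unrelated domain, or use an internationalized name. The protected-domain list, the confusable table, and the sample message are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of sign-in domains this organization expects to see.
# Load from configuration in a real deployment.
PROTECTED = {"google.com", "microsoftonline.com", "microsoft.com", "yahoo.com"}
MAX_DISTANCE = 2  # edit distance at or below which a domain counts as a look-alike

# Minimal confusable table (hypothetical; production lists are far larger).
_SINGLE_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def normalize(label: str) -> str:
    """Fold common confusables so 'rnicr0soft' compares equal to 'microsoft'."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(_SINGLE_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels (naive: ignores multi-part public suffixes such as co.uk)."""
    return ".".join(host.split(".")[-2:])


def classify_host(host: str):
    """Return (verdict, reason) for one host name."""
    host = host.lower().rstrip(".")
    if "xn--" in host or any(ord(c) > 127 for c in host):
        return "suspicious", "internationalized host name (possible homoglyph domain)"
    reg = registrable(host)
    if reg in PROTECTED:
        return "legitimate", reg
    # Brand name placed as a subdomain of an unrelated registrable domain,
    # e.g. login.microsoftonline.com.<attacker-domain>
    for brand in PROTECTED:
        if brand.split(".")[0] in host.split(".")[:-2]:
            return "suspicious", f"{brand} embedded as subdomain of {reg}"
    # Typosquat or confusable of a protected registrable domain
    for brand in PROTECTED:
        if levenshtein(normalize(reg), brand) <= MAX_DISTANCE:
            return "suspicious", f"look-alike of {brand}"
    return "unknown", reg


def scan_message(text: str):
    """Extract URLs from a message body and classify each host, in order of appearance."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        verdict, reason = classify_host(host)
        results.append((url, verdict, reason))
    return results


# Constructed message body in the style of the pretexts described above.
SAMPLE_EMAIL = """
Thanks again for agreeing to the interview. Please confirm the slot here:
https://login.microsoftonline.com.secure-docs.example.net/confirm
and review the questions in the shared document:
https://accounts.google.com/signin
(backup link: https://rnicrosoftonline.com/common/oauth2)
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}  ({reason})")
```

Run against the sample, the first and third links are flagged (embedded brand and rn-for-m confusable) while the genuine Google link passes. The registrable-domain helper is deliberately naive; in production, use a public suffix list so that brand.co.uk and similar are compared on the right labels.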
Credential harvesting and cloud account access
Credential access provides APT42 with direct entry to cloud-hosted email, documents, and collaboration tools without requiring any malware deployment on the target's device. A single set of credentials can unlock years of communications, attachments, contact lists, and shared documents stored in cloud environments.
APT42 shows particular focus on Microsoft 365 and Google Workspace environments. These platforms centralize email, calendars, file storage, and collaboration tools behind a single authentication mechanism. Compromising one account often reveals communications with other individuals who may become secondary targets, expanding the scope of the operation.
Beyond email and productivity suites, APT42 operators have been reported leveraging compromised cloud provider credentials to access infrastructure directly. When targets have access to AWS, Azure, or GCP consoles, attackers can exfiltrate data from cloud storage, establish persistence by creating new access credentials (AWS access keys, Azure service principals, or GCP service account keys), and potentially reach production systems depending on the compromised identity's permissions and network paths. This direct access to cloud control planes represents a significant escalation beyond email compromise.
Persistence and long-term access
APT42 prioritizes maintaining access over extended periods, often establishing multiple persistence mechanisms to survive password changes or account security reviews. The group's persistence techniques leverage legitimate cloud features in ways that are difficult to distinguish from normal administrative activity.
Application consent abuse: Granting OAuth permissions to attacker-controlled applications that retain access even after password changes
Mailbox rules: Creating email forwarding rules that silently copy messages to external addresses
API key creation: Generating cloud provider credentials that persist independently of user passwords
Secondary account compromise: Moving laterally to additional accounts within the same organization
These techniques allow APT42 to keep collecting even after a target becomes suspicious and changes their password. OAuth grants, mailbox rules, and cloud access keys are independent of the primary credential, so a password change alone does not revoke them. Full eviction means revoking active sessions and refresh tokens, removing attacker-created OAuth consents, deleting forwarding rules, and rotating or deleting access keys. Detecting these mechanisms requires visibility into identity and control plane changes: IAM API calls in the cloud provider's audit trail, application consent events in the identity provider's audit log, and inbox rule changes in the mail platform's audit log.
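The three persistence mechanisms above each leave a distinct audit record. The following is an added example, not code from the original article: a small detector that runs over a constructed batch of CloudTrail events and Microsoft 365 Unified Audit Log records and surfaces access keys minted for another principal, inbox rules that forward outside the organization or silently delete mail, and application consents that grant standing mailbox or file access. The organization's domains, the list of risky scopes, and every sample record are assumptions made for the example; field names follow the two log formats but are trimmed to what the checks use.

```python
import re

# Assumptions for this example: the organization's own mail domains, and the
# Graph scopes that hand an application standing access to mail and files.
ORG_DOMAINS = {"example.org"}
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
                "Files.Read.All", "offline_access"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def finding(rule, severity, principal, detail):
    return {"rule": rule, "severity": severity, "principal": principal, "detail": detail}


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def check_cloudtrail(ev: dict):
    """IAM credential creation: a new access key outlives any password reset."""
    if ev.get("eventSource") != "iam.amazonaws.com":
        return None
    identity = ev.get("userIdentity", {})
    actor = identity.get("userName") or identity.get("arn", "?")
    name = ev.get("eventName")
    if name == "CreateAccessKey":
        target = ev.get("requestParameters", {}).get("userName") or actor
        # A key minted for *another* principal is the stronger signal.
        severity = "high" if target != actor else "medium"
        return finding("iam-access-key-created", severity, actor, f"access key created for {target}")
    if name in ("CreateUser", "CreateLoginProfile"):
        return finding("iam-new-principal-or-login", "high", actor, f"{name} by {actor}")
    return None


def check_m365(rec: dict):
    """Unified Audit Log records: forwarding/deleting inbox rules and risky OAuth consents."""
    op, user = rec.get("Operation"), rec.get("UserId", "?")
    if op in ("New-InboxRule", "Set-InboxRule"):
        params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
        targets = [t for k in FORWARD_PARAMS for t in params.get(k, "").split(";") if t]
        external = [t for t in targets if is_external(t)]
        if external:
            return finding("mailbox-external-forward", "high", user, f"forwards to {', '.join(external)}")
        if params.get("DeleteMessage", "").lower() == "true" and not params.get("Name", "").strip(". "):
            return finding("mailbox-hidden-delete-rule", "medium", user, "unnamed rule deletes messages")
    if op == "Consent to application.":
        scopes = set()
        for prop in rec.get("ModifiedProperties", []):
            if prop.get("Name") == "ConsentAction.Permissions":
                for m in re.finditer(r"Scope:\s*([^,\]]+)", prop.get("NewValue", "")):
                    scopes.update(m.group(1).split())
        risky = sorted(scopes & RISKY_SCOPES)
        if risky:
            return finding("oauth-consent-risky-scopes", "high", user, f"granted {' '.join(risky)}")
    return None


def run(events):
    """Dispatch each record on its shape; returns findings in input order."""
    findings = []
    for ev in events:
        f = check_cloudtrail(ev) if "eventSource" in ev else check_m365(ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "j.doe"},
     "requestParameters": {"userName": "svc-backup"}, "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "j.doe"}},
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "j.doe@example.org",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@mail-sync.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "a.lee@example.org",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Workload": "AzureActiveDirectory", "Operation": "Consent to application.",
     "UserId": "j.doe@example.org",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                             "NewValue": "[] => [[Id: 1a2b, ClientId: 9f8e, ConsentType: Principal, "
                                         "Scope: Mail.Read offline_access User.Read, "
                                         "CreatedDateTime: 2024-05-02T10:20:00]]"}]},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['principal']} ({f['detail']})")
```

Three of the five sample records produce findings, all for the same user, which is the correlation a responder wants: one compromised identity creating a cloud key, a forwarding rule, and an OAuth grant within the same window. The benign inbox rule and the S3 call are ignored.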
Custom malware deployment
While APT42 prefers credential-based access that leaves minimal forensic artifacts, the group also deploys custom malware when the situation requires it. Malware becomes necessary when targets do not use cloud services, when air-gapped systems contain valuable data, or when operators need capabilities beyond what cloud access provides.
NICECURL: A backdoor written in VBScript that establishes command-and-control communication and supports arbitrary command execution
TAMECAT: A PowerShell-based backdoor used for reconnaissance and payload delivery
These tools are typically deployed after initial access is established through credential theft. Operators use them to maintain persistence on specific systems of interest or to exfiltrate data from environments that are not connected to cloud services. Because NICECURL and TAMECAT are APT-specific tools that do not circulate in crimeware ecosystems, signature-based detection depends on whether defenders and threat intelligence providers have obtained and analyzed samples from APT42 campaigns. Behavioral detection of script-based backdoors, such as script interpreters (wscript.exe, cscript.exe, powershell.exe) spawned from Office or mail clients and making outbound connections, does not depend on having a sample.
Defending against APT42
Reducing exposure to APT42-style attacks requires hardening identity controls and improving detection coverage. Prevention focuses on making credential theft harder and less valuable, while detection focuses on identifying compromise quickly enough to limit damage.
Identity hardening
The strategic objective is reducing blast radius: limiting what stolen credentials can access and what attackers can do with compromised identities. Treat every identity as a potential control plane entry point. When APT42 harvests credentials, the damage they can cause depends entirely on what those credentials can reach.
Identity hardening measures reduce the likelihood that APT42 can successfully harvest and use credentials:
Phishing-resistant MFA: Hardware security keys and passkeys (FIDO2/WebAuthn) bind the credential to the site's origin, so a look-alike page cannot obtain a usable assertion; SMS and app-based OTPs are typed by the user and can be relayed by the same phishing page that captured the password
Conditional access policies: Restricting access based on device posture, location, and risk signals
OAuth application review: Auditing and limiting third-party applications with access to organizational data
Least privilege enforcement: Ensuring users and service accounts have only the permissions required for their roles
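To show why the phishing-resistant MFA recommendation above holds against the look-alike pages described earlier, here is an added example that is not code from the original article. It models the three parties of a WebAuthn sign-in: an authenticator that only holds credentials scoped to an rpId, a browser that writes the origin it actually loaded into clientDataJSON, and a relying party that checks challenge, origin, and rpIdHash before the signature. The phishing flow is run twice: once with a properly scoped authenticator (the assertion never happens, because there is no credential for the look-alike host) and once with a hypothetical device that ignores rpId (the relying party rejects the assertion on origin). The origins, rpId, and use of HMAC over a shared secret in place of a real asymmetric key pair are simplifications made for the example.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed relying party: legitimate sign-in origin and its WebAuthn rpId.
RP_ORIGIN = "https://login.example.org"
RP_ID = "login.example.org"
# Constructed look-alike origin of the kind used by the phishing pages discussed above.
PHISH_ORIGIN = "https://login.exarnple.org"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Stand-in for a security key. Simplification: HMAC over a shared secret replaces
    the real per-credential key pair so the example runs on the standard library; the
    rpId scoping and the signed data (authenticatorData || SHA-256(clientDataJSON))
    follow WebAuthn."""

    def __init__(self, scoped: bool = True):
        self.scoped = scoped  # False models a hypothetical device that ignores rpId
        self._keys = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key  # handed to the RP, playing the role of the public key

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self._keys.get(rp_id) if self.scoped else next(iter(self._keys.values()))
        if key is None:
            raise LookupError(f"no credential for rpId {rp_id}")
        auth_data = sha256(rp_id.encode()) + b"\x01"  # rpIdHash || flags (UP set)
        sig = hmac.new(key, auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


class Browser:
    """The browser, not the page, writes the origin into clientDataJSON."""

    def __init__(self, authenticator: Authenticator, page_origin: str):
        self.authenticator, self.page_origin = authenticator, page_origin

    def sign_in(self, challenge: str):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": self.page_origin}).encode()
        rp_id = urlparse(self.page_origin).hostname
        auth_data, sig = self.authenticator.get_assertion(rp_id, sha256(client_data))
        return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, credential_key: bytes):
        self.key = credential_key
        self.pending = set()  # outstanding challenges; each is accepted once

    def new_challenge(self) -> str:
        c = secrets.token_urlsafe(16)
        self.pending.add(c)
        return c

    def verify(self, client_data: bytes, auth_data: bytes, sig: bytes):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self.pending:
            return False, "unknown or replayed challenge"
        if cd.get("origin") != RP_ORIGIN:
            return False, f"origin mismatch: {cd.get('origin')}"
        if auth_data[:32] != sha256(RP_ID.encode()):
            return False, "rpIdHash mismatch"
        expected = hmac.new(self.key, auth_data + sha256(client_data), "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self.pending.discard(cd["challenge"])
        return True, "ok"


def demo():
    """Legitimate sign-in plus two relayed phishing attempts; returns each outcome."""
    results = {}
    for label, scoped in (("scoped", True), ("unscoped", False)):
        authn = Authenticator(scoped=scoped)
        rp = RelyingParty(authn.register(RP_ID))
        if scoped:
            results["legitimate"] = rp.verify(*Browser(authn, RP_ORIGIN).sign_in(rp.new_challenge()))
        # Phishing: the attacker fetches a genuine challenge from the RP and relays it
        # to the victim, whose browser is on the look-alike origin.
        try:
            assertion = Browser(authn, PHISH_ORIGIN).sign_in(rp.new_challenge())
            results[f"phishing_{label}"] = rp.verify(*assertion)
        except LookupError as e:
            results[f"phishing_{label}"] = (False, str(e))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:18} {'ACCEPTED' if ok else 'REJECTED'}: {reason}")
```

Contrast this with an OTP: the code the user types into the look-alike page is just a string the attacker forwards to the real site, and nothing in it says where it was typed. Here the browser-supplied origin is part of what is signed, and the RP checks it before trusting the signature.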
Detection and response readiness
Detection and response measures ensure that if APT42 does gain access, defenders identify the compromise and contain it before significant data loss occurs:
Cloud audit logging: Ensuring complete coverage of identity and control plane events across all cloud environments
MITRE ATT&CK mapping: Validating detection coverage against techniques associated with APT42 and similar actors
Identity-aware correlation: Connecting identity signals with cloud activity and runtime events to surface complete attack stories
Incident response playbooks: Preparing containment actions for credential compromise such as session and refresh token revocation, password reset, removal of attacker-created OAuth consents and mailbox rules, and rotation of any access keys the account could create
Organizations should test their detection capabilities against known APT42 techniques before an incident occurs. Tabletop exercises that walk through realistic APT42 scenarios help identify gaps in visibility and response procedures.
How Wiz helps detect and respond to APT42-style threats
Defending against patient, identity-focused adversaries like APT42 requires connecting signals that span identity, cloud infrastructure, and runtime. Siloed tools that monitor only endpoints, only network traffic, or only cloud logs miss the cross-layer patterns that reveal sophisticated intrusions.
Wiz Defend helps teams correlate identity activity, cloud control plane signals, and runtime telemetry to surface patterns consistent with identity-focused adversary tradecraft. It combines Identity Threat Detection and Response (ITDR), Cloud Detection and Response (CDR), and Wiz Sensor runtime telemetry to improve coverage of APT42-style tradecraft, including credential abuse, OAuth persistence, and lateral movement across cloud environments.
Wiz's ITDR capabilities monitor for anomalous user behavior, unusual access patterns, and privilege escalation attempts across cloud identity providers. When an APT42 operator uses harvested credentials to access cloud resources, Wiz correlates identity activity with cloud resource context. Defenders can immediately see whether the compromised account has access to sensitive data or administrative permissions, allowing them to prioritize response based on actual impact rather than generic alert severity.
The Wiz Security Graph and Investigation Graph help visualize the blast radius of a potential compromise. Defenders can trace a path from suspicious identity activity to impacted resources and likely next steps, understanding which cloud assets, data stores, and lateral movement opportunities are at risk. Teams can then drive containment through existing workflows (ticketing systems, automation playbooks, or direct remediation) instead of manually pivoting between identity provider consoles, cloud provider logs, and endpoint tools to reconstruct what happened.
If you're prioritizing identity-aware detection and faster investigations in cloud environments, seeing how identity signals, cloud control plane activity, and runtime telemetry correlate end-to-end is the fastest way to evaluate fit. Get a demo to see how Wiz Defend helps security teams detect and respond to sophisticated threat actors like APT42 targeting cloud environments.
Detect active cloud threats
Learn how Wiz Defend detects active threats using runtime signals and cloud context—so you can respond faster and with precision.
