Iranian hackers pose as journalists to push backdoor malware

News
By published

Hackers impersonate Washington Post journalists, among others

Best identity theft protection
(Image credit: Pixabay)

APT42, an Iranian state-sponsored hacking group also known as Charming Kitten or Yellow Garuda has been spotted impersonating journalists from popular mainstream media titles in an attempt to deliver multi-purpose backdoors to their targets.

A report from Google cybersecurity researchers found the threat actors would first set up email addresses on typosquatted domains, impersonating journalists, NGO representatives, and event organizers. 

The impersonated organizations include the Washington Post, The Economist, The Jerusalem Post, Khaleej Times, Azadliq, and others. 

Nicecurl and Tamecat

Then, they would reach out to their targets, mostly located in the Middle East, and West, and engage in conversation. After building some credibility, the attackers would share a link to a document relating to a conference, or a news article. The link would redirect the victims to a phishing page where, should they fall for the trap, they can share their login credentials, and even multi-factor authentication (MFA) tokens.

The final step is to use the obtained credentials to infiltrate their target’s corporate network and deploy two backdoors: "Nicecurl" and "Tamecat”.

Nicecurl seems to be the less capable one, allowing for command execution, deploying additional malware, and stealing sensitive data. Tamecat can execute arbitrary PowerShell code and is generally described as more flexible.

The researchers argue that APT42 is linked to Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). Over the years it has built a reputation of infamy, having been involved in dozens of high-profile attacks. The researchers first observed it back in 2015, and have apparently engaged in at least 30 different operations. 

While the targets may differ, the goal is always the same - to gather important intelligence, vital for the advancement of Iranian state agendas. In that respect, the targets are mostly located in Israel, the United States, and Europe.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
China
Chinese hackers develop effective new hacking technique to go after business networks
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
China-linked cyberespionage group PlushDaemon used South Korean VPN service to inject malware
Red padlock open on electric circuits network dark red background
Aviation firms hit by devious new polyglot malware
A digital representation of a lock
Looking for a new job? Watch out you don't fall for this new malware scam
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
China
Chinese hackers targeting Juniper Networks routers, so patch now
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Toni Collette in Hereditary
Everything leaving Netflix in April 2025 – from the scariest movie ever made to a beloved DreamWorks animation with 99% on Rotten Tomatoes
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Close up of Leica M11-P viewfinder
I wince at the prospect of the rumored Leica M11-V – here's why
More about security
Sam Altman and OpenAI

OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.

Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
Toni Collette in Hereditary

Everything leaving Netflix in April 2025 – from the scariest movie ever made to a beloved DreamWorks animation with 99% on Rotten Tomatoes
See more latest
Most Popular
Toni Collette in Hereditary
Everything leaving Netflix in April 2025 – from the scariest movie ever made to a beloved DreamWorks animation with 99% on Rotten Tomatoes
Close up of Leica M11-P viewfinder
I wince at the prospect of the rumored Leica M11-V – here's why
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
HP ZBook Ultra G1a
HP's ridiculously fast Ryzen AI Max+ Pro 395 laptop with 128GB RAM goes on sale everywhere in the US, but it won't be cheap
A mobile phone showing the Signal logo in front of a screen showing the app
Signalgate explained: what is Signal, and how secure is the messaging app?
Asus Ascent GX10 Rear
Asus's more affordable version of Nvidia's uber-popular Project Digits snapped at GTC 2025
iPhone 13 mini
The iPhone mini won't be returning, according to rumors – and you think that's a mistake
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools