Iranian “SpearSpecter” Op. Showcases Advanced Intel. Capabilities Targeting “Israeli” Military Circles
By Staff, Agencies
The “Israeli” entity’s so-called “National Digital Agency” has acknowledged the detection of a highly sophisticated Iranian cyber-intelligence campaign, dubbed “SpearSpecter,” attributed to the intelligence wing of the Islamic Revolutionary Guard Corps [IRG-IO].
The admission reflects growing concern within “Israeli” security institutions over Iran’s expanding cyber capabilities and its shift toward precision, intelligence-driven operations.
The campaign—associated with the threat actor known as APT42 or CharmingCypress— illustrates Iran’s move away from broad cyber activities toward targeted operations focusing on high-ranking “Israeli” military and governmental figures, including their close associates.
Cyber researcher Shimi Cohen and Nir Bar Yosef, head of the agency’s cyber unit, described the operation as a “significant evolution,” noting that Iran’s cyber strategy now prioritizes long-term penetration and intelligence collection rather than simple credential theft.
At the heart of SpearSpecter is a deep-level social engineering structure, where Iranian operators invest days or even weeks developing believable personal or professional interactions. These efforts often take the form of invitations to high-profile conferences or requests for sensitive meetings. WhatsApp, widely used in the occupied territories, serves as the primary communication platform due to its credibility and ease of trust-building.
According to Cohen, the operation begins with careful intelligence gathering, followed by the impersonation of trusted individuals to initiate WhatsApp contact. When trust is secured, targets are sent a tailored malicious link that activates the attack chain.
For low-priority targets, fake meeting pages are deployed to harvest login information in real time. For high-value individuals, however, the objective is to implant TAMECAT, a stealthy malware backdoor identified by Google. Built around PowerShell and native Windows tools, the malware makes detection difficult for typical defense systems.
The SpearSpecter operation further employs the WebDAV protocol to stage its payloads and runs a multi-layered command-and-control network routed through legitimate platforms such as Telegram and Discord. This strategy allows Iranian operators to blend intelligence-related data transfers with normal communications traffic, complicating detection.
Cohen emphasized that the principal innovation is Iran’s ability to “mask data flow” by embedding its communications within mainstream applications—an approach that reflects a high degree of operational maturity.
Bar Yosef admitted that the changing threat landscape leaves “Israeli” officials with a single reliable guideline: “Verify, verify and verify again.”
