Saved February 14, 2026
Do you care about this?
Iranian hacking group APT42 is running a targeted espionage campaign against senior defense and government officials, combining social engineering with pressure on the targets' family members. Its malware runs as an in-memory loader that hides among signed Windows binaries and ordinary user tools, maintains persistence, and exfiltrates sensitive data.
If you do, here's more
Iranian hacking group APT42 is actively targeting senior defense and government officials in an espionage campaign. Reports from the Israel National Digital Agency (INDA) describe social engineering that is aimed not only at the primary targets but also at their family members, who are used to put pressure on them. APT42, linked to the Islamic Revolutionary Guard Corps, is also tracked under aliases including Calanque and Mint Sandstorm.
The malware used in these attacks, referred to as TameCat, is an in-memory loader that runs under signed Windows binaries and common user tools so that its activity blends into normal use. It obfuscates its code and encrypts its in-memory state to hinder analysis. TameCat fetches payloads over Telegram, and when an incoming message lacks the expected parameters it executes the message content as a PowerShell command instead. This gives the operators a fallback route to remote code execution even when a provider such as Cloudflare blocks part of their infrastructure.
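As an added illustration, and not code from the INDA report or a real TameCat indicator set, the following Python shows how a SOC might hunt for the behaviour described above on Sysmon-style telemetry: a signed Windows binary spawning PowerShell, an encoded PowerShell command line, and PowerShell or a signed binary connecting to the Telegram Bot API host api.telegram.org. The LOLBin list, the rule names, the event field names and the sample events are assumptions constructed for this example.

```python
"""Hunt for the loader pattern described above on Sysmon-style events.

Illustrative rules only: the binaries, rule names and sample events are
assumptions for this example, not indicators from the INDA report.
"""
import re
from dataclasses import dataclass

# Signed Windows binaries often abused to proxy execution (assumed list).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "msbuild.exe", "installutil.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Documented Telegram Bot API endpoint; ordinary Telegram clients do not use it.
BOT_API_HOSTS = {"api.telegram.org"}
# -e / -ec / -enc / -EncodedCommand as a standalone switch.
ENCODED_SWITCH = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s")


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Run the three rules over Sysmon-like dicts (event_id 1 = process
    create, event_id 3 = network connect) and return the alerts raised."""
    alerts = []
    suspicious_pids = set()  # PowerShell processes spawned by a LOLBin
    for ev in events:
        image = _image_name(ev["image"])
        if ev["event_id"] == 1:
            parent = _image_name(ev["parent_image"])
            cmd = f" {ev.get('command_line', '')} "
            if image in POWERSHELL and parent in LOLBINS:
                suspicious_pids.add(ev["pid"])
                alerts.append(Alert("lolbin_spawns_powershell", ev["pid"],
                                    f"{parent} -> {image}"))
            if image in POWERSHELL and ENCODED_SWITCH.search(cmd):
                alerts.append(Alert("encoded_powershell", ev["pid"], cmd.strip()))
        elif ev["event_id"] == 3:
            host = ev.get("dest_host", "").lower()
            if host in BOT_API_HOSTS and (
                image in POWERSHELL or image in LOLBINS
                or ev["pid"] in suspicious_pids
            ):
                alerts.append(Alert("telegram_bot_api_from_script_host", ev["pid"],
                                    f"{image} -> {host}:{ev['dest_port']}"))
    return alerts


# Constructed sample telemetry (not real logs): a benign browser session, a
# benign admin script, and one loader-like chain under PID 4412.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 2208, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "chrome.exe"},
    {"event_id": 3, "pid": 2208, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "web.telegram.org", "dest_port": 443},
    {"event_id": 1, "pid": 5100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1"},
    {"event_id": 1, "pid": 4412, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"event_id": 3, "pid": 4412, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]


def run_sample():
    """Evaluate the constructed events; used by the demo and by tests."""
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The point of the third rule is that a browser talking to web.telegram.org is ordinary user traffic, while a script host or signed system binary talking to the Bot API endpoint is not; the first two rules catch the loader's execution chain even before it reaches the network. Tune the LOLBin set and the PowerShell allow-list to your own environment before deploying anything like this.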
APT42's infrastructure is agile and hard to attribute: it combines legitimate cloud services with compromised resources for initial access and covert data exfiltration. The group's backdoor includes modules that collect sensitive information such as browser histories and screenshots and sends it over encrypted channels. The campaign shows how far state-sponsored actors will go to keep high-value targets under prolonged surveillance.