SpearSpecter is a newly documented espionage campaign, attributed to the Iranian-linked cluster APT42, that has targeted senior defense and government officials and their family members using tailored WhatsApp lures and a modular PowerShell backdoor that researchers say is built for long-term access.
The Israel National Digital Agency (INDA) published a technical analysis in November 2025 that maps the attack flow. Targets receive curated messages inviting them to meetings or conferences. A supplied link redirects to a WebDAV-hosted Windows shortcut (.lnk) disguised as a document, and the shortcut retrieves a batch loader from attacker-controlled Cloudflare Workers domains that stages a PowerShell framework known as TAMECAT (INDA report: https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/).
The TAMECAT framework is modular. The initial reconnaissance modules enumerate the host (OS, user, privileges, installed applications and running processes) and inventory likely targets for collection. A FileCrawler module builds staged queues under %LOCALAPPDATA%\Caches (files such as ALL.txt and FileCrawler.txt) containing Base64-encoded paths separated by triple-semicolons to mark items for exfiltration.
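The staging-queue format described above (Base64-encoded paths separated by triple semicolons in files under %LOCALAPPDATA%\Caches) is simple to parse during incident response, which matters because the decoded list tells a responder exactly which files were marked for exfiltration. The following is an added forensic helper written for this article, not INDA's tooling: it locates ALL*.txt and FileCrawler.txt in the Caches directory and decodes each entry, keeping malformed records visible instead of silently dropping them. The sample queue content is constructed, and the whitespace handling is an assumption beyond what the report states.

```python
"""Decode TAMECAT FileCrawler staging queues (added example, not INDA's code).

Known from the report: queue files under %LOCALAPPDATA%\\Caches (ALL.txt,
FileCrawler.txt) hold Base64-encoded file paths separated by ';;;'.
Assumed here: entries may carry surrounding whitespace; sample content below
is constructed, not from a real infection.
"""
import base64
import binascii
import os
from pathlib import Path
from typing import List, Union

SEPARATOR = ";;;"


def decode_queue(blob: str) -> List[str]:
    """Split a staging queue on ';;;' and Base64-decode each entry.

    Entries that fail to decode are kept with an '<undecodable:...>' marker so
    the analyst sees that a record was present but malformed.
    """
    paths: List[str] = []
    for token in blob.split(SEPARATOR):
        token = token.strip()
        if not token:
            continue
        try:
            paths.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            paths.append(f"<undecodable:{token[:16]}>")
    return paths


def find_queue_files(caches_dir: Union[str, Path]) -> List[Path]:
    """Return queue files under the Caches directory: ALL*.txt (the hunt
    pattern from the article) plus FileCrawler.txt if present."""
    caches_dir = Path(caches_dir)
    if not caches_dir.is_dir():
        return []
    hits = sorted(caches_dir.glob("ALL*.txt"))
    file_crawler = caches_dir / "FileCrawler.txt"
    if file_crawler.is_file():
        hits.append(file_crawler)
    return hits


def default_caches_dir() -> Path:
    # %LOCALAPPDATA%\Caches is the staging location named in the report.
    return Path(os.environ.get("LOCALAPPDATA", "")) / "Caches"


# Constructed sample queue: two valid entries followed by one corrupt token.
SAMPLE_QUEUE = SEPARATOR.join(
    base64.b64encode(p.encode("utf-8")).decode("ascii")
    for p in [r"C:\Users\alice\Documents\budget.xlsx",
              r"C:\Users\alice\Desktop\memo.docx"]
) + SEPARATOR + "!!notbase64!!"


if __name__ == "__main__":
    # Live hunt on this host (prints nothing if no queue files exist).
    for queue in find_queue_files(default_caches_dir()):
        print(queue)
        for staged_path in decode_queue(queue.read_text(errors="replace")):
            print("  ", staged_path)
    # Offline demonstration on the constructed sample.
    print(decode_queue(SAMPLE_QUEUE))
```

Running the script on a Windows host walks the real Caches directory; the constructed sample at the bottom shows the output shape offline, including how a corrupt token surfaces as a marker rather than an exception.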
The malware prioritizes high-value file types — for example, Office documents, spreadsheets, PDFs, archive formats and media files — while explicitly excluding noisy or low-value locations (cloud sync folders, development tool folders, system directories) to reduce detection.
Command-and-control uses multiple channels for resilience: encrypted HTTPS with an IV embedded in headers or JSON fields, messages delivered through Discord webhooks (IV embedded in the webhook message), and a Telegram bot that can issue per-host commands and retrieve staged PowerShell modules from Cloudflare Workers.
Because the campaign commonly begins on WhatsApp, organizations should treat unsolicited meeting invitations and file links with heightened suspicion; we previously covered WhatsApp-based malspam and malicious apps that illustrate similar social-engineering risks (Maverick banking malware, fake WhatsApp/AI apps).
Detection and mitigation steps are straightforward and pragmatic: block unexpected use of the search-ms: protocol handler where appropriate, monitor for downloads of .lnk files from WebDAV endpoints, watch for unusual outbound connections to unknown Cloudflare Workers domains, detect Telegram bot and Discord webhook traffic originating from endpoints, and hunt for ALL*.txt or FileCrawler.txt in %LOCALAPPDATA%\Caches.
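The C2 channels listed earlier (Discord webhooks, a Telegram bot, Cloudflare Workers hosting) and the WebDAV .lnk delivery step all leave traces in web proxy logs, so the hunt items above can be expressed as simple rules. The script below is an added example written for this article, not INDA's detection content. The log line format is constructed. The match patterns rely on public facts about the services (the Discord webhook path under /api/webhooks/, the api.telegram.org/bot... API prefix, the .workers.dev default subdomain, and the Microsoft-WebDAV-MiniRedir user agent of the Windows WebDAV client); they are heuristics for triage, not indicators from the report, and the Workers rule assumes the default subdomain even though a custom domain would evade it.

```python
"""Proxy-log hunt rules for SpearSpecter-style delivery and C2 channels.

Added example, not INDA's tooling. Log format is constructed:
  <ts> <src_host> <method> <url> <status> "<user agent>"
Rules are heuristics built on public service facts, not report IoCs.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit


@dataclass
class Event:
    src_host: str
    method: str
    url: str
    user_agent: str


LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed-format proxy line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, host, method, url, _status, ua = m.groups()
    return Event(host, method, url, ua)


def classify(ev: Event) -> List[str]:
    """Return the names of every rule the event trips (possibly none)."""
    parts = urlsplit(ev.url)
    host = parts.hostname or ""
    path = parts.path
    hits: List[str] = []
    # Discord webhook traffic from an endpoint: a C2 channel named in the report.
    if host in ("discord.com", "discordapp.com") and path.startswith("/api/webhooks/"):
        hits.append("discord_webhook")
    # Telegram bot API: tasking and module-retrieval channel named in the report.
    if host == "api.telegram.org" and path.startswith("/bot"):
        hits.append("telegram_bot_api")
    # Cloudflare Workers default subdomain. Assumption: the actor may also use
    # custom domains, so this is a hunt aid rather than a complete rule.
    if host.endswith(".workers.dev"):
        hits.append("cloudflare_workers_domain")
    # Windows shortcut fetched by the WebDAV mini-redirector client.
    if path.lower().endswith(".lnk") and ev.user_agent.startswith("Microsoft-WebDAV-MiniRedir"):
        hits.append("webdav_lnk_download")
    return hits


def hunt(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each source host to the distinct rules its traffic tripped, in order seen."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line, skipped rather than fatal
        for rule in classify(ev):
            rules = findings.setdefault(ev.src_host, [])
            if rule not in rules:
                rules.append(rule)
    return findings


# Constructed sample log: one host showing the full chain, one benign host,
# and a garbage line. Hostnames, tokens and paths are placeholders.
SAMPLE_LOG = [
    '2025-11-12T09:01:05Z ws-017 GET http://share.example.invalid/docs/agenda.pdf.lnk 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2025-11-12T09:01:09Z ws-017 GET https://sample-worker-name.workers.dev/loader 200 "Mozilla/5.0"',
    '2025-11-12T09:02:30Z ws-017 POST https://discord.com/api/webhooks/000/PLACEHOLDER 204 "Mozilla/5.0"',
    '2025-11-12T09:03:00Z ws-017 GET https://api.telegram.org/botPLACEHOLDER/getUpdates 200 "Mozilla/5.0"',
    '2025-11-12T09:04:00Z ws-042 GET https://www.example.com/index.html 200 "Mozilla/5.0"',
    'garbage line',
]


if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_LOG).items():
        print(host, "->", ", ".join(rules))
```

A single host tripping several of these rules within minutes, as ws-017 does in the constructed sample, is a much stronger signal than any one rule alone, which is why the results are grouped per source host rather than emitted per line.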
The technical authorship of this analysis rests with INDA; coverage summarizing the findings is available from a reporting outlet. As one researcher observed, the campaign “reflects a sophisticated blend of agility, stealth, and operational security designed to sustain prolonged espionage against high-value targets” (INDA report, Nov. 2025).
