tldr - powered by Generative AI

• APT42 uses social engineering schemes to gain initial access to victim networks by posing as journalists and event organizers.
• The hackers harvest credentials and bypass multi-factor authentication to access cloud environments.
• APT42 relies on publicly available tools, exfiltrates data to a OneDrive account, and uses VPN and anonymized infrastructure to cover its tracks.
• Custom backdoors like NICECURL and TAMECAT are used as jumping points to deploy additional malware or execute commands.
• APT42 remains focused on intelligence collection despite other Iran-nexus actors adapting to disruptive activities.