A sophisticated new PowerShell-based backdoor, dubbed TAMECAT, has been identified targeting login credentials stored within Microsoft Edge and Google Chrome browsers. This advanced malware is associated with espionage campaigns by APT42, an Iranian state-sponsored cyber-espionage group that has been observed actively targeting high-value senior defense and government officials internationally. The emergence of TAMECAT highlights a significant advancement in cyber threats, demonstrating effective methods for credential theft, data exfiltration, and maintaining persistent access to compromised systems.
TAMECAT employs a multi-stage infection methodology that typically begins with social engineering. Threat actors have been observed impersonating trusted WhatsApp contacts to deliver malicious links. These links exploit the Windows `search-ms` URI protocol handler to initiate the infection chain. Upon activation, the malware downloads a VBScript that first checks the target system for the presence of antivirus software. This reconnaissance step allows TAMECAT to adapt its execution strategy to the security posture of the compromised environment, increasing the likelihood of successful deployment.
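The chain described above (a `search-ms` URI launch, followed by a VBScript stage, followed by PowerShell) leaves a recognisable process-tree pattern in endpoint telemetry. The following detection sketch is an added example, not code from the article or from Pulsedive; the event shape, the script-host and PowerShell image names used as signals, and the sample events are all constructed assumptions about how such a chain would appear in process-creation logs.

```python
"""Flag a search-ms: launch whose process tree goes on to spawn a Windows
script host and then PowerShell, as described in the TAMECAT chain above.
Event fields and heuristics are assumptions for illustration, not article data."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry (not from the article); ppid links events into a tree.
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "msedge.exe", "msedge.exe"),
    ProcEvent(300, 200, "explorer.exe", 'explorer.exe "search-ms:query=invoice"'),
    ProcEvent(400, 300, "wscript.exe", "wscript.exe loader.vbs"),  # constructed name
    ProcEvent(500, 400, "powershell.exe", "powershell.exe -NoProfile (constructed placeholder)"),
    # Benign: a local Explorer search with no script host in its subtree.
    ProcEvent(600, 100, "explorer.exe", 'explorer.exe "search-ms:query=report"'),
]

SEARCH_MS = re.compile(r"search-ms:", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def descendants(events, root_pid):
    """Return every event whose process ancestry leads back to root_pid."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    out, stack = [], [root_pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            out.append(child)
            stack.append(child.pid)
    return out


def detect_chain(events):
    """Return PIDs of search-ms launches followed, in their own tree, by a
    script host that in turn has a PowerShell process beneath it."""
    hits = []
    for e in events:
        if not SEARCH_MS.search(e.cmdline):
            continue
        hosts = [k for k in descendants(events, e.pid) if k.image.lower() in SCRIPT_HOSTS]
        if any(d.image.lower() in POWERSHELL for h in hosts for d in descendants(events, h.pid)):
            hits.append(e.pid)
    return hits
```

Requiring the full three-stage tree rather than any `search-ms:` string keeps ordinary Explorer searches (the PID 600 event) out of the alert queue.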
TAMECAT Malware’s Advanced Capabilities and Operational Infrastructure
Pulsedive Threat Research analysts have detailed TAMECAT’s complex operational framework, noting its reliance on multiple command-and-control (C2)