securityonline.info 2/4/2026, 12:26:07 AM

TAMECAT Exposed: APT42’s Fileless Backdoor Targets Defense Chiefs

The article ties a sophisticated espionage campaign targeting senior defence and government officials to APT42, reporting claims that the group is behind the operation. At its core is TAMECAT, a modular PowerShell backdoor designed to steal data while remaining in memory to evade detection.

According to Pulsedive Threat Research, the analysis reveals in-memory modules and a range of capabilities, including a Browser module to exfiltrate cookies and history, a Screen module for desktop captures, and a FileCrawler module to locate documents of interest.

The infection chain begins with a VBScript health check that detects antivirus presence and decides whether to launch PowerShell or Curl. The loader, named nconf[.]txt and hosted on tebi[.]io, uses heavy obfuscation and a hardcoded 256-bit AES key (kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B) to secure its configuration and exfiltrated data.

TAMECAT also communicates via diverse channels to blend in with legitimate traffic, including Telegram, Cloudflare Workers, Discord, and WebDAV servers, with Telegram C2 keywords such as Invest, Scene, Look, and #Journey used to trigger actions. Defenders are urged to monitor PowerShell activity and scrutinise traffic to trusted services as the threat demonstrates a shift toward in-memory, modular malware that is harder to detect.
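The monitoring advice above can be turned into concrete detection logic. The following is an added example, not code from the article or from Pulsedive: it runs three rules over constructed process-creation and network-connection events loosely modelled on Sysmon records (the field names, paths, PIDs and command lines are assumptions), flagging a script host spawning PowerShell or curl, a command line referencing the loader file name, and PowerShell or curl reaching the hosting and C2 services the article names. Traffic to those services from a browser is left alone, because the source process, not the destination, is what makes it unusual.

```python
"""Added example: toy detection logic for the TAMECAT-style chain above.

The events below are constructed for this example (they are not from the
article) and are modelled loosely on Sysmon process-creation (EventID 1)
and network-connection (EventID 3) records. Field names are assumptions,
not a real Sysmon schema.
"""
from dataclasses import dataclass

# Script hosts a VBScript "health check" would run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Second-stage launchers named in the article.
STAGE2 = {"powershell.exe", "pwsh.exe", "curl.exe"}
# Services named in the article as hosting / C2 channels. Traffic to them
# is normal for browsers; it is the source process that makes it odd.
WATCHED_DOMAINS = ("tebi.io", "api.telegram.org", "discord.com", "workers.dev")
LOADER_NAME = "nconf.txt"  # loader file name from the article


@dataclass
class Event:
    event_id: int          # 1 = process create, 3 = network connect
    pid: int
    image: str             # full path of the process image
    parent_image: str = ""
    cmdline: str = ""
    dest_host: str = ""


def image_name(path: str) -> str:
    """Lower-case basename of an image path, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def host_is_watched(host: str) -> bool:
    """True if host equals, or is a subdomain of, a watched domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious(events):
    """Return (pid, reason) findings, in event order.

    Rule 1: script host spawning PowerShell or curl.
    Rule 2: command line referencing the loader file name.
    Rule 3: PowerShell or curl (not a browser) talking to a watched service.
    """
    findings = []
    for ev in events:
        img = image_name(ev.image)
        if ev.event_id == 1:
            parent = image_name(ev.parent_image)
            if img in STAGE2 and parent in SCRIPT_HOSTS:
                findings.append((ev.pid, f"{parent} spawned {img}"))
            if LOADER_NAME in ev.cmdline.lower():
                findings.append((ev.pid, f"command line references {LOADER_NAME}"))
        elif ev.event_id == 3 and img in STAGE2 and host_is_watched(ev.dest_host):
            findings.append((ev.pid, f"{img} connected to {ev.dest_host.lower()}"))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample telemetry: one infected host, plus benign noise.
SAMPLE_EVENTS = [
    Event(1, 4100, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          r'wscript.exe "C:\Users\user\AppData\Roaming\check.vbs"'),
    Event(1, 4120, PS, r"C:\Windows\System32\wscript.exe",
          "powershell.exe -w hidden -c <hypothetical stage referencing nconf.txt>"),
    Event(3, 4120, PS, dest_host="tebi.io"),
    Event(3, 4120, PS, dest_host="api.telegram.org"),
    # Benign: a browser reaching Discord, and an admin running PowerShell from cmd.
    Event(1, 5000, CHROME, r"C:\Windows\explorer.exe"),
    Event(3, 5000, CHROME, dest_host="discord.com"),
    Event(1, 5100, PS, r"C:\Windows\System32\cmd.exe", "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(pid, reason)
```

Run as-is it reports four findings, all against PID 4120, and nothing for the browser or the interactive PowerShell session. In production the same rules would be fed from PowerShell script block logging and EDR or Sysmon telemetry rather than a hard-coded list, and the watched-domain list should be treated as context for correlation, not as a standalone block list.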


Article by CyberSIXT