TAMECAT is a complicated PowerShell-based backdoor linked to APT42, an Iranian state-sponsored hacking group. <\/p>\n
It steals login credentials from Microsoft Edge <\/a>and Chrome browsers whereas evading detection. <\/p>\n Safety researchers from Israel\u2019s Nationwide Digital Company detailed its modular design in current SpearSpecter marketing campaign evaluation.\u200b<\/p>\n APT42 deploys TAMECAT in long-term espionage operations towards senior protection and authorities officers. <\/p>\n The group builds belief by social engineering earlier than compromising techniques. TAMECAT receives instructions by way of Telegram bots, downloading further scripts for duties like display screen captures and browser information theft, as reported <\/a>by Pulsedive.\u200b<\/p>\n The an infection chain begins with a VBScript downloader (SHA256: 5404e39f2f175a0fc993513ee52be3679a64c69c79e32caa656fbb7645965422). This script scans for antivirus merchandise utilizing WMI queries. <\/p>\n If \u201cHome windows\u201d seems within the AV listing, it launches PowerShell <\/a>by way of conhost with wget to fetch the loader from tebi[.]io. In any other case, it falls again to cmd.exe and curl for an alternate payload.\u200b<\/p>\n The loader, nconf.txt (SHA256: bd1f0fb085c486e97d82b6e8acb3977497c59c3ac79f973f96c395e7f0ca97f8), makes use of AES-encrypted payloads. <\/p>\n It defines Gorba for decryption with key \u201cT2r0y1M1e1n1o0w1\u201d and Borjol for additional processing. <\/p>\n The script drops the primary three bytes from a base64 URL, downloads df32s.txt, and applies bitwise operations plus UTF-8 conversion to disclose extra code.\u200b<\/p>\n Decrypted modules deal with sufferer ID era (written to %LocalAppDatapercentconfig.txt) and C2 communication to accurate-sprout-porpoise[.]glitch[.]me. <\/p>\n It collects OS particulars, pc identify, and a hardcoded token (GILNH9LX6TCZ9V8ZZSUF), encrypts by way of Borpos (AES-256, key: kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B), and exfils by way of POST with customized \u201cContent material-DPR\u201d header for the IV.<\/p>\n \u200b<\/p>\n C2 responses, separated by \u00b6, embody language (PowerShell\/C#), base64 command, thread identify, and begin\/cease flags. <\/p>\n TAMECAT executes these in-memory, suspending Chrome processes <\/a>and utilizing Edge\u2019s distant debugging for credential extraction.\u200b<\/p>\n![\"Details](\"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/01\/image-151-741x1024.png\")
Loader Evaluation<\/strong><\/h2>\n
![\"\"\/](\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj2UMVMXEXuy7TCIIV6Djqlr1W0CkY-7OfkyT9-jd1gAUi5mh6fqv5j9HOJ8Domg8xk9KtKCxRcIVoHcrbPjXNSDicF4XzQLQ7oJ55IT2muSZpyMCNgm_QHAobZuE1-ohyp5b0e-QD2sJscBko8DgEzP6feow3diF89NY_RDQ0GH3DB2XN1otBsRDadC_m1\/s786\/data-src-image-dc29b..._imresizer.webp\")
![\"Data](\"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/01\/image-152.png\")
![\"Decrypted](\"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/01\/image-153.png\")