APT42: Iran’s Shadow Operative in Global Cyberspace

Introduction

APT42, also known as UNC788 and CALANQUE, is one of Iran’s most important cyber espionage groups. Unlike financially motivated ransomware actors, APT42 runs operations with political, military, and intelligence objectives consistent with Iran’s national interests. It consistently targets policymakers, non-governmental organizations (NGOs), academics, journalists, medical organizations, and dissidents in support of the regime’s geopolitical and security objectives.

APT42 remains an active cyber actor as of 2025. It has expanded its tradecraft to include credential phishing, surveillance malware, mobile exploitation, and supply chain compromise, and it has stayed effective by adapting quickly as defenses improve worldwide.

Figure: Brandefense APT42 profile page showing threat actor identity, attribution, risk level, and targeting details. The profile outlines Iran’s cyber espionage operations and targeting across government, NGOs, media, and academia.

Identity and Motivation

Aliases: APT42, UNC788, CALANQUE

Attribution: Iran-aligned and attributed to state intelligence operations.

Active since: At least 2015 with a clearly visible increase in activity after 2018.

Motivation: Espionage, threat-based surveillance, and suppressing perceived threats to the Iranian regime.

APT42 is not driven by financial motivation. Its primary mission is to gather intelligence on adversaries, surveil targets, and neutralize dissident voices through intimidation and surveillance.

TTPs: How APT42 Operates

Initial Access

APT42 is highly proficient at spear-phishing, frequently posing as trusted organizations such as think tanks, NGOs, or news outlets. Its lures are well crafted and play on the social and political anxieties of the targets.

Credential Harvesting

Compromised email accounts are commonly used as pivot points to move deeper into the larger organization. The credentials obtained provide insight into internal communication, diplomatic negotiation, and policy planning.

Malware & Tools

  • Custom Mobile Malware: Surveils mobile devices by collecting contacts, messages, and GPS location data.
  • Reverse Tunnels: Seen frequently in recent campaigns to maintain persistence inside well-secured networks.
  • Cloud Service Abuse: Routing traffic through an organization’s own cloud infrastructure and VPNs lets the group blend its C2 traffic in with legitimate activity.

Persistence & C2

APT42 typically establishes persistence by abusing legitimate remote monitoring and management (RMM) tools, which give the operators long-term access while mimicking routine IT activity.

Target Profile

APT42 runs campaigns across multiple continents, but its target set remains consistent:

Regional Focus: Middle East, Europe, North America, and occasionally Africa.

Government & Diplomacy: Ministries of foreign affairs, embassies, and intergovernmental organizations.

Healthcare: Particularly during COVID-19, targeting pharmaceutical and research organizations for vaccine data.

NGOs & Academia: Organizations that shape the global narrative regarding Iran.

Media & Journalists: To gather intelligence for monitoring reporting on Iran and to intimidate those with dissenting opinions.

Notable Operations (2015–2025)

2017–2019: APT42 targeted Western think tanks and academics conducting research on Middle East policy.

2020–2021: APT42 leveraged COVID-19 to target liberal arts institutions, healthcare institutions, and pharmaceutical research.

2022: There was an increase in harassment campaigns targeting journalists and dissidents, and heavy use of Android malware for personal surveillance.

2023: Spear-phishing campaigns against government agencies in both the Middle East and Europe.

2024: Cooperation with MuddyWater and Lyceum and a joint effort using RMM software against Israeli and Central Asian targets.

2025 (Ongoing): Continuing interests in transportation and energy sectors, while also targeting networks in cloud environments and within diplomatic missions.

Recent Developments (2024–2025)

APT42 has adapted its activity in several ways:

  1. Mobile-first surveillance: Use of Android malware has ramped up, in order to monitor dissidents and journalists abroad.

  2. Reverse Tunnels: Used to bypass perimeter controls and maintain persistence.

  3. Collaboration with Other Iranian Units: There is evidence it has operated jointly with MuddyWater, as well as sub-groups of OilRig.

  4. Cloud Exploitation: The unit has been using fully cloud-based services for exfiltration, and even as command-and-control, which makes detection even harder.

Together, these four developments show APT42 moving toward hybrid espionage operations that combine traditional phishing and malware with advanced network persistence and targeted surveillance of mobile devices.

Strategic Impact

APT42 stands as one of the most strategically disruptive Iranian APTs. It differs from destructive groups like CyberToufan, which prioritize chaos and disruption, by favoring a long-term focus on espionage. The intelligence APT42 harvests feeds Iran’s strategies for diplomatic engagement, domestic control, and influence operations abroad.

At a minimum, organizations should:

– Harden email security and train their employees to spot spear-phishing attempts.

– Monitor for signs that legitimate RMM tools have been abused.

– Detect anomalous traffic over VPNs and cloud services.

– Protect mobile devices with endpoint detection and response.
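One way to hunt for abused RMM tools, as the second recommendation suggests, is to compare every RMM agent launch against the baseline IT actually deploys. The following is an added example written for this page (not Brandefense code); the agent names, install paths, accounts and process-creation records are constructed assumptions.

```python
# Added example (not from the Brandefense profile): flag RMM agent launches that
# deviate from an approved baseline. All names, paths, accounts and records below
# are constructed assumptions for illustration.

# Assumed baseline: the RMM agent IT deploys, its sanctioned install directory
# (lower-case prefix) and the accounts permitted to launch it.
APPROVED_RMM = {
    "rmmagent.exe": {"paths": {"c:\\program files\\corp-rmm\\"},
                     "users": {"CORP\\it-deploy"}},
}
# RMM products the organisation does not use at all (assumed list).
UNEXPECTED_RMM = {"remotetool.exe", "quickassist2.exe"}

# Constructed process-creation records: host|launching user|full image path.
SAMPLE_EVENTS = [
    "ws-104|CORP\\it-deploy|C:\\Program Files\\Corp-RMM\\rmmagent.exe",
    "ws-221|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\rmmagent.exe",
    "ws-221|CORP\\jdoe|C:\\Users\\jdoe\\Downloads\\remotetool.exe",
    "ws-318|CORP\\svc-backup|C:\\Program Files\\Corp-RMM\\rmmagent.exe",
    "ws-104|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe",
]

def parse_event(line):
    # Split one pipe-delimited record into host, user and image path.
    host, user, image = line.split("|", 2)
    return {"host": host, "user": user, "image": image}

def classify(event):
    # Return why the event deviates from the baseline, or None if it is clean.
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    if name in UNEXPECTED_RMM:
        return "unapproved RMM product"
    policy = APPROVED_RMM.get(name)
    if policy is None:
        return None  # not an RMM binary this rule tracks
    if not any(image.startswith(prefix) for prefix in policy["paths"]):
        return "approved RMM binary launched from non-standard path"
    if event["user"] not in policy["users"]:
        return "approved RMM binary launched by unexpected account"
    return None

def hunt(lines):
    # Run the rule over raw records and collect (host, user, reason) findings.
    findings = []
    for event in map(parse_event, lines):
        reason = classify(event)
        if reason:
            findings.append((event["host"], event["user"], reason))
    return findings
```

Running `hunt(SAMPLE_EVENTS)` yields three findings: the sanctioned agent launched from a user's Temp directory, an RMM product the organisation never deployed, and the sanctioned agent started by a non-IT account, each of which matches the RMM abuse pattern described above.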

APT42’s persistence highlights the need for a layered defense, proactive threat hunting, and intelligence sharing across both government and public-private channels.

Conclusion

APT42, also called UNC788 and CALANQUE, is a pillar of Iran’s cyber espionage efforts. With nearly a decade of operations, the group has displayed strategic patience and adaptability, continually developing and deploying new tooling as its capabilities evolve, including phishing, credential harvesting, mobile device surveillance, and cloud exploitation.

As of 2025, APT42 continues to target government entities, NGOs, journalists, health organizations, and academic institutions in line with Iran’s security interests. Its operations are a strong example of how modern APTs blend long-standing espionage tradecraft with the next generation of cyber intrusion operations.

For defenders, the indication could not be clearer: APT42 will be a long-standing threat that requires vigilance, intelligence-based defenses, and international coordination in countermeasures.
