Threat Actor Profile
Description
APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015.(Citation: Mandiant APT42-charms) APT42 starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices.(Citation: Mandiant APT42-charms) Finally, APT42 exfiltrates data using native features and open-source tools.(Citation: Mandiant APT42-untangling) APT42 activities have been linked to Magic Hound by other commercial vendors. While there are behavior and software overlaps between Magic Hound and APT42, they appear to be distinct entities and are tracked as separate entities by their originating vendor.
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (31)
STIX Data
{
  "aliases": ["APT42"],
  "created": "2025-01-08T17:08:26.378Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015.(Citation: Mandiant APT42-charms) [APT42](https://attack.mitre.org/groups/G1044) starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices.(Citation: Mandiant APT42-charms) Finally, [APT42](https://attack.mitre.org/groups/G1044) exfiltrates data using native features and open-source tools.(Citation: Mandiant APT42-untangling) \n\n[APT42](https://attack.mitre.org/groups/G1044) activities have been linked to [Magic Hound](https://attack.mitre.org/groups/G0059) by other commercial vendors. While there are behavior and software overlaps between [Magic Hound](https://attack.mitre.org/groups/G0059) and [APT42](https://attack.mitre.org/groups/G1044), they appear to be distinct entities and are tracked as separate entities by their originating vendor. ",
  "external_references": [
    {
      "external_id": "G1044",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G1044"
    },
    {
      "description": "Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.",
      "source_name": "Mandiant APT42-charms",
      "url": "https://services.google.com/fh/files/misc/apt42-crooked-charms-cons-and-compromises.pdf"
    },
    {
      "description": "Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.",
      "source_name": "Mandiant APT42-untangling",
      "url": "https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations"
    }
  ],
  "id": "intrusion-set--c0291346-defe-48d7-9542-9e074ba1bdfb",
  "modified": "2025-03-08T18:42:45.320Z",
  "name": "APT42",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": ["Sittikorn Sangrattanapitak"],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.0"
}