TAMECAT PowerShell-Based Backdoor Exfiltrates Login Credentials from Microsoft Edge and Chrome

[Brownie2019]

Content source

https://cybersecuritynews.com/tamecat-powershell-based-backdoor-exfiltrates-login-credentials/

A sophisticated PowerShell-based malware named TAMECAT has emerged as a critical threat to enterprise security, targeting login credentials stored in Microsoft Edge and Chrome browsers.
This malware operates as part of espionage campaigns conducted by APT42, an Iranian state-sponsored cyber-espionage group that has been actively targeting high-value senior defense and government officials worldwide.
The threat demonstrates advanced capabilities in credential theft, data exfiltration, and persistent access to compromised systems.
TAMECAT employs a multi-stage infection process that begins with social engineering tactics.
The attackers impersonate trusted WhatsApp contacts and send victims malicious links that abuse the search-ms URI protocol handler.
Once activated, the malware downloads a VBScript that performs antivirus detection on the target system to determine the appropriate execution path.

Full Story on:

TAMECAT PowerShell-Based Backdoor Exfiltrates Login Credentials from Microsoft Edge and Chrome

TAMECAT PowerShell malware steals Edge and Chrome credentials in APT42 Iranian espionage targeting government officials.

cybersecuritynews.com

 

[Bot]

Full Story on:

TAMECAT PowerShell-Based Backdoor Exfiltrates Login Credentials from Microsoft Edge and Chrome

TAMECAT PowerShell malware steals Edge and Chrome credentials in APT42 Iranian espionage targeting government officials.

cybersecuritynews.com

What you quoted (from CyberSecurityNews, dated January 30, 2026) is broadly consistent with two more “primary” write-ups:

• Israel National Digital Agency (INDA) “SpearSpecter” report (Published: November 2025) describing the WhatsApp social-engineering, search-ms abuse, WebDAV delivery, and TAMECAT’s modular backdoor behavior.
• Pulsedive Threat Research technical analysis (January 29, 2026) describing the VBScript/WMI AV-check logic and the PowerShell loader behavior.

What TAMECAT is (and what it isn’t)

TAMECAT is best understood as a PowerShell-based backdoor/toehold used by APT42 that can load modules and execute additional PowerShell (and in some reporting, C#) to perform tasks like recon and data theft. Google/Mandiant previously described TAMECAT as a PowerShell “toehold” used by APT42 (with NICECURL also observed), and MITRE ATT&CK tracks it as “TAMECAT” (S1193).

So when an article says “TAMECAT steals credentials from Edge/Chrome”, that usually means “TAMECAT plus its credential-theft modules,” not necessarily that the initial loader stage is only a credential stealer.

Attack chain highlights (from INDA’s SpearSpecter report)

INDA’s report describes a flow that matches your quote very closely:

• Long “relationship building” social engineering, including direct WhatsApp engagement.
• A link leading to a crafted page abusing the Windows search-ms URI handler, prompting the user to allow Explorer access.
• Explorer then connects to an attacker-controlled WebDAV share (notably via rundll32.exe calling davclnt.dll DavSetCookie) and presents a malicious .LNK disguised as a PDF.
• The LNK triggers cmd/curl to fetch a batch script hosted via Cloudflare Workers, which then runs obfuscated PowerShell that loads TAMECAT modules in memory and sets persistence (INDA shows persistence pointing into a path under the user profile, e.g., under %LOCALAPPDATA%\Microsoft\Windows\AutoUpdate in the observed sample).
• Multi-channel C2 described via HTTPS + Discord + Telegram, with AES encryption.

Practical defensive takeaways (enterprise-focused)

If an org is worried about this tradecraft, the most actionable controls are the ones that break the chain early:

• Reduce “living off the land” scripting exposure: enforce PowerShell restrictions where possible (least privilege, Constrained Language Mode/WDAC where feasible), and consider blocking/containing wscript.exe/cscript.exe for normal users if business use allows.
• Logging/detection: enable strong PowerShell logging (especially Script Block Logging) and alert on suspicious parent/child chains like wscript -> conhost/powershell, or cmd -> curl -> powershell with hidden window flags and in-memory execution patterns.
• Harden WebDAV usage: if WebDAV isn’t required, disable it; if it is required, monitor for unusual WebDAV access from endpoints and suspicious .LNK delivery from remote shares.
• Hunt for the “search-ms” / Explorer prompt abuse: treat unexpected prompts to open Explorer from a browser as high-risk user activity, and consider policy/technical controls to reduce exposure to URI/protocol-handler abuse where practical.
• Network controls: monitor/block unusual endpoint traffic to Telegram bot/API infrastructure and Discord webhook/bot patterns when not business-justified; scrutinize Cloudflare Workers traffic used as payload staging.
• Credential risk reduction: enforce MFA (preferably phishing-resistant methods) and reduce reliance on browser-saved passwords for privileged accounts; be ready to rotate credentials quickly after suspected endpoint compromise.

Sources

TAMECAT PowerShell-Based Backdoor Exfiltrates Login Credentials from Microsoft Edge and Chrome

TAMECAT PowerShell malware steals Edge and Chrome credentials in APT42 Iranian espionage targeting government officials.

cybersecuritynews.com

TAMECAT - Analysis of an Iranian PowerShell-Based Backdoor

A detailed technical analysis of TAMECAT, a PowerShell-based backdoor used by the Iranian state-sponsored APT42 in espionage operations.

blog.pulsedive.com

https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/

Uncharmed: Untangling Iran's APT42 Operations | Google Cloud Blog

APT42 is using enhanced social engineering schemes to gain access to victim networks, including cloud environments.

cloud.google.com

TAMECAT, Software S1193 | MITRE ATT&CK®

attack.mitre.org

 

[Parkinsond]

The usual LNK file masquerading as PDF file.

The high-value senior defense and government officials worldwide deserve something more sophisticated.

 

[Halp2001]

Wow, TAMECAT sounds pretty unsettling… amazing how they keep finding new ways to sneak into the browsers we all use every day.

 

[cartaphilus]

One thing for sure; their targets are not US or Canada; No one in US or CAN uses what'sapp mainly because our text infrastructure became free long before IP based text comm aps. So there was no need for an app to text for free.

 

[Andy Ful]

A basic Windows hardening can block the attack. Any of the points below is effective to fully stop the attack:

• blocking outbound connections of popular LOLBins (Curl and PowerShell LOLBins in this particular case),
• restricting PowerShell to Constrained Language (decrypting functions are forbidden),
• blocking or removing VBScript from the system.

Edit1.
Smart App Control cannot block the attack because the shortcut is located on WebDav, and the payloads do not have MotW.

Edit2.
Windows Home/Pro is already hardened by Microsoft. The WebClient service is not started by default.
If the service is enabled, it is recommended to apply additional hardening (mentioned above).

 

[Parkinsond]

A basic Windows hardening can block the attack. Any of the points below is effective to fully stop the attack:

• blocking outbound connections of popular LOLBins (Curl and PowerShell LOLBins in this particular case),
• restricting PowerShell to Constrained Language (decrypting functions are forbidden),
• blocking or removing VBScript from the system.

Edit.
Smart App Control cannot block the attack (the payloads do not have MotW).

SRP to block Lnk and Bat files.

 

[Andy Ful]

SRP to block Lnk and Bat files.

It is not necessary in this case. On Windows Home/Pro, the WebDAV (WebClient service) is not enabled by default (I updated my previous post).