The Damselfly: APT42

Threat Intelligence Tarot

Vol. II · 83

Iran (IRGC-IO - Islamic Revolutionary Guard Corps Intelligence Organization)

G1007

★★★★★

risk 4/5

✦ The Damselfly ✦

APT42

Damselfly · Calanque · UNC788 · IRGC-IO

MediaNGOsThink tanksWestern governmentsNuclear negotiatorsUS election campaigns

Active since ~2015 · Espionage, Influence operations, Credential harvesting

The Damselfly hovers at the edge of power, drawn to the light of influence operations and the warmth of diplomatic secrets. Distinct from its IRGC cousins, it hunts minds rather than machines.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566

Phishing

Initial Access

T1598

Phishing for Information

Reconnaissance

T1539

Steal Web Session Cookie

Credential Access

T1078

Valid Accounts

Defense Evasion

T1566.004

Spearphishing Voice

Initial Access

T1114.002

Remote Email Collection

Collection

T1041

Exfiltration Over C2 Channel

Exfiltration

Notable Operations

◆Targeting of US 2024 presidential campaigns
◆Phishing of nuclear negotiators and policy advisors
◆WhatsApp-based credential theft against journalists
◆Targeting of academics and civil society globally

Defenses

▸
Phishing-resistant MFA (hardware keys or passkeys) for all accounts
NIST CSF: PR.AC ↗
▸
Awareness training on voice phishing and WhatsApp social engineering
NIST CSF: PR.AT ↗
▸
Out-of-band verification for credential reset requests
CIS Control 6 ↗
▸
Email session token protection and conditional access policies
NIST CSF: PR.AC ↗

Reversed: Their Weakness

Its credential-first approach collapses against phishing-resistant MFA. When targets verify callback numbers independently and refuse unsolicited voice requests, the Damselfly has no path forward.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Veil of Chafer Next →The Sunken Dragon

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.