APT42, an Iranian cyber espionage group believed to be sponsored by the state and operating under the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), employs sophisticated social engineering tactics to infiltrate networks, particularly targeting NGOs, media, academia, legal services, and activists in the West and Middle East. The group uses impersonation of journalists and event organizers to build trust and harvest credentials, which are then used to access cloud environments and exfiltrate data of strategic interest to Iran. In addition to cloud-based espionage, APT42 deploys custom backdoors, such as NICECURL and TAMECAT, through spear-phishing campaigns to establish initial access and possibly facilitate further malware deployment. These activities align with the IRGC-IO’s objectives of countering foreign threats and domestic instability. APT42’s operations exhibit significant overlap with other threat actors, including those identified by various cybersecurity firms. Mandiant’s detailed analysis reveals APT42’s extensive use of masquerading techniques, credential harvesting, and multi-factor authentication bypass, as well as their reliance on built-in features and open-source tools to reduce detection.