
Stolen browser-saved credentials give APT42 a direct path into the accounts its targets use day to day, privileged ones included, raising the espionage risk for targeted organizations and underscoring the need for stronger endpoint and browser hardening.
The emergence of TAMECAT reflects a growing trend among nation-state actors of weaponizing PowerShell for stealthy credential harvesting. Attributed to Iran's APT42, the backdoor arrives through a multi-stage delivery chain: a VBScript downloader first performs reconnaissance of the installed antivirus products, then retrieves an AES-encrypted loader whose real payload stays opaque to static analysis until it is decrypted at runtime. Command-and-control runs over Telegram bots, so the operators' traffic looks like ordinary HTTPS to a popular service while they dynamically pull additional modules. That design defeats signature-based detection of the C2 channel and leaves behavioral telemetry on the endpoint as the main detection opportunity.
Technical analysis shows that TAMECAT's loader decrypts components named Gorba and Borjol, which orchestrate in-memory execution of PowerShell and C# payloads. The malware suspends Chrome and Edge processes and then uses their remote-debugging interfaces to read saved passwords straight from the running browser rather than copying the on-disk credential store, which avoids file-system artifacts. A practical check follows from how that interface works: Chromium-based browsers only expose the DevTools protocol when started with a remote-debugging flag, so a browser process launched with such a flag on an endpoint where no developer needs it is a strong indicator. Exfiltration is funneled to throwaway hosts such as accurate-sprout-porpoise.glitch.me, with the data AES-256-encrypted before it leaves the host, a combination of obfuscation and covert channel usage that hides both the content and the purpose of the destination.
For enterprises, the incident underscores the need for layered defenses. On the PowerShell side, enabling script-block logging (Event ID 4104) records the decrypted content of script blocks that run in memory, which is exactly where an AES-wrapped loader otherwise hides; requiring signed scripts through execution policy raises the bar for casual execution but is not a security boundary, since a loader can run powershell.exe with -ExecutionPolicy Bypass, so it should be paired with application control where possible; and alerting on wscript.exe or cscript.exe spawning PowerShell catches the VBScript downloader stage early. On the browser side, disabling remote debugging and developer tools by policy, applying credential-protection policies (for example, not letting the browser store passwords for sensitive accounts), and keeping privileged accounts on separate workstations and browser profiles all reduce the attack surface. As APT42 continues to refine its toolkit, organizations must pair these controls with proactive threat hunting and continuous monitoring to mitigate the elevated risk posed by advanced PowerShell backdoors.
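The following PowerShell script is an added example and is not code from the original article, from APT42 tooling, or from any vendor's report. It applies the hardening described above through the policy registry keys Chrome, Edge and PowerShell honor, then hunts the resulting logs for the kinds of traces TAMECAT-style tradecraft leaves: Telegram API strings or remote-debugging flags inside script blocks, and PowerShell spawned by a Windows script host. It assumes an elevated session on a Windows host, that Sysmon is installed for the process-creation hunt, and that the indicator strings are illustrative rather than a complete IOC list.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): harden, then hunt.
# Assumptions: local policy keys are in effect for Chrome/Edge, Sysmon is installed,
# and the indicator patterns below are illustrative, not an exhaustive IOC set.

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Enable-PowerShellLogging {
    # Script-block logging (Event ID 4104) records de-obfuscated script content,
    # including blocks an AES-encrypted loader decrypts and runs only in memory.
    Set-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging' 1
    # AllSigned is hygiene, not a boundary: "powershell.exe -ExecutionPolicy Bypass"
    # ignores it, which is why the hunts below matter more than this line.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Disable-BrowserRemoteDebugging {
    # RemoteDebuggingAllowed=0 makes the browser refuse --remote-debugging-port/-pipe;
    # DeveloperToolsAvailability=2 disables DevTools entirely.
    foreach ($base in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKLM:\SOFTWARE\Policies\Microsoft\Edge') {
        Set-PolicyDword $base 'RemoteDebuggingAllowed' 0
        Set-PolicyDword $base 'DeveloperToolsAvailability' 2
    }
}

# Illustrative indicators derived from the behaviors described in the article.
$script:Indicators = @(
    'api\.telegram\.org'                                        # Telegram bot API as C2
    'remote-debugging-(port|pipe)'                              # DevTools protocol abuse
    'glitch\.me'                                                # staging/exfil host family
    'System\.Security\.Cryptography\.Aes'                       # in-memory stage decryption
    'FromBase64String[\s\S]{0,200}(Invoke-Expression|\bIEX\b)'  # decode-then-execute
) -join '|'

function Find-SuspiciousScriptBlocks {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $script:Indicators } |
    ForEach-Object {
        $text = $_.Message -replace '\s+', ' '
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Hit     = [regex]::Match($text, $script:Indicators, 'IgnoreCase').Value
            Snippet = $text.Substring(0, [Math]::Min(160, $text.Length))
        }
    }
}

function Find-ScriptHostSpawnedPowerShell {
    # Sysmon Event ID 1 (process creation): wscript/cscript launching PowerShell is
    # the VBScript-downloader-to-PowerShell hand-off described above.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match '(?m)^ParentImage: .*\\(wscript|cscript)\.exe' -and
        $_.Message -match '(?m)^Image: .*\\(powershell|pwsh)\.exe'
    } |
    ForEach-Object {
        $cmd = [regex]::Match($_.Message, 'CommandLine: ([^\r\n]*)').Groups[1].Value
        [pscustomobject]@{ Time = $_.TimeCreated; CommandLine = $cmd }
    }
}

Enable-PowerShellLogging
Disable-BrowserRemoteDebugging
Find-SuspiciousScriptBlocks          | Format-Table -AutoSize
Find-ScriptHostSpawnedPowerShell     | Format-Table -AutoSize
```

The two hunts only return results once logging is in place, so in practice the hardening functions run at deployment time and the hunts run on a schedule or from an EDR console. The browser policies are enforced by the browser itself rather than by the operating system, so a copy of Chrome or Edge that is not under policy (for example a portable build dropped by the attacker) is not covered; application control is the complementary measure for that gap.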