>samit_hota
Back to adversary profiles
G0087HighActive

APT39: Iran's Relentless Surveillance Threat

Samit Hota·
Suspected Origin
Iran
Motivation
Espionage, Information Theft, Surveillance
Aliases
ITG07, Chafer, Remix Kitten
Target Sectors
Telecommunications, Travel, Hospitality, Academic, Government, Aviation, IT, High-Tech, Engineering, Shipping and Logistics
Associated Malware
SEAWEED, CACHEMONEY, POWBAT, Remexi, MechaFlounder, ANTAK, ASPXSPY, Mimikatz, BLUETORCH, CrackMapExec, BITS 1.0 Malware, Python-based malware, VBS scripts
#threat-actor#g0087

Overview

APT39, identified by MITRE as G0087, is a cyber espionage group with strong links to the Iranian Ministry of Intelligence and Security (MOIS). Operating through the front company Rana Intelligence Computing, APT39 has been active since at least 2014, though some intelligence suggests operations dating back to 2012. This highly persistent threat actor is also known by various aliases, including Chafer, Remix Kitten, ITG07, COBALT HICKMAN, and Radio Serpens.

The group’s primary motivation is cyber espionage, specifically the collection of personal and proprietary information to support the Iranian government’s surveillance and tracking objectives. Unlike some other Iranian groups focused on destructive attacks or intellectual property theft, APT39 meticulously gathers data to monitor individuals and entities considered threats to the Iranian regime. This includes a keen interest in communications data, travel records, and operational information that can reveal the movements and associations of dissidents, journalists, activists, foreign diplomats, and defense sector personnel.

APT39’s targeting scope is broad, encompassing critical sectors globally, with a particular emphasis on the Middle East. Their typical targets include telecommunications providers, travel and hospitality companies, academic institutions, government entities, and IT firms that support these industries. Geographically, their operations span Iran, Asia, Africa, Europe, and North America, with specific activity noted in countries such as Saudi Arabia, the UAE, Israel, Jordan, Kuwait, Turkey, Spain, and the United States.

Tactics & Techniques

APT39 employs a blend of custom malware, modified open-source tools, and legitimate system utilities, often using “living off the land” techniques to blend in with normal network activity and evade detection. Their initial access methods are well-established and effective. Spear-phishing emails containing malicious attachments or links are a common vector, frequently leading to infections with custom backdoors like POWBAT. They also exploit vulnerable public-facing applications, such as web servers, VPN appliances (e.g., Pulse Secure VPN CVE-2019-11510), mail servers, and even specific vulnerabilities in platforms like SharePoint (CVE-2019-0604). The use of web shells like ANTAK and ASPXSPY on compromised web servers, and the exploitation of stolen credentials to access Outlook Web Access (OWA), further demonstrate their diverse entry points.

Once initial access is gained, APT39 focuses on maintaining a persistent foothold and escalating privileges. They establish persistence through custom backdoors and Remote Access Trojans (RATs), and by modifying registry Run keys, creating scheduled tasks, or leveraging the startup folder. For privilege escalation and credential access, they frequently deploy tools like Mimikatz, Windows Credential Editor, and Ncrack, alongside credential harvesting from various sources, including clipboard data. Lateral movement is facilitated through protocols and tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, xCmdSvc, and SMB.

To conduct internal reconnaissance, APT39 utilizes custom scripts, port scanners like BLUETORCH, and tools such as NBTscan and CrackMapExec to enumerate network shares and discover remote systems. Command and Control (C2) communications often leverage HTTP/HTTPS protocols, DNS, or legitimate services like DropBox. They also set up custom SOCKS5 proxies using tools like REDTRIP, PINKTRIP, and BLUETRIP to obscure their C2 infrastructure. For data exfiltration, collected information is typically aggregated and compressed using utilities like WinRAR or 7-Zip, then exfiltrated via encrypted channels, FTP, legitimate network services, or the BITS protocol.

Notable Campaigns

APT39 has maintained a consistent operational tempo since its inception. In 2016, Unit 42 observed activity from the Chafer alias targeting Turkish government entities. The group escalated its activities significantly in 2017, deploying new tools and infrastructure while attacking nine new organizations across the Middle East. These targets included airlines, aircraft services, IT providers, telecommunications firms, payroll services, engineering consultancies, and document management software companies. During this period, they also attempted to compromise a major international travel reservations firm, underscoring their focus on obtaining travel-related intelligence.

Between 2018 and 2019, APT39 was responsible for widespread telecom network intrusions in the Middle East, gaining surveillance access, and targeting the travel industry by compromising booking systems to track individuals. The autumn of 2018 also saw them employ an improved version of their Remexi malware in a prolonged cyber espionage campaign against foreign diplomatic entities located within Iran, suggesting domestic surveillance objectives.

The United States government has taken action against APT39. In 2019, individuals associated with the group faced U.S. sanctions. In a more significant move in September 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Rana Intelligence Computing Company and 45 associated individuals, explicitly linking the company to the MOIS and APT39’s cyber operations. Concurrently, the FBI released a FLASH alert detailing the group’s malware tools and infrastructure. More recently, in 2024, APT39 was observed exploiting ProxyShell vulnerabilities in Microsoft Exchange to steal data from Middle Eastern telecommunications providers.

Associated Malware & Tools

APT39’s toolkit is a mix of custom-developed malware, modified legitimate software, and widely available hacking tools:

  • Custom Backdoors and RATs: The group primarily leverages its bespoke implants such as SEAWEED, CACHEMONEY, and a specific variant of POWBAT. Other notable custom malware includes Remexi, used in domestic surveillance campaigns, and MechaFlounder, a Python-based payload observed targeting Turkish government entities. They have also utilized web shells like ANTAK and ASPXSPY for initial access and persistence on compromised web servers, and custom SOCKS5 proxies such as REDTRIP, PINKTRIP, and BLUETRIP.
  • Off-the-Shelf and Modified Tools: APT39 regularly incorporates publicly available tools to escalate privileges and move laterally. This includes Mimikatz and Windows Credential Editor for credential theft, BLUETORCH for port scanning, and CrackMapExec for network share enumeration. They also use NBTscan, Ncrack, PsExec, RemCom, xCmdSvc, and the Non-sucking Service Manager (NSSM) for various post-exploitation activities. Archive utilities like WinRAR and 7-Zip are commonly used for data staging before exfiltration.
  • Scripting and Other Malware: Their operations frequently involve malicious Visual Basic Script (VBS) and AutoIt malware, often embedded in spear-phishing documents. They also deploy Python-based malware scripts, Android malware, and specialized executables such as “BITS 1.0 Malware” which leverages Microsoft’s Background Intelligent Transfer Service for data exfiltration, and executables masquerading as legitimate software like Mozilla Firefox.

Current Status

APT39 remains an active and significant threat actor. Reports from 2024 confirm their ongoing operations, particularly in targeting telecommunications sectors in the Middle East by exploiting vulnerabilities like ProxyShell. The group continues to evolve its tactics and tooling, demonstrating a patient and persistent approach to cyber espionage. The U.S. Treasury’s sanctions against entities linked to APT39 underscore the persistent nature of this threat, emphasizing its ongoing danger. Defenders in targeted sectors should consider APT39 a formidable adversary requiring robust, behavioral-based detection and defense strategies, as their predictable targeting patterns and documented TTPs allow for proactive preparation.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call