APT39 is a cyber espionage group attributed to Iran, specifically operating under the Iranian Ministry of Intelligence and Security (MOIS) through a front company known as Rana Intelligence Computing. The group has been active since at least 2014 and is also referred to by other names such as Chafer, Remix Kitten, and COBALT HICKMAN.
Primary Objectives and Targeting
APT39 is distinct among Iranian threat actors for its focus on the theft of personal information, which is believed to support monitoring, tracking, or surveillance operations in line with Iran’s national priorities. Its operations are global, but heavily concentrated in the Middle East and Western countries, including Israel, Jordan, Kuwait, Saudi Arabia, Spain, Turkey, the UAE, and the United States.
The group primarily targets:
• Telecommunications companies
• High-tech and IT firms
• The travel industry
• Government entities
• Shipping, logistics, aviation, and engineering sectors
Attack Techniques and Tools
• Spear phishing emails with malicious attachments or links, often leading to POWBAT malware infections.
• Registration of domains that mimic legitimate services to lure targets.
• Exploitation of vulnerable web servers to install web shells like ANTAK and ASPXSPY.
Post-Compromise Activities
• Use of custom backdoors such as SEAWEED, CACHEMONEY, and modified POWBAT variants to maintain access.
• Credential harvesting using tools like Mimikatz, Ncrack, Windows Credential Editor, and ProcDump.
• Internal reconnaissance with custom scripts and tools such as BLUETORCH.
Lateral Movement and Data Exfiltration
• Movement across networks using RDP, SSH, PsExec, RemCom, and custom proxy tools (REDTRIP, PINKTRIP, BLUETRIP).
• Data archiving with WinRAR or 7-Zip before exfiltration.
• Use of “Living off the Land” tactics, leveraging legitimate system tools to evade detection.
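As an added example that is not part of this profile, here is a small detection rule set, run over constructed Sysmon-style process-creation events, covering the credential-harvesting, archiving and remote-execution tooling named above. Hosts, users, paths and command lines are made up for the example; the lsass rule matches on arguments rather than the image name, since a repacked or renamed dumper defeats name-only matching.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    # Dumper renamed to pd.exe: only the arguments give it away.
    {"host": "ws01", "user": "CORP\\jdoe", "image": "C:\\Temp\\pd.exe",
     "cmdline": "pd.exe -accepteula -ma lsass.exe C:\\Temp\\out.dmp"},
    # WinRAR building a password-protected archive of a share (staging).
    {"host": "srv02", "user": "CORP\\svc_backup", "image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "cmdline": "Rar.exe a -hpS3cret -r C:\\Users\\Public\\x.rar \\\\fs01\\finance"},
    # 7-Zip without a password: ordinary admin use, should stay quiet.
    {"host": "srv02", "user": "CORP\\admin", "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a backup.7z C:\\Backups"},
    {"host": "srv03", "user": "CORP\\admin", "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\ws01 -s cmd.exe"},
]

CRED_TOOLS = {"mimikatz.exe", "wce.exe", "procdump.exe", "procdump64.exe", "ncrack.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
REMOTE_EXEC = {"psexec.exe", "psexec64.exe", "remcom.exe"}
LSASS_ARG = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)
ARCHIVE_PW = re.compile(r"(^|\s)-(hp|p)\S*")  # rar -hp / -p, 7z -p


def match_rules(event):
    """Return the names of every rule the event triggers."""
    name = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"]
    hits = []
    if name in CRED_TOOLS:
        hits.append("known_cred_tool")
    # Argument-based rule survives renaming or repacking of the dumper.
    if name != "lsass.exe" and LSASS_ARG.search(cmd):
        hits.append("lsass_memory_access")
    if name in ARCHIVERS and ARCHIVE_PW.search(cmd):
        hits.append("password_protected_archive")
    if name in REMOTE_EXEC:
        hits.append("remote_exec_tool")
    return hits


def evaluate(events):
    """Run all rules over a list of events and return one alert per hit."""
    return [dict(rule=r, host=e["host"], user=e["user"], cmdline=e["cmdline"])
            for e in events for r in match_rules(e)]
```

Feeding real Sysmon Event ID 1 records into evaluate() only requires mapping the Image and CommandLine fields onto the keys used here.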
Operational Security
APT39 demonstrates a notable focus on operational security, including the use of repacked malware to evade antivirus detection and performing credential harvesting outside compromised environments to avoid being caught by defenders.
Attribution and Sanctions
APT39’s activities are widely attributed to the Iranian government, specifically the MOIS, and the group has been subject to international sanctions, including measures imposed by the US Department of the Treasury.