{
	"id": "1f062832-1b8a-4b9d-8a0a-1ca3dae81693",
	"created_at": "2026-04-06T00:08:18.548206Z",
	"updated_at": "2026-04-10T03:37:55.95773Z",
	"deleted_at": null,
	"sha1_hash": "43d87ef627f0d80c2baf984d1b1ce198c797d969",
	"title": "Apparently Linked Iran Spy Groups Target Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 175342,
	"plain_text": "Apparently Linked Iran Spy Groups Target Middle East\r\nBy Eduard Kovacs\r\nPublished: 2015-12-08 · Archived: 2026-04-05 17:23:35 UTC\r\nTwo Iran-based threat groups that appear to be linked have been conducting cyber espionage campaigns\r\naimed at entities in Iran and other Middle Eastern countries, Symantec reported on Monday.\r\nThe threat actors, dubbed by the security firm Cadelle and Chafer, have been using custom-made backdoors to\r\ntarget individuals and organizations, particularly airlines and telecoms companies, in Iran and Middle Eastern\r\ncountries such as Afghanistan and Saudi Arabia. One targeted organization was located in the United States.\r\nBased on the profiles of the victims, experts believe the attackers are focusing on tracking the movements and\r\ncommunications of certain Iranian individuals. It’s not uncommon for Iranians to use anonymous proxy services\r\nto circumvent their government’s Internet censorship mechanisms and keep their online activities private, and\r\nsince these types of services have also been attacked, the targets appear to be of interest to an Iranian entity.\r\nSymantec has been monitoring Cadelle and Chafer since July 2014, but command and control (C\u0026C) server\r\ninformation suggests that the groups started their activities as early as 2011.\r\nCadelle uses a piece of malware identified by Symantec as Backdoor.Cadelspy, while Chafer relies on threats\r\ndetected as Backdoor.Remexi and Backdoor.Remexi.B to steal information from infected devices.\r\nCadelspy, which is delivered via a dropper, is designed to harvest system information and clipboard data, log\r\nkeystrokes, collect the titles of open windows, record audio, capture screenshots and photos via the webcam, and\r\nsteal documents printed by the user.\r\nhttps://www.securityweek.com/apparently-linked-iran-spy-groups-target-middle-east\r\nPage 1 of 2\r\nRemexi is an unsophisticated yet efficient backdoor Trojan that provides attackers with a remote shell on the infected\r\ncomputer. Researchers say the threat has been used to collect usernames and passwords that help the attackers gain\r\naccess to other machines on the victim’s network.\r\nSymantec believes each of the threat groups has between five and ten members. Both actors are mainly active on\r\nthe same days and during the same time of day, which coincide with Iran’s working week (Saturday through\r\nThursday) and the country’s timezone. An analysis of the Cadelspy backdoor revealed some strings that appear to\r\nrepresent dates written according to the Solar Hijri calendar, which is used in Iran and Afghanistan.\r\nWhile researchers haven’t seen any overlaps in the infrastructure used by Cadelle and Chafer, experts believe the groups\r\ncould be directly linked or working separately for a single entity. This is based not only on similar working hours\r\nand targets, but also on the fact that infections with both Cadelspy and Remexi have been spotted on the same\r\ncomputers within a small timeframe. In one case, both threats were intermittently active on an organization’s\r\nsystems for a period of more than ten months.\r\nThe attackers picked up their activity this year. The highest number of Cadelspy infections was observed by\r\nSymantec in September, when nine organizations were hit by the malware. The number of Remexi infections\r\npeaked in June, when the systems of eight organizations were compromised.\r\nCadelle and Chafer are not the only threat groups linked to Iran. Security firms have also analyzed the activities of\r\nan actor dubbed “Rocket Kitten,” which has been targeting entities in the Middle East and Europe. A different\r\nthreat group, best known for Operation Cleaver, has also been linked to Iran. In fact, Symantec has pointed out\r\nthat Remexi attacks are reminiscent of Operation Cleaver and they could be a continuation of the campaign.\r\nSource: https://www.securityweek.com/apparently-linked-iran-spy-groups-target-middle-east",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.securityweek.com/apparently-linked-iran-spy-groups-target-middle-east"
	],
	"report_names": [
		"apparently-linked-iran-spy-groups-target-middle-east"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5d57e839-da14-44ab-b0dc-3a090f45ac4c",
			"created_at": "2022-10-25T16:07:23.42967Z",
			"updated_at": "2026-04-10T02:00:04.595465Z",
			"deleted_at": null,
			"main_name": "Cadelle",
			"aliases": [],
			"source_name": "ETDA:Cadelle",
			"tools": [
				"Antak",
				"Cadelle",
				"Cadelspy",
				"WinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "49f1ada0-181f-4e89-a449-e6bc13c8c6b1",
			"created_at": "2022-10-25T15:50:23.561511Z",
			"updated_at": "2026-04-10T02:00:05.382592Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"Threat Group 2889",
				"TG-2889"
			],
			"source_name": "MITRE:Cleaver",
			"tools": [
				"Net Crawler",
				"PsExec",
				"TinyZBot",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1ba5f718-ad64-492c-8a95-e21a46516d22",
			"created_at": "2023-01-06T13:46:38.524357Z",
			"updated_at": "2026-04-10T02:00:03.011902Z",
			"deleted_at": null,
			"main_name": "Cadelle",
			"aliases": [],
			"source_name": "MISPGALAXY:Cadelle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "217c588a-5896-4335-b9ec-a516ae2f9a7e",
			"created_at": "2022-10-25T16:07:23.513775Z",
			"updated_at": "2026-04-10T02:00:04.635263Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"Cutting Kitten",
				"G0003",
				"Operation Cleaver",
				"TG-2889"
			],
			"source_name": "ETDA:Cutting Kitten",
			"tools": [
				"CsExt",
				"DistTrack",
				"IvizTech",
				"Jasus",
				"KAgent",
				"Logger Module",
				"MANGOPUNCH",
				"MPK",
				"MPKBot",
				"Net Crawler",
				"NetC",
				"PVZ-In",
				"PVZ-Out",
				"Pupy",
				"PupyRAT",
				"PvzOut",
				"Shamoon",
				"SynFlooder",
				"SysKit",
				"TinyZBot",
				"WndTest",
				"pupy",
				"zhCat",
				"zhMimikatz"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434098,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43d87ef627f0d80c2baf984d1b1ce198c797d969.pdf",
		"text": "https://archive.orkl.eu/43d87ef627f0d80c2baf984d1b1ce198c797d969.txt",
		"img": "https://archive.orkl.eu/43d87ef627f0d80c2baf984d1b1ce198c797d969.jpg"
	}
}