{
	"id": "26cfb523-d274-443e-a750-f4c496ca1603",
	"created_at": "2026-04-06T00:08:19.887689Z",
	"updated_at": "2026-04-10T13:11:20.468898Z",
	"deleted_at": null,
	"sha1_hash": "4833d735a10e070a8e14c14c4c29df1e97407b0f",
	"title": "APT39 | Iranian Threat Group Focused on Personal Information",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 369345,
	"plain_text": "APT39 | Iranian Threat Group Focused on Personal Information\r\nBy Mandiant\r\nPublished: 2019-01-29 · Archived: 2026-04-05 14:51:46 UTC\r\nWritten by: Sarah Hawley, Ben Read, Cristiana Brafman-Kittner, Nalani Fraser, Andrew Thompson, Yuri\r\nRozhansky, Sanaz Yashar\r\nUPDATE (Jan. 30): Figure 1 has been updated to more accurately reflect APT39 targeting. Specifically, Australia,\r\nNorway and South Korea have been removed.\r\nIn December 2018, FireEye identified APT39 as an Iranian cyber espionage group responsible for widespread\r\ntheft of personal information. We have tracked activity linked to this group since November 2014 in order to\r\nprotect organizations from APT39 activity to date. APT39’s focus on the widespread theft of personal information\r\nsets it apart from other Iranian groups FireEye tracks, which have been linked to influence operations, disruptive\r\nattacks, and other threats. APT39 likely focuses on personal information to support monitoring, tracking, or\r\nsurveillance operations that serve Iran’s national priorities, or potentially to create additional accesses and vectors\r\nto facilitate future campaigns.\r\nAPT39 was created to bring together previous activities and methods used by this actor, and its activities largely\r\nalign with a group publicly referred to as \"Chafer.\" However, there are differences in what has been publicly\r\nreported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and\r\nCACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting\r\nscope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications\r\nsector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry. 
The\r\ncountries and industries targeted by APT39 are depicted in Figure 1.\r\nhttps://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html\r\nPage 1 of 4\n\nFigure 1: Countries and industries targeted by APT39\r\nOperational Intent\r\nAPT39's focus on the telecommunications and travel industries suggests intent to perform monitoring, tracking, or\r\nsurveillance operations against specific individuals, collect proprietary or customer data for commercial or\r\noperational purposes that serve strategic requirements related to national priorities, or create additional accesses\r\nand vectors to facilitate future campaigns. Targeting of government entities suggests a potential secondary intent to\r\ncollect geopolitical data that may benefit nation-state decision making. Targeting data supports the belief that\r\nAPT39's key mission is to track or monitor targets of interest, collect personal information, including travel\r\nitineraries, and gather customer data from telecommunications firms.\r\nIran Nexus Indicators\r\nWe have moderate confidence APT39 operations are conducted in support of Iranian national interests based on\r\nregional targeting patterns focused in the Middle East, infrastructure, timing, and similarities to APT34, a group\r\nthat loosely aligns with activity publicly reported as “OilRig”. While APT39 and APT34 share some similarities,\r\nincluding malware distribution methods, POWBAT backdoor use, infrastructure nomenclature, and targeting\r\noverlaps, we consider APT39 to be distinct from APT34 given its use of a different POWBAT variant. 
It is\r\npossible that these groups work together or share resources at some level.\r\nAttack Lifecycle\r\nAPT39 uses a variety of custom and publicly available malware and tools at all stages of the attack lifecycle.\r\nInitial Compromise\r\nFor initial compromise, FireEye Intelligence has observed APT39 leverage spear phishing emails with malicious\r\nattachments and/or hyperlinks typically resulting in a POWBAT infection. APT39 frequently registers and\r\nleverages domains that masquerade as legitimate web services and organizations that are relevant to the intended\r\ntarget. Furthermore, this group has routinely identified and exploited vulnerable web servers of targeted\r\norganizations to install web shells, such as ANTAK and ASPXSPY, and used stolen legitimate credentials to\r\ncompromise externally facing Outlook Web Access (OWA) resources.\r\nEstablish Foothold, Escalate Privileges, and Internal Reconnaissance\r\nPost-compromise, APT39 leverages custom backdoors such as SEAWEED, CACHEMONEY, and a unique\r\nvariant of POWBAT to establish a foothold in a target environment. During privilege escalation, freely available\r\ntools such as Mimikatz and Ncrack have been observed, in addition to legitimate tools such as Windows\r\nCredential Editor and ProcDump. Internal reconnaissance has been performed using custom scripts and both\r\nfreely available and custom tools such as the port scanner, BLUETORCH.\r\nLateral Movement, Maintain Presence, and Complete Mission\r\nAPT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol (RDP), Secure Shell\r\n(SSH), PsExec, RemCom, and xCmdSvc. Custom tools such as REDTRIP, PINKTRIP, and BLUETRIP have also\r\nbeen used to create SOCKS5 proxies between infected hosts. 
In addition to using RDP for lateral movement,\r\nAPT39 has used this protocol to maintain persistence in a victim environment. To complete its mission, APT39\r\ntypically archives stolen data with compression tools such as WinRAR or 7-Zip.\r\nFigure 2: APT39 attack lifecycle\r\nThere are some indications that APT39 demonstrated a penchant for operational security to bypass detection\r\nefforts by network defenders, including the use of a modified version of Mimikatz that was repacked to thwart\r\nanti-virus detection in one case, as well as another instance when after gaining initial access APT39 performed\r\ncredential harvesting outside of a compromised entity's environment to avoid detection.\r\nOutlook\r\nWe believe APT39's significant targeting of the telecommunications and travel industries reflects efforts to collect\r\npersonal information on targets of interest and customer data for the purposes of surveillance to facilitate future\r\noperations. Telecommunications firms are attractive targets given that they store large amounts of personal and\r\ncustomer information, provide access to critical infrastructure used for communications, and enable access to a\r\nwide range of potential targets across multiple verticals. APT39's targeting not only represents a threat to known\r\ntargeted industries, but it extends to these organizations' clientele, which includes a wide variety of sectors and\r\nindividuals on a global scale. 
APT39's activity showcases Iran's potential global operational reach and how it uses\r\ncyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national\r\nsecurity threats and gain advantages against regional and global rivals.\r\nSource: https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html"
	],
	"report_names": [
		"apt39-iranian-cyber-espionage-group-focused-on-personal-information.html"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d",
			"created_at": "2023-01-06T13:46:38.883911Z",
			"updated_at": "2026-04-10T02:00:03.132231Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"COBALT HICKMAN",
				"G0087",
				"Radio Serpens",
				"TA454",
				"ITG07",
				"Burgundy Sandstorm",
				"REMIX KITTEN"
			],
			"source_name": "MISPGALAXY:APT39",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b6155e4-94ec-4909-b908-550afe758ad6",
			"created_at": "2022-10-25T15:50:23.365074Z",
			"updated_at": "2026-04-10T02:00:05.2978Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"APT39",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "MITRE:APT39",
			"tools": [
				"NBTscan",
				"MechaFlounder",
				"Remexi",
				"CrackMapExec",
				"pwdump",
				"Mimikatz",
				"Windows Credential Editor",
				"Cadelspy",
				"PsExec",
				"ASPXSpy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4833d735a10e070a8e14c14c4c29df1e97407b0f.pdf",
		"text": "https://archive.orkl.eu/4833d735a10e070a8e14c14c4c29df1e97407b0f.txt",
		"img": "https://archive.orkl.eu/4833d735a10e070a8e14c14c4c29df1e97407b0f.jpg"
	}
}