{
	"id": "c7ed3c78-da53-4d97-94d2-1cba27dfe515",
	"created_at": "2026-04-06T00:07:55.706868Z",
	"updated_at": "2026-04-10T13:12:36.706434Z",
	"deleted_at": null,
	"sha1_hash": "787c961844af4879ec26dea3cee89c2f45710c0e",
	"title": "Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36203,
	"plain_text": "Iranian Chafer APT Targeted Air Transportation and Government\r\nin Kuwait and Saudi Arabia\r\nBy Liviu ARSENE\r\nArchived: 2026-04-05 15:18:10 UTC\r\nBitdefender researchers have found attacks conducted by the Chafer APT threat group, which has an apparent Iranian link, in the Middle East region, dating back to 2018. The campaigns were based on several tools, including “living off the land” tools, which makes attribution difficult, as well as various hacking tools and a custom-built backdoor.\r\nVictims of the analyzed campaigns fit the pattern preferred by this actor: the air transport and government sectors in the Middle East.\r\nIn one analyzed incident, the operation potentially lasted more than one and a half years, during which time the APT group deployed various tools for persistence and lateral movement.\r\nAmong the most interesting findings of the investigation are attacker activity that occurred during weekends and attacker-created user accounts, with a likely end goal of data exploration and exfiltration.\r\nKey findings:\r\nCampaign targeted air transportation and government\r\nAttacker activity occurred on weekends\r\nIn the Kuwait attack, threat actors created their own user account\r\nThe Saudi Arabia attack relied on social engineering to compromise victims\r\nThe end goal of both attacks was likely data exploration and exfiltration\r\nFor the full report and the complete analysis of the components involved, see the research paper linked from the source page. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users.\r\nSource: https://www.bitdefender.com/blog/labs/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitdefender.com/blog/labs/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/"
	],
	"report_names": [
		"iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39",
				"Burgundy Sandstorm",
				"Chafer",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434075,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/787c961844af4879ec26dea3cee89c2f45710c0e.pdf",
		"text": "https://archive.orkl.eu/787c961844af4879ec26dea3cee89c2f45710c0e.txt",
		"img": "https://archive.orkl.eu/787c961844af4879ec26dea3cee89c2f45710c0e.jpg"
	}
}