{
	"id": "9744885f-9782-4252-855e-377b2c313f0d",
	"created_at": "2026-04-06T00:08:10.443571Z",
	"updated_at": "2026-04-10T03:35:13.557162Z",
	"deleted_at": null,
	"sha1_hash": "7fa0d59cbc905439b45b74e60cdbbc4a47911590",
	"title": "Latest U.S. Indictments Target Iranian Espionage Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57258,
	"plain_text": "Latest U.S. Indictments Target Iranian Espionage Actors\r\nArchived: 2026-04-05 13:10:40 UTC\r\nUPDATE September 22: We have made some edits to this blog. An earlier version inaccurately described the links to the Elfin group as \"strong\".\r\nThe U.S. government has indicted three Iranian nationals on charges related to cyber attacks against aerospace and satellite technology companies. Said Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati are alleged to have carried out a string of attacks between 2015 and 2019 that resulted in the theft of sensitive commercial information, intellectual property, and personal data from targeted organizations.\r\nAccording to the indictment, Arabi is a member of Iran’s Islamic Revolutionary Guard Corps (IRGC) and carried out the attacks with Espargham and Bayati on behalf of the IRGC. Espargham is alleged to be the leader of an Iranian hacking group known as the Iranian Dark Coders Team, while Bayati is alleged to be a malware developer who shared tools with Arabi and Espargham.\r\nThe men are said to have obtained the names of individuals working in the aerospace and satellite industry, created fake accounts in their names, and used them to send spear-phishing emails to targeted organizations. If victims clicked on a malicious link within the email, malware would be installed on their computers. Once on the victim’s network, the attackers would escalate privileges, steal credentials, move laterally across the network, and deploy further malware on computers before exfiltrating data.\r\nPossible Elfin link?\r\nAlthough not referenced specifically in the indictment, the attacks appear to have some links to the Elfin (aka APT33) cyber espionage group. Aside from the fact that the targets and tactics described in the indictment closely resemble Elfin activity observed by Symantec, there is also a commonality in the tools used. 
According to the indictment, one of the main malware tools used in the attacks was the Nanocore RAT (Trojan.Nancrat). Although it is publicly available, Symantec has observed Elfin make extensive use of Nanocore. While we haven’t observed any other Iranian group using this tool, other vendors have found cases.\r\nWho is Elfin?\r\nSymantec has been tracking Elfin since late 2015. Aside from compromising its victims with spear-phishing emails, the group is also known for scanning for vulnerable websites, either for potential victims or for use as command and control (C\u0026C) infrastructure. To date it has compromised a wide range of targets, including governments along with organizations in the research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors. Aside from the U.S., Elfin is also heavily focused on targets in Saudi Arabia, which accounted for 42 percent of attacks observed by Symantec between the start of 2016 and March 2019. During this time, Symantec also identified possible links to the destructive Shamoon group.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage\r\nPage 1 of 3\n\nRecent attacks\r\nSymantec has observed multiple Elfin campaigns over the past 18 months. In February 2019, the group attempted to exploit a known vulnerability (CVE-2018-20250) in WinRAR in order to compromise an organization in the chemical sector in Saudi Arabia.\r\nIn June 2019, Elfin sent out a phishing email to hundreds of recipients across multiple countries in what appeared to be an opportunistic trawling attack. 
The link within the document led recipients to dynamic DNS infrastructure controlled by the group.\r\nSubsequently, in late August 2019, Elfin compromised a victim in Saudi Arabia with a malicious HTA file. Following the initial compromise, Elfin continued to rely on its known tools, tactics, and procedures (TTPs) to strengthen its foothold. During the incident, the legitimate Windows utility mshta.exe executed a malicious HTA file with a job application theme. The file was downloaded after a victim used Microsoft Edge to visit a malicious website. A PowerShell command then downloaded a JPG file from a dynamic DNS host spoofing a U.S. defense contractor.\r\nChafer alert and sanctions\r\nIn a separate announcement, the FBI has also issued a new cyber security advisory about an Iranian company called Rana Intelligence Computing Company, which it says is a front for the Chafer (aka APT39) cyber espionage group, which is linked to the Iranian Ministry of Intelligence and Security (MOIS). The FBI said Rana had systematically targeted and monitored Iranian citizens, dissidents, and journalists, along with government networks of Iran’s neighboring countries, and foreign organizations in the travel, academic, and telecommunications sectors.\r\nSimultaneously, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on Rana, Chafer, and a number of named individuals who work for MOIS.\r\nChafer has been active since at least July 2014, and its activities were first exposed by Symantec in December 2015, when it was found to be conducting targeted surveillance of domestic and international targets.\r\nIn 2018 Symantec observed it mounting a number of ambitious new attacks, including the compromise of a major telecoms services provider in the Middle East.\r\nIncreased pressure\r\nState-sponsored espionage actors appear to be firmly in the sights of the U.S. 
Justice and Treasury Departments. These indictments and sanctions may generate an unwelcome amount of publicity and disruption for groups that may have believed they were operating with a degree of anonymity.\r\nProtection/Mitigation\r\nSymantec has the following protection in place to protect customers against Elfin attacks:\r\nFile-based protection\r\nBackdoor.Notestuk\r\nTrojan.Stonedrill\r\nBackdoor.Remvio\r\nBackdoor.Breut\r\nTrojan.Quasar\r\nBackdoor.Patpoopy\r\nTrojan.Nancrat\r\nTrojan.Netweird.B\r\nExp.CVE-2018-20250\r\nSecurityRisk.LaZagne\r\nHacktool.Mimikatz\r\nSniffPass\r\nSymantec has the following protection in place to protect customers against Chafer attacks:\r\nFile-based protection\r\nBackdoor.Remexi\r\nBackdoor.Remexi.B\r\nHacktool.Mimikatz\r\nPwdump\r\nIPS: network-based protection\r\nSystem Infected: Backdoor.Remexi Activity\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage"
	],
	"report_names": [
		"elfin-indictments-iran-espionage"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39",
				"Burgundy Sandstorm",
				"Chafer",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33",
				"Elfin",
				"HOLMIUM",
				"MAGNALIUM",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451"
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d",
			"created_at": "2023-01-06T13:46:38.883911Z",
			"updated_at": "2026-04-10T02:00:03.132231Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"COBALT HICKMAN",
				"G0087",
				"Radio Serpens",
				"TA454",
				"ITG07",
				"Burgundy Sandstorm",
				"REMIX KITTEN"
			],
			"source_name": "MISPGALAXY:APT39",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b6155e4-94ec-4909-b908-550afe758ad6",
			"created_at": "2022-10-25T15:50:23.365074Z",
			"updated_at": "2026-04-10T02:00:05.2978Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"APT39",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "MITRE:APT39",
			"tools": [
				"NBTscan",
				"MechaFlounder",
				"Remexi",
				"CrackMapExec",
				"pwdump",
				"Mimikatz",
				"Windows Credential Editor",
				"Cadelspy",
				"PsExec",
				"ASPXSpy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434090,
	"ts_updated_at": 1775792113,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7fa0d59cbc905439b45b74e60cdbbc4a47911590.pdf",
		"text": "https://archive.orkl.eu/7fa0d59cbc905439b45b74e60cdbbc4a47911590.txt",
		"img": "https://archive.orkl.eu/7fa0d59cbc905439b45b74e60cdbbc4a47911590.jpg"
	}
}