{
	"id": "4b9c0482-696b-41ea-8366-8fb964a9797a",
	"created_at": "2026-04-06T00:21:01.794438Z",
	"updated_at": "2026-04-10T03:37:55.859191Z",
	"deleted_at": null,
	"sha1_hash": "bbcb0de32d2d6f8af74374e92361e405540dcdd7",
	"title": "Iran-based attackers use back door threats to spy on Middle Eastern targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 320664,
	"plain_text": "Iran-based attackers use back door threats to spy on Middle Eastern targets\r\nPublished: 2015-12-07 · Archived: 2026-04-05 23:35:45 UTC\r\nTwo teams of Iran-based attackers have been using back door threats to conduct targeted surveillance of domestic and international targets. While the groups are heavily targeting individuals located in Iran, they’ve also compromised airlines and telecom providers in the Middle East region, possibly in an attempt to monitor targets’ movements and communications.\r\nThe attackers are part of two separate groups that have a shared interest in targets. One group, which we call Cadelle, uses Backdoor.Cadelspy, while the other, which we’ve named Chafer, uses Backdoor.Remexi and Backdoor.Remexi.B. These threats are capable of opening a back door and stealing information from victims’ computers.\r\nThe Cadelle and Chafer groups\r\nSymantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014; however, it’s likely that activity began well before this date. Command-and-control (C\u0026C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.\r\nThe back door threats that the groups use appear to be custom made. It’s unclear how Cadelle infects its targets with Backdoor.Cadelspy. However, Chafer has been observed compromising web servers, likely through SQL injection attacks, to drop Backdoor.Remexi onto victims’ computers. Chafer then uses Remexi to gather user names and passwords to help it spread further across the network.\r\nhttps://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets\r\nPage 1 of 6\r\nThere is evidence to suggest that the two teams may be connected in some way, though we cannot confirm this. A number of computers experienced both Cadelspy and Remexi infections within a small time window. In one instance, a computer was compromised with Backdoor.Cadelspy just minutes after being infected with Backdoor.Remexi. The Cadelle and Chafer groups also keep the same working hours and focus on similar targets. However, no sharing of C\u0026C infrastructure between the teams has been observed.\r\nIf Cadelle and Chafer are not directly linked, then they may be separately working for a single entity. Their victim profile may be of interest to a nation state.\r\nThe victims\r\nData from Cadelle’s C\u0026C servers shows that a large number of Backdoor.Cadelspy infections affected individual users of Iranian internet service providers (ISPs) and hosting services. This suggests that the majority of victims are based in Iran. There was also a significant number of individual targets that used anonymous proxy services to go online. Reports have shown that many Iranians use these services to access sites that are blocked by the government’s internet censorship measures. Dissidents, activists, and researchers in the region may use these proxies in an attempt to keep their online activities private.\r\nFigure 1. Backdoor.Cadelspy infections by region\r\nIn terms of targeted organizations, both Cadelle and Chafer seem to be interested in a similar category of organizations, such as airlines and telecom companies. The affected organizations we were able to identify are mostly based in the Middle East region in countries such as Saudi Arabia and Afghanistan, while one organization is located in the US.\r\nFigure 2. Number of unique organizations hit with Backdoor.Cadelspy and Backdoor.Remexi from July 2014 to October 2015\r\nOur telemetry shows that among more than a dozen entities that experienced Cadelspy and Remexi infections, four of them were compromised with both of the threats at some stage. In most instances, victim computers were infected with either Backdoor.Cadelspy or Backdoor.Remexi, not both. Less than five percent of computers were infected with both malware families. In one affected organization, there was intermittent activity between the threats over ten months. A combined total of 60 computers were compromised in another organization for almost a year.\r\nThe malware’s activity on victim computers appears to depend on the targets. One computer that was infected with both Cadelspy and Remexi was a system that ran a SIM card editing application. Other compromised computers included those belonging to web developers, as well as file and database servers.\r\nThe nature of the victims suggests that Cadelle and Chafer are primarily interested in tracking individuals in terms of their movements and communications. Compromising regional telcos and airlines can help the attackers achieve this aim.\r\nBased in Iran?\r\nThere are a number of factors in these groups’ campaigns that suggest that the attackers may be based in Iran. Cadelle and Chafer are most active during the daytime within Iran’s time zone and primarily operate during Iran’s business week (Saturday through Thursday).\r\nFigure 3. Cadelle and Chafer’s activity levels by hour in Iran’s time zone (UTC +3.5)\r\nAdditionally, Symantec observed that Backdoor.Cadelspy’s file strings seem to include dates written in the Solar Hijri calendar, which is used in Iran and Afghanistan. While the Gregorian calendar marks the current year as 2015, the Solar Hijri calendar states that it is 1394. When we converted the dates in the file strings from the Solar Hijri calendar to the Gregorian one, we found that they were close to the compilation times of the executables and also close to when Cadelle’s targets were initially compromised.\r\nBased on our analysis, we believe that Cadelle and Chafer’s victims are most likely to be of interest to an Iranian entity. Cadelle and Chafer are by no means the first Iran-based attack groups to appear. Other groups attributed to Iranian attackers, such as Rocket Kitten, have targeted Iranian individuals in the past, including anonymous proxy users, researchers, journalists, and dissidents. Backdoor.Remexi activity in particular is reminiscent of Operation Cleaver, as documented by Cylance, and may possibly be a continuation of that activity.\r\nCadelle and Chafer’s malware\r\nThe groups use one malware family each to open a back door and steal information from the compromised computer. Cadelle uses Backdoor.Cadelspy while Chafer operates with Backdoor.Remexi and Backdoor.Remexi.B.\r\nCadelspy initially arrives on the computer as a dropper, which downloads two installer components catering to whether the victim is running a 32-bit or 64-bit system. The dropper then executes the appropriate installer, which launches Cadelspy’s malicious payload and allows it to run whenever any Windows program is executed.\r\nCadelspy’s main payload contains its back door functionality, allowing the threat to carry out the following activities:\r\nLog keystrokes and the titles of open windows\r\nGather clipboard data and system information\r\nSteal printer information and any documents that were sent to be printed\r\nRecord audio\r\nCapture screenshots and webcam photos\r\nCadelspy compresses all of the stolen data into a .cab file and uploads it to the attacker’s C\u0026C servers. The threat is also able to update its configuration file to gain additional features.\r\nMeanwhile, Chafer’s threat Remexi contains fewer features than Cadelle’s Cadelspy does. Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands. Though this is unsophisticated, a remote shell does provide a highly flexible and powerful means of remote access in the hands of a skilled attacker.\r\nMitigation\r\nCadelle and Chafer’s activities show that attack groups don’t need advanced skills to conduct effective targeted espionage against victims. The two groups’ threats have managed to remain on their targets’ computers for almost a year, potentially giving the attackers access to an enormous amount of sensitive information. They’re also aware that they don’t only have to directly attack the individuals, as they can get to their victims by compromising the services that they use, such as airlines and telcos.\r\nBoth Cadelle and Chafer are still active today and we don’t expect to see them end their activities any time soon. Individuals and organizations wishing to avoid being compromised by these teams should adhere to the following advice:\r\nEnsure that software on computers and servers is being regularly updated to prevent known vulnerabilities from being exploited\r\nTreat unsolicited emails with suspicion. Targeted attacks frequently distribute malware through malicious links and attachments in emails.\r\nKeep security software up-to-date with the latest definitions\r\nProtection\r\nNorton Security, Symantec Endpoint Protection, and other Symantec security products protect users against these threats through the following detections:\r\nAV\r\nBackdoor.Cadelspy\r\nBackdoor.Remexi\r\nBackdoor.Remexi.B\r\nIPS\r\nSystem Infected: Backdoor.Cadelspy Activity 2\r\nSystem Infected: Backdoor.Remexi Activity\r\nIndicators of compromise\r\nWe have also compiled an indicators-of-compromise document containing further details which can be used to help identify the threats if they are present in your environment.\r\nSource: https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
	],
	"report_names": [
		"iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39",
				"Burgundy Sandstorm",
				"Chafer",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5d57e839-da14-44ab-b0dc-3a090f45ac4c",
			"created_at": "2022-10-25T16:07:23.42967Z",
			"updated_at": "2026-04-10T02:00:04.595465Z",
			"deleted_at": null,
			"main_name": "Cadelle",
			"aliases": [],
			"source_name": "ETDA:Cadelle",
			"tools": [
				"Antak",
				"Cadelle",
				"Cadelspy",
				"WinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "49f1ada0-181f-4e89-a449-e6bc13c8c6b1",
			"created_at": "2022-10-25T15:50:23.561511Z",
			"updated_at": "2026-04-10T02:00:05.382592Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"Threat Group 2889",
				"TG-2889"
			],
			"source_name": "MITRE:Cleaver",
			"tools": [
				"Net Crawler",
				"PsExec",
				"TinyZBot",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1ba5f718-ad64-492c-8a95-e21a46516d22",
			"created_at": "2023-01-06T13:46:38.524357Z",
			"updated_at": "2026-04-10T02:00:03.011902Z",
			"deleted_at": null,
			"main_name": "Cadelle",
			"aliases": [],
			"source_name": "MISPGALAXY:Cadelle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "217c588a-5896-4335-b9ec-a516ae2f9a7e",
			"created_at": "2022-10-25T16:07:23.513775Z",
			"updated_at": "2026-04-10T02:00:04.635263Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"Cutting Kitten",
				"G0003",
				"Operation Cleaver",
				"TG-2889"
			],
			"source_name": "ETDA:Cutting Kitten",
			"tools": [
				"CsExt",
				"DistTrack",
				"IvizTech",
				"Jasus",
				"KAgent",
				"Logger Module",
				"MANGOPUNCH",
				"MPK",
				"MPKBot",
				"Net Crawler",
				"NetC",
				"PVZ-In",
				"PVZ-Out",
				"Pupy",
				"PupyRAT",
				"PvzOut",
				"Shamoon",
				"SynFlooder",
				"SysKit",
				"TinyZBot",
				"WndTest",
				"pupy",
				"zhCat",
				"zhMimikatz"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434861,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bbcb0de32d2d6f8af74374e92361e405540dcdd7.pdf",
		"text": "https://archive.orkl.eu/bbcb0de32d2d6f8af74374e92361e405540dcdd7.txt",
		"img": "https://archive.orkl.eu/bbcb0de32d2d6f8af74374e92361e405540dcdd7.jpg"
	}
}