{
	"id": "d31cd083-758a-496e-ab0b-86aa4fdb7b22",
	"created_at": "2026-04-06T03:37:39.764401Z",
	"updated_at": "2026-04-10T03:37:37.113673Z",
	"deleted_at": null,
	"sha1_hash": "bdb13a3bfa4ea900d1925202dc676281bb1600da",
	"title": "Chafer, APT 39 - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81039,
	"plain_text": "Chafer, APT 39 - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 03:31:22 UTC\nAPT group: Chafer, APT 39\nNames\nChafer (Symantec)\nAPT 39 (Mandiant)\nRemix Kitten (CrowdStrike)\nCobalt Hickman (SecureWorks)\nTA454 (Proofpoint)\nITG07 (IBM)\nRadio Serpens (Palo Alto)\nBurgundy Sandstorm (Microsoft)\nG0087 (MITRE)\nCountry Iran\nSponsor State-sponsored, Rana Intelligence Computing Company\nMotivation Information theft and espionage\nFirst seen 2014\nDescription\n(FireEye) APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as “Chafer.” However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39’s targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.\nAPT39’s focus on the telecommunications and travel industries suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or create additional accesses and vectors to facilitate future campaigns. Targeting of government entities suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making. Targeting data supports the belief that APT39’s key mission is to track or monitor targets of interest, collect personal information, including travel itineraries, and gather customer data from telecommunications firms.\nObserved\nSectors: Aviation, Engineering, Government, High-Tech, IT, Shipping and Logistics, Telecommunications, Transportation.\nCountries: Israel, Jordan, Kuwait, Saudi Arabia, Spain, Turkey, UAE, USA and Middle East.\nTools used\nAntak, ASPXSpy, EternalBlue, HTTPTunnel, MechaFlounder, Metasploit, Mimikatz, nbtscan, Non-sucking Service Manager, OilRig, Plink, POWBAT, pwdump, Rana, Remcom, Remexi, SafetyKatz, SEAWEED, UltraVNC, Windows Credentials Editor, Living off the Land and SMB hacking tools.\nOperations performed\n2017\nChafer appears to have been undeterred by its exposure in 2015 and continued to be very active during 2017, using seven new tools, rolling out new infrastructure, and attacking nine new target organizations in the region. The group hit organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey.\nSectors targeted included airlines; aircraft services; software and IT services companies serving the air and sea transport sectors; telecoms services; payroll services; engineering consultancies; and document management software. Outside of the Middle East, Symantec has also found evidence of attacks against one African airline and attempts to compromise an international travel reservations firm.\nFeb 2018\nTurkish Government Targeting\nThis new secondary payload is Python-based and compiled into executable form using the PyInstaller utility. This is the first instance where Unit 42 has identified a Python-based payload used by these operators. We’ve also identified code overlap with OilRig’s Clayslide VBScript but at this time track Chafer and OilRig as separate threat groups. We have named this payload MechaFlounder for tracking purposes.\nAutumn 2018\nSpying on Iran-based foreign diplomatic entities\nThroughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyberespionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyberespionage operation.\n2018\nBitdefender researchers have found attacks conducted by this actor in the Middle East region, dating back to 2018. The campaigns were based on several tools, including “living off the land” tools, which makes attribution difficult, as well as different hacking tools and a custom-built backdoor.\nCounter operations\nSep 2020\nTreasury Sanctions Cyber Actors Backed by Iranian Intelligence Ministry\nInformation\nMITRE ATT\u0026CK Playbook\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d7f937b7-b50b-4022-bca1-9e403ffefe45",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d7f937b7-b50b-4022-bca1-9e403ffefe45"
	],
	"report_names": [
		"showcard.cgi?u=d7f937b7-b50b-4022-bca1-9e403ffefe45"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d",
			"created_at": "2023-01-06T13:46:38.883911Z",
			"updated_at": "2026-04-10T02:00:03.132231Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"COBALT HICKMAN",
				"G0087",
				"Radio Serpens",
				"TA454",
				"ITG07",
				"Burgundy Sandstorm",
				"REMIX KITTEN"
			],
			"source_name": "MISPGALAXY:APT39",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b6155e4-94ec-4909-b908-550afe758ad6",
			"created_at": "2022-10-25T15:50:23.365074Z",
			"updated_at": "2026-04-10T02:00:05.2978Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"APT39",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "MITRE:APT39",
			"tools": [
				"NBTscan",
				"MechaFlounder",
				"Remexi",
				"CrackMapExec",
				"pwdump",
				"Mimikatz",
				"Windows Credential Editor",
				"Cadelspy",
				"PsExec",
				"ASPXSpy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446659,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bdb13a3bfa4ea900d1925202dc676281bb1600da.pdf",
		"text": "https://archive.orkl.eu/bdb13a3bfa4ea900d1925202dc676281bb1600da.txt",
		"img": "https://archive.orkl.eu/bdb13a3bfa4ea900d1925202dc676281bb1600da.jpg"
	}
}