Threat Actor Profile
High APT
Description

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)

Confidence Score
90%
Known Aliases
APT39 ITG07 Chafer Remix Kitten
Tags
mitre-attack stix-2.1 intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (53)
T1005 - Data from Local System (Collection)
T1056 - Input Capture (Collection)
T1056.001 - Keylogging (Collection)
T1074.001 - Local Data Staging (Collection)
T1113 - Screen Capture (Collection)
T1115 - Clipboard Data (Collection)
T1560.001 - Archive via Utility (Collection)
T1071.001 - Web Protocols (Command and Control)
T1071.004 - DNS (Command and Control)
T1090.001 - Internal Proxy (Command and Control)
T1090.002 - External Proxy (Command and Control)
T1102.002 - Bidirectional Communication (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1003 - OS Credential Dumping (Credential Access)
T1003.001 - LSASS Memory (Credential Access)
T1110 - Brute Force (Credential Access)
T1555 - Credentials from Password Stores (Credential Access)
T1027.002 - Software Packing (Defense Evasion)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1140 - Deobfuscate/Decode Files or Information (Defense Evasion)
T1197 - BITS Jobs (Defense Evasion)
T1553.006 - Code Signing Policy Modification (Defense Evasion)
T1012 - Query Registry (Discovery)
T1018 - Remote System Discovery (Discovery)
T1033 - System Owner/User Discovery (Discovery)
T1046 - Network Service Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1135 - Network Share Discovery (Discovery)
T1053.005 - Scheduled Task (Execution)
T1059 - Command and Scripting Interpreter (Execution)
T1059.001 - PowerShell (Execution)
T1059.005 - Visual Basic (Execution)
T1059.006 - Python (Execution)
T1059.010 - AutoHotKey & AutoIT (Execution)
T1204.001 - Malicious Link (Execution)
T1204.002 - Malicious File (Execution)
T1569.002 - Service Execution (Execution)
T1041 - Exfiltration Over C2 Channel (Exfiltration)
T1190 - Exploit Public-Facing Application (Initial Access)
T1566.001 - Spearphishing Attachment (Initial Access)
T1566.002 - Spearphishing Link (Initial Access)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1021.002 - SMB/Windows Admin Shares (Lateral Movement)
T1021.004 - SSH (Lateral Movement)
T1136.001 - Local Account (Persistence)
T1505.003 - Web Shell (Persistence)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1547.009 - Shortcut Modification (Persistence)
T1546.010 - AppInit DLLs (Privilege Escalation)
T1588.002 - Tool (Resource Development)
Indicators of Compromise
STIX Data
{'aliases': ['APT39', 'ITG07', 'Chafer', 'Remix Kitten'],
 'created': '2019-02-19T16:01:38.585Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[APT39](https://attack.mitre.org/groups/G0087) is one of '
                'several names for cyber espionage activity conducted by the '
                'Iranian Ministry of Intelligence and Security (MOIS) through '
                'the front company Rana Intelligence Computing since at least '
                '2014. [APT39](https://attack.mitre.org/groups/G0087) has '
                'primarily targeted the travel, hospitality, academic, and '
                'telecommunications industries in Iran and across Asia, '
                'Africa, Europe, and North America to track individuals and '
                'entities considered to be a threat by the MOIS.(Citation: '
                'FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec '
                '2015)(Citation: FBI FLASH APT39 September 2020)(Citation: '
                'Dept. of Treasury Iran Sanctions September 2020)(Citation: '
                'DOJ Iran Indictments September 2020)',
 'external_references': [{'external_id': 'G0087',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0087'},
                         {'description': '(Citation: Crowdstrike GTR2020 Mar '
                                         '2020)',
                          'source_name': 'Remix Kitten'},
                         {'description': '(Citation: FBI FLASH APT39 September '
                                         '2020)(Citation: Dept. of Treasury '
                                         'Iran Sanctions September '
                                         '2020)(Citation: DOJ Iran Indictments '
                                         'September 2020)',
                          'source_name': 'ITG07'},
                         {'description': '(Citation: FireEye APT39 Jan '
                                         '2019)(Citation: FBI FLASH APT39 '
                                         'September 2020)(Citation: Dept. of '
                                         'Treasury Iran Sanctions September '
                                         '2020)(Citation: DOJ Iran Indictments '
                                         'September 2020)',
                          'source_name': 'APT39'},
                         {'description': 'Activities associated with APT39 '
                                         'largely align with a group publicly '
                                         'referred to as Chafer.(Citation: '
                                         'FireEye APT39 Jan 2019)(Citation: '
                                         'Symantec Chafer Dec 2015)(Citation: '
                                         'Dark Reading APT39 JAN '
                                         '2019)(Citation: FBI FLASH APT39 '
                                         'September 2020)(Citation: Dept. of '
                                         'Treasury Iran Sanctions September '
                                         '2020)(Citation: DOJ Iran Indictments '
                                         'September 2020)',
                          'source_name': 'Chafer'},
                         {'description': 'Crowdstrike. (2020, March 2). 2020 '
                                         'Global Threat Report. Retrieved '
                                         'December 11, 2020.',
                          'source_name': 'Crowdstrike GTR2020 Mar 2020',
                          'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'},
                         {'description': 'Dept. of Treasury. (2020, September '
                                         '17). Treasury Sanctions Cyber Actors '
                                         'Backed by Iranian Intelligence. '
                                         'Retrieved December 10, 2020.',
                          'source_name': 'Dept. of Treasury Iran Sanctions '
                                         'September 2020',
                          'url': 'https://home.treasury.gov/news/press-releases/sm1127'},
                         {'description': 'DOJ. (2020, September 17). '
                                         'Department of Justice and Partner '
                                         'Departments and Agencies Conduct '
                                         'Coordinated Actions to Disrupt and '
                                         'Deter Iranian Malicious Cyber '
                                         'Activities Targeting the United '
                                         'States and the Broader International '
                                         'Community. Retrieved December 10, '
                                         '2020.',
                          'source_name': 'DOJ Iran Indictments September 2020',
                          'url': 'https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt'},
                         {'description': 'FBI. (2020, September 17). '
                                         'Indicators of Compromise Associated '
                                         'with Rana Intelligence Computing, '
                                         'also known as Advanced Persistent '
                                         'Threat 39, Chafer, Cadelspy, Remexi, '
                                         'and ITG07. Retrieved December 10, '
                                         '2020.',
                          'source_name': 'FBI FLASH APT39 September 2020',
                          'url': 'https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf'},
                         {'description': 'Hawley et al. (2019, January 29). '
                                         'APT39: An Iranian Cyber Espionage '
                                         'Group Focused on Personal '
                                         'Information. Retrieved February 19, '
                                         '2019.',
                          'source_name': 'FireEye APT39 Jan 2019',
                          'url': 'https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html'},
                         {'description': 'Higgins, K. (2019, January 30). Iran '
                                         'Ups its Traditional Cyber Espionage '
                                         'Tradecraft. Retrieved May 22, 2020.',
                          'source_name': 'Dark Reading APT39 JAN 2019',
                          'url': 'https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764'},
                         {'description': 'Symantec Security Response. (2015, '
                                         'December 7). Iran-based attackers '
                                         'use back door threats to spy on '
                                         'Middle Eastern targets. Retrieved '
                                         'April 17, 2019.',
                          'source_name': 'Symantec Chafer Dec 2015',
                          'url': 'https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets'}],
 'id': 'intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80',
 'modified': '2024-04-11T02:59:52.392Z',
 'name': 'APT39',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '3.2'}