Nation-State Actor

APT39 (Chafer)

Iran • Active since 2014

APT39 is Iran's surveillance-focused hacking group. It breaks into telecom companies and travel agencies to track people, with the aim of learning where Iranian dissidents and opposition figures are traveling.

Overview

APT39 is an Iranian state-sponsored threat group attributed to the Ministry of Intelligence (MOIS). They focus on personal information collection for tracking individuals of interest to the Iranian government.

Also Known As

Chafer, Remix Kitten, Cobalt Hickman, Radio Serpens

Target Industries

Telecommunications, Travel, IT, Government, Aviation

Target Regions

Middle East, United States, Europe, Turkey

Tactics, Techniques & Procedures

  • Spear-phishing
  • Web-based exploitation
  • Credential harvesting
  • Telecom data collection
  • Travel record theft

Known Tools & Malware

SEAWEED, CACHEMONEY, POWBAT, Remexi, Mimikatz

Notable Campaigns

Telecom Network Intrusions (2018-2019)

Infiltrated Middle Eastern telecom providers for surveillance access.

Travel Industry Targeting (2019)

Compromised travel booking systems to track individuals.

MITRE ATT&CK Techniques

T1566.001, T1190, T1003, T1114, T1078

Defense Recommendations

  1. Protect customer travel and personal data
  2. Monitor for credential harvesting
  3. Implement telecom security standards
