| SYMBOL | COMMON_NAME | aka. SYNONYMS |
APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as "Chafer." However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.
| 2020-12-07 ⋅ Reversing Labs ⋅ Rana Android Malware Your past catches up, sooner or later... Rana |
| 2020-07-22 ⋅ Threatpost ⋅ OilRig APT Drills into Malware Innovation with Unique Backdoor OilRig |
| 2020-05-21 ⋅ Bitdefender ⋅ Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia MimiKatz Remexi |
| 2020-03-04 ⋅ CrowdStrike ⋅ 2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
| 2020 ⋅ Secureworks ⋅ COBALT HICKMAN MimiKatz Remexi APT39 |
| 2019-03-04 ⋅ Palo Alto Networks Unit 42 ⋅ New Python-Based Payload MechaFlounder Used by Chafer APT39 |
| 2019-02-14 ⋅ Twitter (@QW5kcmV3) ⋅ Tweet on unpacking Remexi payload Remexi |
| 2019-01-30 ⋅ Kaspersky Labs ⋅ Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities Remexi APT39 |
| 2019-01-29 ⋅ FireEye ⋅ APT39: An Iranian Cyber Espionage Group Focused on Personal Information APT39 |
| 2019 ⋅ MITRE ⋅ Group description: APT39 APT39 |
| 2018-12-17 ⋅ Twitter (@MJDutch) ⋅ Tweet on APT39 OilRig |
| 2018-10-01 ⋅ FireEye ⋅ ATT&CKing FIN7 Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot |
| 2018-03-25 ⋅ Vitali Kremez Blog ⋅ Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence OilRig |
| 2018-02-28 ⋅ Symantec ⋅ Chafer: Latest Attacks Reveal Heightened Ambitions Remexi APT39 |
| 2018-02-28 ⋅ Symantec ⋅ Chafer: Latest Attacks Reveal Heightened Ambitions MimiKatz Remexi |
| 2015-12-07 ⋅ Symantec ⋅ Iran-based attackers use back door threats to spy on Middle Eastern targets APT39 Cadelle |
| 2015-12-07 ⋅ Symantec ⋅ Iran-based attackers use back door threats to spy on Middle Eastern targets CadelSpy Remexi Cadelle |
| 2015-12-07 ⋅ Symantec ⋅ Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise CadelSpy Remexi |
| 2015-08-19 ⋅ Github (samratashok) ⋅ Antak WebShell ANTAK |
| 2014-06-04 ⋅ Lab of a Penetration Tester ⋅ Introducing Antak - A webshell which utilizes powershell ANTAK |