SYMBOLCOMMON_NAMEaka. SYNONYMS

APT39  (Back to overview)

aka: COBALT HICKMAN, Chafer, G0087, REMIX KITTEN, Radio Serpens, TA454

APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as "Chafer." However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.


Associated Families
apk.rana php.antak ps1.oilrig win.remexi

References
2022-07-18Palo Alto Networks Unit 42Unit 42
Radio Serpens
APT39
2020-12-07Reversing LabsKarlo Zanki
Rana Android Malware Your past catches up, sooner or later...
Rana
2020-07-22ThreatpostTara Seals
OilRig APT Drills into Malware Innovation with Unique Backdoor
OilRig
2020-05-21BitdefenderBogdan Rusu, Liviu Arsene
Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
MimiKatz Remexi
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-01-01SecureworksSecureWorks
COBALT HICKMAN
MimiKatz Remexi APT39
2019-03-04Palo Alto Networks Unit 42Brittany Ash, Robert Falcone
New Python-Based Payload MechaFlounder Used by Chafer
APT39
2019-02-14Twitter (@QW5kcmV3)Andrew Thompson
Tweet on unpacking Remexi payload
Remexi
2019-01-30Kaspersky LabsDenis Legezo
Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities
Remexi APT39
2019-01-29FireEyeAndrew Thompson, Ben Read, Cristiana Brafman-Kittner, Nalani Fraser, Sanaz Yashar, Sarah Hawley, Yuri Rozhansky
APT39: An Iranian Cyber Espionage Group Focused on Personal Information
APT39
2019-01-01MITREMITRE ATT&CK
Group description: APT39
APT39
2018-12-17Twitter (@MJDutch)Justin
Tweet on APT39
OilRig
2018-10-01FireEyeKatie Nickels, Regina Elwell
ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
2018-03-25Vitali Kremez BlogVitali Kremez
Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence
OilRig
2018-02-28SymantecCritical Attack Discovery and Intelligence Team
Chafer: Latest Attacks Reveal Heightened Ambitions
MimiKatz Remexi
2018-02-28SymantecSecurity Response Attack Investigation Team
Chafer: Latest Attacks Reveal Heightened Ambitions
Remexi APT39
2015-12-07SymantecSecurity Response
Iran-based attackers use back door threats to spy on Middle Eastern targets
CadelSpy Remexi Cadelle
2015-12-07SymantecSymantec
Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise
CadelSpy Remexi
2015-12-07SymantecSymantec Security Response
Iran-based attackers use back door threats to spy on Middle Eastern targets
APT39 Cadelle
2015-08-19Github (samratashok)Nikil Mittal
Antak WebShell
ANTAK
2014-06-04Lab of a Penetration TesterNikhil Mittal
Introducing Antak - A webshell which utilizes powershell
ANTAK

Credits: MISP Project