APT39 is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities. [1][2]

ID: G0087
Version: 2.0

Associated Group Descriptions

| Name | Description |
|---|---|
| Chafer | Activities associated with APT39 largely align with a group publicly referred to as Chafer.[1][2] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1090 | Connection Proxy | APT39 used custom tools to create SOCKS5 proxies between infected hosts.[1] |
| Enterprise | T1003 | Credential Dumping | APT39 has used Mimikatz, Ncrack, Windows Credential Editor and ProcDump to dump credentials.[1] |
| Enterprise | T1002 | Data Compressed | APT39 has used WinRAR and 7-Zip to compress and archive stolen data.[1] |
| Enterprise | T1046 | Network Service Scanning | APT39 used a custom port scanner known as BLUETORCH.[1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | APT39 has maintained persistence using the startup folder.[1] |
| Enterprise | T1076 | Remote Desktop Protocol | APT39 has been seen using RDP for lateral movement and persistence.[1] |
| Enterprise | T1021 | Remote Services | APT39 used secure shell (SSH) to move laterally among their targets.[1] |
| Enterprise | T1053 | Scheduled Task | APT39 has created scheduled tasks.[1] |
| Enterprise | T1064 | Scripting | APT39 utilized custom scripts to perform internal reconnaissance.[1] |
| Enterprise | T1023 | Shortcut Modification | APT39 has modified LNK shortcuts.[1] |
| Enterprise | T1045 | Software Packing | APT39 has repacked a modified version of Mimikatz to thwart anti-virus detection.[1] |
| Enterprise | T1193 | Spearphishing Attachment | APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.[1] |
| Enterprise | T1192 | Spearphishing Link | APT39 leveraged spearphishing emails with malicious links to initially compromise victims.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | APT39 has used nbtscan to discover vulnerable systems.[1] |
| Enterprise | T1033 | System Owner/User Discovery | APT39 used Remexi to collect usernames from the system.[2] |
| Enterprise | T1204 | User Execution | APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment or link.[1] |
| Enterprise | T1078 | Valid Accounts | APT39 has used stolen credentials to compromise Outlook Web Access (OWA).[1] |
| Enterprise | T1100 | Web Shell | APT39 has installed ANTAK and ASPXSPY web shells.[1] |


Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0073 | ASPXSpy | [1] | Web Shell |
| S0002 | Mimikatz | [1] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection |
| S0029 | PsExec | [1] | Service Execution, Windows Admin Shares |
| S0375 | Remexi | [2][3] | Application Window Discovery, Clipboard Data, Command-Line Interface, Data Encrypted, Deobfuscate/Decode Files or Information, Exfiltration Over Command and Control Channel, File and Directory Discovery, Input Capture, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Scheduled Task, Screen Capture, Scripting, Standard Application Layer Protocol, Windows Management Instrumentation, Winlogon Helper DLL |
| S0005 | Windows Credential Editor | [1] | Credential Dumping |