Register to stream ATT&CKcon 2.0 October 29-30


APT39 is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities. [1][2]

ID: G0087
Associated Groups: Chafer
Version: 2.0

Associated Group Descriptions

Name Description
Chafer Activities associated with APT39 largely align with a group publicly referred to as Chafer.[1][2]

Techniques Used

Domain ID Name Use
Enterprise T1090 Connection Proxy APT39 used custom tools to create SOCK5 proxies between infected hosts. [1]
Enterprise T1003 Credential Dumping APT39 has used Mimikatz, Ncrack, Windows Credential Editor and ProcDump to dump credentials. [1]
Enterprise T1002 Data Compressed APT39 has used WinRAR and 7-Zip to compress an archive stolen data. [1]
Enterprise T1046 Network Service Scanning APT39 used a custom port scanner known as BLUETORCH [1]
Enterprise T1060 Registry Run Keys / Startup Folder APT39 has maintained persistence using the startup folder. [1]
Enterprise T1076 Remote Desktop Protocol APT39 has been seen using RDP for lateral movement and persistence. [1]
Enterprise T1021 Remote Services APT39 used secure shell (SSH) to move laterally among their targets. [1]
Enterprise T1053 Scheduled Task APT39 has created scheduled tasks. [1]
Enterprise T1064 Scripting APT39 utilized custom scripts to perform internal reconnaissance. [1]
Enterprise T1023 Shortcut Modification APT39 has modified LNK shortcuts. [1]
Enterprise T1045 Software Packing APT39 has repacked a modified version of Mimikatz to thwart anti-virus detection. [1]
Enterprise T1193 Spearphishing Attachment APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims. [1]
Enterprise T1192 Spearphishing Link APT39 leveraged spearphishing emails with malicious links to initially compromise victims. [1]
Enterprise T1016 System Network Configuration Discovery APT39 has used nbtscan to discover vulnerable systems. [1]
Enterprise T1033 System Owner/User Discovery APT39 used Remexi to collect usernames from the system. [2]
Enterprise T1204 User Execution APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment or link. [1]
Enterprise T1078 Valid Accounts APT39 has used stolen credentials to compromise Outlook Web Access (OWA). [1]
Enterprise T1100 Web Shell APT39 has installed ANTAK and ASPXSPY web shells. [1]


ID Name References Techniques
S0073 ASPXSpy [1] Web Shell
S0002 Mimikatz [1] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029 PsExec [1] Service Execution, Windows Admin Shares
S0375 Remexi [2] [3] Application Window Discovery, Clipboard Data, Command-Line Interface, Data Encrypted, Deobfuscate/Decode Files or Information, Exfiltration Over Command and Control Channel, File and Directory Discovery, Input Capture, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Scheduled Task, Screen Capture, Scripting, Standard Application Layer Protocol, Windows Management Instrumentation, Winlogon Helper DLL
S0005 Windows Credential Editor [1] Credential Dumping