The sub-techniques beta is now live! Read the release blog post for more info.


APT39 is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities. [1][2]

ID: G0087
Associated Groups: Chafer
Version: 2.0
Created: 19 February 2019
Last Modified: 29 April 2019

Associated Group Descriptions

Name Description
Chafer Activities associated with APT39 largely align with a group publicly referred to as Chafer.[1][2]

Techniques Used

Domain ID Name Use
Enterprise T1090 Connection Proxy

APT39 used custom tools to create SOCK5 proxies between infected hosts.[1]

Enterprise T1003 Credential Dumping

APT39 has used Mimikatz, Ncrack, Windows Credential Editor and ProcDump to dump credentials.[1]

Enterprise T1002 Data Compressed

APT39 has used WinRAR and 7-Zip to compress an archive stolen data.[1]

Enterprise T1046 Network Service Scanning

APT39 used a custom port scanner known as BLUETORCH[1]

Enterprise T1060 Registry Run Keys / Startup Folder

APT39 has maintained persistence using the startup folder.[1]

Enterprise T1076 Remote Desktop Protocol

APT39 has been seen using RDP for lateral movement and persistence.[1]

Enterprise T1021 Remote Services

APT39 used secure shell (SSH) to move laterally among their targets.[1]

Enterprise T1053 Scheduled Task

APT39 has created scheduled tasks.[1]

Enterprise T1064 Scripting

APT39 utilized custom scripts to perform internal reconnaissance.[1]

Enterprise T1023 Shortcut Modification

APT39 has modified LNK shortcuts.[1]

Enterprise T1045 Software Packing

APT39 has repacked a modified version of Mimikatz to thwart anti-virus detection.[1]

Enterprise T1193 Spearphishing Attachment

APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.[1]

Enterprise T1192 Spearphishing Link

APT39 leveraged spearphishing emails with malicious links to initially compromise victims.[1]

Enterprise T1016 System Network Configuration Discovery

APT39 has used nbtscan to discover vulnerable systems.[1]

Enterprise T1033 System Owner/User Discovery

APT39 used Remexi to collect usernames from the system.[2]

Enterprise T1204 User Execution

APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment or link.[1]

Enterprise T1078 Valid Accounts

APT39 has used stolen credentials to compromise Outlook Web Access (OWA).[1]

Enterprise T1100 Web Shell

APT39 has installed ANTAK and ASPXSPY web shells.[1]


ID Name References Techniques
S0073 ASPXSpy [1] Web Shell
S0002 Mimikatz [1] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029 PsExec [1] Service Execution, Windows Admin Shares
S0375 Remexi [2] [3] Application Window Discovery, Clipboard Data, Command-Line Interface, Data Encrypted, Deobfuscate/Decode Files or Information, Exfiltration Over Command and Control Channel, File and Directory Discovery, Input Capture, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Scheduled Task, Screen Capture, Scripting, Standard Application Layer Protocol, Windows Management Instrumentation, Winlogon Helper DLL
S0005 Windows Credential Editor [1] Credential Dumping