
Threat Actor Characterization

APT39

ID: 7fa1a9ffe728cecf8ad2ca13632fee0722424
Classification: Cybercrime, State-Sponsored
Threat types: Surveillance, Intrusion, Espionage
Country: Iran UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 40%, Completeness: 36%, Freshness: 50%
Operation zone: UNKNOWN
Aliases: Chafer, ITG07, Re********** (showing 2 of 3 aliases in free preview)
MITRE ATT&CK®

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS. Ref: https://attack.mitre.org/groups/G0087/


Technique | Technique name | Tactics | Evidence
T1003.001 LSASS Memory TA0006
  • LSASS Memory - APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.
T1021.001 Remote Desktop Protocol TA0008
  • Remote Services: Remote Desktop Protocol - APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for management of multiple sessions.
T1021.002 SMB/Windows Admin Shares TA0008
  • Remote Services: SMB/Windows Admin Shares - APT39 has used SMB for lateral movement.
T1021.004 SSH TA0008
  • Remote Services: SSH - APT39 used secure shell (SSH) to move laterally among their targets.
T1027.002 Software Packing TA0005
  • Obfuscated Files or Information: Software Packing - APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.
T1027.013 Encrypted/Encoded File TA0005
  • Obfuscated Files or Information: Encrypted/Encoded File - APT39 has used malware to drop encrypted CAB files.
T1036.005 Match Legitimate Resource Name or Location TA0005
  • Masquerading: Match Legitimate Resource Name or Location - APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking the legitimate McAfee file mfevtps.exe.
T1053.005 Scheduled Task TA0002 TA0003 TA0004
  • Scheduled Task/Job: Scheduled Task - APT39 has created scheduled tasks for persistence.
T1056.001 Keylogging TA0006 TA0009
  • Keylogging - APT39 has used tools for capturing keystrokes.
T1059.001 PowerShell TA0002
  • PowerShell - APT39 has used PowerShell to execute malicious code.
T1059.005 Visual Basic TA0002
  • Visual Basic - APT39 has utilized malicious VBS scripts in malware.
T1059.006 Python TA0002
  • Python - APT39 has used a command line utility and a network scanner written in Python.
T1059.010 AutoHotKey & AutoIT TA0002
  • AutoHotKey & AutoIT - APT39 has utilized AutoIt malware scripts embedded in Microsoft Office documents or malicious links.
T1070.004 File Deletion TA0005
  • Indicator Removal: File Deletion - APT39 has used malware to delete files after they are deployed on a compromised host.
T1071.001 Web Protocols TA0011
  • Application Layer Protocol: Web Protocols - APT39 has used HTTP in communications with C2.
T1071.004 DNS TA0011
  • Application Layer Protocol: DNS - APT39 has used remote access tools that leverage DNS in communications with C2.
T1074.001 Local Data Staging TA0009
  • Data Staged: Local Data Staging - APT39 has utilized tools to aggregate data prior to exfiltration.
T1090.001 Internal Proxy TA0011
  • Proxy: Internal Proxy - APT39 used custom tools to create SOCKS5 and custom protocol proxies between infected hosts.
T1090.002 External Proxy TA0011
  • Proxy: External Proxy - APT39 has used various tools to proxy C2 communications.
T1102.002 Bidirectional Communication TA0011
  • Web Service: Bidirectional Communication - APT39 has communicated with C2 through files uploaded to and downloaded from Dropbox.
T1136.001 Local Account TA0003
  • Create Account: Local Account - APT39 has created accounts on multiple compromised hosts to perform actions within the network.
T1204.001 Malicious Link TA0002
  • User Execution: Malicious Link - APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.
T1204.002 Malicious File TA0002
  • User Execution: Malicious File - APT39 has sent spearphishing emails in an attempt to lure users to open a malicious attachment.
T1505.003 Web Shell TA0003
  • Server Software Component: Web Shell - APT39 has installed ANTAK and ASPXSPY web shells.
T1546.010 AppInit DLLs TA0003 TA0004
  • Event Triggered Execution: AppInit DLLs - APT39 has used malware to set LoadAppInit_DLLs in the Registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows in order to establish persistence.
T1547.001 Registry Run Keys / Startup Folder TA0003 TA0004
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - APT39 has maintained persistence using the startup folder.
T1547.009 Shortcut Modification TA0003 TA0004
  • Boot or Logon Autostart Execution: Shortcut Modification - APT39 has modified LNK shortcuts.
T1553.006 Code Signing Policy Modification TA0005
  • Subvert Trust Controls: Code Signing Policy Modification - APT39 has used malware to turn off the RequireSigned feature, which ensures that only signed DLLs can be run on Windows.
T1560.001 Archive via Utility TA0009
  • Archive Collected Data: Archive via Utility - APT39 has used WinRAR and 7-Zip to compress and archive stolen data.
T1566.001 Spearphishing Attachment TA0001
  • Phishing: Spearphishing Attachment - APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.
T1566.002 Spearphishing Link TA0001
  • Phishing: Spearphishing Link - APT39 leveraged spearphishing emails with malicious links to initially compromise victims.
T1569.002 Service Execution TA0002
  • System Services: Service Execution - APT39 has used post-exploitation tools including RemCom and the Non-Sucking Service Manager (NSSM) to execute processes.
T1588.002 Tool TA0042
  • Obtain Capabilities: Tool - APT39 has modified and used customized versions of publicly available tools like PLINK and Mimikatz.
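The two registry-based techniques in the table (T1546.010 AppInit DLLs and T1553.006 turning off the signing requirement) both leave a footprint under the key named above. The following is an added defender-side check, not code from this profile or from any tool attributed to APT39: it parses a registry export (.reg text) and flags the weakened state. It assumes the value names LoadAppInit_DLLs, AppInit_DLLs and RequireSignedAppInit_DLLs, and treats an absent value as the secure default; the sample export is constructed.

```python
import re

# AppInit key in both the native and the 32-bit (Wow6432Node) registry views
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}; dword -> int, strings unquoted."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):   # new key section
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith("dword:"):
                val = int(val[6:], 16)
            elif len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            result[current][name] = val
    return result

def audit_appinit(reg):
    """Flag LoadAppInit_DLLs=1, a non-empty AppInit_DLLs list, or RequireSignedAppInit_DLLs=0.
    Assumption: an absent value is treated as the secure default (loading off, signing required)."""
    findings = []
    for key in APPINIT_KEYS:
        vals = reg.get(key, {})
        if vals.get("LoadAppInit_DLLs", 0) == 1:
            findings.append((key, "LoadAppInit_DLLs enabled (T1546.010)"))
        if vals.get("AppInit_DLLs", ""):
            findings.append((key, f"AppInit_DLLs set to {vals['AppInit_DLLs']!r}"))
        if vals.get("RequireSignedAppInit_DLLs", 1) == 0:
            findings.append((key, "RequireSignedAppInit_DLLs disabled (T1553.006)"))
    return findings

# Constructed sample export (not from any real host) showing the weakened state described above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\example\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
"""
```

On a live host the same export can be produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" out.reg` and fed to `parse_reg_export`; the three findings it raises on the constructed sample are exactly the registry changes the two table rows describe.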