> threat_actor APT39 —— origin: Iran (MOIS) —— sector: travel, telecoms, hospitality —— objective: surveillance
APT39 — also tracked as Chafer, Remix Kitten, and ITG07 — is an Iranian cyber espionage group assessed with high confidence to operate on behalf of Iran's Ministry of Intelligence and Security (MOIS). First publicly identified by FireEye (now Mandiant) in 2019 with activity dating back to at least 2014, APT39 occupies a distinctive niche in Iran's cyber operations: where other Iranian groups focus on destructive attacks, intellectual property theft, or regional geopolitical disruption, APT39's primary objective is the collection of personal information that supports physical surveillance and tracking of individuals.
This makes APT39 unusual. Their targets are not chosen for their economic value or strategic military significance. They are chosen because they hold data about people — travel itineraries, booking records, call detail records, passport information, hotel reservations, and telecommunications metadata. The group compromises the organisations that process this data — airlines, travel agencies, telecommunications providers, hospitality companies, and government immigration systems — to build a surveillance capability that tracks the movements and communications of specific individuals of interest to the Iranian state.
Understanding APT39 matters for penetration testers and defenders because their tactics, techniques, and procedures (TTPs) are well-documented, their targeting is predictable, and their operational patterns illustrate how a patient, well-resourced adversary conducts long-term espionage operations against sectors that often underestimate their attractiveness as intelligence targets.
Attribution of APT39 to the Iranian government is supported by multiple independent sources. In September 2020, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned an Iranian front company — Rana Intelligence Computing Company — and 45 associated individuals, explicitly linking Rana to MOIS and to the cyber operations tracked as APT39. The FBI simultaneously released a detailed technical advisory identifying malware tools and infrastructure tied to Rana's operations.
| Attribute | Detail |
|---|---|
| Tracked Names | APT39 (Mandiant), Chafer (Symantec), Remix Kitten (CrowdStrike), ITG07 (IBM X-Force), Rana Intelligence Computing Company (US Treasury/FBI) |
| State Sponsor | Islamic Republic of Iran — Ministry of Intelligence and Security (MOIS). Distinct from IRGC-affiliated groups such as APT33 (Elfin) and APT35 (Charming Kitten) which report to the Islamic Revolutionary Guard Corps. |
| Active Since | At least 2014, with some infrastructure artefacts suggesting earlier operations. Continued activity observed through 2024. |
| Primary Objective | Collection of personally identifiable information (PII) — travel records, communication metadata, identity documents — to support surveillance and tracking of individuals deemed threats to the Iranian regime. Targets include Iranian dissidents, journalists, activists, foreign diplomats, and defence sector personnel. |
| Operational Tempo | Persistent and patient. Operations against individual targets have been sustained for months to years. Infrastructure is maintained and rotated methodically. The group does not rush — they establish access and maintain it. |
| Relationship to Other Iranian Groups | Shares some tooling and infrastructure with APT34 (OilRig), but maintains distinct operations, targeting, and command structure. The overlap likely reflects shared development resources within the MOIS ecosystem rather than operational coordination. |
APT39's target selection directly reflects their intelligence collection mission. Every confirmed target sector holds data that would support the surveillance and tracking of individuals. The group's operations have been observed across the Middle East, Europe, North America, and South Asia — wherever organisations process data relevant to their collection requirements.
| Target Sector | Data of Interest | Observed Targeting |
|---|---|---|
| Telecommunications | Call detail records (CDRs), subscriber information, cell tower location data, SMS metadata, IP session logs. CDRs alone reveal who communicates with whom, when, for how long, and from where. | Multiple telco operators in the Middle East and South Asia compromised. Long-duration access maintained — in some cases for over a year — enabling continuous extraction of CDRs for targeted phone numbers. |
| Travel and Aviation | Passenger name records (PNRs), flight manifests, booking systems, frequent flyer databases, passport scans. PNR data reveals planned travel before it occurs — enabling pre-positioning of surveillance assets. | Airlines and travel agencies in the Middle East and Europe. Reservation systems accessed to extract upcoming itineraries for specific individuals. |
| Hospitality | Hotel reservation systems, guest registration data, loyalty programme records, payment information linked to identity documents. | Hotel chains with properties in the Middle East. Reservation databases queried for specific guest names and dates. |
| Government — Immigration and Customs | Border crossing records, visa applications, passport databases, entry/exit logs. | Immigration authorities in Middle Eastern countries. Access to border systems provides confirmation of actual travel movements. |
| Information Technology | Managed service providers and IT firms that administer systems for organisations in the above sectors. Compromising the IT provider grants access to the clients they serve. | IT service companies in the Middle East. Supply chain access providing indirect routes to travel and telecoms targets. |
Organisations in these sectors often do not consider themselves high-value intelligence targets. An airline's security team focuses on fraud, data protection, and payment card compliance — not state-sponsored espionage. A regional telecoms provider may assume nation-state threats target larger carriers. APT39's operations demonstrate that any organisation holding PII data relevant to a state's surveillance requirements is a target, regardless of size, profile, or geography.
APT39's initial access techniques are effective rather than sophisticated. They rely on proven methods — spear-phishing and exploitation of public-facing applications — executed with patience and operational discipline. The group invests more effort in persistence and data collection than in novel exploitation, which reflects a mature operational mindset: use what works reliably and save complexity for where it is needed.
| Technique | MITRE ATT&CK | Implementation |
|---|---|---|
| Spear-Phishing with Attachments | T1566.001 | Targeted emails with malicious attachments — typically macro-enabled Office documents or documents exploiting known vulnerabilities (e.g., CVE-2017-11882, the Equation Editor vulnerability). Lures are tailored to the target sector: fake travel itineraries for airline staff, conference invitations for telecoms engineers, regulatory notices for government officials. The group registers lookalike domains for sender addresses. |
| Spear-Phishing with Links | T1566.002 | Emails directing targets to credential harvesting pages mimicking webmail portals (Outlook Web Access, Gmail), HR systems, or industry-specific platforms. Harvested credentials are used for initial access to corporate email and VPN — legitimate entry points that bypass perimeter security entirely. |
| Exploitation of Public-Facing Applications | T1190 | Exploitation of vulnerabilities in internet-facing infrastructure — web servers, VPN appliances, and mail servers. Observed exploitation of CVE-2019-0604 (SharePoint), vulnerabilities in Pulse Secure VPN (CVE-2019-11510), and various web application vulnerabilities. These provide direct access to internal networks without requiring user interaction. |
| Valid Accounts | T1078 | Use of credentials obtained through phishing, credential stuffing from public breaches, or purchased from initial access brokers. Legitimate credentials provide the stealthiest initial access — the logon appears normal to every security control. |
APT39 employs a mix of custom malware, modified open-source tools, and legitimate system utilities. Their custom tools are functional rather than elegant — designed for reliability and stealth over sophistication. The group's willingness to use publicly available tools alongside custom malware makes attribution harder and detection more dependent on behavioural analysis than signature matching.
| Tool | Type | Purpose |
|---|---|---|
| SEAWEED (Remexi) | Custom backdoor | APT39's primary implant. Provides remote shell access, file upload/download, screenshot capture, keylogging, and browser credential harvesting. Communicates with C2 infrastructure over HTTP/HTTPS. Variants observed with evolving obfuscation and anti-analysis features. Persistence via registry Run keys or scheduled tasks. |
| POWBAT | Custom PowerShell backdoor | PowerShell-based backdoor used for initial post-exploitation. Supports command execution, file transfer, and reconnaissance. Delivered via spear-phishing documents. Often used as a first-stage implant before deploying SEAWEED for persistent access. |
| MECHAFLOUNDER | Custom Python-based backdoor | Python RAT compiled into a Windows executable. Provides command execution, file management, and data exfiltration. Used against targets where Python runtime is available or where the compiled executable avoids detection better than PowerShell-based alternatives. |
| Mimikatz | Public tool (credential theft) | Used for credential harvesting from LSASS memory — extracting NTLM hashes, Kerberos tickets, and sometimes plaintext credentials. Enables lateral movement via Pass-the-Hash and Pass-the-Ticket techniques. Frequently observed in APT39 post-exploitation. |
| PsExec / RemCom | Public tools (lateral movement) | Used for remote command execution across the target network. PsExec for Windows-native lateral movement, RemCom as an open-source alternative that avoids Sysinternals licensing indicators. Both tools authenticate via SMB and create remote services. |
| NBTScan / Port Scanners | Public tools (reconnaissance) | Network discovery and enumeration tools used post-compromise to map the internal environment. Identify active hosts, shares, domain controllers, and services relevant to the data collection objective. |
| Web Shells | Custom and public (persistence) | ASP, ASPX, and PHP web shells deployed on compromised web servers for persistent access. Provide a fallback access mechanism if primary C2 channels are disrupted. Often placed in directories that survive application updates. |
| Living-off-the-Land Binaries | System utilities | Extensive use of legitimate Windows tools — PowerShell, certutil (for file transfer), BITSAdmin (for download), schtasks (for persistence), reg.exe (for credential extraction). These tools are present on every Windows system, trusted by security products, and blend with normal administrative activity. |
APT39's post-compromise behaviour is methodical and patient. The group follows a consistent operational pattern: establish persistence, conduct internal reconnaissance, escalate privileges, move laterally toward data repositories, and then systematically extract the data they came for. Operations against individual targets have been sustained for months, with the group maintaining access even through security incidents and partial remediation.
The patience of this operational tempo is the defining characteristic. APT39 does not smash and grab. They establish persistent access, carefully identify the specific data repositories that serve their intelligence requirements, and then conduct sustained, low-volume extraction that is designed to blend with normal database activity. A single SQL query returning fifty records does not trigger volume-based data loss prevention alerts. Repeated daily over six months, it yields nine thousand records.
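The arithmetic above turned into a detection rule, as an added example that is not part of the original article: it assumes a database audit log exported as records of (timestamp, principal, source host, table, rows returned), with constructed sample traffic, and it sums rows per source over a rolling window against a learned baseline, which flags fifty rows a night where a per-query threshold stays silent.

```python
"""Low-and-slow extraction detection over a database audit log.

Per-query volume rules never see fifty rows a night. Summing rows per
(principal, source host, table) over a rolling window and comparing that
against a baseline learned from earlier traffic does. Field layout and
sample values are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PER_QUERY_LIMIT = 1000          # the classic volume rule, kept for contrast
WINDOW = timedelta(days=30)     # rolling window for cumulative volume
BASELINE_DAYS = 30              # first N days of the log define "normal"
MULTIPLIER = 3.0                # alert when window volume > 3x baseline
NEW_SOURCE_FLOOR = 200          # rows before an unbaselined source is reported
SENSITIVE_TABLES = {"pnr", "cdr", "guest_registration"}


def build_sample_log(days=180):
    """Constructed audit log: the web tier does single-row PNR lookups during
    business hours; from day 40 the same service account is reused from a
    jump host to pull 50 PNR rows at 02:13 every night."""
    start = datetime(2024, 1, 1)
    log = []
    for day in range(days):
        d = start + timedelta(days=day)
        for hour in range(8, 20):
            log.append((d.replace(hour=hour), "svc_booking", "web01", "pnr", 1))
        if day >= 40:
            log.append((d.replace(hour=2, minute=13), "svc_booking", "jump01", "pnr", 50))
    return sorted(log)


def detect_extraction(log):
    """Return alerts as (date, principal, host, table, rows, reason)."""
    baseline_end = log[0][0] + timedelta(days=BASELINE_DAYS)
    baseline = defaultdict(int)          # rows per source in the baseline period
    for ts, who, host, table, rows in log:
        if ts < baseline_end and table in SENSITIVE_TABLES:
            baseline[(who, host, table)] += rows
    alerts, recent, reported = [], defaultdict(list), set()
    for ts, who, host, table, rows in log:
        if table not in SENSITIVE_TABLES or ts < baseline_end:
            continue
        key = (who, host, table)
        if rows > PER_QUERY_LIMIT:
            alerts.append((ts.date(), who, host, table, rows, "bulk_query"))
        bucket = recent[key]
        bucket.append((ts, rows))
        while bucket and bucket[0][0] < ts - WINDOW:   # expire old entries
            bucket.pop(0)
        total = sum(r for _, r in bucket)
        if key in baseline:
            reason = "volume_over_baseline" if total > MULTIPLIER * baseline[key] else None
        else:
            reason = "unbaselined_source" if total >= NEW_SOURCE_FLOOR else None
        if reason and key not in reported:               # one alert per source
            reported.add(key)
            alerts.append((ts.date(), who, host, table, total, reason))
    return alerts
```

In the sample, no single statement ever returns more than 50 rows, so the bulk rule never fires; the unbaselined jump host is reported on its fourth night.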
Mapping APT39's known techniques to the MITRE ATT&CK framework provides a structured view of their operational capabilities and — critically — identifies the detection opportunities at each phase. Defenders who instrument their environments against these specific techniques significantly increase the probability of detecting APT39 operations early in the kill chain.
| Tactic | Techniques Observed | Detection Opportunity |
|---|---|---|
| Initial Access | T1566.001 Spear-Phishing Attachment, T1566.002 Spear-Phishing Link, T1190 Exploit Public-Facing Application, T1078 Valid Accounts | Email gateway analysis for malicious attachments and credential harvesting links. VPN and webmail authentication monitoring for anomalous logons (unusual geography, time, device). |
| Execution | T1059.001 PowerShell, T1059.003 Windows Command Shell, T1059.006 Python, T1204.002 Malicious File | PowerShell script block logging (Event ID 4104). Command line auditing (Event ID 4688 with process creation). Suspicious parent-child process relationships (e.g., Word spawning PowerShell). |
| Persistence | T1547.001 Registry Run Keys, T1053.005 Scheduled Tasks, T1505.003 Web Shell | Registry monitoring for Run/RunOnce modifications. Scheduled task creation events (Event ID 4698). File integrity monitoring on web server directories. |
| Credential Access | T1003.001 LSASS Memory (Mimikatz), T1003.003 NTDS.dit, T1110 Brute Force, T1056.001 Keylogging | LSASS access monitoring (Sysmon Event ID 10). DCSync detection (Event ID 4662 with replication GUIDs). Failed authentication spike detection. |
| Lateral Movement | T1021.002 SMB/Windows Admin Shares, T1021.001 RDP, T1550.002 Pass-the-Hash | Service creation events (Event ID 7045) for PsExec indicators. NTLM authentication anomalies. RDP logons from unexpected source hosts. |
| Collection | T1005 Data from Local System, T1114 Email Collection, T1560.001 Archive via Utility | Large file creation in staging directories. Unusual database query patterns (volume, time of day, queried tables). Email forwarding rule creation. |
| Exfiltration | T1041 Exfiltration Over C2 Channel, T1048 Exfiltration Over Alternative Protocol | Unusual outbound data volumes to uncategorised domains. HTTPS connections to recently registered domains. DNS query anomalies. |
APT39's command and control infrastructure follows patterns common to Iranian cyber operations, with some distinctive characteristics. Understanding these patterns supports both proactive threat hunting and incident response when investigating potential APT39 activity.
Detecting APT39 requires moving beyond signature-based detection toward behavioural analysis and anomaly identification. Their use of legitimate tools, custom malware with evolving signatures, and patient operational tempo means that any single indicator of compromise (IoC) has a limited shelf life. The following hunting approaches focus on behaviours that persist even as specific tools and infrastructure change.
| Hunt Hypothesis | Data Sources | What to Look For |
|---|---|---|
| Credential harvesting phishing | Email gateway logs, DNS query logs, proxy logs, certificate transparency logs | Emails containing links to recently registered domains that visually resemble internal or industry services. DNS queries to lookalike domains. SSL certificates issued for domains mimicking your organisation's brand or services. |
| Post-exploitation reconnaissance | Windows Event Logs (4688), Sysmon, EDR telemetry | Clusters of discovery commands within a short timeframe: whoami, ipconfig /all, net user /domain, net group "Domain Admins" /domain, nltest /dclist:. These commands are normal individually — suspicious when executed in rapid sequence from a single workstation. |
| Lateral movement via Pass-the-Hash | Windows Security Event Logs (4624, 4625, 7045), network flow data | NTLM type 3 (network) logon events from non-standard sources. Service creation events with suspicious binary paths. A single account authenticating to many systems within a short window. |
| Database access anomalies | Database audit logs, application access logs, DLP | Queries against PNR, CDR, or guest registration tables from unexpected sources or at unusual times. Bulk SELECT operations from service accounts that normally perform transactional queries. New database connections from hosts not in the application's normal architecture. |
| Staging and exfiltration | File system auditing, proxy logs, network flow data | Creation of compressed archives (ZIP, RAR, 7z) in unusual directories — temp folders, recycle bin, IIS log directories. Outbound HTTPS connections to uncategorised or newly registered domains with transfer volumes that deviate from the baseline. Connections during non-business hours. |
| Web shell persistence | Web server file integrity monitoring, web server access logs, process creation logs | New or modified files in web server directories (particularly ASP/ASPX/PHP files). Web server process (w3wp.exe, httpd) spawning command interpreters. HTTP POST requests to files with generic names in static content directories. |
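A sliding-window implementation of the reconnaissance hunt in the table above, as an added example that is not from the original article: the record layout (timestamp, host, user, command line) and the sample events are constructed to resemble a 4688 or Sysmon process-creation export, and the command patterns, window and threshold are assumptions to tune per environment.

```python
"""Reconnaissance-burst detection over process-creation records.

Records are (timestamp, host, user, command line), as exported from Security
Event ID 4688 or Sysmon Event ID 1; layout and sample events are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One regex per discovery category, matched case-insensitively against the
# whole command line so full paths and net1.exe variants still match.
DISCOVERY_PATTERNS = {
    "whoami": r"\bwhoami(\.exe)?\b",
    "ipconfig_all": r"\bipconfig(\.exe)?\s+/all\b",
    "net_user_domain": r"\bnet1?(\.exe)?\s+user\b.*\s/domain\b",
    "net_group_domain_admins": r"\bnet1?(\.exe)?\s+group\s+\"?domain admins\"?.*\s/domain\b",
    "nltest_dclist": r"\bnltest(\.exe)?\s+/dclist",
    "nbtscan": r"\bnbtscan(\.exe)?\b",
}
WINDOW = timedelta(minutes=5)   # tune per environment
MIN_DISTINCT = 4                # distinct categories needed inside the window

# Constructed sample: one workstation runs the classic sequence in two
# minutes; an admin host runs similar commands hours apart.
SAMPLE_EVENTS = """\
2024-03-04T09:01:12 WS-FIN-017 jdoe C:\\Windows\\System32\\whoami.exe
2024-03-04T09:01:40 WS-FIN-017 jdoe ipconfig /all
2024-03-04T09:02:05 WS-FIN-017 jdoe net user /domain
2024-03-04T09:02:30 WS-FIN-017 jdoe net group "Domain Admins" /domain
2024-03-04T09:03:10 WS-FIN-017 jdoe nltest /dclist:corp.example
2024-03-04T09:15:00 WS-OPS-002 admin ipconfig /all
2024-03-04T11:40:00 WS-OPS-002 admin whoami
2024-03-04T14:02:00 WS-OPS-002 admin nbtscan 10.0.0.0/24
"""

def classify(cmdline):
    """Return the discovery category of a command line, or None."""
    for name, pattern in DISCOVERY_PATTERNS.items():
        if re.search(pattern, cmdline, re.IGNORECASE):
            return name
    return None

def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, user, cmd = line.split(maxsplit=3)
            events.append((datetime.fromisoformat(ts), host, user, cmd))
    return sorted(events)

def find_recon_bursts(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return one alert per host: (host, user, first_ts, last_ts, categories)."""
    recent = defaultdict(deque)      # host -> (ts, user, category) inside window
    alerts, reported = [], set()
    for ts, host, user, cmd in events:
        category = classify(cmd)
        if category is None:
            continue
        q = recent[host]
        q.append((ts, user, category))
        while q[0][0] < ts - window:             # expire events outside window
            q.popleft()
        categories = {c for _, _, c in q}
        if len(categories) >= min_distinct and host not in reported:
            reported.add(host)
            alerts.append((host, user, q[0][0], ts, categories))
    return alerts
```

The admin host never accumulates four distinct categories inside five minutes, so only the workstation burst is reported.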
Defending against APT39 — and state-sponsored threats generally — requires accepting that a sufficiently resourced and patient adversary will eventually find a way in. The defensive strategy must therefore focus not only on preventing initial access but on detecting post-compromise activity early, limiting lateral movement, protecting the data assets the adversary is seeking, and being able to respond effectively when compromise is discovered.
APT39's operations provide a real-world template for how penetration testing engagements should be structured for organisations in targeted sectors. Their TTPs are well-documented, their objectives are clear, and their attack paths are reproducible in a controlled testing environment.
| APT39 Behaviour | Penetration Testing Equivalent | What It Tests |
|---|---|---|
| Spear-phishing for credentials | Phishing simulation targeting staff with access to booking/CDR systems | Email security controls, MFA deployment, user awareness, conditional access policies |
| Exploitation of public-facing applications | External infrastructure testing focused on VPN, mail, and web application attack surface | Patch management, WAF effectiveness, external attack surface exposure |
| Pass-the-Hash lateral movement | Internal testing with credential harvesting and lateral movement attempts | LAPS deployment, credential tiering, Credential Guard, network segmentation |
| Database access and data extraction | Attempt to reach and query PII databases from compromised workstation | Database segmentation, access controls, DLP, query monitoring |
| Web shell deployment for persistence | Deploy benign web shell on compromised web server and test detection | File integrity monitoring, web server hardening, process monitoring |
| Data staging and exfiltration | Stage and exfiltrate test data over HTTPS to external server | DLP, proxy inspection, outbound traffic monitoring, SOC detection capability |
A penetration test modelled on APT39's TTPs tells the organisation something specific and actionable: could this particular threat actor, using these particular techniques, reach the data they are known to target in our environment? This is threat-led testing — and it produces findings that map directly to the real risk the organisation faces, rather than a generic list of vulnerabilities with no adversary context.
APT39 is a focused, patient, and persistent threat actor conducting cyber espionage in service of Iran's surveillance apparatus. They target organisations that hold data about people — airlines, telecoms, hotels, immigration systems, and the IT companies that serve them. Their techniques are proven rather than novel: spear-phishing, known-vulnerability exploitation, credential theft, Pass-the-Hash, and careful, low-volume data extraction sustained over months.
For defenders in targeted sectors, APT39 represents a specific, documentable threat that can be planned against. Their TTPs are catalogued in MITRE ATT&CK. Their tooling is analysed in public reporting. Their targeting patterns are predictable. This is an adversary you can prepare for — and preparation means implementing the controls that degrade their capabilities at every stage of the kill chain, from MFA that blocks phished credentials through to database monitoring that detects anomalous queries against PNR tables.
The organisations most at risk are those that hold surveillance-relevant data and have not yet internalised that this makes them an intelligence target. If your organisation processes travel records, telecommunications metadata, guest registrations, or identity documents — and particularly if you operate in or serve clients in the Middle East — APT39 is a threat you should be actively defending against.
Our penetration testing engagements can be modelled on specific threat actor TTPs — including APT39 — to assess whether your environment is resilient to the attacks you are most likely to face. If your sector is targeted, generic testing is not sufficient.