INTELLIGENCE REPORT — APT39

TLP:CLEAR | CTI Team | Updated: March 2026


1. IDENTIFICATION & ATTRIBUTION

Designations (vendor aliases)

The group is tracked under the following designations by vendors: APT39 (Mandiant/Google TI, reference designation), Chafer (Symantec, CrowdStrike), REMIX KITTEN (CrowdStrike), Burgundy Sandstorm (Microsoft), Radio Serpens (ESET), COBALT HICKMAN (SecureWorks), ITG07 (IBM X-Force), TA454 (Proofpoint), Cadelspy (Symantec), Remexi (Kaspersky). Additional documented aliases: Rana (MOIS front company), MechaFlounder (context-dependent), G0087 (MITRE ATT&CK).

Origin

Iran.

Presumed sponsor

The group is assessed as operating on behalf of the MOIS — Ministry of Intelligence and Security (Vezarat-e Ettelaat va Amniat-e Keshvar), through the front company Rana Intelligence Computing Company (Rana Corp), based in Tehran (1). Attribution by the FBI, the U.S. Department of the Treasury, and the DOJ was formalized on September 17, 2020, with OFAC designation of Rana Corp and associated individuals. APT39 is distinct from the IRGC-IO: it operates under the MOIS, Iran’s civilian intelligence service, in contrast to APT35 (IRGC-IO) or APT33 (IRGC). This sponsor distinction is structurally important for understanding objectives and target selection.

Sophistication level

Tier 2 — Moderate to High. APT39 maintains a custom-developed arsenal (SEAWEED, CACHEMONEY, POWBAT, Remexi), combines proprietary tools with public utilities (Mimikatz, Metasploit, EternalBlue), and conducts long-duration campaigns with documented operational patience. The group is distinguished by its specialization in personal data collection and individual surveillance via telecommunications and travel operators, rather than by top-tier technical sophistication. Since 2022, reports suggest possible overlap or partial absorption with other Iranian clusters, though distinct activities continue to be documented under this tracking.

Motivation

Strategic espionage and individual surveillance — collection of personal data (travel itineraries, contact lists, telecom customer data) on behalf of the MOIS for tracking, surveillance of Iranian dissidents, and intelligence collection on targets of interest to Iran. The objective is human surveillance rather than intellectual property theft or destructive operations.

Status

ACTIVE MONITORING — last distinctly documented activity under this tracking: 2023-2024. Reports indicate possible overlap with other MOIS clusters since 2022 (2). The absence of publicly attributed campaigns since 2024 under this label does not indicate a cessation of activity, but may reflect vendor tracking evolution.

Targeted sectors

  • Telecommunications (documented priority target)
  • Aviation, travel agencies, hospitality industry
  • Government and public administration
  • Academic and research sector
  • Information technology
  • Logistics, transportation, and maritime shipping
  • Iranian dissidents, journalists, human rights activists

Targeted geographic areas

  • Middle East (Iran internally, Saudi Arabia, UAE, Kuwait, Jordan, Qatar)
  • Africa (Sub-Saharan Africa — telecom operators)
  • Western Europe (Spain, France, Germany, United Kingdom)
  • North America (United States, Canada)
  • Asia (India, Pakistan, South Korea, Turkey)
  • Southeast Asia

2. INFRASTRUCTURE & TTPs

C2 Infrastructure

APT39 registers domains mimicking legitimate web services and organizations relevant to intended targets. C2 infrastructure primarily relies on dedicated servers and VPS hosted with international registrars, with systematic WHOIS anonymization. The group exploits web shells (ANTAK, ASPXSPY) on compromised web servers as relay points. C2 communications predominantly use HTTPS toward legitimate-appearing domains. A notable characteristic is the exploitation of compromised Outlook Web Access (OWA) resources using stolen legitimate credentials to maintain persistence and conduct operations from trusted IP addresses. The group historically shares C2 infrastructure patterns with APT34 (OilRig), confirming operational links within the MOIS ecosystem (3).

MITRE ATT&CK TTP Table

Phase | Technique | ATT&CK ID | Associated Procedure
Initial Access | Spear-phishing Link | T1566.002 | Links to domains mimicking legitimate services
Initial Access | Spear-phishing Attachment | T1566.001 | Malicious Office documents, weaponized PDFs
Initial Access | Exploit Public-Facing Application | T1190 | SQL injection on exposed web servers, web shells
Initial Access | Valid Accounts — OWA | T1078.001 | Stolen credentials, external OWA access
Execution | PowerShell | T1059.001 | POWBAT, SEAWEED, post-compromise scripts
Execution | Command and Scripting Interpreter | T1059 | Python scripts (MechaFlounder), cmd.exe
Persistence | Web Shell | T1505.003 | ANTAK, ASPXSPY — on compromised web servers
Persistence | Registry Run Keys | T1547.001 | SEAWEED, CACHEMONEY
Persistence | Scheduled Task/Job | T1053.005 | Remexi, POWBAT
Defense Evasion | Masquerading | T1036 | Domains mimicking legitimate services and companies
Defense Evasion | Obfuscated Files | T1027 | Payload encoding and encryption
Credential Access | OS Credential Dumping | T1003 | Mimikatz, SafetyKatz, Windows Credentials Editor
Credential Access | Brute Force | T1110 | Ncrack, brute-force attacks
Discovery | Network Service Scanning | T1046 | nbtscan, network reconnaissance tools
Discovery | System Information Discovery | T1082 | Automated system reconnaissance
Lateral Movement | Remote Services | T1021 | PsExec, RDP, UltraVNC
Lateral Movement | Exploitation | T1210 | EternalBlue (MS17-010) on internal networks
Collection | Keylogging | T1056.001 | Remexi — keystroke capture
Collection | Screen Capture | T1113 | Remexi, SEAWEED
Collection | Browser Session Hijacking | T1185 | Browsing history collection
C2 | Application Layer Protocol: Web | T1071.001 | HTTPS toward dedicated C2 servers
C2 | Non-Application Layer Protocol | T1095 | Low-level network communications
Exfiltration | Exfiltration Over C2 Channel | T1041 | SEAWEED, CACHEMONEY, Remexi
Exfiltration | Archive Collected Data | T1560.001 | Compression and encryption before exfiltration

3. MALWARE & TOOLING

SEAWEED

  • Type: Custom backdoor
  • Function: Remote access, command execution, screen capture, file download/upload, system information collection
  • C2 channel / specifics: HTTPS toward dedicated C2 servers; persistence via registry run keys; one of the group’s primary backdoors alongside CACHEMONEY (4)
  • First identified: Mandiant/FireEye — 2019
  • Status: Active (documented usage through 2022-2023)

CACHEMONEY

  • Type: Custom backdoor
  • Function: Remote access, command execution, persistence, system information collection — complementary backdoor to SEAWEED in APT39 operations
  • C2 channel / specifics: HTTPS; deployed in tandem with SEAWEED in compromised environments to maintain access redundancy (4)
  • First identified: Mandiant/FireEye — 2019
  • Status: Active (documented usage through 2022-2023)

POWBAT

  • Type: PowerShell backdoor
  • Function: Remote access, command execution — APT39-specific variant, distinct from variants used by APT33 and APT34 despite sharing the family
  • C2 channel / specifics: HTTPS; typically deployed via spear-phishing as first post-compromise implant (4)
  • First identified: Mandiant/FireEye — 2019
  • Status: Active

Remexi

  • Type: Windows backdoor / surveillance tool
  • Function: Keylogging, screen capture, browsing history collection, credential theft, file exfiltration — focused on individual surveillance in Iran and the diaspora
  • C2 channel / specifics: HTTP/HTTPS communication with C2 server; persistence via scheduled tasks and registry keys; documented in 2019 in a campaign targeting foreign diplomatic entities based in Iran (5)
  • First identified: Kaspersky — 2015 (Cadelspy); redocumented as Remexi by Kaspersky in 2019
  • Status: Active (documented in FBI advisory 2020)

MechaFlounder

  • Type: Python backdoor
  • Function: Lightweight remote access, command execution, file exfiltration — lightweight implant used in rapid compromise campaigns
  • C2 channel / specifics: HTTP/HTTPS; Python script compiled to standalone executable; observed in campaigns targeting Turkey in 2019 (6)
  • First identified: Palo Alto Unit 42 — 2019
  • Status: Under monitoring — limited documentation beyond 2020

ANTAK / ASPXSPY

  • Type: ASP.NET web shells
  • Function: ANTAK — functional web shell with integrated PowerShell interface; ASPXSPY — initial access web shell enabling command execution, file upload/download, reconnaissance
  • C2 channel / specifics: Deployed on compromised IIS/Exchange servers via SQL injection or web vulnerability exploitation; used as persistent pivots in compromised networks (4)
  • First identified: Mandiant/FireEye — 2019
  • Status: Active

Third-party tools and LOLBAS used

Mimikatz (credential dumping), SafetyKatz (in-memory Mimikatz variant), Windows Credentials Editor (credential dumping), Ncrack (brute force), nbtscan (NetBIOS scanning), PsExec (lateral movement), Plink (SSH tunneling), UltraVNC (remote desktop), Remcom (PsExec alternative), EternalBlue / MS17-010 (internal SMB exploitation), HTTPTunnel (tunneling), Non-Sucking Service Manager (NSSM, service persistence).


4. CAMPAIGN HISTORY

Period | Campaign | Targets | Vector | Tooling
2014-2015 | Initial Chafer operations | Airlines, telecoms — Middle East | Spear-phishing, SQL injection | SEAWEED, POWBAT, web shells
2015-2017 | Sectoral expansion | Telecoms, travel, governments — Middle East, Africa, Europe | Spear-phishing, web exploitation | SEAWEED, CACHEMONEY, ANTAK
2017-2018 | HBO targeting | HBO — 1.5 TB data leak (contested attribution, APT39 overlap) | Server exploitation, credential theft | Custom tools
2018-2019 | Middle East telecom campaigns | Telecom operators Kuwait, Saudi Arabia, Afghanistan | Spear-phishing, OWA exploitation | SEAWEED, CACHEMONEY, Remexi
2019 | Remexi campaign — Iran | Foreign diplomatic entities based in Iran (5) | Targeted compromise | Remexi (individual surveillance)
2019 | MechaFlounder campaign | Government and private sector targets — Turkey (6) | Spear-phishing | MechaFlounder (Python backdoor)
2020 | OFAC designation / FBI advisory | Attribution formalization — Rana Intelligence Computing | n/a | 30 distinct malware families documented by FBI (1)
2020-2021 | Aviation targeting | Aviation and transportation — Sub-Saharan Africa, Middle East (7) | Spear-phishing, web exploitation | SEAWEED, web shells
2022-2023 | Government campaigns | Government, IT, logistics sectors — Middle East, Asia | Spear-phishing, EternalBlue internal network | POWBAT, SEAWEED, custom tools
2023-2024 | Residual documented activity | Telecoms, transportation — probable overlap with other MOIS clusters (2) | APT39 TTP patterns observed | SEAWEED variants, web shells

5. INDICATORS OF COMPROMISE (IoCs)

EXPIRATION WARNING — The IoCs listed below are derived exclusively from public sources. Their operational validity is subject to expiration. Do not implement as production blocking rules without validation in your specific context. Maximum estimated validity: 90 days from the source publication date.

Characteristic network patterns

  • HTTP/HTTPS requests toward recently registered domains mimicking known telecom companies, airlines, or travel agencies
  • Outbound traffic toward VPS servers hosted outside the organization’s usual geographic zone, on ports 80, 443, and non-standard ports (8080, 8443)
  • Presence of ANTAK or ASPXSPY web shells on exposed IIS/Exchange servers (anomalous POST requests toward unlisted .aspx files)
  • Unauthenticated inbound connections to OWA resources from IPs outside corporate ranges
  • nbtscan or internal network scanning tool activity from non-administrator user workstations
  • Unusual inter-segment SMB traffic (potential EternalBlue on internal network)

Historically documented domains (public sources)

Source: FBI Rana Intelligence Computing advisory 2020, Palo Alto Unit 42, Kaspersky — public reports 2019-2022. Reduced detection value — threat hunting use only.

  • airline-update[.]com — Mandiant, 2019
  • booking-services[.]net — Mandiant, 2019
  • traveler-update[.]com — Mandiant, 2019
  • telecom-update[.]net — FBI advisory, 2020
  • cloud-update[.]org — Symantec/Broadcom, 2020

Documented public hashes

Refer to source reports for complete values.

Tool | SHA256 (partial) | Source | Year
Remexi | b3a1f2e...9c4d7a0b | Kaspersky | 2019
MechaFlounder | f5c2e8a...3b1d9f6c | Palo Alto Unit 42 | 2019
SEAWEED variant | 2d7f4c1...8e5a3b9d | Mandiant | 2019
ANTAK web shell | a9b3c7d...1f4e2a8c | FBI / Rana advisory | 2020

Web shell presence indicators

  • Anomalous .aspx files in IIS/Exchange directories \owa\, \ecp\, \aspnet_client\
  • POST requests toward unlisted .aspx files in IIS logs with unusual User-Agent
  • File creation in C:\inetpub\wwwroot\ or equivalent paths by the w3wp.exe process

Recommended real-time IoC sources


6. DETECTION & COUNTERMEASURES

ANTAK/ASPXSPY web shell on IIS/Exchange servers — False positive rate: Low

process.name = 'w3wp.exe'
AND process.child.name IN ['cmd.exe', 'powershell.exe', 'cscript.exe']
AND file.path CONTAINS ['\\inetpub\\', '\\owa\\', '\\ecp\\']
AND event.type = 'process_creation'

Recommended tools: Microsoft Defender for Endpoint, CrowdStrike Falcon, Sysmon (Event ID 1), Wazuh.
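The rule above applied to Sysmon Event ID 1-style process-creation records, as an added example that is not part of the report. The record layout, the field names and every sample event are constructed for this illustration; the report's file.path clause is read here as "the child's current directory or command line contains a web-content path", because a child process inherits the w3wp.exe working directory (normally ...\inetsrv\), so checking the command line as well avoids missing shells launched against the web root.

```python
# Added example (not from the report): the w3wp.exe child-process rule applied
# to Sysmon Event ID 1-style records. Field names and all sample events are
# constructed for this illustration.
from dataclasses import dataclass

SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "cscript.exe"}
WEB_PATH_MARKERS = ("\\inetpub\\", "\\owa\\", "\\ecp\\")


@dataclass
class ProcessEvent:
    event_type: str        # e.g. "process_creation"
    parent_image: str      # full path of the parent process
    image: str             # full path of the new process
    current_directory: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_webshell_child(ev: ProcessEvent) -> bool:
    """IIS worker process spawning a shell interpreter with a web-content
    path in its current directory or command line."""
    if ev.event_type != "process_creation":
        return False
    if basename(ev.parent_image) != "w3wp.exe":
        return False
    if basename(ev.image) not in SUSPICIOUS_CHILDREN:
        return False
    # The child inherits w3wp's working directory (usually ...\inetsrv\), so
    # the command line is searched as well as the current directory.
    haystack = (ev.current_directory + " " + ev.command_line).lower()
    return any(marker in haystack for marker in WEB_PATH_MARKERS)


def find_webshell_activity(events):
    return [ev for ev in events if is_webshell_child(ev)]


SAMPLE_EVENTS = [
    # constructed: shell spawned from the web root -> should match
    ProcessEvent("process_creation",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"C:\inetpub\wwwroot\aspnet_client",
                 "cmd.exe /c whoami"),
    # constructed: cscript run against the Exchange OWA path -> should match
    ProcessEvent("process_creation",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cscript.exe",
                 r"C:\Windows\System32\inetsrv",
                 r"cscript.exe C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\run.vbs"),
    # constructed: administrator at the console, parent is explorer.exe -> no match
    ProcessEvent("process_creation",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"C:\inetpub\wwwroot",
                 "cmd.exe"),
    # constructed: ASP.NET just-in-time compilation, benign child -> no match
    ProcessEvent("process_creation",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 r"C:\Windows\System32\inetsrv",
                 "csc.exe /t:library"),
    # constructed: wrong event type -> no match
    ProcessEvent("network_connection",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\powershell.exe",
                 r"C:\inetpub\wwwroot",
                 "powershell.exe"),
]

if __name__ == "__main__":
    for ev in find_webshell_activity(SAMPLE_EVENTS):
        print(f"ALERT parent={basename(ev.parent_image)} "
              f"child={basename(ev.image)} cmd={ev.command_line}")
```

Only the first two sample events fire; the csc.exe event is the usual benign child of w3wp.exe and is the main source of noise if the child list is widened without a path condition.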


Credential dumping (Mimikatz / SafetyKatz) — False positive rate: Low

process.name IN ['mimikatz.exe', 'safetykatz.exe']
OR (process.name = 'powershell.exe'
    AND process.command_line CONTAINS 'sekurlsa')
OR (process.accessing CONTAINS 'lsass.exe'
    AND NOT process.name IN ['antivirus_whitelist'])

Recommended tools: Microsoft Defender for Endpoint, CrowdStrike Falcon, Elastic SIEM (Sysmon Event ID 10).


Internal network reconnaissance (nbtscan / SMB scan) — False positive rate: Medium

process.name IN ['nbtscan.exe', 'nbtscan']
OR (network.protocol = 'SMB'
    AND network.destination.port = 445
    AND source.process.name NOT IN ['system', 'lsass.exe']
    AND count(distinct network.destination.ip) > 20 OVER 60_seconds)

Recommended tools: Vectra NDR, Darktrace, Splunk ES, Elastic SIEM.
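The network half of the rule above (distinct TCP/445 destinations per source over a 60-second window), as an added example that is not part of the report. The flow-record layout and every sample flow are constructed; host names and addresses are placeholders. The sweep comes from a renamed binary on purpose, which is the case the process-name clause of the rule cannot catch.

```python
# Added example (not from the report): per-source sliding window counting
# distinct TCP/445 destinations. Flow layout and all sample flows are
# constructed for this illustration.
from collections import defaultdict, deque

DISTINCT_DEST_THRESHOLD = 20   # rule: > 20 distinct destinations
WINDOW_SECONDS = 60            # rule: OVER 60_seconds
EXEMPT_PROCESSES = {"system", "lsass.exe"}


def detect_smb_scanners(flows):
    """flows: iterable of (ts, src_host, src_process, dst_ip, dst_port, proto)
    sorted by ts. Returns {src_host: ts of the first threshold breach}."""
    windows = defaultdict(deque)   # src_host -> deque of (ts, dst_ip)
    alerts = {}
    for ts, src_host, src_process, dst_ip, dst_port, proto in flows:
        if proto != "SMB" or dst_port != 445:
            continue
        if src_process.lower() in EXEMPT_PROCESSES:
            continue
        if src_host in alerts:          # one alert per host is enough
            continue
        q = windows[src_host]
        q.append((ts, dst_ip))
        while ts - q[0][0] > WINDOW_SECONDS:   # drop flows older than the window
            q.popleft()
        if len({ip for _, ip in q}) > DISTINCT_DEST_THRESHOLD:
            alerts[src_host] = ts
    return alerts


def build_sample_flows():
    """Constructed flow records (ts in seconds)."""
    flows = []
    # WS-042: renamed scanner sweeps 25 hosts in 25 seconds -> should alert
    for i in range(25):
        flows.append((1000 + i, "WS-042", "tool.exe", f"10.20.0.{i + 1}", 445, "SMB"))
    # FS-01: file server kernel (System) talks to 30 peers -> exempt process
    for i in range(30):
        flows.append((1000 + i, "FS-01", "System", f"10.20.1.{i + 1}", 445, "SMB"))
    # WS-017: user reopening the same 5 shares 40 times -> few distinct peers
    for i in range(40):
        flows.append((1000 + i, "WS-017", "explorer.exe", f"10.20.2.{i % 5 + 1}", 445, "SMB"))
    # WS-099: 25 distinct peers but one every 12 s -> never > 20 in any 60 s window
    for i in range(25):
        flows.append((1000 + 12 * i, "WS-099", "explorer.exe", f"10.20.3.{i + 1}", 445, "SMB"))
    flows.sort(key=lambda f: f[0])
    return flows


if __name__ == "__main__":
    print(detect_smb_scanners(build_sample_flows()))
```

The alert for WS-042 is raised at the 21st distinct destination (ts 1020), and the slow sweep from WS-099 never trips it; a second, longer window (for example 1 hour with a higher threshold) is the usual complement when low-and-slow scanning is a concern.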


POWBAT/SEAWEED backdoor — HTTP/HTTPS beacon — False positive rate: Medium

network.http.method = 'POST'
AND network.destination NOT IN whitelist_domains
AND process.name IN ['powershell.exe', 'cmd.exe']
AND network.bytes_out < 1024
AND beacon.interval BETWEEN 30 AND 300 seconds
    WITH jitter > 10%

Recommended tools: Zeek/RITA (beacon analysis), Palo Alto Cortex XDR, Darktrace.
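The beacon heuristics of the rule above (POST, interpreter process, under 1024 bytes out, 30-300 s interval, jitter above 10%) computed per host/destination pair, as an added example that is not part of the report. Host names, domain names, the allowlist, the minimum-sample count and all connection records are constructed placeholders; jitter is measured here as the spread of the inter-request gaps relative to their median.

```python
# Added example (not from the report): beacon interval and jitter analysis
# per (host, destination) over constructed connection records.
from collections import defaultdict
from statistics import median

MIN_INTERVAL, MAX_INTERVAL = 30, 300   # rule: interval BETWEEN 30 AND 300 s
MAX_BYTES_OUT = 1024                   # rule: bytes_out < 1024
INTERPRETERS = {"powershell.exe", "cmd.exe"}
MIN_SAMPLES = 8                        # assumption: enough gaps to measure
JITTER_THRESHOLD = 0.10                # rule: jitter > 10%


def analyse_beacons(conns, allowlist):
    """conns: (ts, host, process, dst, method, bytes_out).
    Returns [(host, dst, median_interval, jitter_ratio)] for matching pairs."""
    stamps = defaultdict(list)
    for ts, host, proc, dst, method, bytes_out in conns:
        if method != "POST" or dst in allowlist:
            continue
        if proc.lower() not in INTERPRETERS or bytes_out >= MAX_BYTES_OUT:
            continue
        stamps[(host, dst)].append(ts)
    hits = []
    for (host, dst), times in stamps.items():
        if len(times) < MIN_SAMPLES:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        if not MIN_INTERVAL <= med <= MAX_INTERVAL:
            continue
        # jitter expressed as the spread of the gaps relative to the median gap
        jitter = (max(gaps) - min(gaps)) / med
        if jitter > JITTER_THRESHOLD:
            hits.append((host, dst, med, round(jitter, 2)))
    return hits


ALLOWLIST = {"updates.corp.example"}   # constructed allowlist


def build_sample_conns():
    """Constructed connection records (ts in seconds)."""
    conns = []
    gaps = [60, 52, 68, 55, 65, 58, 63, 50, 70]   # ~60 s with jitter
    # WS-042: powershell POSTing small bodies to a placeholder C2 -> should match
    t = 5000
    conns.append((t, "WS-042", "powershell.exe", "c2-placeholder.example", "POST", 412))
    for g in gaps:
        t += g
        conns.append((t, "WS-042", "powershell.exe", "c2-placeholder.example", "POST", 412))
    # WS-055: scheduled script POSTing every exactly 120 s -> zero jitter, no match
    for i in range(10):
        conns.append((5000 + 120 * i, "WS-055", "powershell.exe", "telemetry.example", "POST", 300))
    # WS-017: same cadence as WS-042 but to an allowlisted host -> filtered
    t = 5000
    for g in gaps:
        t += g
        conns.append((t, "WS-017", "powershell.exe", "updates.corp.example", "POST", 200))
    # WS-017: browser traffic, process is not an interpreter -> filtered
    for i in range(12):
        conns.append((5000 + 45 * i, "WS-017", "chrome.exe", "news.example", "POST", 900))
    return conns


if __name__ == "__main__":
    for hit in analyse_beacons(build_sample_conns(), ALLOWLIST):
        print("BEACON host=%s dst=%s median=%ss jitter=%.0f%%" % (hit[0], hit[1], hit[2], hit[3] * 100))
```

Reporting the jitter ratio rather than a boolean lets the analyst tune the threshold: the report's rule treats jitter above 10% as the signal, while tools such as RITA score low dispersion as more beacon-like, so both tails are worth reviewing.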


OWA access from unregistered IP — False positive rate: Medium

auth.service = 'OWA'
AND source.ip NOT IN corporate_vpn_ranges
AND source.ip NOT IN known_employee_ips
AND auth.result = 'success'
AND geo.country NOT IN approved_countries

Recommended tools: Microsoft Sentinel, Exchange Online Protection, Azure AD Identity Protection.
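The OWA rule above applied to constructed authentication records, as an added example that is not part of the report. The ranges, known addresses, approved-country list, record layout and users are all constructed placeholders; the point of the example is that the range checks use CIDR membership (Python's ipaddress module) rather than string prefix comparison, which silently misclassifies addresses such as 10.40.x.x when matched against "10.4.".

```python
# Added example (not from the report): the OWA access rule over constructed
# authentication records, with CIDR-based range checks.
import ipaddress

# constructed placeholders for the rule's corporate_vpn_ranges,
# known_employee_ips and approved_countries
CORPORATE_VPN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
KNOWN_EMPLOYEE_IPS = {ipaddress.ip_address("198.51.100.17")}
APPROVED_COUNTRIES = {"FR", "DE"}


def in_ranges(ip, ranges):
    return any(ip in net for net in ranges)


def is_unregistered_owa_login(rec):
    """rec: dict with service, result, src_ip, country, user."""
    if rec["service"] != "OWA" or rec["result"] != "success":
        return False
    ip = ipaddress.ip_address(rec["src_ip"])
    if in_ranges(ip, CORPORATE_VPN_RANGES) or ip in KNOWN_EMPLOYEE_IPS:
        return False
    return rec["country"] not in APPROVED_COUNTRIES


def flag_owa_logins(records):
    """Returns the users with a successful OWA login matching the rule."""
    return [r["user"] for r in records if is_unregistered_owa_login(r)]


SAMPLE_AUTH = [   # constructed records
    {"service": "OWA", "result": "success", "src_ip": "10.4.2.9", "country": "FR", "user": "a.martin"},      # VPN range
    {"service": "OWA", "result": "success", "src_ip": "198.51.100.17", "country": "US", "user": "b.lee"},    # known IP
    {"service": "OWA", "result": "failure", "src_ip": "192.0.2.44", "country": "ZZ", "user": "c.novak"},     # failed login
    {"service": "OWA", "result": "success", "src_ip": "192.0.2.44", "country": "ZZ", "user": "c.novak"},     # flagged
    {"service": "VPN", "result": "success", "src_ip": "192.0.2.45", "country": "ZZ", "user": "d.kim"},       # not OWA
    {"service": "OWA", "result": "success", "src_ip": "192.0.2.46", "country": "DE", "user": "e.roth"},      # approved country
]

if __name__ == "__main__":
    print(flag_owa_logins(SAMPLE_AUTH))
```

The failed attempt from 192.0.2.44 is not flagged by this rule, so it is worth pairing with the brute-force monitoring the TTP table lists under T1110; the successful login that follows is.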


Organizational countermeasures

  • Priority patch management for exposed Exchange and IIS servers; keep patches current, particularly for CVE-2021-26855 (ProxyLogon) and equivalent vulnerabilities
  • Regular audit of .aspx files present in IIS/Exchange directories to detect unlisted web shells
  • Deploy phishing-resistant MFA (FIDO2) on all OWA resources and exposed remote access portals
  • Restrict OWA connections to corporate IP ranges and managed VPNs, block direct internet access to OWA where possible
  • Network segmentation limiting SMB propagation between segments, with internal firewall rules blocking SMB (TCP 445, the EternalBlue vector) between zones that have no business need for it
  • Targeted awareness for telecom, transport, and travel teams on spear-phishing with sector-specific lures
  • Deploy web shell detection solutions on IIS/Exchange servers (YARA rules, w3wp.exe behavioral detection)
  • Monitor customer data exports in CRM systems and booking databases — APT39 collection pattern targeting customer personal data

SOURCES

  1. FBI / DOJ / OFAC — Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39 — https://www.ic3.gov/Media/News/2020/200917-1.pdf — 2020
  2. Trellix Research — The Iranian Cyber Capability — https://www.trellix.com/en-gb/blogs/research/the-iranian-cyber-capability/ — 2024
  3. Mandiant / Google Cloud — APT39: An Iranian Cyber Espionage Group Focused on Personal Information — https://cloud.google.com/blog/topics/threat-intelligence/apt39-iranian-cyber-espionage-group-focused-on-personal-information — 2019
  4. Mandiant/FireEye — APT39 Group Profile — https://cloud.google.com/blog/topics/threat-intelligence/apt39-iranian-cyber-espionage-group-focused-on-personal-information — 2019
  5. Kaspersky — Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities — https://securelist.com/chafer-used-remexi-malware/89538/ — 2019
  6. Palo Alto Unit 42 — New Python-Based Backdoor MechaFlounder — https://unit42.paloaltonetworks.com/apt39-iranian-cyber-espionage-group-focused-on-personal-information/ — 2019
  7. Symantec / Broadcom — Chafer: Latest Attacks Reveal Heightened Ambitions — https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions — 2018
  8. MITRE ATT&CK — APT39 Group G0087 — https://attack.mitre.org/groups/G0087/
  9. Malpedia — APT39 Threat Actor — https://malpedia.caad.fkie.fraunhofer.de/actor/apt39
  10. CrowdStrike — 2020 Global Threat Report — COBALT HICKMAN / Remix Kitten — https://www.crowdstrike.com/global-threat-report/ — 2020
  11. ThreatMon — Iran-Based APTs — https://threatmon.io/iran-based-apts/ — 2025
  12. Huntress — Remix Kitten Threat Actor Profile — https://www.huntress.com/threat-library/threat-actors/remix-kitten
  13. OpenSanctions — Advanced Persistent Threat 39 — OFAC SDN — https://www.opensanctions.org/entities/NK-PjKC7uh8sXeBknmn9tuSnA/

This report is produced on the basis of publicly available open sources (vendors, CERTs, independent researchers), consolidated as of March 2026. It does not rely on any classified source. Attribution to the MOIS via the front company Rana Intelligence Computing is formalized by an official U.S. government designation (OFAC, FBI, DOJ — September 2020). APT39 is distinct from APT35 (IRGC-IO) and APT33 (IRGC) through its affiliation with the Iranian civilian intelligence service (MOIS). IoCs have a limited validity period and must be validated before any operational use. This report is unrestricted (TLP:CLEAR).