Clankerusecase
Threat-actor profile

🇮🇷 APT39

🇮🇷 APT39 is a tracked threat actor in the Clankerusecase corpus. Alignment: Iran (IR). Primary motivation: State. We map 14 detection use cases to this actor across 53 MITRE ATT&CK techniques; 0 threat-intel articles currently cite it.

MITRE ATT&CK group: G0087 (https://attack.mitre.org/groups/G0087)

- Use cases: 14
- Articles: 0
- Techniques: 53
- IOCs: 0

About this actor (MITRE)

[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://attack.mitre.org/groups/G0087) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI

Known aliases

- APT39
- ITG07
- Chafer
- Remix Kitten

Top techniques

All other tracked techniques

- T1012 · Query Registry
- T1018 · Remote System Discovery
- T1021.001 · Remote Desktop Protocol
- T1021.002 · SMB/Windows Admin Shares
- T1021.004 · SSH
- T1027.002 · Software Packing
- T1027.013 · Encrypted/Encoded File
- T1033 · System Owner/User Discovery
- T1036.005 · Match Legitimate Resource Name or Location
- T1041 · Exfiltration Over C2 Channel
- T1046 · Network Service Discovery
- T1053.005 · Scheduled Task
- T1056 · Input Capture
- T1056.001 · Keylogging
- T1059 · Command and Scripting Interpreter
- T1059.001 · PowerShell
- T1059.005 · Visual Basic
- T1059.006 · Python
- T1059.010 · AutoHotKey & AutoIT
- T1070.004 · File Deletion
- T1071.001 · Web Protocols
- T1071.004 · DNS
- T1074.001 · Local Data Staging
- T1078 · Valid Accounts
- T1083 · File and Directory Discovery
- T1090.001 · Internal Proxy
- T1090.002 · External Proxy
- T1102.002 · Bidirectional Communication
- T1105 · Ingress Tool Transfer
- T1110 · Brute Force
- T1113 · Screen Capture
- T1115 · Clipboard Data
- T1135 · Network Share Discovery
- T1136.001 · Local Account
- T1140 · Deobfuscate/Decode Files or Information
- T1190 · Exploit Public-Facing Application
- T1197 · BITS Jobs
- T1204.001 · Malicious Link
- T1204.002 · Malicious File
- T1505.003 · Web Shell
- T1546.010 · AppInit DLLs
- T1547.001 · Registry Run Keys / Startup Folder
- T1547.009 · Shortcut Modification
- T1553.006 · Code Signing Policy Modification
- T1555 · Credentials from Password Stores
- T1560.001 · Archive via Utility
- T1566.001 · Spearphishing Attachment
- T1566.002 · Spearphishing Link
- T1569.002 · Service Execution
- T1588.002 · Tool

Detection use cases (14)

- APT39 (Chafer) Plink reverse SSH tunnel for RDP pivot via SOCKS / port-forward [AI · profile SΣ]
- APT39 ASPXSpy / China Chopper web shell on Exchange OWA spawning recon LOLBins [AI · profile SΣ]
- 1Password failed sign-in burst [MITRE match]
- 1Password impossible-travel sign-in [MITRE match]
- 1Password item exfiltration attempt [MITRE match]
- 1Password vault export attempted [MITRE match]
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes [MITRE match]
- Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN [MITRE match]
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) [MITRE match]
- Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains [MITRE match]
- Developer package install spawning script-host with non-registry C2 within 5 minutes [MITRE match]
- Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) [MITRE match]
- Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution [MITRE match]
- Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition [MITRE match]