APT39
Aliases: ITG07, Chafer, Remix Kitten
APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.
ATT&CK techniques
T1046 Network Service Discovery
T1547.001 Registry Run Keys / Startup Folder
T1090.002 External Proxy
T1140 Deobfuscate/Decode Files or Information
T1056.001 Keylogging
T1005 Data from Local System
T1059.001 PowerShell
T1115 Clipboard Data
T1003 OS Credential Dumping
T1553.006 Code Signing Policy Modification
T1546.010 AppInit DLLs
T1547.009 Shortcut Modification
T1135 Network Share Discovery
T1569.002 Service Execution
T1027.013 Encrypted/Encoded File
T1588.002 Tool
T1021.001 Remote Desktop Protocol
T1033 System Owner/User Discovery
T1027.002 Software Packing
T1041 Exfiltration Over C2 Channel
T1204.002 Malicious File
T1053.005 Scheduled Task
T1070.004 File Deletion
T1102.002 Bidirectional Communication
T1560.001 Archive via Utility
T1505.003 Web Shell
T1105 Ingress Tool Transfer
T1059.010 AutoHotKey & AutoIT
T1204.001 Malicious Link
T1555 Credentials from Password Stores
T1113 Screen Capture
T1003.001 LSASS Memory
T1018 Remote System Discovery
T1071.004 DNS
T1059 Command and Scripting Interpreter
T1074.001 Local Data Staging
T1083 File and Directory Discovery
T1012 Query Registry
T1110 Brute Force
T1197 BITS Jobs
T1136.001 Local Account
T1059.006 Python
T1036.005 Match Legitimate Name or Location
T1071.001 Web Protocols
T1090.001 Internal Proxy
T1078 Valid Accounts
T1056 Input Capture
T1566.002 Spearphishing Link
T1566.001 Spearphishing Attachment
T1021.002 SMB/Windows Admin Shares
T1190 Exploit Public-Facing Application
T1059.005 Visual Basic
T1021.004 SSH
Correlated CTI and IR reports
APT39 G0087 (MITRE ATT&CK · direct source mapping)
APT39 (Chafer / Remix Kitten) (Israel Threat Actors CTI · explicit report mention)
Actor Deep Research Prompts (Israel Threat Actors CTI · explicit report mention)
Release Notes (Israel Threat Actors CTI · explicit report mention)
Report Index (Israel Threat Actors CTI · explicit report mention)
Research Intake Upgrade Summary (Israel Threat Actors CTI · explicit report mention)
Treasury Sanctions Cyber Actors Backed by Iranian Intelligence Ministry (U.S. Treasury · actor context)