Overview: APT39, also known as Chafer, surveils individuals and entities considered to be a threat to Iranian interests.
Suspected Attribution: Iran – Since 2014, APT39 has conducted cyber espionage on behalf of the Iranian Ministry of Intelligence and Security (MOIS), operating through the front company Rana Intelligence Computing, with the goal of tracking individuals and entities the MOIS considers a threat.
Target Sectors: Telecommunications, high-tech, the travel industry, government entities, and the IT firms that support them. This targeting suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals.
Attack Vectors: Spearphishing with malicious attachments and/or hyperlinks, typically resulting in a POWBAT infection.
Associated Malware: SEAWEED and CACHEMONEY backdoors, along with a specific variant of the POWBAT backdoor. APT39 has not been observed to exploit vulnerabilities.