APT39 is an Iranian cyberespionage group that has been active since at least 2014. The group is known to target the telecommunication and travel industries to collect personal information that aligns with Iran's national goals. [1][2]

The group is known to be using Secure Shell SSH to move laterally within the network.

Associated Group Descriptions

Name Description

Activities associated with APT39 largely align with a group publicly referred to as Chafer.[1][2][3]

Techniques Used

Domain ID Name Use
Enterprise VT0013 Brute Force

APT39 has used Ncrack to reveal credentials.[1]

Enterprise VT0012 Command and Scripting Interpreter

APT39 utilized custom scripts to perform internal reconnaissance. [1]

Enterprise VT0021 Credentials from Password Stores

APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.[4]

Enterprise VT0003 Exploit Public-Facing Application

APT39 has used SQL injection for initial compromise.[5]

Enterprise VT0018 .001 Input Capture: Keylogging

APT39 has used tools for capturing keystrokes.[5]

Enterprise VT0024 Network Service Scanning

APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning. [1][4]

Enterprise VT0020 .001 Remote Services: SSH

APT39 used secure shell (SSH) to move laterally among their targets. [1]

Enterprise VT0034 Remote System Discovery

APT39 has used nbtscan and custom tools to discover remote systems. [1][4][5]

Enterprise VT0005 Valid Accounts

APT39 has used stolen credentials to compromise Outlook Web Access (OWA). [1]



Associated Groups

Created: 02 May 2021

Last Modified: 02 May 2021