active threat profile
type: nation-state
threat_level: high
status: active
origin: Iran — MOIS / Rana Intelligence Computing
last_updated: 2025-03-27

APT39 / Remix Kitten

also known as: Chafer, Remix Kitten, Burgundy Sandstorm, Radio Serpens, COBALT HICKMAN, ITG07, TA454, Cadelspy, Remexi

APT39 is the Iranian Ministry of Intelligence and Security's primary people-tracking unit, operating through the front company Rana Intelligence Computing Company since at least 2014. Unlike other Iranian APTs focused on IP theft or destructive operations, APT39's mission is human surveillance — acquiring the travel itineraries, call records, contact lists, and personal identifiers needed to locate, monitor, and act against individuals deemed a threat by the Iranian regime. Targets span over 30 countries and include dissidents, journalists, dual nationals, foreign diplomats, and customers of telecommunications and travel companies holding data on people of interest to MOIS.

attributed origin: Iran
suspected sponsor: MOIS — Rana Intelligence Computing Company
first observed: 2014
primary motivation: Human surveillance — tracking dissidents, journalists, dual nationals, and persons of interest to MOIS
primary targets: Telecommunications, travel, hospitality, academia, government
known campaigns: 6+ confirmed
mitre att&ck group: G0087
target regions: Middle East, North Africa, Central Asia, Europe, North America, Australia
threat level: HIGH

Overview

APT39 was publicly named by Mandiant (then FireEye) in January 2019, though US government attribution to Rana Intelligence Computing Company was formalized on September 17, 2020 — the same day the US Treasury Department sanctioned Rana and 45 individuals employed as managers, programmers, and hacking experts at the front company. The FBI simultaneously released a public threat analysis report detailing eight previously undisclosed malware families used by the group. The sanctions prohibited US companies from doing business with Rana or its employees and represented one of the clearest formal linkages between an Iranian MOIS cyber unit and its commercial cover infrastructure.

What distinguishes APT39 from other Iranian APTs is its operational purpose. Where APT33 targets aerospace and energy IP, and Sandstorm conducts destructive wiper attacks, APT39 is a surveillance instrument — its intrusions into telecommunications carriers and travel companies are not ends in themselves but means of acquiring data about specific people. At least 15 US travel sector companies were confirmed compromised. The group has targeted organizations across more than 30 countries spanning the Middle East, North Africa, Central Asia, Europe, and North America. Iranian citizens, dissidents, journalists, and Persian language and cultural centers inside and outside Iran have all been confirmed targets — making APT39 one of the more direct expressions of Iranian transnational repression in the cyber domain.

APT39's activities show meaningful overlap with APT34 (OilRig): both groups share similar malware distribution methods, use variants of the POWBAT backdoor, share infrastructure naming conventions, and have overlapping targeting. Mandiant assesses APT39 as distinct given its use of a different POWBAT variant and its singular focus on personal surveillance rather than government or financial sector espionage. The two groups may share resources or coordinate at some level — APT39 intrusions are assessed in some cases to prepare footholds for follow-on APT34 operations.

analyst note

APT39's targeting of telecom carriers and travel companies creates a risk profile that extends far beyond the directly compromised organizations. The PII, call records, and travel data accessible via these sectors can be used to identify, locate, and surveil individuals — including Iranian dissidents, dual nationals, and foreign intelligence personnel — across dozens of countries. Organizations in these sectors should treat APT39 as a direct threat to their customers' physical safety, not merely a data breach risk.

Target Profile

APT39's targeting is driven by the intelligence collection requirements of MOIS rather than economic or technical objectives. The group consistently pursues sectors and organizations that hold large databases of personal and movement data.

  • Telecommunications carriers: The group's highest-priority target category. Telecom operators hold call detail records, subscriber data, IMSI numbers, and real-time location data — the exact intelligence needed for human tracking operations. Carriers across the Middle East, Central Asia, and Europe have been targeted repeatedly. Compromised carrier access can enable passive monitoring of individuals without further intrusion.
  • Travel and hospitality: Airlines, hotel chains, and online travel platforms hold itinerary data, passport copies, credit card records, and frequent traveler profiles. APT39 targets these organizations specifically to acquire travel intelligence on persons of interest — knowing where a dissident or intelligence officer is traveling, when, and under what identity is operationally valuable to MOIS.
  • Academia and research institutions: Universities and research centers targeted for the personal data of international students, faculty, and researchers — particularly those with connections to Iran or Iranian diaspora communities.
  • Government agencies: Select government targets, primarily in the Middle East, targeted for the personal data of officials and civil servants. Overlaps with APT34 targeting in this category.
  • Iranian dissidents and diaspora organizations: Persian language and cultural centers, human rights organizations, and diaspora community groups directly targeted — not just as a means to data but as end targets. The FBI confirmed this domestic-external surveillance mission in its 2020 public disclosure.
  • IT firms supporting travel and telecom: Technology vendors and managed service providers serving the travel and telecommunications industries targeted as a supply chain access vector.

Tactics, Techniques & Procedures

Documented TTPs based on Mandiant, Symantec, FBI, and MITRE ATT&CK reporting across the group's operational history.

mitre id / technique: description

T1566.001 Spearphishing Attachment: Primary initial access vector. Malicious attachments and hyperlinks in spearphishing emails deliver POWBAT infections. In some cases previously compromised email accounts were used to lend legitimacy and exploit the inherent trust between sender and recipient.
T1190 Exploit Public-Facing Application: APT39 routinely identifies and exploits vulnerable web servers at targeted organizations to install web shells (ANTAK, ASPXSPY). This complements spearphishing as a parallel initial access pathway, particularly for organizations where email-based lures are less effective.
T1078 Valid Accounts: Stolen legitimate credentials are used to authenticate to externally facing Outlook Web Access (OWA) resources — a particularly effective technique for maintaining persistent access via trusted IP addresses without deploying additional malware.
T1071.001 Application Layer Protocol — Web Protocols: C2 communications are conducted primarily over HTTPS to domains that masquerade as legitimate web services and organizations relevant to the target. APT39 registers typosquatting domains impersonating airlines, telecom providers, and travel system platforms to blend C2 traffic with legitimate industry traffic.
T1505.003 Server Software Component — Web Shell: ANTAK and ASPXSPY web shells are deployed on compromised web servers as persistence mechanisms and lateral movement staging points. Web shells allow command execution and file operations via HTTP without requiring a separate C2 channel.
T1021.001 Remote Services — RDP: Remote Desktop Protocol is used for lateral movement after the initial foothold, combined with SSH, PsExec, RemCom, and xCmdSvc for traversal across compromised networks. The custom SOCKS5 proxy tools REDTRIP, PINKTRIP, and BLUETRIP tunnel lateral movement traffic through intermediary hosts.
T1003 OS Credential Dumping: Mimikatz, Ncrack, Windows Credential Editor, and ProcDump are used for privilege escalation and credential harvesting during the post-compromise phase. Harvested credentials feed subsequent lateral movement and OWA access operations.
T1560 Archive Collected Data: Data is compressed prior to exfiltration — a consistent operational pattern observed across campaigns, reducing transfer time and evading size-based data loss prevention controls.
T1036 Masquerading: Domains are registered to impersonate legitimate airline, telecom, and travel system provider brands — used both for initial lure delivery and ongoing C2 infrastructure. Infrastructure naming conventions follow a consistent pattern that partially overlaps with APT34 domain naming.

Known Campaigns

Confirmed or highly attributed operations linked to APT39 across its operational history.

Telecom and Travel Sector Espionage 2014–2018

APT39's founding campaign set, spanning four years before public attribution. Targeting focused on telecommunications carriers and travel companies across the Middle East, Central Asia, and North America. Intrusions used spearphishing with POWBAT payloads and web shell deployment on vulnerable servers. The operational objective — collecting customer databases, call records, and travel itineraries on individuals of interest to MOIS — remained consistent throughout. FireEye tracked the activity from November 2014 and formally disclosed it in January 2019, naming the group APT39.

Iran-based Foreign Diplomatic Surveillance 2015–2019

Kaspersky documented APT39 (tracked as Chafer/Remexi) conducting surveillance operations against foreign diplomatic entities based inside Iran using the Remexi backdoor — a tool capable of capturing keystrokes, screenshots, browser data, and clipboard content. The campaign targeted embassies and consulates inside Iranian territory, reflecting MOIS's interest in monitoring foreign intelligence personnel operating on Iranian soil. Remexi is a lightweight implant assessed as purpose-built for persistent long-term surveillance rather than data exfiltration at scale.

Kuwait and Saudi Arabia Infrastructure Targeting 2020

Bitdefender documented two APT39-attributed attacks against critical infrastructure organizations in Kuwait and Saudi Arabia. Intrusions initiated via spearphishing emails with malicious attachments. Multiple intrusion tools were used to gain an initial foothold and collect sensitive data from infected systems. The Kuwait and Saudi Arabia targeting aligns with Iran's regional intelligence requirements against Gulf state adversaries.

Rana — Iranian Dissident and Domestic Surveillance 2014–2020

The FBI's September 2020 disclosure formally connected APT39 to Rana Intelligence Computing and revealed the full scope of the group's domestic surveillance mission. At least 15 US travel sector companies were confirmed compromised. Iranian citizens, dissidents, and journalists were directly targeted with Android spyware (optimizer.apk) capable of information theft and remote access — extending MOIS surveillance beyond organizational data collection to direct device-level control of individual targets. Rana and 45 named employees were sanctioned by the US Treasury the same day.

Continued Regional Telecom Targeting 2022–2024

Reporting from 2023 and 2024 documents continued APT39-aligned activity, with possible partial overlap or absorption into broader MOIS-linked clusters. Distinct activity under the APT39 tracking designation was documented through at least 2023–2024, with telecom and travel targeting continuing as the group's primary operational focus. Some vendors note possible convergence with other MOIS clusters since 2022, though the mission profile — human surveillance via carrier and travel data — remains consistent.

Tools & Malware

APT39 employs a mix of custom-developed backdoors, commodity remote access tools, and legitimate system utilities. The FBI's 2020 disclosure revealed eight previously undocumented malware families used by Rana, significantly expanding the known toolset beyond what had been publicly reported.

  • POWBAT: APT39's primary custom backdoor, used across all documented campaigns. A distinct variant from the POWBAT used by APT34 — the difference in variant is one of the key technical factors supporting Mandiant's assessment that the two groups are separate entities. Delivers initial foothold and enables follow-on payload staging.
  • SEAWEED: Custom backdoor used for post-compromise persistence and command execution. Deployed after initial POWBAT infection to establish a more stable foothold. Supports file operations, system enumeration, and C2 communication.
  • CACHEMONEY: Custom backdoor used in the post-compromise phase alongside SEAWEED. Provides overlapping capability with a different technical implementation, supporting redundant access in case one implant is detected and removed.
  • Remexi: Lightweight persistent surveillance implant, assessed as purpose-built for long-term monitoring of individual targets rather than bulk data theft. Capabilities include keylogging, screenshot capture, browser credential and history collection, and clipboard monitoring. Used in the diplomatic surveillance campaign documented by Kaspersky.
  • optimizer.apk: Android spyware disclosed by the FBI in 2020. Used for direct device-level surveillance of individual targets — primarily Iranian dissidents and journalists. Capabilities include information theft and remote access. Represents the group's extension from organizational compromise into personal device targeting.
  • ANTAK / ASPXSPY: Web shells deployed on compromised web servers for persistent access and lateral movement staging. Used as a parallel access mechanism independent of the email-delivered backdoor chain.
  • REDTRIP / PINKTRIP / BLUETRIP: Custom SOCKS5 proxy tools used to tunnel lateral movement and C2 traffic through compromised intermediary hosts, reducing direct exposure of attacker infrastructure.
  • BITS 1.0 and 2.0: Malware families disclosed in FBI and open-source reporting as part of the Rana toolset. Used for persistence and data staging.
  • Commodity tools: Mimikatz (credential dumping), Ncrack (network authentication cracking), Windows Credential Editor, ProcDump, PsExec, RemCom, xCmdSvc, and the port scanner BLUETORCH — all used in the post-compromise phase alongside custom implants.

Indicators of Compromise

Behavioral and infrastructure indicators from documented APT39 campaigns. Specific IP and domain IOCs from the 2020 FBI disclosure should be treated as largely burned — focus on behavioral patterns for detection.

warning

IOCs from the 2020 FBI / Treasury disclosure are likely burned following public exposure. APT39 registers infrastructure that mimics legitimate telecom, airline, and travel system domains — hunting for lookalike domain registrations relevant to your industry is a more durable detection approach than blocking specific historical indicators.

behavioral indicators of compromise

network: HTTPS C2 traffic to newly registered domains typosquatting airline, telecom, or travel system brand names
web shell: ANTAK.aspx or ASPXSPY.aspx files in web-accessible directories of IIS or Exchange servers
auth: OWA authentication from unusual geographies or IP ranges not consistent with the user's normal access pattern
process: ProcDump, Mimikatz, or Windows Credential Editor execution from non-administrative user contexts
lateral: RDP and PsExec activity originating from hosts not normally used for administrative access; SOCKS5 proxy traffic patterns consistent with REDTRIP/PINKTRIP tunneling
exfil: Compressed archive creation (RAR/ZIP) containing customer database exports or call detail record files prior to outbound transfer
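
The behavioral indicators above map cleanly onto simple host and authentication telemetry rules. The following is an added detection sketch, not code from the original profile or any vendor product; the event field names, per-user country baselines, admin account and jump host sets, and the sample events are all constructed for illustration.

```python
"""Evaluate constructed telemetry against the APT39 behavioral indicators above.
Added detection sketch, not code from the original profile or any vendor.
Field names, baselines and the sample events are constructed placeholders."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed baselines a defender maintains for their own environment.
USER_BASELINE_COUNTRIES = {"alice": {"GB"}, "bob": {"AE", "GB"}}
ADMIN_ACCOUNTS = {"svc_backup", "it_admin"}
ADMIN_JUMP_HOSTS = {"JUMP01", "JUMP02"}
WEB_ROOTS = (r"c:\inetpub\wwwroot", r"c:\program files\microsoft\exchange server")
CRED_TOOLS = {"procdump.exe", "mimikatz.exe", "wce.exe"}
LATERAL_TOOLS = {"psexec.exe", "remcom.exe", "mstsc.exe"}
ARCHIVERS = {"rar.exe", "7z.exe", "winrar.exe"}
SENSITIVE_EXPORT = re.compile(r"(cdr|call_detail|customer|subscriber).*\.(csv|bak|sql)", re.I)

@dataclass
class Alert:
    rule: str
    host: str
    detail: str

def check_event(ev: dict) -> Optional[Alert]:
    """Map one telemetry event onto the behavioral indicator it matches, if any."""
    kind = ev["kind"]
    if kind == "file_create":
        path = ev["path"].lower()
        if path.endswith(".aspx") and path.startswith(WEB_ROOTS):  # .aspx dropped under a web root
            return Alert("webshell_drop", ev["host"], ev["path"])
    elif kind == "owa_auth" and ev["result"] == "success":
        if ev["country"] not in USER_BASELINE_COUNTRIES.get(ev["user"], set()):
            return Alert("owa_geo_anomaly", ev["host"], f"{ev['user']} from {ev['country']}")
    elif kind == "process":
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in CRED_TOOLS and ev["user"] not in ADMIN_ACCOUNTS:
            return Alert("cred_dump_nonadmin", ev["host"], f"{image} as {ev['user']}")
        if image in LATERAL_TOOLS and ev["host"] not in ADMIN_JUMP_HOSTS:
            return Alert("lateral_from_nonadmin_host", ev["host"], image)
        if image in ARCHIVERS and SENSITIVE_EXPORT.search(ev.get("cmdline", "")):
            return Alert("bulk_export_archived", ev["host"], ev["cmdline"])
    return None

def evaluate(events: list) -> list:
    """Run every event through the rules and keep the alerts."""
    return [a for a in map(check_event, events) if a]

# Constructed sample telemetry: each rule gets one matching and one benign event.
SAMPLE_EVENTS = [
    {"kind": "file_create", "host": "WEB01", "path": r"C:\inetpub\wwwroot\aspnet_client\ANTAK.aspx"},
    {"kind": "file_create", "host": "WEB01", "path": r"C:\inetpub\wwwroot\css\site.css"},
    {"kind": "owa_auth", "host": "MAIL01", "user": "alice", "country": "US", "result": "success"},
    {"kind": "owa_auth", "host": "MAIL01", "user": "bob", "country": "AE", "result": "success"},
    {"kind": "process", "host": "WS017", "user": "alice", "image": r"C:\Temp\procdump.exe"},
    {"kind": "process", "host": "WS017", "user": "alice", "image": r"C:\Windows\psexec.exe"},
    {"kind": "process", "host": "JUMP01", "user": "it_admin", "image": r"C:\Tools\psexec.exe"},
    {"kind": "process", "host": "DB01", "user": "svc_backup", "image": r"C:\Tools\rar.exe",
     "cmdline": r"rar.exe a out.rar D:\exports\cdr_march.csv"},
]
```

Running evaluate(SAMPLE_EVENTS) yields five alerts, one per rule, while the benign twin of each event stays quiet; the deployment-window exception for .aspx drops mentioned in the mitigation section is left to the reader's change-management data.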

Mitigation & Defense

Recommended defensive measures for organizations in APT39's target profile — primarily telecommunications carriers, travel companies, and organizations holding large-scale PII databases.

  • Harden OWA and externally facing email infrastructure: APT39 consistently abuses stolen credentials against Outlook Web Access to establish persistent access from legitimate-appearing IP addresses. Enforce MFA on all OWA access, implement conditional access policies based on geography and device compliance, and alert on authentication from unexpected locations.
  • Patch web-facing applications promptly: The group routinely exploits vulnerable web servers for initial access alongside spearphishing. Prioritize patching for Exchange, IIS, and any customer-facing web applications. Conduct regular vulnerability scanning of externally accessible infrastructure.
  • Monitor for web shell deployment: ANTAK and ASPXSPY are consistent APT39 indicators. Implement file integrity monitoring on web server directories and alert on the creation of .aspx files in web-accessible paths outside of normal deployment windows. Web application firewalls should be tuned to detect web shell execution patterns.
  • Hunt for lookalike domain registrations: APT39 registers domains impersonating industry-specific brands before campaigns begin. Set up monitoring for newly registered domains typosquatting your organization's name, your vendors' names, and industry platforms (airline reservation systems, telecom portals). DMARC enforcement reduces the effectiveness of phishing from spoofed domains.
  • Restrict lateral movement tools: PsExec, RemCom, xCmdSvc, and RDP are all legitimate tools that APT39 repurposes for lateral movement. Implement application allowlisting or software restriction policies to limit execution of these tools to authorized administrative accounts and systems. Alert on their use from unexpected source hosts.
  • Monitor for credential dumping activity: Mimikatz execution, lsass memory access by non-system processes, and Volume Shadow Copy deletion are all indicators of credential harvesting activity. Enable Credential Guard on Windows endpoints to protect LSASS.
  • Protect customer data at rest: Given APT39's specific objective of acquiring customer databases and call records, implement data-at-rest encryption for PII and telecommunications records. Enforce the principle of least privilege on database access — limit which systems and accounts can query customer data in bulk.
  • Alert on bulk data access and compression: APT39 compresses collected data before exfiltration. Implement data loss prevention rules alerting on large archive creation events involving customer database exports. Monitor for unusual outbound data transfer volumes, particularly to newly seen external IP addresses.
  • Employee awareness for telecom and travel sectors: Spearphishing with lures tailored to aviation and telecommunications contexts is APT39's primary initial access vector. Security awareness training for employees in these industries should include specific examples of industry-themed lures.
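
The lookalike-domain hunting recommended above (and in the warning under Indicators of Compromise) can be automated against a feed of newly registered domains. The following is an added illustration, not code from the original profile or any registrar or threat-intel vendor; the brand tokens, allowlist, homoglyph table and sample feed are constructed placeholders to be replaced with an organization's own watchlist.

```python
"""Hunt a feed of newly registered domains for lookalikes of watchlisted brands.
Added illustration of the lookalike-domain hunting recommended above; not code
from the original profile. Brands, allowlist and the feed are constructed."""
from dataclasses import dataclass
from typing import Optional

WATCHLIST = ["skylineair", "horizontelecom", "tripbookingsys"]  # constructed brand tokens
ALLOWLIST = {"skylineair.com", "horizontelecom.net", "tripbookingsys.com"}  # their own domains
# Visual substitutions common in typosquats, folded back to one canonical spelling.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

@dataclass
class Hit:
    domain: str
    brand: str
    reason: str

def registrable_label(domain: str) -> str:
    """'skylineair-portal.com' -> 'skylineair-portal' (simplified: ignores multi-part suffixes)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def fold(label: str) -> str:
    """Undo homoglyphs and separators so 'sky1ine-air' -> 'skylineair'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label.replace("-", "").replace("_", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming, for near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> Optional[Hit]:
    """Return a Hit if the domain imitates a watchlisted brand, else None."""
    if domain.lower() in ALLOWLIST:
        return None
    label = registrable_label(domain)
    folded = fold(label)
    for brand in WATCHLIST:
        if folded == brand:
            why = "brand on unlisted domain" if label == brand else "homoglyph/separator variant"
            return Hit(domain, brand, why)
        if brand in folded:
            return Hit(domain, brand, "brand embedded with extra tokens")
        if edit_distance(folded, brand) <= 2:  # tolerate one or two typos
            return Hit(domain, brand, "near-miss spelling")
    return None

def hunt(feed: list) -> list:
    return [h for h in map(classify, feed) if h]

# Constructed feed of "newly registered" domains; the allowlisted ones must stay quiet.
SAMPLE_FEED = ["skylineair.com", "skylinair.com", "sky1ineair-checkin.com", "horiz0ntelecom.net",
               "horizontelecom-billing.net", "weatherblog.org", "tripbookingsys.com",
               "tripbookingsys-support.com"]
```

Each Hit carries the matched brand and the reason, so findings can be triaged by confidence (an exact homoglyph variant is a stronger signal than a near-miss spelling); pair the output with DMARC enforcement as the mitigation bullet suggests.
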

note

The FBI's full IOC disclosure from September 17, 2020 — including network indicators, YARA signatures, and file hashes for all eight Rana malware families — remains publicly available at ic3.gov and is the most authoritative technical reference for APT39 detection engineering. Cross-reference any APT39 hunting effort against that disclosure before building detection rules.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile