THREATOPS Actor Dossier
LIVE ← Dashboard

APT39

G00871 reports
aliases · APT39 · ITG07 · Chafer · Remix Kitten
Export dossier:
1
Reports
2
Techniques
1
Tactics
1
Countries
100%
Hunt coverage
4
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1090.004 (Domain Fronting), T1090.001 (Internal Proxy).
  • Primary targeting: US.
  • Newly emerged: 1 report(s) in last 30d vs 0 prior (+100%).
  • Recent movement: 2 new technique(s), 8 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 100% of 2 observed techniques (0 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

Newly emergedLast 30d: 1 vs 0 prior (+100%)· first reported 2026-07-09 · last 2026-07-09
1
7d
1
30d
1
90d
1
All
0.1
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1090.004T1090.001
Targeting gained
US
New infrastructure
https://www.bitdefender.com/files/News/Chttps://blog.sekoia.io/lucky-mouse-incidhttps://www.cybereason.com/blog/sliver-chttps://thedfirreport.com/2024/12/02/thehttps://blog.yaxser.io/blue/detecting-cohttps://trustedsec.com/blog/the-socks-wehttp://reg.pyhttp://ifconfig.me

Overview

Analyst triage
Intelligence summary

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected