
Iran-Linked Hackers Use Array of Tools to Steal Data: FireEye

An Iran-linked cyber-espionage group responsible for widespread theft of data is using a broad range of custom and off-the-shelf tools, FireEye security researchers say. 

Referred to as APT39, the group has been tracked since November 2014 and its activities largely align with the Chafer group, as well as with the OilRig cyberspies. Unlike other groups operating out of Iran, however, APT39 hasn’t been linked to influence operations, disruptive attacks, and other threats.

APT39 mainly targets the telecommunications and travel industries, likely aiming “to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or create additional accesses and vectors to facilitate future campaigns.”

The APT39 designation was created to bring together previously observed activity and methods of the actor, FireEye notes in a report shared with SecurityWeek.

The hackers primarily use the SEAWEED and CACHEMONEY backdoors and a specific variant of the POWBAT backdoor. Their activity is concentrated in the Middle East, although their targeting scope is global (it includes the U.S. and South Korea).

The actor has also been targeting high-tech industry and government entities. This suggests the group is also attempting to collect geopolitical data, but its key mission most likely remains the tracking or monitoring of targets of interest.

“We have moderate confidence APT39 operations are conducted in support of Iranian national interests based on regional targeting patterns focused in the Middle East, infrastructure, timing, and similarities to APT34, a group that loosely aligns with activity publicly reported as ‘OilRig’,” FireEye says. 

Despite similar malware distribution methods, infrastructure nomenclature, targeting overlaps, and shared use of the POWBAT backdoor, FireEye tracks APT39 separately from APT34 because APT39 uses a different variant of that backdoor. However, the researchers note that the two groups could be working together or sharing resources at some level.

For initial compromise, the group uses spear-phishing emails carrying malicious attachments or URLs that usually lead to a POWBAT infection. The group targets vulnerable web servers of organizations to install web shells such as ANTAK and ASPXSPY and steal credentials for further compromise. 

Post-infection, custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT are used to establish a foothold in a target environment. Tools such as Mimikatz and Ncrack are also being used, along with legitimate tools such as Windows Credential Editor and ProcDump and the port scanner BLUETORCH.

For lateral movement, the group employs tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. It was also observed using custom tools such as REDTRIP, PINKTRIP, and BLUETRIP to create SOCKS5 proxies between infected hosts. Stolen data is usually compressed using WinRAR or 7-Zip.
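The post-compromise chain described in the three paragraphs above (phishing attachment spawning a script host, credential theft with ProcDump or Mimikatz, remote execution with PsExec or RemCom, and staging of stolen data with WinRAR or 7-Zip) is a useful detection target precisely because each individual step is common in normal administration. The script below is an added example from the editor, not code from FireEye, SecurityWeek or the report; it classifies constructed Sysmon-style process-creation events into the stages the article names and only flags a host when several distinct stages appear on it. Hostnames, paths, timestamps and the field layout are all assumptions made for the example.

```python
"""Added detection example: correlate weak process-creation signals into the
APT39-style chain described in the article. Not from FireEye or SecurityWeek."""
from collections import defaultdict

# Constructed Sysmon Event ID 1 style records (hypothetical telemetry, not real logs).
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2019-01-30T09:01:00",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc REDACTED"},
    {"host": "WS01", "ts": "2019-01-30T09:15:00", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\pd.exe",              # renamed ProcDump
     "cmdline": "pd.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"host": "WS01", "ts": "2019-01-30T10:02:00", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\PsExec.exe",
     "cmdline": r"PsExec.exe \\SRV02 -u CORP\svc -p ***** cmd.exe"},
    {"host": "SRV02", "ts": "2019-01-30T10:02:05", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "WS01", "ts": "2019-01-30T11:30:00", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -p -mhe=on C:\Users\Public\o.7z \\FS01\finance"},
    # Benign archiving on another host: one weak signal alone must not fire.
    {"host": "WS07", "ts": "2019-01-30T12:00:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a C:\Users\amy\photos.7z C:\Users\amy\Pictures"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
REMOTE_EXEC = ("psexec", "psexesvc", "remcom", "xcmd")   # clients and the service they drop
ARCHIVERS = ("7z.exe", "7za.exe", "winrar.exe", "rar.exe")


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the set of attack stages a single event is evidence for."""
    parent, image = _base(event["parent"]), _base(event["image"])
    cmd = event["cmdline"].lower()
    tokens = cmd.split()
    stages = set()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        stages.add("initial_access")        # attachment spawning a script host
    if "lsass" in cmd or "mimikatz" in cmd or "sekurlsa" in cmd:
        stages.add("credential_access")     # keyed on the command line, so a renamed binary still matches
    if any(t in image or t in parent for t in REMOTE_EXEC):
        stages.add("lateral_movement")
    # Archiving a UNC share ("a"/"u" verb plus a \\server\share path) is the staging
    # pattern; archiving a local folder is everyday use and is left alone.
    if image in ARCHIVERS and tokens[1:2] in (["a"], ["u"]) and "\\\\" in cmd:
        stages.add("collection")
    return stages


def correlate(events):
    """Per host, map each observed stage to the first timestamp it was seen."""
    per_host = defaultdict(dict)
    for e in sorted(events, key=lambda e: e["ts"]):
        for stage in classify(e):
            per_host[e["host"]].setdefault(stage, e["ts"])
    return dict(per_host)


def flagged_hosts(events, min_stages=2):
    """Hosts with at least `min_stages` distinct stages. A lone archive or a lone
    PsExec is noise; the combination is the chain the report describes."""
    return {h: sorted(s) for h, s in correlate(events).items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, stages in flagged_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Running the script flags only WS01, which shows all four stages; SRV02 carries a single PSEXESVC signal and WS07 only a local archive, so neither is reported. The threshold and the stage rules are deliberately simple so they can be mapped onto whatever query language the SIEM in use supports.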

“APT39’s targeting not only represents a threat to known targeted industries, but it extends to these organizations’ clientele, which includes a wide variety of sectors and individuals on a global scale. APT39’s activity showcases Iran’s potential global operational reach and how it uses cyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national security threats and gain advantages against regional and global rivals,” FireEye concludes. 

Related: Israel Blocks Iran Cyber-attacks ‘Daily’

Related: Iran-Linked DNS Hijacking Attacks Target Organizations Worldwide

Written By

Ionut Arghire is an international correspondent for SecurityWeek.