APT39

apt39 · primary source: MITRE · first observed 2013
IR · Iran · State-sponsored · High confidence · last cited Sep 16, 2020 · 6y ago

Iranian state-affiliated intrusion set publicly attributed to Rana Intelligence Computing, an MOIS (Ministry of Intelligence and Security) front company that the U.S. Treasury's OFAC sanctioned in September 2020. It targets the telecommunications and travel-reservation systems that Iran's intelligence services use to surveil ethnic minorities, Iranian dissidents, journalists, and former Iranian officials abroad. The 2020 OFAC action named 45 MOIS officers and unsealed parallel FBI charges.

Aliases

  • Chafer · Other
  • Remix Kitten · CrowdStrike
  • ITG07 · Other

Motivations

  • espionage
  • surveillance

Target sectors

  • telecommunications
  • travel
  • media
  • dissidents

Target countries

  • US
  • GB
  • TR
  • IL
  • AE
  • SA
  • DE

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • APT39
  • Iran
  • espionage
  • surveillance
Infrastructure
Victim
  • telecommunications
  • travel
  • media
  • US
  • GB
  • +1 more

MITRE ATT&CK techniques

Timeline

1 event

Indicators of compromise

2 indicators

Type: Name
Value: MAR-10303705-1.v1
family · Rana toolset
Identifier for the CISA-hosted STIX bundle accompanying the FBI Malware Analysis Report on Rana / APT39 tooling, released alongside Treasury press release SM1127 on 17 Sep 2020. The bundle enumerates hashes, file names and C2 infrastructure for the eight malware sets attributed to MOIS through Rana.
First seen: Sep 16, 2020
Source: U.S. Department of the Treasury

Type: Name
Value: Rana Intelligence Computing toolset
family · Rana toolset
Composite designation Treasury and the FBI used on 17 Sep 2020 for the eight malware sets (VBS/AutoIt scripts, BITS 1.0 and BITS 2.0 variants, a Firefox-impersonating binary, a Python tool, Android malware and Depot.dat) operated by MOIS front company Rana Intelligence Computing Company (APT39 / Chafer / Remix Kitten). Released as FBI advisory MAR-10303705 the same day Treasury sanctioned the front company and 45 associated individuals.
First seen: Sep 16, 2020
Source: FBI

Related actors

shared ATT&CK techniques

References

cite this page

Threat Intel Tracker. (2026-05-19). APT39 — actor profile. Retrieved from https://threatintel.local/actors/apt39

latest cited activity · 2020-09-17 · 2 cataloged indicators