Cyber Threat Actor: APT39
| Actor Type | Location | Known Incidents |
Nation State
|
Iran
|
2 incidents |
|---|
Profile
Chafer, also tracked as APT39, is an Iran‑linked threat actor that has been active since at least mid‑2014. Public reporting identifies the group’s primary focus as surveillance operations and the tracking of individuals, indicating an espionage‑oriented motive. The actor has been observed targeting government entities in different regions, including a Turkish governmental organization and Spain’s state meteorological agency, Aemet. These incidents show that Chafer’s interests extend beyond traditional diplomatic or military targets to include civilian public‑sector infrastructure. The group’s alias set includes Chafer and APT39, and its geographic nexus to Iran is repeatedly cited in threat‑intelligence sources.
Chafer’s tooling has evolved to include Python‑based backdoors such as MechaFlounder, which was first seen in a November 2018 intrusion against a Turkish government target. MechaFlounder is packaged with PyInstaller into a portable executable and uses the mechanize module to upload files to its command‑and‑control server, encoding command output with base16 (hex) before transmission over HTTP. Earlier activity attributed to the group involves data‑stealer malware that has been distributed since at least mid‑2014, underscoring a long‑standing emphasis on exfiltrating sensitive information. The infrastructure used for the MechaFlounder campaign, notably the win10‑update[.]com domain and the IP address 185.177.59.70, had been observed in prior Chafer operations reported by other researchers. Analysts have noted code similarities between Chafer’s MechaFlounder and tools used by the Oilrig threat group, suggesting possible sharing of components or development practices.
Representative operations attributed to Chafer include the 2018 compromise of a Turkish government entity where the MechaFlounder backdoor was deployed via the win10‑update[.]com domain, enabling file transfer, command execution and persistent communication with attacker‑controlled servers. A more recent incident occurred on 24 May 2023 when the group’s activity led to a cyberattack on Spain’s Aemet meteorological agency, forcing the temporary suspension of the SINOBAS public science project and affecting related services such as the meteoglossary and Antarctic weather station operations. Agency officials stated that restoration was expected once user safety could be guaranteed, indicating the attack caused a disruptive outage rather than a prolonged breach. These two cases illustrate Chafer’s capability to conduct both espionage‑focused intrusions and operations that impair the availability of public‑sector services.
