The Veil of Chafer: APT39

Threat Intelligence Tarot

Vol. II · 82

Iran (MOIS - Ministry of Intelligence and Security)

G0087

★★★★★

risk 3/5

✦ The Veil of Chafer ✦

APT39

Chafer · Remix Kitten · ITG07

TelecommunicationsTravel industryIT sectorMiddle East governmentsIranian dissidents abroad

Active since ~2014 · Surveillance, Tracking diaspora and dissidents

The Veil does not seek secrets of state but secrets of people: the itinerary of the dissident, the contact list of the journalist, the flight records of those who ran. It is a census of the unwilling.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.001

Spearphishing Attachment

Initial Access

T1078

Valid Accounts

Defense Evasion

T1021.001

Remote Desktop Protocol

Lateral Movement

T1560

Archive Collected Data

Collection

T1105

Ingress Tool Transfer

Command and Control

T1083

File and Directory Discovery

Discovery

T1041

Exfiltration Over C2 Channel

Exfiltration

Notable Operations

◆Mass telecom surveillance campaigns across Middle East
◆Tracking Iranian dissidents in 30+ countries
◆Middle Eastern airline targeting for passenger data
◆Personal data harvesting operations against diaspora

Defenses

▸
Privileged access management limiting RDP exposure
CIS Control 6 ↗
▸
Telecom network anomaly detection for bulk data queries
NIST CSF: DE.AE ↗
▸
Data loss prevention on travel and HR systems
CIS Control 3 ↗
▸
Phishing-resistant MFA for remote access
NIST CSF: PR.AC ↗

Reversed: Their Weakness

Its focus on personal data over critical infrastructure limits its destructive potential. Telecom hardening and traveler OPSEC training disrupt the surveillance pipelines it depends on.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Scarlet Reaper Next →The Damselfly

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.