Chafer

Threat Actor updated 4 months ago (2024-05-04T19:17:51.845Z)
Chafer, also known as APT39 or Helix Kitten, is an Advanced Persistent Threat (APT) actor linked to Iran that has been actively tracked by cybersecurity firms such as Symantec and FireEye for over four years. Chafer's activity centers on using open-source tools against entities perceived as enemies of Iran, including airlines and telecom companies. The group deploys the Remexi malware, a tool that has become synonymous with its operations. Remexi has fewer features than some comparable tools, such as Cadelspy used by Cadelle, another Iran-based threat group, but it is still effective for targeted espionage. Chafer and Cadelle overlap notably, both in the organizations they target and in their operating hours, hinting at possible collaboration or shared resources between the two groups. Each group uses its own malware, AutoIT payloads in Chafer's case and Cadelspy in Cadelle's, to infiltrate similar categories of organization. Although neither group possesses advanced skills, their activity demonstrates the significant impact that such threat actors can have on their targets. Both Chafer and Cadelle remain active, and there is no indication that their activity will cease in the near future. They belong to a growing list of Iran-based threat actors that pose significant cybersecurity risks to targeted industries and organizations worldwide. Differences in public reporting about these groups stem from variances in how organizations track and report malicious activity, which underscores the need for unified standards and naming conventions in the cybersecurity industry.
Description last updated: 2024-05-04T18:42:47.131Z
Aliases: We are not currently tracking any aliases
Source Document References
Information about the Chafer Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
MITRE | 2 years ago | Endpoint Protection - Symantec Enterprise
MITRE | 2 years ago | APT39: An Iranian Cyber Espionage Group Focused on Personal Information | Mandiant
MITRE | 2 years ago | Iran Ups its Traditional Cyber Espionage Tradecraft
MITRE | 2 years ago | New Python-Based Payload MechaFlounder Used by Chafer
MITRE | 2 years ago | Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities