Skip to content
July 9, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Watchtower
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • News
  • Cyber Security
  • Symantec: the Iran-based Chafer attack group is expanding operations its attacks
  • Cyber Security

Symantec: the Iran-based Chafer attack group is expanding operations its attacks

Do Son March 4, 2018 5 minutes read
Iran-based Chafer
Add Daily CyberSecurity as a preferred source on Google

Symantec, the world’s leading provider of solutions for cybersecurity, warned in a blog post on Wednesday that a hacker group based in Iran called “Chafer” has been expanding its presence in the Middle East and List of targets in other regions and add new tools to their network of arsenals.

In 2017, the group launched a series of malicious attacks, including a major telecommunications service provider attacking the Middle East. One of the company’s main businesses is the provision of sales solutions to several telecom operators in the region, and successful intrusion will allow Chafer to monitor a large number of end users.

Symantec said Chafer has been active at least since July 2014. In December 2015, for the first time, Symantec publicly disclosed malicious attacks on the organization. Symantec said that at the time, Chafer was mainly using customized backdoors to target individuals and businesses in Iran and the Middle East (such as Afghanistan and Saudi Arabia, especially airlines and telcos).

During the year 2017, the organization used seven new tools, introduced new infrastructure and created nine new divisions in Israel, Jordan, the United Arab Emirates, Saudi Arabia and Turkey. The targets include airlines, aeronautical services companies, software and IT services companies, telecommunications companies, payroll services companies, engineering consulting firms and document management software companies serving the aviation and maritime sectors.

 

 

Outside the Middle East, Symantec also uncovered evidence of Chafer’s attack on an African airline in an attempt to attack an international travel company.

From the early attacks launched in 2015, Chafer attacks enterprise Web servers mainly through SQL injection and uploads malware. And by 2017, the organization added a new method of infection to its arsenal that began to spread malware by intruding into the employee’s personal e-mail address at the target organization.

The bait file used in the attack is usually an Excel spreadsheet with a malicious VBS file that runs a PowerShell script to execute the removal program on the target computer. After a few hours, a dropper assembly appears on the target computer to install three files: an information-stealing program, a screen capture program, and an empty executable.

The screen capture app seems to be used for initial information collection since it will only be used briefly at the beginning of each infection and will not be seen again later. An information theft program can steal the contents of the clipboard, take screenshots, record keystrokes, and steal files and user credentials. After this initial activity, attackers typically use the PowerShell downloader to download additional tools to their computer and attempt to move laterally across the victim’s network to find more targets.

Back to the new tools and new infrastructure mentioned at the beginning of the article, in addition to the known malware, Chafer has started using seven new tools. Symantec also pointed out that most of these tools are provided free of charge. New tools include:

  • Remcom: An open-source alternative to PsExec, which is a Microsoft Sysinternals tool used for executing processes on other systems.
  • Non-sucking Service Manager (NSSM): An open-source alternative to the Windows Service Manager which can be used to install and remove services and will restart services if they crash.
  • A custom screenshot and clipboard capture tool.
  • SMB hacking tools: Used in conjunction with other tools to traverse target networks. These tools include the EternalBlue exploit (which was previously used by WannaCry and Petya).
  • GNU HTTPTunnel: An open-source tool that can create a bidirectional HTTP tunnel on Linux computers, potentially allowing communication beyond a restrictive firewall.
  • UltraVNC: An open-source remote administration tool for Microsoft Windows.
  • NBTScan: A free tool for scanning IP networks for NetBIOS name information.

 

In addition, the organization continues to use tools such as its custom backdoors Remexi, PsExec, Mimikatz, Pwdump, and Plink.

Chafer clearly intends to use these tools to coordinate the targeted network. For example, the organization recently adopted NSSM to preserve persistence and install Plink on infected machines. Then use Plink to open the reverse SSH session from Chafer’s server to the RDP port on the victim’s computer, apparently in order to be able to use RDP to access the compromised computer. Once established, Chafer can use PsExec, Remcom and SMB hacking tools to move laterally across the victim’s network.

Chafer, on the other hand, has begun using the new infrastructure, which is embedded in the dropper assembly. Symantec discovered a large number of copies of the tools on a staging server Chafer had used, and Chafer did not even hide their activity and saved copies of the tools to the desktop without renaming them.

According to Symantec, malicious attacks by Chafer are linked to another hacker group called Crambus (aka Oilrig). This is another hacking group that is believed to have an association with Iran, mainly conducting cyber espionage.

Both seem to use the same IP address as the command and control (C&C) server address and use a similar infection vehicle, an Excel spreadsheet with malicious VBS files. Both VBS files reference the same file path and contain the same misspellings.

Recent activities by Chafer not only show that the organization is still very active, but that it has become bolder in choosing targets. Similar to other targeted hacking organizations, it follows two trends in global targeting attacks: the first is more reliance on software tools that are provided free of charge; the second is the attack on the supply chain, first Attack a goal, target the target customer after the success, and then continue to expand. This type of attack requires more “steps” to reach its ultimate goal, adding additional time and risk to the attacker’s goal. However, if successful, an attacker can gain a large number of potential goals.

Source: Symantec

Get Zero-Hour Vulnerability Alerts

Critical CVEs, CVSS scores, and PoC updates — straight to your inbox every week.


We respect your inbox. Unsubscribe anytime.

Related coverage

  • Russian State Actors Target UK Critical Infrastructure in New Cyber Campaign
  • Advanced Cyberattacks: Patchwork APT’s Nexe Backdoor Campaign Exposed
  • Microsoft admits to being hacked by hacker group LAPSUS$
  • Beware: Hackers Use Google Drawings & WhatsApp Links to Steal Data
  • Iranian APT42 Ramps Up Phishing Campaigns Against Israel, U.S. Election Targets

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Iran-based Chafer

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
  • CVE-2024-14037CVSS 9.8
    Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution...
    Admin intel📅 Updated: Jul 3, 2026
  • CVE-2026-8451CVSS 8.8
    Insufficient input validation in NetScaler ADC and NetScaler Gateway leading to memory overread if NetScaler ADC or NetScaler Gateway is configured...
    Admin intel📅 Updated: Jul 2, 2026
  • CVE-2026-8037CVSS 9.6
    OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to...
    Admin intel📅 Updated: Jul 1, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-14245CVSS 9.8
    The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is...
  • CVE-2026-47646CVSS 9.3
    Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics...
  • CVE-2026-54782CVSS 10.0
    CoreWCF is a port of the service side of Windows Communication Foundation...
  • CVE-2026-44024CVSS 9.8
    Fluentd collects events from various data sources and writes them to files,...
  • CVE-2026-53649CVSS 9.6
    # Unauthenticated Cross-Origin Plugin Upload Leads to RCE (Joro ≤ v1.1.0) **Severity:**...
  • CVE-2026-52831CVSS 10.0
    ## Summary Nuclio controller builds a `curl` invocation string for each cron...
  • CVE-2026-9074CVSS 9.1
    IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL...
  • CVE-2026-15062CVSS 9.6
    SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior...
  • CVE-2026-59702CVSS 9.3
    repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint...
  • CVE-2026-54061CVSS 9.1
    Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5,...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • Disclaimer
    • Privacy Policy
    • DMCA NOTICE
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.