{
	"id": "b7e9a0de-729e-484c-8d24-77d91b9b03e8",
	"created_at": "2026-04-06T03:36:14.027286Z",
	"updated_at": "2026-04-10T13:11:48.107418Z",
	"deleted_at": null,
	"sha1_hash": "2de6102a9d42d440a70ae392c49a9845dd2e03a8",
	"title": "Operation Wilted Tulip – Exposing a Cyber Espionage Apparatus – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43524,
	"plain_text": "Operation Wilted Tulip – Exposing a Cyber Espionage Apparatus – ClearSky Cyber Security\r\nPublished: 2017-07-25 · Archived: 2026-04-06 02:10:53 UTC\r\nCopyKittens is a cyberespionage group that has been operating since at least 2013. In November 2015, ClearSky and Minerva Labs published the first public report exposing its activity [1]. In March 2017, ClearSky published a second report exposing further incidents, some of which impacted the German Bundestag [2].\r\nIn this report, Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active. It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group’s modus operandi. We dubbed this activity Operation Wilted Tulip.\r\nTargeting\r\nCopyKittens is an active cyber espionage actor whose primary focus appears to be foreign espionage on strategic targets. Its main targets are in countries such as Israel, Saudi Arabia, Turkey, the United States, Jordan, and Germany. Occasionally, individuals in other countries are targeted, as well as UN employees.\r\nTargeted organizations include government institutions (such as the Ministry of Foreign Affairs), academic institutions, defense companies, municipal authorities, sub-contractors of the Ministry of Defense, and large IT companies. Online news outlets and general websites were breached and weaponized as a vehicle for watering hole attacks.\r\nFor example, a malicious email was sent from a breached account of an employee in the Ministry of Foreign Affairs in the Turkish Republic of Northern Cyprus, trying to infect multiple targets in other government organizations worldwide. In a different case, a document likely stolen from the Turkish Ministry of Foreign Affairs was used as a decoy. In other cases, Israeli embassies were targeted, as well as foreign embassies in Israel.\r\nhttps://www.clearskysec.com/tulip/\r\nPage 1 of 2\n\nVictims are targeted by watering hole attacks, and by emails with links to malicious websites or with malicious attachments. Fake Facebook profiles have been used for spreading malicious links and building trust with targets. Some of the profiles have been active for years.\r\nMalware\r\nCopyKittens uses several self-developed malware and hacking tools that have not been publicly reported to date and are analyzed in this report: TDTESS backdoor; Vminst, a lateral movement tool; NetSrv, a Cobalt Strike loader; and ZPP, a file compression console program. The group also uses Matryoshka v1, a self-developed RAT analyzed by ClearSky in the 2015 report, and Matryoshka v2, which is a new version, albeit with similar functionality.\r\nThe group often uses the trial version of Cobalt Strike, publicly available commercial software for “Adversary Simulations and Red Team Operations.” Other public tools used by the group are Metasploit, a well-known free and open source framework for developing and executing exploit code against a remote target machine; Mimikatz, a post-exploitation tool that performs credential dumping; and Empire, “a PowerShell and Python post-exploitation agent.” For detection and exploitation of internet-facing web servers, CopyKittens uses Havij, Acunetix and sqlmap.\r\nA notable characteristic of CopyKittens is the use of DNS for command and control communication (C\u0026C) and for data exfiltration. This feature is available both in Cobalt Strike and in Matryoshka.\r\nMost of the infrastructure used by the group is in the U.S., Russia, and the Netherlands. Some of it has been in use for more than two years.\r\nRead the full report: Operation Wilted Tulip\r\nIndicators of compromise: indicators-wilted_tulip.csv (also available on PassiveTotal)\r\nYara rules: yara-apt_wilted_tulip.txt (courtesy of Florian Roth)\r\nSamples: Live samples can be downloaded from the following link: https://ln.sync[.]com/dl/f6772eb20/d8yt6kez-9q7eef3m-ai27ebms-8zcufi5f (Please email info@clearskysec.com to get the password.)\r\nAcknowledgments\r\nThis research was facilitated by PassiveTotal for threat infrastructure analysis, and by MalNet for malware research.\r\n[1] https://www.clearskysec.com/report-the-copykittens-are-targeting-israelis/\r\n[2] https://www.clearskysec.com/copykitten-jpost/\r\nSource: https://www.clearskysec.com/tulip/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.clearskysec.com/tulip/"
	],
	"report_names": [
		"tulip"
	],
	"threat_actors": [
		{
			"id": "9fb19abe-4035-4f22-a595-641b7f3443a9",
			"created_at": "2022-10-25T15:50:23.748944Z",
			"updated_at": "2026-04-10T02:00:05.395401Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"CopyKittens"
			],
			"source_name": "MITRE:CopyKittens",
			"tools": [
				"Cobalt Strike",
				"TDTESS",
				"Matryoshka"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4557ed9-2455-44c5-a768-dfb80ccae259",
			"created_at": "2023-01-06T13:46:38.652329Z",
			"updated_at": "2026-04-10T02:00:03.055638Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"Slayer Kitten",
				"G0052"
			],
			"source_name": "MISPGALAXY:CopyKittens",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "467c5e72-55a6-40a9-9b73-bb764889c0a5",
			"created_at": "2022-10-25T16:07:23.486532Z",
			"updated_at": "2026-04-10T02:00:04.628477Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"CopyKittens",
				"G0052",
				"Operation Wilted Tulip",
				"Slayer Kitten"
			],
			"source_name": "ETDA:CopyKittens",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"EmPyre",
				"EmpireProject",
				"Matryoshka",
				"Matryoshka RAT",
				"PowerShell Empire",
				"TDTESS",
				"Vminst",
				"ZPP",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446574,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2de6102a9d42d440a70ae392c49a9845dd2e03a8.pdf",
		"text": "https://archive.orkl.eu/2de6102a9d42d440a70ae392c49a9845dd2e03a8.txt",
		"img": "https://archive.orkl.eu/2de6102a9d42d440a70ae392c49a9845dd2e03a8.jpg"
	}
}