{ "id": "9c2e297a-3153-497a-a3a9-70223681a7c4", "created_at": "2026-04-06T00:15:21.272773Z", "updated_at": "2026-04-10T13:11:28.337179Z", "deleted_at": null, "sha1_hash": "37eb1c9bd867497732ab39d113be0b3166024c87", "title": "Virus Bulletin :: Domestic Kitten: an Iranian surveillance program", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 60410, "plain_text": "Virus Bulletin :: Domestic Kitten: an Iranian surveillance program\r\nArchived: 2026-04-05 15:55:21 UTC\r\nWednesday 2 October 14:00 - 14:30, Green room\r\nAseel Kayal (Check Point)\r\nLotem Finkelstein (Check Point)\r\nIn a fundamental regime that is constantly wary of anything that might jeopardize its stability, and a region that is\r\na hotbed of political conflicts and dissensions, it is not surprising to discover a large-scale surveillance campaign\r\nthat keeps an eye out not only for external threats, but also for internal ones.\r\nLately we uncovered an operation dubbed \"Domestic Kitten\", which uses malicious Android applications to steal\r\nsensitive personal information from its victims: screenshots, messages, call logs, surrounding voice recordings,\r\nand more. This operation managed to remain under the radar for a long time, as the associated files were not\r\nattributed to a known malware family and were only detected by a handful of security vendors.\r\nWhether it is an application that changes the device's background into ISIS-related images, or one that\r\nimpersonates a legitimate Kurdish news agency, the malicious APKs used by this actor were tailored for the use of\r\nspecific ethnic groups. Those ethnic groups and minorities can be considered a natural enemy to the Islamic\r\nRepublic of Iran: Kurds, ISIS supporters, Sunni Muslims, and even Iranian citizens.\r\nOur suspicions of the attack's origin were confirmed when we were able to gain access to logs that were uploaded\r\nfrom the victims' infected devices to the C2 servers. The information we gathered from those findings also\r\nrevealed the true dimensions of the attack as well as its lifespan, with the earliest malicious instances dating back\r\nto 2016.\r\nIn our presentation, we will discuss the evolution of the mobile spyware, the Iranian fingerprints it carries, and the\r\npolitical motives behind the launch of such an attack. In addition, we will share never-before-seen insights into the\r\ndata stolen from hundreds of victims.\r\nhttps://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program\r\nPage 1 of 3\n\nRelated links\r\nDomestic Kitten: An Iranian Surveillance Operation (Check Point)\r\nZooming In On \"Domestic Kitten\" (Check Point)\r\nMobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East (Trend Micro)\r\nAseel Kayal\r\nAseel is a malware analyst at Check Point Research. She joined Check Point as a security analyst in\r\n2016. She received her Bachelor's degree in computer science and English literature, and speaks Arabic,\r\nHebrew and English. Aseel's research mainly focuses on threat groups and cyber attacks in the Middle\r\nEast. Some of her work has been presented at security conferences such as Virus Bulletin and Botconf.\r\n@CurlyCyber\r\nLotem Finkelstein\r\nEquipped with years of experience in the field of threat intelligence from his former role as a Major\r\nOfficer in the Intelligence Forces of Israel, Lotem joined Check Point's Threat Intelligence and\r\nResearch organization four years ago. While he was completing his B.Sc. degree in communication\r\nsystem engineering at Ben-Gurion University, Lotem took on several roles as malware analyst and a\r\nteam leader at Check Point. During 2018 Lotem took over the threat intelligence department at Check\r\nPoint, focusing his efforts on pinpointing attacks and uncovering large-scale operations.\r\n@Lotemfi\r\nhttps://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program\r\nPage 2 of 3\n\nSource: https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program\r\nhttps://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program" ], "report_names": [ "domestic-kitten-iranian-surveillance-program" ], "threat_actors": [ { "id": "44d5df14-6a25-41d6-a54c-7c7ebac358cf", "created_at": "2023-01-06T13:46:38.817312Z", "updated_at": "2026-04-10T02:00:03.111227Z", "deleted_at": null, "main_name": "Domestic Kitten", "aliases": [ "Bouncing Golf", "APT-C-50" ], "source_name": "MISPGALAXY:Domestic Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c80783db-2b34-4321-ac7e-9a13692ffa31", "created_at": "2022-10-25T15:50:23.853579Z", "updated_at": "2026-04-10T02:00:05.422314Z", "deleted_at": null, "main_name": "Bouncing Golf", "aliases": [ "Bouncing Golf" ], "source_name": "MITRE:Bouncing Golf", "tools": [ "GolfSpy" ], "source_id": "MITRE", "reports": null }, { "id": "30f6ddb3-f5aa-4b78-a1a5-e37c42b2c560", "created_at": "2022-10-25T16:07:23.544297Z", "updated_at": "2026-04-10T02:00:04.64999Z", "deleted_at": null, "main_name": "Domestic Kitten", "aliases": [ "APT-C-50", "Bouncing Golf", "G0097" ], "source_name": "ETDA:Domestic Kitten", "tools": [ "FurBall", "GolfSpy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434521, "ts_updated_at": 1775826688, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/37eb1c9bd867497732ab39d113be0b3166024c87.pdf", "text": "https://archive.orkl.eu/37eb1c9bd867497732ab39d113be0b3166024c87.txt", "img": "https://archive.orkl.eu/37eb1c9bd867497732ab39d113be0b3166024c87.jpg" } }